Why your primary account shouldn't be admin-level - Mac, Windows or Unix.
Sometimes it can be difficult to grasp: why do I want to limit myself? Why do I want to make things more difficult?
It's important to make the distinction, though: by not running as admin, you're not limiting yourself, but protecting yourself.
This post is somewhat of a companion piece to my white paper on security, which also explains this issue.
As an admin-level user, you typically have rights to everything on that particular machine. Yes, that makes life easy in many, many cases. You can install programs without obstacle. You can save files anywhere you like, and you can also move and delete them. Why is this bad?
All three systems mentioned above are multi-user systems. From a security perspective, letting any one person (or account) that is used on a daily basis rule the roost is a terrible idea. Naturally, from a privacy perspective, this has implications. More importantly, from a "Oops, I deleted a bunch of files" perspective, it turns into a big problem. Especially since those files, for an admin user, may or may not even be theirs.
Also, think of the spyware/adware/malware! Software can only do what your user account is capable of. When you run software that wants to do something malicious, if you're an admin, it can pretty much wipe the whole machine. As a regular user, the most damage it can do is to your own files (sometimes a small consolation).
Windows is absolutely terrible at handling this situation. Every new user added to a local system is an administrator by default. You have to go manually change the user's type. How often do you think people do that? SP 2 made this situation a little bit better. The default is now "Power User". The second, and more disturbing, issue is that if you've ever tried to run as a non-admin, you'll know how difficult it is. It's almost as if all forces are conspiring against you in this case.
Win2K and XP provide the 'Run As...' function which is moderately useful, but has two problems. 1) it doesn't solve every case, and 2) you have to give out the admin account and password (or an admin-level account), and that just gives people the run of the box. No good!
As a Windows user, if you are one, you need to petition developers of the applications you use to develop in such a way that their app doesn't require administrative rights. Quickbooks users know that this only became a reality with Windows XP. But I still have to ask: why does an accounting program require an admin level user? Why was it ever designed this way? There are many other examples, but it's up to end users to put pressure on the developers.
Linux and the BSDs are certainly interesting. 'Linux' is no one thing. When people say 'Linux', unless they're pretty hard-core, they're referring to a particular distribution, such as Suse, RedHat or Gentoo. BSD is a little more coherent, but still has three main distributions (FreeBSD, OpenBSD and NetBSD), each with its own main focus. OpenBSD has security as its overarching 'secure or bust' mantra. Each Linux or BSD distribution can choose how it wishes to deal with security, but there are several common methods.
One is much like Windows: the user runs as admin ("root" in Unix/Linux) all of the time. We've already decided that's a terrible idea, but it's one possibility. The difference with Unix and Linux is that, unlike Windows, it's not virtually impossible to work as a 'normal' user.
Another option is the granular use of 'sudo'. sudo allows an administrator to grant non-admin users the ability to run certain programs or perform certain actions as if they were root.
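The granular grants described above are only as good as the policy behind them: a sudoers rule that lets a user run ALL commands is the root password by another name. The following shell script is an added example, not code from the original post; it audits a sudoers-style policy (the sample text is constructed for the demonstration) and lists every user or group whose command list is exactly ALL, so an administrator can see at a glance which rules hand out the whole box rather than a specific action.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudoers-style policy for
# grants that amount to handing out the root password, i.e. a user or group
# allowed to run ALL commands, with or without a password prompt.

# Constructed sample policy for the demonstration; not taken from any real host.
SAMPLE_SUDOERS='
# hands the box to everyone in the group: any command as root, no password
%staff      ALL=(ALL) NOPASSWD: ALL
# one user with unrestricted root
bob         ALL=(ALL) ALL
# granular grants: a single command each, run as root, own password required
%webadmins  ALL=(root) /usr/sbin/apachectl graceful
%backup     ALL=(root) /usr/bin/rsync
Defaults    timestamp_timeout=5
'

# audit_sudoers POLICY_TEXT
# Prints the user or group of every rule whose command list is exactly ALL.
# Returns 1 if at least one such rule was found, 0 otherwise.
audit_sudoers() {
    policy=$1
    found=0
    while IFS= read -r line; do
        line=${line%%#*}                    # strip comments
        case "$line" in
            ''|Defaults*|*_Alias*) continue ;;   # skip blanks, Defaults, alias definitions
        esac
        case "$line" in *=*) ;; *) continue ;; esac   # not a user specification
        set -- $line                        # word-split: first word is the user/group
        who=$1
        cmds=${line#*=}                     # everything after 'hosts='
        cmds=${cmds#*\)}                    # drop the optional (runas) part
        case "$cmds" in *:*) cmds=${cmds##*:} ;; esac  # drop NOPASSWD:/PASSWD: tags
        set -- $cmds                        # remaining words are the command list
        if [ "$#" -eq 1 ] && [ "$1" = "ALL" ]; then
            printf '%s\n' "$who"
            found=1
        fi
    done <<EOF
$policy
EOF
    return "$found"
}

# Demonstration: list the unrestricted grants in the constructed policy.
audit_sudoers "$SAMPLE_SUDOERS" || echo "unrestricted root grants found"
```

On a real system the same function can be fed the output of `sudo -l` or the contents of /etc/sudoers; the two rules it flags in the sample (%staff and bob) are exactly the ones that give people the run of the box, while the apachectl and rsync rules are the granular grants the paragraph describes.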
Some Unix variants (Linux and BSD included) are good enough to display an authentication dialog to a non-admin user if they're trying to perform an action that requires admin-level privileges.
The important thing to note here is that new users under Unix typically get almost no privileges - also called a 'Least-privilege User Account'. Contrast that with Windows which seems to advocate a 'Most Privilege Account'.
On the Mac, running OS X, you can see how much thought has gone into the entire security process. OS X brings you several distinct levels of privilege. First, on OS X (non-server), 'root' is disabled altogether by default. Well, that solves someone or something gaining root through brute force. However, there's something more clever at play here.
By default, the first account you create after setting up OS X is an 'admin' account. However, OS X has a different idea of what an admin account actually is. If you have multiple users on your machine, and you have an admin account, notice that you can't get into the Documents folder of other users. Also, if you try to wipe out the /System folder, you won't be able to.
OS X also will gracefully ask for an admin-level password from non-admin users when they're trying to do something that requires that level of privilege. Not saying you can't do it...just that you need to show you're allowed to do it.
Of course, OS X also supports the traditional IT locked-down user. In a business setting, with OS X Server, you can really gracefully manage user accounts.
So, what to do?
- No matter the OS, do not use an admin-level account as your regular, daily login.
- Tell developers that it is unacceptable to require admin-level privileges to run their application (unless it's an admin tool...)
- Windows IT people: manage all machines through a domain/AD and group policy. Do not let people run with an admin-level account!
- Unix/Linux/BSD users: you typically know what you're doing. Keep it up. Don't hand out the root password.
- Mac OS 9 users: upgrade.
- Mac OS X Users: same as other platforms: don't run as admin or root. Don't enable root on OS X (client) unless absolutely necessary.
- OS X users in a business setting: Don't create admin-level accounts unnecessarily. Use the remote admin features built into the Mac where appropriate (ssh and ARD).
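Several of the points above come down to one question an administrator should be able to answer for every box: which accounts are admin-level at all? The shell script below is an added example, not code from the original post. It reads /etc/group and /etc/passwd style text (the sample data is constructed) and lists every account that is uid 0 or belongs to an admin group, whether by explicit membership or by primary group id. The admin group names it knows (wheel, sudo, admin) are an assumption covering common BSD, Linux and OS X conventions; add your own if your distribution uses a different one.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate the accounts on a
# system that are admin-level, so unnecessary admin accounts can be spotted.
# The admin group names below (wheel, sudo, admin) are an assumption of this
# example, chosen to cover common BSD, Linux and OS X conventions.

# Constructed sample data in /etc/group and /etc/passwd format; not from a real host.
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice,bob
sudo:x:27:carol
admin:x:80:alice
staff:x:20:dave,erin
backup:x:34:'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:501:20:Alice:/Users/alice:/bin/sh
bob:x:502:20:Bob:/Users/bob:/bin/sh
carol:x:1000:1000:Carol:/home/carol:/bin/sh
dave:x:1001:27:Dave:/home/dave:/bin/sh
erin:x:1002:1002:Erin:/home/erin:/bin/sh
toor:x:0:0:second root:/root:/bin/sh'

# list_admin_accounts GROUP_TEXT PASSWD_TEXT
# Prints, sorted and de-duplicated, every account that is uid 0, is listed as a
# member of an admin group, or has an admin group as its primary group.
list_admin_accounts() {
    group_text=$1
    passwd_text=$2
    printf 'G\n%s\nP\n%s\n' "$group_text" "$passwd_text" | awk -F: '
        /^G$/ { mode = "g"; next }          # marker: group records follow
        /^P$/ { mode = "p"; next }          # marker: passwd records follow
        NF < 3 { next }                     # blank or malformed line
        mode == "g" && ($1 == "wheel" || $1 == "sudo" || $1 == "admin") {
            admingid[$3] = 1                # remember the gid for primary-group matches
            n = split($4, m, ",")           # explicit member list
            for (i = 1; i <= n; i++) if (m[i] != "") acct[m[i]] = 1
        }
        mode == "p" && ($3 == 0 || ($4 in admingid)) { acct[$1] = 1 }
        END { for (a in acct) print a }
    ' | sort
}

# Demonstration on the constructed data. On Linux or BSD the live files can be
# fed in the same way: list_admin_accounts "$(cat /etc/group)" "$(cat /etc/passwd)".
# On OS X the account database lives in Directory Services, so the flat files
# only show what is visible to the local files, not every admin user.
echo "admin-level accounts:"
list_admin_accounts "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

In the sample, dave is flagged even though no group lists him by name, because his primary gid is the sudo group; that is the kind of quiet admin membership a review of /etc/group alone misses, and toor shows that a second uid 0 account counts as root however it is named.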
In any case, it's important to stay vigilant. If you need to hire someone to help you plan out your security strategy, do so. It's pretty important to get this right!
Where is all of this going?
Again, since we have to rely on developers, as the end-user, you need to register your desires with the developers. If you are a developer, you need constant education on how to write a secure application and make your application respectful of the multi-user nature of the major OSes today.
The good news: Apple pretty much has it nailed. OS X provides a robust security mechanism that doesn't put up too many obstacles for the end-user. It's a great balance between usability and security (which are always at odds).
Unix/Linux/BSD (again, a distribution or variant) has it this close. Since Unix is usually deployed as a server, this tends to be OK as people aren't using it as a desktop. However, what about the cases where people are? And what about the future for Unix on the desktop? Until that future arrives, we just have to be careful, as with any operating system. For now, you can keep a Unix desktop locked-down and usable at the same time. Naturally, watch which services are installed and which ports get opened, even for mobile end-users.
Windows is in year three of Microsoft's 'Secure Computing' initiative, and security patches for the base OS continue to flow like wine at a party...and this is after SP 2, which was supposed to fix all of that. Windows is a sad state of affairs in the security department, but Longhorn looks like it will (hopefully) get things right. Longhorn, due in 2006/2007 (7 or 8 years too late), will employ Least User Privilege, and Microsoft is trying to educate developers on the subject (MS-LUA Intro). However, if history is a teacher, I'll believe it when I see it. Microsoft is all about legacy, and not breaking older apps. They work very, very hard at this, and it's one reason why they're so entrenched in IT. But it hurts them in the long run (OK - hurts is a relative term for the world's largest software company).
So, things are looking up in the world of security, but no matter your platform, don't abuse the admin account!