Published by Javier Guerrero, May 26th 2010
There’s a general feeling that Windows is not a secure operating system, as opposed to others such as Linux or Mac OS. Yet this is not entirely true: Windows implements all the security mechanisms a modern operating system should have, such as access control lists, permissions, user accounts with different privileges, etc. Paradoxically, most of these features end up doing little good, simply because they’re not used.
I was thinking about this a few days ago, when I read a news item concerning a report by BeyondTrust, detailing how around 90% of the security problems affecting Windows (things like malware, vulnerabilities, etc.) could be reduced or mitigated if people used ‘limited’ user accounts instead of ‘administrator’ accounts.
So what’s all this about ‘limited’ and ‘administrator’ users?
Whenever a person uses a PC, they do so with a user account which identifies them on the operating system and lets them work with it. Basically there are two types of accounts: administrator accounts and limited accounts. The former have unlimited access to system resources: they can install hardware and applications, manage user information (creating or deleting users or changing passwords), and implement any changes affecting the whole system.
A limited user on the other hand has restricted access to certain system resources, such as folders, files, administration tools, installation of applications, etc.
OK, but what has this got to do with malware?
Right, imagine that, without knowing it, you run a malicious program on your computer which tries to install and start a Trojan. Normally, an application runs with the access permissions of the account that launched it, so if this is a limited account, the intruder cannot copy files into system locations, edit system registry entries, or even start a driver or service.
So although vulnerabilities and other means of bypassing security checks exist, there is no doubt that this simple mechanism is an effective barrier against the most common and least sophisticated malware, considerably mitigating many problems.
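To make the point concrete, here is a small self-check script (an added example, not part of the original post) that reports whether the account it runs under is an administrator, and which protected system locations that account could write to. It is written in Python so it runs on both Windows and POSIX systems; the lists of protected paths are constructed for the example, and `IsUserAnAdmin` is the standard Win32 API from shell32. Run it from an administrator account and then from a limited account to see the difference that the post describes.

```python
"""Least-privilege self-check.

Reports whether the current process holds administrator (Windows) or root
(POSIX) rights and which protected system locations it could write to.
A process inherits the rights of the account that launched it, so what this
script can write to, malware launched from the same account could also
write to.
"""
import ctypes
import os

# Locations a limited account should NOT be able to write to.
# Constructed lists for this example; adjust to the system you audit.
WINDOWS_PROTECTED = [r"C:\Windows\System32", r"C:\Program Files"]
POSIX_PROTECTED = ["/usr/bin", "/etc", "/var/lib"]


def is_admin():
    """True if the process runs with administrator (Windows) or root (POSIX) rights."""
    if os.name == "nt":
        try:
            # Win32 API in shell32.dll; returns non-zero for an elevated admin token.
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0


def writable_protected_paths(paths):
    """Return the subset of `paths` that exist and that this account could write to.

    os.access only asks the OS; nothing is actually written.
    """
    return [p for p in paths if os.path.isdir(p) and os.access(p, os.W_OK)]


def assess(admin, writable, total):
    """Summarise the privilege posture from the probe results."""
    if admin:
        return "administrator: anything run here inherits full system access"
    if writable:
        return "limited account, but %d/%d protected locations are writable" % (
            len(writable),
            total,
        )
    return "limited account: protected locations are read-only as expected"


def main():
    paths = WINDOWS_PROTECTED if os.name == "nt" else POSIX_PROTECTED
    writable = writable_protected_paths(paths)
    print(assess(is_admin(), writable, len(paths)))
    for p in paths:
        print("  %-28s %s" % (p, "WRITABLE" if p in writable else "read-only"))


if __name__ == "__main__":
    main()
```

The check is deliberately read-only: it asks the operating system whether a write would be allowed rather than attempting one, so it is safe to run on a production machine as part of a routine audit of which accounts people actually work from.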
So if these measures are available, why are they not used?
There are several reasons for this:
- Most users have become used to working with their systems as administrators. This is understandable, as dealing with concepts such as permissions, accounts, privileges, access control lists, etc. is not simple, even for experienced users. So whether through a lack of knowledge, force of habit or plain convenience, we normally end up just using the administrator account.
- There are applications that do not take the Windows security model into account, and assume that they will be run under an administrator account, and that they will therefore have permissions to perform certain tasks. This in fact means that if they are run from a limited account, they will not operate properly, or they might not even install, and so they require users to work with an administrator account.
- Also, many users like to have complete control over what happens on the system, and feel that the limited user accounts place too many restrictions on them. They are therefore willing to assume the risks in exchange for having more control.
One of the conclusions we can draw from all of this, evidently, is that an operating system is a complex product, and in trying to reach out to as many users as possible, security is often one of the aspects that suffers.
Javier Guerrero Díaz
R+D Department