
ASP.NET Weblogs

Carl Franklin

.NET Wonk

Admin only while offline?

I've been dealing a lot lately with running with least privilege, and it really sucks. Microsoft obviously did not write the Windows NT kernel with the idea in mind that when connected to the Internet all sorts of bad things can happen to you, so you're constantly having to use RunAs to install software, uninstall software, access a printer, and other stupid shit that any dope should be able to do.

So, here's what I'd like to see.

I'd like to have a policy that gives me Admin privileges when I'm not connected to the network, and then modifies my access when I go online.

I know it sounds like a band-aid, but that's basically what I have to do now, it's just a big hassle.

Thoughts?

Comments

 

Chris Sells said:

Carl, we feel your pain, which is why we're building the concept of "Least User Access" into Longhorn, as described by Keith Brown in this article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp
July 27, 2004 3:04 PM
 

Scott Hanselman said:

I think that's a silly band-aid and makes no sense. RunAs isn't that hard, just Shift-Right-Click on Icons to expose RunAs. Hardly a hassle. I certainly don't want my privileges to change based on something so transient as my connection status.
July 27, 2004 3:06 PM
 

Ryan Rinaldi said:

Interesting thought, but I'm curious as to how connected is "online"? At work I'm connected all day, but that doesn't mean I'm attached to the big amalgamation of evil that is the Internet. XP doesn't know the difference between being connected to a network and being "online", and until it can I think your band-aid would still have you running with least-privilege.
July 27, 2004 3:22 PM
 

Carl said:

Good point, Ryan. I'm going for what I think is doable. It isn't possible for MS to rearchitect the kernel now so that it can walk the call stack looking for what program executed a vulnerability exploit and whether that app came from the Internet or not. That can work with managed code apps, but since the browser is never going to be rewritten with managed code it's not possible.

I don't think "upgrade to Longhorn" is the answer in every case, either. Longhorn is going to take a serious hardware upgrade for many people. From MS' perspective it might be too good to be true: Make security work in Longhorn and don't touch XP/2000 so that everyone will HAVE to upgrade just for security purposes.

I don't see that as a bad thing, necessarily. I just wish there was something better that ordinary slobs could do besides deal with RunAs all the time.

Scott, it's not a hassle for you, geekbrain! It is a hassle for my family, none of whom even know what an administrator is.



July 27, 2004 3:33 PM
 

nospamplease75@yahoo.com (haacked) said:

But that creates another hassle for family members. Now they'll think they have to disconnect the network cable in order to install the latest cool program they downloaded off the internet. The program is free to do whatever at this point. Havoc ensues at this point, or when they re-connect.
July 27, 2004 4:12 PM
 

Tom Vande Stouwe said:

Interesting, but I think the better solution would be to block all connection off the local LAN when you are in run as mode.

Tom
July 27, 2004 5:01 PM
 

G. Andrew Duthie said:

Carl, have you seen:

http://weblogs.asp.net/Aaron_Margosis/

Aaron has some tools that reduce the pain of least privilege somewhat.

I think it's an interesting idea to block LAN communication while running as admin, but it really doesn't address the central issue, and it also would prevent things like Windows Update from working correctly, which would be...bad.

July 27, 2004 11:11 PM
 

Chris Bilson said:

Aaron Margosis's blog Rocks! I wish this was around 6 months ago (and that I had found it), when I first started running as non-admin. I'm sure everyone has seen Keith Brown's security wiki.

What I ended up doing was adding a toolbar to my task bar, with a whole bunch of .lnk's, to runas /user:hostname\la /savecred "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl" for example. I have all of the things I ever use from the control panel, an MMC console with all my favorite snap-ins, a link to iexplore.exe running as local admin, which I use as a surrogate Explorer (as per Keith Brown), and a link to a command prompt window running as admin. It took me weeks to accumulate this stuff. It _really_ sucks when you are nitpicky, and want to see the icons for the things that are being runas, and have to change all the icons for the .lnk's.

Now that I have this folder, I can take it with me to all the machines I have to run on. Now running as a normal user isn't so bad and I kind of like it. It makes you stop and think before you do something stupid. Kind of like sudo on Unix.

The _only_ thing that still bugs me is that when I run Enterprise Manager as an admin, I can manage my local SQL Server, but need to switch to another console running as my domain account to manage other servers. It's too bad Enterprise Manager doesn't let you specify credentials per connection.
July 28, 2004 4:17 PM
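
The shortcut folder described in the comment above, sketched as an added example that is not part of the original comment or the commenter's own script. The folder name, the shortcut names, the icon choices and the entries other than the sysdm.cpl command are assumptions; `la` is the local admin account name used in the comment.

```powershell
# Added example: generate a folder of RunAs shortcuts (.lnk) with matching icons.
# Assumed names: AdminTools folder, shortcut titles, the cmd/mmc entries.
param(
    # /savecred caches the admin password after the first prompt. Any program
    # running as the limited user can then call runas /savecred for the same
    # account and start an arbitrary command as admin without a prompt, so it
    # is off by default here and runas asks for the password each time.
    [switch]$SaveCred
)

$admin  = "$env:COMPUTERNAME\la"                       # hostname\la, as in the comment
$folder = Join-Path $env:USERPROFILE 'AdminTools'      # hypothetical toolbar folder
$sys32  = Join-Path $env:SystemRoot 'System32'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Each entry: shortcut title, command to run elevated, file to borrow the icon from.
$items = @(
    @{ Name = 'System Properties (admin)'
       Cmd  = 'rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl'
       Icon = "$sys32\sysdm.cpl,0" },
    @{ Name = 'Computer Management (admin)'
       Cmd  = 'mmc.exe compmgmt.msc'
       Icon = "$sys32\mmc.exe,0" },
    @{ Name = 'Command Prompt (admin)'
       Cmd  = 'cmd.exe /k title ADMIN'
       Icon = "$sys32\cmd.exe,0" }
)

$shell = New-Object -ComObject WScript.Shell
foreach ($item in $items) {
    $lnk = $shell.CreateShortcut((Join-Path $folder ($item.Name + '.lnk')))
    $lnk.TargetPath = Join-Path $sys32 'runas.exe'
    $flags = "/user:$admin"
    if ($SaveCred) { $flags += ' /savecred' }
    # runas takes the elevated command as one quoted argument.
    $lnk.Arguments    = "$flags `"$($item.Cmd)`""
    $lnk.IconLocation = $item.Icon    # so the shortcut does not show the runas.exe icon
    $lnk.Save()
}
Get-ChildItem $folder -Filter *.lnk | Select-Object Name
```

The resulting folder can be added to the taskbar as a toolbar and copied to other machines, since the account name is built from the local computer name at generation time.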
 

Carl said:

Can you just Run IE as a regular User? Will that not do the trick?
July 28, 2004 4:20 PM
 

Jeff Fansler said:

Many of the solutions that have been posted are good for geeks who know their way around Windows, but run-as is not a solution for the average user. My family didn't even like it when they had to start logging in to their computers. They just want to turn it on and use it. IMHO this is one of the biggest problems with security right now. I have a younger brother who just received his first computer. It ran great for about a month. After that he started complaining about how slow it was. I took a peek at it and it had so much junk installed I was amazed. The only solution was to backup/format/re-install. This doesn't typically happen to me because I can make educated guesses about what software is dangerous and what isn't, but my little brother can't, and neither can most computer users. If I set up my little brother's computer to use run-as, he would just use it to install the latest innocent looking totally useless spyware app.

I wish I had a solution. Heck I don't even know who to blame. For now, I resort to the backup/format/re-install every 6 months or so.
July 28, 2004 4:33 PM
 

Chris Bilson said:

Jeff,

Get Dan Appleman's book for your kid brother. Unless some miracle happens, we will always have security problems with computers connected to huge networks. If people want to use computers like this, they either have to learn to live with the security obligations, or relegate themselves to using only web based applications. It is the latter case where running as a non-admin fits perfectly.

Carl,

Running only IE as a normal user sounds like a good solution, but there are about a dozen other applications that I use constantly that connect to the internet that need to be run as normal users too (RSS Bandit, Outlook, heck...even Word!)

It's easier just to run as non-admin and only runas admin for the things I really need to be an admin for. I have a well defined list of what those things are and just use my short-cuts. It's really pretty easy once everything is set up.

Just be prepared to be slightly less productive while you get used to it.
July 29, 2004 9:07 AM
 

Jeff Fansler said:

That looks like a good book Chris, thanks. I already sent a link to my brother. I only see this as a short term (necessary) fix though. If car theft became a huge problem and the solution was that everyone had to read a book in order to secure their car, people would not be happy. Instead, car manufacturers use things like locks, alarms, and GPS tracking. These are all things that consumers accept without any concerns. I know comparing cars to software is a dangerous road to go down (no pun intended), but I really believe that security must be easy. Easy to the point where the majority of users don't concern themselves with it. Of course some breaches will always happen, but where we are at now is mayhem.
July 29, 2004 3:07 PM
 

francisco lopez said:

Carl,
Having similar problems here.

I think what will be nice to have is the ability to throttle (so to speak) your permissions at will while logged on. For example, if you need to do something requiring admin rights, you would click a button - raising perms to x - and that's that.

Just a thought.

July 29, 2004 6:11 PM
