March 2003 - Posts
Over the weekend, I blogged about a variety of topics, including the practice of running as admin in one's day-to-day work, a practice which I had to admit I still was guilty of (with the exception of my development work). I've since pulled my regular login from the Administrators group, and while the process hasn't been painless, it's not been painfull either. Here are some of the things I've run into:
- Installing the samples for the latest revision of my book requires admin rights (something I've discussed with my publisher in hopes of eventually resolving).
- Modifying the options for Norton Antivirus requires administrator rights (why that should be, I'm baffled, unless it's installed by an administrator who chooses to lock it down...for the average user this is a stupid requirement, IMO. BTW - my install is an OEM version on my Dell laptop). In fact, when running as a normal user, the options button doesn't even show up.
- As mentioned in my earlier blogs on the subject, if you need to do something in Explorer that requires elevated rights (such as changing ACLs), that can be a PITA.
But the benefit of the above is that I don't have to worry as much about the possibility of rogue code running with full admin rights if I'm careless and open the wrong email, or if someone I trust sends me an Office doc with a macro virus, etc. And more importantly, I won't be writing software examples that require admin permissions to run, so I won't be perpetuating this bad habit of always running as admin.
In the blog listed above, I also asked folks to comment on whether or not they run as admin on a regular basis. So far, it looks to be about 2-1 in favor of running as admin, which is not encouraging. Microsoft, especially in the person of Michael Howard, is trying to get the message out about the principle of least privilege, but it would seem that the message has not yet seeped deeply enough into the developer's conscience.
So here's my challenge: Run for a week as a non-admin account, and blog (or comment on this blog, if you like) about the challenges you faced. I'll respond to the challenges listed in the comments on my blog, offering solutions (where I have them) to try to make this process easier for folks. Let's try to start setting a good example here, folks. :-)
My recent post on running as admin, and my admission that I was still doing it motivated me to reduce my shame quotient by removing my day-to-day account from the Administrators group once and for all.
Given that I've been running as a non-admin when developing samples for a good while now, it's about time I did this day-to-day as well. Fortunately, I was running under a separately named account (i.e. not running as Administrator), so making the switch was relatively simple and (so far) painless.
My friend and .NET Mobile guru, Anil John, has some more to say about this at:
http://www.learnmobile.net/weblog/secureCoding/RunningasLocalAdmin-JustS.html
One of the few things that you need to adjust to in running as a non-admin is using the Run As... command to run program install routines, etc., that require admin privileges. It's as simple as right-clicking the desired executable, and selecting Run As..., and then filling in the required credentials.
One gripe I have is that you can't run Windows Explorer this way (or at least, I haven't figured out how to yet...if anyone knows, let me know, and I'll post the solution), so if I need to change ACLs on something, I occasionally have to switch to log in as the admin account to make the change. A minor thing, but I hope I can find an easier way to deal with that.
One other cool thing included in the management recommendations for the Internet Explorer Enhanced Security Configuration (res://shdoclc.dll/IESechelp.htm#manage, on a Win2K3 machine), is a set of recommendations for browser security for servers. If all server admins followed these, that would certainly be an improvement. Unfortunately, many folks probably won't ever look at the docs for the Enhanced Security Configuration, which is why I'm reproducing these tips here:
Browser Security — Best Practices
Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.
To reduce the risk to your server of potential attacks from malicious Web-based content:
- Do not use servers for browsing general Web content.
Use client computers to download drivers, service packs, and so on.
- Do not view sites that you cannot confirm are secure.
- Use a limited user account instead of an administrator account for general Web browsing.
- Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.
Good advice. Now let's hope people follow it.
Quiz time! How many of you are running as Administrator (or an account with administrative rights) right now?
I'll start by fessing up that I am (at least on my day-to-day machine), which I should not be. There are two big problems with this practice.
The first problem, which affects mainly the person running as admin (as well as potentially any machine on their network) is that if malicious code gets executed while you're running as admin, you're basically owned by that code, it can do whatever it wants.
The second problem, for those of us who are developing code to be used by others, is that the habit of running as admin often means that code that we develop breaks when the user of that code isn't running as admin. This of course means that the user of the code may resort to running as admin just to get your code to work. Thus you've extended your bad habit to someone else. I can say at least that all of the code examples that I write for my books are now written and tested 100% under a non-admin account, so that my readers will never have to run as admin just to get the samples to work.
I'm working on weaning myself from running as admin, and I certainly hope if you're not already, that you will all work on this too.
So how about it? How many of you are running as admin? Let's see a (virtual) show of hands...
Installation and testing of the samples from my latest book went very smoothly (as expected). So far my experience with the RTM version of Windows Server 2003 is as good as I've been hearing from others.
One interesting change from previous RCs is that in keeping with their ongoing push for better security, Microsoft has locked down the security settings on IE. When you open IE on the RTM version, you'll see the following screen:
The key changes I've seen so far is that both ActiveX controls and scripting are disabled by default for all sites other than those in the Local Intranet or Trusted Site zones. In order to allow scripting, you have to either add the desired site to the Trusted Sites zone (which you don't want to do unless you really trust the site), or turn off the Enhanced Security Configuration, using the following steps:
- Open Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
- Select Internet Explorer Enhanced Security Configuration, click the check box to clear the selection, and then click OK.
- Click Next and then click Finish.
- Restart Internet Explorer to apply the changes.
You can also use the Add/Remove Windows Components applet to apply the IE Enhanced Security Configuration to administrators or other groups (by default, it's applied to both), so if you want administrators to be able to surf without the Enhanced Security Configuration, you can disable it for them, while still leaving it enabled for other groups.
I'm pleased to see that Microsoft is continuing to push for more secure default settings, but I'm going to predict that this one will cause quite a bit of squawking because it will break a great many sites (including some of Microsoft's). I'm also not sure that requiring users to add sites to the Trusted Sites zone is such a good idea. Yes, it requires an active step by the user, and thus is secure by default, but the likelihood that many users will simply get in the habit of adding sites to the Trusted Sites zone is pretty high, IMO, and risks making that zone less useful in segregating truly trusted sites. So while I think it's a step in the right direction overall, I hope that the IE team will continue to think about this problem, and perhaps find more comprehensive ways to address it.
I'm not convinced, based on my experience so far.
I'm not sure quite what Sam's going through here, but my experience with Win2K3 is nothing like that. As you can see in the following dialog, I've installed it on a 6gb partition, and have plenty of room to spare.
Not even close to 6GB. Now it's true that I'm running Web Edition, while he's talking about the Standard Edition, but somehow I don't think that's likely to account for a nearly 4GB delta. Wonder what's going on? Hope Sam will keep us posted on what's causing the problem. I'm sure something other than code bloat is going on here.
OK, so not much more than an hour later, and my upgrade from RC2 of Windows Server 2003, Web Edition to the RTM version is complete, and seems to have gone almost entirely smoothly. I say almost, because despite the fact that I was upgrading rather than doing a fresh install, I still had to manually install the VMWare SVGA video driver. I also had a sudden shutdown of the VM, but I'm not sure yet whether that was just a VMWare hiccup, or something more ominous.
But it's up and running right now, and I'm installing the sample files from my latest book, Microsoft® ASP.NET Programming with Microsoft Visual Basic® .NET Version 2003 Step By Step, to make sure they work OK on the RTM release. Will report back.
Meanwhile, one minor gripe about VMWare. I desperately want them to start supporting the third and fourth mouse buttons on Microsoft's (and others') optical mice. I live by these buttons for forward and back in both IE and Windows Explorer, and it's really irritating that I can't use them in a VMWare VM.
...and diving into upgrading my Windows Server 2003, Web Edition RC2 to RTM. I wouldn't be worried about it at all but for the fact that I'm running Win2K3 in a VMWare v3.1.1 virtual machine, and Windows Server 2003 is only provided experimental support in that version. It worked fine for RC1, but locked up hard when attempting a fresh install of RC2. I managed to get RC2 running under VMWare by installing RC1 and then upgrading RC1 to RC2, so I'm going to try the same trick with the RTM version. If that doesn't work, then I'll pave the VM and try installing from scratch.
Unfortunately, it's not clear yet whether VMWare is planning to support Win2K3 in their 3.x product, so I may have to upgrade to 4.x (currently in beta) if neither an upgrade or fresh install works on 3.x. I'll report back with the results!
As an aside for folks who've never used VMWare, if you are often in need of a platform for beta-testing, and don't want to jeopardize your day-to-day work platform, VMWare is worth a look. It's definitely cheaper than buying a new machine for testing betas, but there are a couple of caveats. You'll need at least 4-6gigs of HD space for each VM to comfortably hold both OS and whatever software you're beta testing (particularly if you're testing multiple betas), and you should add as much RAM to your computer as it will hold, since that will definitely improve the performance of any VMs you're running.
I know I'm not the first to comment on the rumors that Wrox may be going under, but one of the first things I thought of is all of the folks that I've met who work for Wrox, and who depend on them for their livelihood. Authors like Alex Homer, Dave Sussman, and Rocky Lhotka, to name just a few, were the main reason that Wrox became such a prominent name in the tech book market.
I hope that everyone will take just a little time to say a little prayer (or send good wishes, or whatever you're comfortable with) for all the folks, authors, reviewers, editors, staff, etc. who are likely to be impacted by this, assuming it's true. While this is a big deal for readers and fans of Wrox books, it's an even bigger one for those who may lose jobs, or whose projects are up in the air.
To the folks at Wrox, here's hoping that you all land on your feet.
Just wrapped up the last of the first-pass edits on my MS Press books. A few more PDFs to review, and I'll be all finished.
Time to move on to the next project. Now it's a race between who will finish first...me, with my next project, or my wife, with delivering our new baby.
:-)
I want to say thank you to everyone who attended my talks on March 4th at the MSDN .NET RoadShow event in Reston, VA, and the Central Maryland ASP Professionals user group meeting in Columbia, MD.
Despite fighting off a nasty cold, I had a great time presenting for both groups, and I really appreciate all of the great questions you all had.
I've posted some pictures from the CMAP user group on my website, with links below:
- How Andrew deals with Powerpoint being ornery (note the Task Manager in the background, preparing to kill off Powerpoint...turns out that the print spooler was acting up, not PP).
- The audience at the CMAP user group was friendly and attentive.
- Andrew explains event handling basics.
Do you run, or are you a member of a .NET user group? Would you like to have me (or another .NET expert) speak at your user group? All you need to do is get in touch with the nice folks at INETA, and they can hook you up.
More Posts
Next page »