Microsoft Versus
Dissecting Microsoft | Directory

Local Administrators

Most computer software systems, such as UNIX® and its descendants, have distinct boundaries between regular user accounts and administrator accounts. There's a simple reason for this. No one wants regular programs, such as word processors and web browsers, to make any significant changes to the core of the computer system. Therefore users run programs using non-administrator accounts which don't have the ability to manipulate the operating system. It's a basic rule of security that every program should run with the least amount of privileges possible. It's also critical that the operating system not let programs overstep their bounds into the space of other users or the kernel (the very core of the operating system).

Microsoft® Windows™ has a long tradition of not promoting boundaries between an operating system and its programs. Most applications still install files into system directories alongside operating system files. Application settings are stored in the same database (the registry) as operating system settings. Some programs operate partly in the execution space of the kernel. All of these factors contribute to application instability and insecurity affecting the whole system.

Due to many programs requiring administrator privileges to run and Windows making it very difficult to operate programs as multiple users most people use their Windows computer as an administrator. Running a Windows computer as a non-admin is an arduous task requiring a massive amount of knowledge and patience. It's worse for software developers who aren't doing anything administrative but require more interaction with the operating system. It's simply too much trouble to run as non-admin.

Microsoft made some effort with features in Windows XP to simplify the task of using a computer with less than full privileges. The system can finally be used by multiple accounts while programs are left running under each of them. Programs can be launched to run as a different user. But this is still very troublesome and often useless with so many current applications requiring an administrator account to execute properly. The problem really stems from Microsoft's lack of genuine attention to security with versions of Windows prior to XP. This trickled down to developers of Windows applications who also often ignored security. An operating system needs to be built from the foundation up with security as a primary concern if the system is to truely be as secure as possible. This has never been the case with Windows.

Microsoft attempted to alleviate these problems with new security features in Windows Vista. However, the implementation is annoying to most average users. Some may quickly click "Allow" to the many security warnings without reading them because they are overloaded with prompts. Others might simply turn off the security feature.

Copyright © 2004-2007 Matthew Schwartz