responsibility
Avecto reckoned 97 percent of critical Microsoft vulnerabilities released in 2014 would be mitigated by removing admin rights.
So for this little user convenience we all have to pay.
Intel Security has fixed a flaw that made it possible to shut down its McAfee Enterprise virus engine, thereby allowing the installation of malware and pirated software. The hotfix addresses an issue that Agazzini Maurizio, senior security advisor at Rome-based consultancy Mediaservice, first warned about 15 months ago. McAfee …
I hear this time and time again (still) - particularly about Citrix..."but the software needs admin rights"
And my answer is always the same - "No it doesn't".
All you need is Sysinternals' Process Monitor (and this dates back to when they came as Filemon and Regmon) and filter on the executable of the app(s) for access denied's.
I have never yet found a piece of software that requires elevated rights that cannot be 'fixed' in this way but people are too lazy to put the effort in or too uneducated about the tools available.
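The Process Monitor filtering that the comment above describes, as an added example that is not part of the original thread: a Python script that reads a Process Monitor CSV export and lists the files and registry keys one executable was denied, so each can be given a narrow ACL instead of admin rights. The sample rows, `legacyapp.exe` and all of its paths are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's CSV export layout.
# "legacyapp.exe" and every path below are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:02.1","legacyapp.exe","4312","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"09:14:02.4","legacyapp.exe","4312","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"09:14:02.9","legacyapp.exe","4312","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastRun","ACCESS DENIED",""
"09:14:03.0","legacyapp.exe","4312","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"09:14:03.2","explorer.exe","2200","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED",""
"09:14:03.5","legacyapp.exe","4312","CreateFile","C:\ProgramData\LegacyApp\cache.db","NAME NOT FOUND",""
'''

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


def denied_resources(csv_text, process_name):
    """Count ACCESS DENIED events per (operation, path) for one executable."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # same idea as a "Process Name is ..." filter
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue  # SUCCESS, NAME NOT FOUND etc. are not permission problems
        hits[(row["Operation"], row["Path"])] += 1
    return hits


def grant_candidates(hits):
    """Split denied paths into registry and file system, most frequent first."""
    groups = {"registry": [], "filesystem": []}
    for (operation, path), count in hits.most_common():
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "filesystem"
        groups[kind].append((path, operation, count))
    return groups


if __name__ == "__main__":
    # For a real export, open the file with encoding="utf-8-sig" to drop the BOM.
    for kind, items in grant_candidates(denied_resources(SAMPLE_CSV, "legacyapp.exe")).items():
        for path, operation, count in items:
            print(f"{kind:10} {count:3}x {operation:12} {path}")
```

Each path in the output is a candidate for a targeted permission change for the application's users; re-run the capture after each change, since an application often stops at its first denial and only reveals the next one once that is fixed.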
I have never yet found a piece of software that requires elevated rights that cannot be 'fixed' in this way but people are too lazy to put the effort in or too uneducated about the tools available.
Or, depressingly often, the software company considers running without admin rights an "unsupported configuration" and won't troubleshoot problems if you set it up that way.
"...Or, depressingly often, the software company considers running without admin rights an "unsupported configuration" and won't troubleshoot problems if you set it up that way..."
I must confess that isn't a problem I've ever encountered despite vendor support occasionally being involved. Of course, I'd be happy to show them that changing to an admin account makes no difference and it would always be a test anyway in case anything was missed in the original admin-removal process.
It was always the same with Citrix - does the problem occur using RDP? Yes - most likely (not always) not a Citrix issue. No - most likely (not always) a Citrix issue.
I'm intrigued by the downvotes - not that I'm unhappy but I'd love to know the counterarguments to my points? Or was this a case of the same laziness?
One other thing I've noticed lately - there seems to be a lowering of basic troubleshooting and support skills. Some of it may be down to not having to wrangle with software to the level we used to even only ten years ago, but a significant portion simply seems to be a general lack of understanding. Worrying, really.
..and if you must have admin rights then at least enable UAC so that you only activate them when needed. Okay so UAC was extremely annoying in Vista but it got a lot better in Win7. I always run with it and the only time it prompts me is when there's a good reason to be prompted.
The trick is not to just click 'Ok' when prompted. For extra safety don't run as an administrator enabled user anyway and just accept that you'll have to enter credentials to get the rights. That can be confusing though if you're installing software as you won't be installing to your normal user account.
I run with UAC on too. About the only situation where it's a real problem is when a full-screen program (okay, game) wants network access. The dialog pops up *under* the program where I can't see it. I've learned to Alt-Tab when I hear the ding, but many games react very badly to having focus pulled away when they're in full-screen mode.
Think in terms of a corporation doing risk management. Pirated software creates a risk for them, not just in terms of malware, but in terms of getting sued by the BSA if they get audited. McAfee and other AV suites have become central monitoring systems for policy compliance.
"The flaw requires users or attackers first gain local administrator privileges, a level of access that many organisations lazily afford staff."
Maybe they're lazy because they don't realize that affording such local admin rights also conferred global kill rights over the AV software too. Ya think?
>Intel Security has fixed a flaw that made it possible to shut down its McAfee Enterprise virus engine, thereby allowing the installation of malware and pirated software.
Being able to shut down McAfee... isn't that something of a blessing? So, shouldn't the above read:
"Intel Security has fixed a flaw that makes it possible to install McAfee Enterprise virus engine, thereby allowing the installation of malware and pirated software."
Clarity, please.
For software written by any other party, including Microsoft themselves, it is almost impossible to reliably discover the group policy required to operate it. Even MS provide solutions that are "only supported" when running as administrator even when no obvious administrator rights should be required.
Not usually here to knock any particular OS but Windows can be particularly opaque on this, which then makes it very hard to lock solutions down to least privilege without guessing or attempting to diagnose permissions failures, which themselves can be hard to identify from third party software, even if the permissions are easily fixed.
So yes, maybe organisations can be described as lazy; I would describe most of the development culture as lazy, rather than the organisations attempting to cope.
"I've got admin rights on my work laptop. I did suggest to my IT department that they gave me 2 accounts, a user one and an admin account but they didn't want to.."
It seems our IT department at least has sorted this out. On my laptop I have <username> with no admin privileges and <adminname> with admin privileges.
On our desktops we don't even have admin accounts, so at least we are down to just the 3%. I am not at all surprised that this is not the case elsewhere.
The reason that a lot of programs run at admin level is because of the crap static way user access levels work and quite stupid default security restrictions on commonly used resources, so it is often much less faff to use compatibility mode with admin level or even turn off user access control!
This keeps biting me as a developer, so damned right I need admin level access!
I will agree that software trying to store config./extensions in Program Files is quite stupid, and too many programs still do this! Junk like Chrome goes too far and stores the software where only config. and extensions should be stored, SRWare Iron shames it!
I hate that stodgy slowness called McAfee, especially on laptops, where the limited CPU and I/O bandwidth it wastes is even more costly!
I do one better than that!
Boot using a BartPE bootable CD GUI interface and then visit the C:\program files\mcafee folder, then you can directly delete the folder and subfolders without any errors.
Then visit the common files and do the same there, then reboot and take the CD out, and now your PC is free of McAfee and viruses can have a party on your system.
So VSE 8.8 Patch 7 doesn't install over Patch 6 without first removing Patch 6. The upgrade just doesn't work - been here before... Seemingly also the new P7 version is stuck with DAT 1111 (even if the ePO extensions have been upgraded) and will not auto update to today's DAT.
I continue testing P7....
McAfee
"We just make it worse".