‘Plan now to eliminate “power users”; from your domains’ – or face the consequences.

Saw this today over at Steve Riley’s blog

Plan now to eliminate “power users” from your domains

That group had rights install software and drivers. And if you can install software and drivers, then you can elevate yourself to Administrator or SYSTEM. Vista includes a signed installer that allows standard users to install packages signed by a trusted root. (The “Trusted Installer” is a service that has a SID, so you’ll see it in the permissions list on various objects throughout the operating system.)

Which is why:

  • Microsoft Application Packaging Standards going back to Windows 2000, state what you should be doing for best application packaging compatibility.
  • Good application packagers test against “”Standard”” user accounts (and not admin)

On my home Windows XP PC, my daily use account is a Standard user account.  With Vista, EVERYONE is a standard user (and some people can temporarily raise their privileges as required)

Some references:

Check for Correct User Privileges [Application Compatibility Guide] – this article now removed, replaced by:
Application Installation and Servicing

Application Compatibility Testing and Mitigation Guide for Windows XP SP2

Designed for Windows XP Application Specification

Isolated Components

Comments are closed.