While I agree with the majority of this post (and live the non-admin life myself on ALL my machines!), I want to point out that while installing programs to a non-\Program Files location may make things easier, but it also means that the program's binaries aren't protected from modification like they otherwise would be and they're not as likely to be accessible to other users. By installing programs to \Program Files as an Administrator, you know that when you run as User your OS *and* programs are protected from tampering.

Love your blog - keep up the great work!

Hey Delay,

I could be wrong, but I don't believe the Program Files directory is a protected one. The Windows directory is, and only from those that are under WFP (the "Windows File Protection" feature you speak of). Normally it only protects those files stored under %systemroot%\system32\dllcache.

What you may be referring to is how the MSI system supports binary overwrite and repair. However, if you use a proper MSI and retarget the destination directory, it will still "repair" itself if its under a different directory, including a user's dir.

I do conceed that installing it in a user's dir does prevent others from accessing it. But thats not a bad thing if you ask me :)

Try: cacls "%ProgramFiles%"
It should show you that Users have read-only access to the entire Program Files directory tree (at least that's the case on W2K3SP1). Granted, it's not the same active protection that WFP provides, but it's a pretty trivial way to prevent users from accidentally (or deliberately!) stomping on any installed programs.

I can't argue with that logic. You're right. Unless someone is granted Pwoer User perms.

That's just an ACL issue though. You could manually reset your own ACLs to prevent "accidental" problems. Of course, nothing prevents the user from nuking their own software installs.

It's a balancing act. I would rather allow a limited user the ability to nuke their own untrusted software installs, rather than force an admin to install untrusted software just so the user can't muck with the files.

So far, Microsoft have basically just slapped the shield icon everywhere that has access to what was traditionally shared, common configuration data. What they need to do now is to consider very carefully whether the option they're protecting actually is shared system state, or whether it's something that should be a user preference.

For example, which media player opens my MP3 files? This should be my choice as a user, not the administrator's configuration. The registry supports this - HKEY_CLASSES_ROOT, which contains file associations, is a merged view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes, where the user's settings override the machine settings. What does Windows Media Player do? Hide the File Types tab in the Options dialog if you're not an administrator. Maddening.

I'm glad that MS took my advice from ages ago and have copied the way that Apple does things, but man, the way they have done it just sounds and seems crazy. I really hope that this is in the list of stuff to clean up that's on the list that delayed the release.

Seriously. In what real world computing environment is this valid?! The # of IT Geeks and Drones is minimal in comparison with what is in between. What is in between is a class of people that need the rights to do things that involve a higher level of access than USER. Microsoft is at fault for not providing a REAL platform for secure business computing. But if our IT helpdesk had to be contacted everytime that someone needed something because they didn't have the rights we would be under water. YOU can do it because you're in IT and you work for/by yourself. I love the attitude that people have of "well I do it, so why can't a company with thousands of people." Wake up, that's not the real world. When I hear this again at Teched this year my head is going to explode.
/rant

Aaron,

Its this type of attitude which causes such resistance. It's NOT about IT geeks here. It should be ALL users of the system. You might want to check out my latest post "LUA with UAC vs Least Privilege" (http://silverstr.ufies.org/blog/archives/000948.html) where I discuss how least privilege is SUPPOSED to work.

To me, least privilege means that you are given the privileges to accomplish your task/role/job. Nothing more. That's the whole point of the LEAST part. It is giving enough privilege to accomplish what you are deemed responsible to accomplish, and prevents you from doing things you aren't. When least privilege is rolled out properly, users won't even know they are using least privilege unless they do something they aren't supposed to do on the system. And that is the appropriate time to educate them on why they were not authorized to perform that function in the first place.

I have worked in both big and small networks, and I must say, in the properly controlled environments where least privilege is used to meet corporate security policies, there is less admin hell in fixing and managing desktops and people STILL do their job. In fact productivity is typically higher due to the fact the computing resources are used as TOOLS, not TOYS... focusing users to complete their job function and not installing software not needed in the business. If they need software installed, IT gets involved to validate the software functionality and lock it down so that its safe to be used on the network.

I appreciate your feedback and comments. If we remove the vexation and 'head blowing' promises from your comments... you hit on a vital issue. People will continue to have a poor attitude towards least privilege and assume that it can't be rolled out until we show them it can be done. Microsoft needs to lead the way here. That was the one of the key points to my post in the first place.

Thanks for the rant. Hope you enjoy TechEd. :)

The way I do it in my (mostly Mac) office--
Mobile users have two accounts on their computer: a regular davepooser account and an admin account named dpadmin. Both accounts share the same password. So any time the user is prompted to authenticate as an administrator, he can; my goal is not to lock the computer down entirely but to make sure that any time the user is acting as administrator, it's the result of a conscious decision on his part. (And, of course, admin privileges that are abused can be revoked.)
On the other hand, local users do have to contact the IS department (me) to gain admin privileges as needed. Average calls per week? Roughly 1 per 50 users. It hasn't swamped me yet.
All this is true of the Mac side. If Vista provides a similar experience on Windows, that will be the best argument I've heard for corporate users to upgrade sometime in 2007. (Assuming it doesn't slip again, but that's a whole 'nother story.)