Adventures in New Laptopia, Pt 1: Security

Running as a non-admin in Windows, for the first time ever

Before I started laptop shopping, I stumbled onto a pair of blog posts suggesting that you should run as a standard user. The first is from Jeff Atwood, and the best part is the quoted list of stuff in the middle of stuff you’re protected against by being a standard user. Somewhere around the same time, I found a blog post about configuring Windows 7 to run primarily as a standard user. Unfortunately, there’s not enough info in that blog post on the pros and cons of running as a limited user, but here’s what I’ve found in the last few days:

• Some regular actions will prompt you for admin rights on a daily basis (eg Lenovo updater service). This is an absolute pain and I so dearly wish to figure out a way to make exceptions for specific applications. I’m investigating a few options right now, but I’ll update if I find a perfect solution.
• You can’t add administrator privileges to a program that’s already running, and you won’t get a UAC prompt when you need them. The program will just fail with some cryptic message. You probably won’t think of it until it becomes a problem. Example that I dealt with on three separate occasions today as I was setting up new software: I wanted to edit a configuration file stored in Program Files. I open my editor, make minor changes, then try to save. “Access denied”. I have to save my new version as a copy in a folder I own, open explorer, and cut+paste my edited version into Program Files. Explorer, thankfully, can prompt when I need admin privileges.
• The “Run as administrater” option, and the command line utility runas don’t work the way sudo does in Unix. Unlike sudo, they suck terribly. SuperUser has a pretty good explanation of how they actually work and one answer recommends Sudo for Windows, which is complicated but seems workable. If you do check out Sudo for Windows, the Wayback Machine has rescued its documentation from the depths of Internet history (the year 2007).
• If you leave it with the default settings, MediaMonkey (which seems quite awesome so far - check out the files to edit section of your library! *swoon*) will re-check file associations every time you start it. For some unknown reason, while this can be done without admin rights in some other programs, MM will prompt you for admin rights/UAC whenever it starts. If you turn that option off, it seems to work fine. Extremely thankful to this thread for helping me out on that.
• Otherwise, everything seems to work more or less fine. Because I’m running as a standard user all the time, I don’t run into issues with files having different ownership thanks to the terribleness of “run as administrator”. Having to enter a password to install software really didn’t bother me, even though I installed a ton of stuff on this computer. The problems I’ve had so far have mainly been centered around common actions requiring admin privileges, and as mentioned above, I’m looking into ways to make exceptions.

Hardware security features

My new laptop is a Lenovo, and I’ve jokingly told people that I needed one because I am a serious business person working at a serious business. It’s quite a change from my consumer/media focused HP Pavillion laptop. For instance, I added a fingerprint reader for twenty bucks. Hard to tell so far whether it’s actually useful or just a novelty, but it’s generally faster than typing a password to login. At least, once I figured out that it only works if you swipe left-to-right (but it doesn’t say that anyewhere). Now, I know fairly well just how imperfect finger prints are as a biometric, considering I read a handful of papers comparing different biometric approaches over the summer (they can be fooled by replicas and other means, your fingers can be cut off, not 100% reliable, etc). I definitely don’t want to rely on it (aside: but then, Windows passwords aren’t particularly hard to reset…). Not to mention that shoddy firmware can make you less secure than ever. Still, it’s convenient to have it as an option alongside my password.

However, let it be known that I’m prepared for the worst. Lenovo’s software allows you to register any fingers you want for the scanner, so I’ve registered my least useful fingers. If you want into my laptop that badly, please, just take my left pinky.

Some other things that provide hardware security in a different way:

• “Airbag protection” for my inexpensive spinning platter harddrive. If excessive motion is detected by the system, it will turn off the disk so that it isn’t damaged (or at least, not so badly damaged?)
• They have some pretty good diagnostics of the health of your hardware, like the battery. For instance, they have a measure of your battery’s “wear” - how much its max capacity has decreased from its theoretical maximum. It’s a very welcome feature after the silently degrading health of the batteries for my previous laptop (its original battery is nigh-unusable now).
• There’s a yellow warning icon in my taskbar chiding me for not having a backup solution yet. Sheesh, I’m still investigating rdiff-backup and saving money for a NAS at my dad’s!

I haven’t dug too deeply into all the pre-installed stuff, because consumer focused OEM software is either crappy or driven by greed… often both. Some of Lenovo’s original stuff seems like it might not suck, so I’ll definitely have to investigate. The above are a few examples of things that have yet to annoy me - and in fact, I’m actually glad to have - which is pretty high praise for OEM stuff from someone used to Dell and HP.

As for the pre-installed software they didn’t make… The less said about their generous offer of a free 5 gb SugarSync account (as if that’s somehow a special offer), the better.