The install process creates only a "user account" without pointing out that it is privileged and should not be used online.Although the account manager does recommend use of standard accounts, the average home user is never going to get there - they are just going to turn on the PC they bought in a store and keep clicking "OK" until they get to a normal desktop.The "principle of least privilege" is the #1 most effective defence against viruses and malware (at least, in 2007 it was), since they typically run with the privilege of the logged-on user, and if (s)he can't write to the registry or boot record, nor can the virus.Now that we have (hopefully) purged out all the old Windows 95 programs that kept user data in C:\Progam Files and wrote to the framebuffer directly, it's time to grow up and do things properly, like mainframes have done since about 1966.(similar rant posted to Security forum)

The account created is only added to the administrators group but when logged on it is running as a "standard user"unless you have turned off UAC or when you run elevated ("run as administrator", etc...)

Have you used Vista at all? If not, then you are basing your post on old, XP era information. Starting with Vista, Microsoft made accounts with administrative rights pretty much run under a standard user account token. Only when an operation requires elevated rights, do he or she receive elevated, full admin rights after acknowledgement of a UAC prompt (in some cases, multiple UAC prompts). It is similar, although not the same, as issuing a SUDO command in Linux to accomplish administrative related tasks. Here are some good reads about UAC implementation: http://technet.microsoft.com/en-us/library/cc709691.aspxhttp://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

You are right; I have not used Vista much although I have it on a laptop. We have not generally not deployed Vista onsite and have continued to install XP with a site licence.I am familiar with sudo but I have more trust in the legacy method - su with a password when I need it - and that's what I do on XP.Thank you for the links.From what I have seen of UAC in the administrator account, it does not ask for a password to request elevated privilege, it only asks the user to click "OK". Which would seem vulnerable to clickjacking and just plain user "OK fatigue". Despite UAC, I think there is still some benefit in encouraging users to use a standard account. For instance, as administrator I can delete a file under \Program Files\xxx just by clicking "continue", while as a standard user I have to give a password (certainly more convenient than having to switch user for the whole desktop, incidentally).

In that regard, you are right. OK fatigue can easily kick in. Unfortunately, there are big differences between Linux and Windows users. Those of us who use Linux on a regular basis dont mind the UAC promptsI have actually reset my Windows 7 boxes to emulate the default behavior in Windows Vista. A user running under an account with a true standard token will be presented with a dialog box asking for Administrative credentials when invoking an administrative task. Again, this is good for us power usersI know of a couple people who have created an account named root so that it further emulates Linux behaviorbut a normal user would just ask around for a method to turn it off. Normally, when that happens, UAC gets turned off altogether, which then makes the box as vulnerable as pre-Vista releases. One of the great things about having systems on a domain in a work environment is that operating procedures usually are on our side, thus forcing the users to have to live with the elevated credentials prompt where it asks for an username and password.

I guess I had hoped that we could finally wean home users off running privileged. I set up my daughter's XP system with a 'limited account"and all the new stuff (FireFox, OpenOffice etc.) works fine. I was able to get some older programs (the Sims, Babylon dictionary) to run just by loosening some file access permissions under \Program Files\Vendor\program, and don't need administrator access for months at a time. The Vista beta was actually more difficult since it added access control on execution too; I gave up on trying to get PuTTy to work.I realize "root" is a bit simple-minded (1970's I think) compared to things like UAC, SELinux, ACLs in VMS etc, but I trust it. SELinux I had to turn off, pending finding time to understand it enough to get my mail to work.

SELinux is a real PITA. No argument here. There is one thing about the Vista/7 version I have found. You mention that you are able to modify permissions on selected folder under c:\program files to get some applications to work while running as a standard user under XP. Yes, that works greatfor XP. This DOES NOT work for Vista/7 due to folder virtualization. What I have found (at least what I had to do), was create a folder named c:\application files (or anything you want as the name is not important) and install some troublesome applications there. Since it is not a system folder, permissions can be modified easily if necessary w/out affecting system integrity and while not having to tamper with UAC.

UAC is NOT a solution to least privilege. Least privilege is defined for all users, not just admins. Yes, UAC can be used by Admins to come close to Least privilege, but it does fall short when it comes to the overall definition of least privilege. for standard users, UAC is not even close to solving least privilege. To solve least privilege for XP, Vista, and 7 (even with UAC running), you need a program like BeyondTrust Privilege Manager. This is a Group Policy extension that elevates the application, while still running under the user context! Not a RunAs... no AD hacks, No schema changes! Also, there is a free version! DerekMVP and "MSPress Group Policy Resource Kit" author