As I go back and forth between Vista and OS X, I’ve been trying to map out the similarities and differences of their respective security models.
On both systems you can be either the administrator or a standard user, but by default you never run as the fully-privileged root, or superuser.
When you want to change a secure setting (like the firewall), or install an application, you have to temporarily elevate your privileges.
On a default OS X system, the administrator can write a secure file or alter a secure setting without being prompted. A standard user who tries to do these things is prompted for an administrator’s name and password.
On my OS X system, as administrator, I’m prompted for name/password even to change a secure system setting, because I’ve checked the Require password to unlock each secure system preference option. Because I’d forgotten that I’d done that, the Apple ads dinging Vista for its chatty security prompts initially made no sense. From my perspective OS X was chattier than Vista.
On a default Vista system, the administrator and standard users are both prompted, but in different ways. For the administrator it’s a click-through consent dialog; for the standard user it requires (as on OS X) an admin’s name and password.
On my Vista system I’d prefer to mimic the OS X behavior and require a full name/password challenge. I believe that’s possible using the Local Security Policy editor but in my case, since my system is part of a managed domain, I might not be able to make that change myself.
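As an added example (not code from the original post), here is a PowerShell script that does at the registry level what the Local Security Policy editor does under Local Policies > Security Options > “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode”: it reads the current UAC prompt settings and switches administrators from the click-through consent dialog to a name/password challenge. The registry key and value names are Microsoft’s; the function names and the value-to-meaning table are mine. It assumes PowerShell 2.0 or later, run from an elevated prompt.

```powershell
# Added example, not from the original post: inspect and change the UAC
# elevation-prompt policy so administrators get a credentials prompt
# instead of a consent click-through. Run from an elevated PowerShell.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin. Vista defines 0-2; Windows 7 and
# later add 3-5, but 1 means the same thing everywhere: ask for credentials.
$adminPromptNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials'
    2 = 'Prompt for consent (Vista default)'
    3 = 'Prompt for credentials, not on the secure desktop (Windows 7+)'
    4 = 'Prompt for consent, not on the secure desktop (Windows 7+)'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7+ default)'
}

function Get-UacPromptPolicy {
    $p = Get-ItemProperty -Path $uacKey
    $adminValue = $p.ConsentPromptBehaviorAdmin
    if ($null -eq $adminValue) {
        $meaning = 'not set (OS default applies)'
    } else {
        $meaning = $adminPromptNames[[int]$adminValue]
    }
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $adminValue
        AdminPromptMeaning         = $meaning
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Set-UacAdminCredentialPrompt {
    # 1 = "Prompt for credentials": an administrator must type a name and
    # password to elevate, which mimics OS X with "Require password to unlock
    # each secure system preference" checked.
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    # Keep the prompt on the secure desktop so other user-mode processes
    # cannot drive or spoof it.
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

'Before:'
Get-UacPromptPolicy | Format-List

Set-UacAdminCredentialPrompt

'After:'
Get-UacPromptPolicy | Format-List
```

The domain caveat in the post is real: these values live under the Policies\System key precisely because Group Policy writes them there. If a domain GPO sets the UAC security options, the next policy refresh (background refresh or `gpupdate /force`) silently puts the values back. On a domain-joined machine, run `gpresult /h uac.html` and look under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options to see whether a GPO owns the User Account Control entries before trusting the change; if it does, the setting has to come from the domain administrators.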
Another thing that initially made no sense to me was that the account on my freshly-installed Vista system came up as an administrator, not as a standard user. That’s because I’d made a faulty conceptual mapping between XP and Vista. On XP, you can try to implement the old Unix best practice of creating and mostly running as a standard user, reserving the root account for occasional privilege elevation. That strategy rarely works, though, and I had initially thought that Vista’s User Account Control (UAC) system was a way to remove the obstacles that prevent it from working.
In fact Vista’s model is less like Unix or XP, where root and administrator mean basically the same thing, and more like OS X where they mean different things.
It would be extremely helpful to me, and I’m sure to many others, to see a comparative chart of exactly what those meanings are. If someone can point to one, that’d be great, because there’s been some confusing semantic drift. That word ‘administrator’: I do not think it means what you think it means.
Despite the separation of root and administrator, the old best practice of relinquishing the administrative account remains available on both OS X and Vista. Given that it’s not the default on either system this is mostly an academic question, but does anyone think that it should still be a best practice? If so, why?
One interesting data point comes from a recent interview in which Charles Torre speaks with UAC gurus Jon Schwartz and Chris Corio. (If, like me, you don’t have 65 minutes of viewing time but do have 65 minutes of listening time, you can find just the audio here.) Towards the end of the interview Jon Schwartz mentions that he considered, and rejected, the idea of setting up his parents’ machine so they’d only be able to log in to user accounts.
Because I’ve lived through the evolution of all this stuff, I still feel a twinge of guilt for running as administrator on both OS X and Vista. But most people never knew why that might be a problem, and now it’s water under the bridge — with one huge exception. There are hordes of people on XP today who will be there for years to come. So while it’s difficult to use standard accounts routinely on XP, anything that can be done to make that strategy more viable will be a huge benefit to everyone.