Sunday, July 25, 2010

Windows Support Mode

After spending several hours repairing my wife's grandmother's computer from a trojan infection, I realized that, unless I want to spend more time on support, there needs to be a better solution for helping family members on their computers.

In this case, me wife's Grandmother has several behaviors that increase the likelihood that she will be infected.

  1. She installs random software that she downloads from the Internet.

  2. She often runs her programs using "Run as Administrator"


I am tempted to remove Windows from these computers, and install Ubuntu, but I think that this would be a steep learning curve for her, and I would still need to set up a way for her to run windows programs (Wine or VMWare)

If I had more time to dedicate to support, I could change her account to a non-Administrator account level.  But then, everytime she wanted to install some softeare, or run a Windows Update that prompts for administrator access, I would have to do that.  Unfortunately, we are local to her, and I don't have the time to manage all of these things remotely.There are several things that Microsoft could do to make this type of support easier

  • Create a new type of user, lets call it "sub-administrator".  This user would have the following behaviors

    • Would not be able to use the "Run as Adminstrator" command

    • Would only be able to install applications that are signed

      • The developer would sign their app with a private key, where the public key is registered with Microsoft.

      • Microsoft would only allow public keys to be registered from "reputable" developers

      • The application would only install if the signature matches what is expected



    • This user wouldn't be able to modify backup or virus scanner settings



  • Create a new "Safe-mode" setting.  In addition to the Safe-mode with Networking, there would be a "Safe-mode with Networking and secure-RDP".  This would allow the person responsible for support to be able to log in, even when in safe mode

  • Allow an administrator to specify that "Safe-mode" should be entered on the next boot.  This would eliminate the need to be physically present to enter "Safe-Mode"


Even with this scare, I don't think that she will change her behavior, unless Microsoft adds some features that I listed above, I am thinking that either I will have to revoke administrator privileges from her account, or stop offering support.