Administrator vs. Administrateur, et. al.

by Michael S. Kaplan, published on 2005/12/27 03:01 -05:00, original URI: http://blogs.msdn.com/b/michkap/archive/2005/12/27/507404.aspx


Yesterday, Ashutosh Galande blogged a bit about the dangers of using the string version of the Administrator account.

The reasons that it is a bad idea are numerous, but I thought I might explain a bit more about the particular problem behind bugs like the one that is described in MSKB article 258163 and how MUI has an interesting effect here on some code.

Now the MUI version of Windows always has some base language (usually English but for some languages, other base languages are used).

And I am sure you can imagine the havoc that it would wreak on a computer if literal account names used for logging into the machine could change just by changing the UI language.

So, there are at least three alternative implementation choices here:

Now there are many reasons that the first two choices can be incredibly problematic and even dangerous from a security perspective, so the third choice is the one that is done.

HOWEVER, the localized account names (e.g. Administrateur for Administrator) are in the localized resources in many cases, which is probably a bad idea since the localized strings are chosen by UI language even though the account names are not. This mismatch is indeed the cause behind the problem described in 258163, although it probably could have been worded a little more clearly. :-)

The safest answer is just as Ashutosh indicated -- using the SID to get the name rather than assuming a particular localized string....

For the actual bug, it is a simple case of misunderstanding one of the subtle (and usually obscure) differences between the MUI version of Windows and the localized version, and of course the problem that happens any time you rely on localization content to control what happens when code executes.
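As an added example (not code from the original post or from MSKB 258163), this is the SID-based lookup Ashutosh recommends, done from PowerShell: identify the built-in Administrator by its well-known RID 500 and let the system tell you what the account is called, instead of assuming the string "Administrator". It assumes a Windows host with the `Microsoft.PowerShell.LocalAccounts` module (Windows PowerShell 5.1 or later); the function name `Get-BuiltinAdministrator` is my own.

```powershell
# Added example: resolve the built-in Administrator by SID, not by name.
# Works on a French (Administrateur), MUI, or renamed installation alike.
function Get-BuiltinAdministrator {
    [CmdletBinding()]
    param()

    # Every local account SID is <machine SID>-<RID>. RID 500 is the built-in
    # Administrator no matter what UI language or rename is in effect.
    $account = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' } |
        Select-Object -First 1
    if (-not $account) {
        throw 'No local account with RID 500 found.'
    }

    # Rebuild the same SID from the well-known type plus the machine SID, then
    # translate it. Translate() calls LookupAccountSid underneath and returns
    # the current display name (Administrator, Administrateur, or the renamed
    # value), which is the string the post says should never be hard-coded.
    $machineSid = $account.SID.AccountDomainSid
    $adminSid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid,
        $machineSid)
    $ntAccount = $adminSid.Translate([System.Security.Principal.NTAccount])

    [pscustomobject]@{
        Sid     = $adminSid.Value
        Name    = $ntAccount.Value      # e.g. MACHINE\Administrateur
        Enabled = $account.Enabled
    }
}

# Fragile pattern behind KB 258163: assumes the English, un-renamed string.
# This fails on a localized build or after the account has been renamed.
#   Get-LocalUser -Name 'Administrator'

# Robust pattern: resolve by SID, then use whatever name comes back.
$admin = Get-BuiltinAdministrator
"Built-in Administrator is '$($admin.Name)' ($($admin.Sid))"
```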


This post brought to you by "" (U+189a, MONGOLIAN LETTER MANCHU ALI GALI GHA)


# Fred on 27 Dec 2005 9:48 AM:

Microsoft itself advises administrators to rename the administrator account anyway, so any software should IMO take this into account and use the SID to do the translation. Actually, I wouldn't be surprised if this were a requirement for the Windows certification program, or whatever Microsoft calls it these days. Now if only Microsoft would also follow their own guidelines, things would be very nice indeed.

# Michael S. Kaplan on 27 Dec 2005 10:12 AM:

In the words of Arkady Renko, slightly munged -- 'A company is like a body. First the muscle, later the hair lotion'

In other words, I agree with you, but assuming it is as simple as an "if only..." wish implies is ignoring some of the complexities....

:-)

# Fred on 28 Dec 2005 8:45 AM:

I agree, it isn't as easy as someone High Up[TM] decreeing compliance to whatever standard du jour is in fashion :) But hey, it'd be a nice dream anyway!

I work in a company of only 1000 people. And even there it's pretty much impossible to get project and development teams to comply with agreed-upon standards. It must be a royal disaster to try and make a company the size of Microsoft do it...
