I ordered a data-logger for a work-related project, which comes with Windows software and needs admin privilege (that I don’t have due to corporate IT policies). So I lost 2h going to the IT department trying to get someone with admin rights to install this driver :(
What’s the reason hardware comes mostly with Windows drivers (rather than Linux), and why do these software/drivers need admin privilege for installation when their customer base is professionals who often don’t have the right privilege on their PC? Is there something technically forcing the privilege elevation to install a driver?
Windows has the market share and Linux dev time means extra cost for a small market.
Workers not having the ability to install any old software that they want is a feature. It’s so dumb old Timmy can’t compromise the entire company’s network of devices by opening OneNightInParis.mp4.exe.
Also, you asked 3 completely different and unrelated questions:
- Why do drivers need admin permissions?
- Why do devices only come with Windows drivers?
- Why are corporate IT policies the way they are?
#3 could be broken down even further, covering how/when admin is granted, as well as how devices are procured.
At my (large) employer, we absolutely would’ve told you to pound sand for getting that device outside of official channels and bypassing a security review. Especially since you described it as a data logger.
> Why are corporate IT policies the way they are?
I thought about this the other day when asking my IT department why they won’t let me carry a USB stick between home and work to be able to work from home and instead lock down the USB access and instruct me to use Google Drive instead…
I decided that most corporations only cosplay their IT security inasmuch as it only matters up to and not beyond the point of economic convenience.
If any of these companies truly cared about security, they would at the very least be using a hardened fork of Chrome with Google Services stripped out. They’d be self-hosting their own servers connected only via a VPN of some sort, etc… etc…
But that shit takes money and staff to maintain it. So they’ll give everything to third parties to manage instead and then send out pop-quiz emails about phishing every couple of weeks followed by sternly worded emails when a person fails it.
(Sorry…off my anti-depressants until pay day, so I have a lot of micro rants that have built up…haha)
Microsoft and co’s security is infinitely better than 99.99% of companies can manage self-hosting their own stuff. They give guarantees too.
> Is there something technically forcing the privilege elevation to install a driver?
Yes. With few exceptions, drivers need admin permissions to be installed. In part that’s because they need admin permissions to run, and malicious drivers have absolutely been exploited in the past.
Some hardware (e.g. mice, keyboards, storage) doesn’t need additional drivers to be installed, but that’s because the OS uses generic drivers, or has a whitelisted source (e.g. Windows Update).
Even if it didn’t, you can bet your IT department would have a GPO or policy preventing its installation. Why do you think that you can bring and hook up a piece of unapproved hardware that may do more than what it says without the company (who owns the device) vetting it?
If it was Linux, you’d still need sudo rights to install a driver and you’ll have to run through the same mousetrap, just Linux not Windows.
Though Linux has a MUCH bigger list of inbuilt drivers ready to go in the kernel.
Linux distros have to ship all these drivers because otherwise someone would try that distro and say “nothing works, this sucks” if they had to go hunt for drivers to install. Windows computers really are the same way, but they’re almost always preconfigured.
Market share. Basic permissions model.
Which is less time consuming and therefore cheaper.
> due to corporate IT policies
I think that answers your question right there. If you got the device outside of that realm, you’d probably have no issues. Talk to your security and IT people about why that is. There are huge security risks for people being admin over their systems.
For context, I run my home computer as a non-admin user most of the time, unless I need to make some deep changes, which is not often. Maybe once a month. This saves me from accidentally installing a rootkit or other software. I run my children and wife under the same context so they don’t need to worry either. Yes, it takes me a bit of time to go through and approve some updates, but that’s worth it to not need to worry as much about viruses and keeping data secure.
The amount of time it takes your IT department to do something is another complaint that should be directed at them. We get those kinds of complaints constantly, but it’s the fact we have everyone asking the same things or completely meaningless ones. You’re in the queue, please give us patience.
> This saves me from accidentally installing a rootkit or other software.
This sentence surprised me a bit. When and how often do you run that risk?
Before the last few years, I was on a lot of torrenting sites. Really before a lot of software became what we now know as FOSS, it was the way we traded software. So, there was a potential much higher then than now. I’ve been doing this computer thing for closer to 30+ years, so my habits come from headaches and other learned lessons.
The customer for anyone selling PC components or accessories is whoever owns the PC. And if you don’t have admin rights, you essentially don’t own the PC.
Would you let your teenage kid approve a mechanic you don’t know making changes to your car?
Actually, this isn’t my question. I totally understand why I don’t have admin rights, but I am wondering why tool manufacturers don’t have a way to run “stand-alone”. There are tools I need to do my job, and others that I need to qualify/evaluate for my job…
It’s new hardware. It needs to interact with Windows or Linux at a level that gives it hardware access. That requires admin (Windows) or Root (Linux) for software to be installed that has the ability to interact with new hardware that neither Windows nor Linux knows about.
Software talks to the Operating System. The Operating System talks to drivers (small programs that understand the hardware). Drivers talk to hardware. Windows and Linux come bundled with hundreds of drivers. But they don’t come bundled with drivers for everything. That’s why you need to install the driver. If software could access hardware directly as a stand alone program, then anything you click on or run on the internet could also directly access hardware and install viruses, Trojans, spyware, etc.
Software that could run stand-alone and directly access hardware is how PCs running DOS worked.
Laziness usually. Most people give it when pushed.
Good thing is most of these will work inside of a virtual machine. So it becomes kind of a moot issue.
Gross. Tell your IT director about solutions to this problem, like autoelevate or similar. I mean there’s a security tradeoff, but you can have Windows prompts for admins automatically prompt an IT admin to review and enter their credentials or deny and request more info. And it’s a very easy deployment for any intermediate IT person.
Edit: autoelevate DOES NOT AUTOMATICALLY ALLOW.
Christ. I mean, bad job on the devs naming it but don’t downvote me based on a couple dumbass knee jerk responses. It does this appropriately. Lemmy sucks sometimes.
No competent IT director would allow that.
Maybe google it before pretending you know what it does based on the name?
Talk about something no competent IT director would do 🙄.
No change control on admin privileges… that can’t be bad right lol
Actually, we do now have an approved way to get admin privileges through a dedicated application. However, in my experience if you run one installer it works, but if the installer calls for a second installer (let’s say one for the driver and one for the software). So I end up having to still bother IT.
There’s software to do this appropriately, like ThreatLocker for example, but in most cases auto elevation is a horrible idea from a security standpoint.
Autoelevate does handle this appropriately.
It automatically sends the prompt to a designated group of admin users for review. It 100% removes admin rights from end user machines.
It doesn’t automatically allow anything.
So many people in this thread responding to text without looking into anything – talk about bad security practices.
I think there are multiple things called autoelevate then.
Top Google result.
That means fucking nothing these days.