2005/06/15 LUA (Least-Privilege User Account, Limited User Account)
© Tony Lawrence, aplawrence.com
More recent news about Longhorn/Vista: Microsoft 'fesses up
With the advent of Longhorn (later note, now called Vista), Microsoft is getting more serious about security. Everyone (well, everyone but your typical Microsoft user) knows what the problem is: Windows almost always runs with admin privileges because it's basically impossible to run it any other way. Longhorn intends to change that. Personally, I don't think it's going to fly because the ingrained culture is going to fight it and pervert it right back to insecurity, but that's yet to be seen. Let's look at their intentions first.
Actually, before we do that, we need to mention the other LUA. Microsoft unfortunately overloaded this acronym. At http://msdn.microsoft.com you'll find:
The Windows logical unit application (LUA) programming interface enables multithreaded Windows-based processes.
That has absolutely nothing to do with the LUA we're talking about here, but if you go Googling for LUA, you will find links to that other usage.
Back to least privilege: Unix folk understand this easily, because this is the default for Unix users. A Unix user typically gets almost no power. If you need to install programs that modify system files, you'll need to gain root (admin) powers to do so. However, many Unix programs can be installed and used by a specific non-privileged user, simply because they don't need access to system files. Amusingly enough, many Windows programs really don't need access to system files either, but they are stupidly written. Most Windows programs require write access to the "Program Files" directory and write their registry keys to HKEY_LOCAL_MACHINE. They COULD have been written to store data in the user's Profile directory and use HKEY_CURRENT_USER for registry keys, but very few are. Therefore they need admin privileges to install.
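The two storage strategies just described, side by side, as an added PowerShell example (not from the original article): per-user settings go under HKEY_CURRENT_USER and the user's profile and work from a limited account, while the per-machine pattern (HKEY_LOCAL_MACHINE and Program Files) is attempted and simply reports the access denial a non-admin user hits. The application name 'ExampleApp' and its key and folder names are hypothetical.

```powershell
# Added example, not code from the original article. Hypothetical program name:
$AppName = 'ExampleApp'

# Per-user locations: owned by the logged-in user, writable from a LUA account
$UserDataDir = Join-Path $env:LOCALAPPDATA $AppName
$UserKey     = "HKCU:\Software\$AppName"

# Per-machine locations: the pattern the article criticises, admin rights required
$MachineDir  = Join-Path $env:ProgramFiles $AppName
$MachineKey  = "HKLM:\SOFTWARE\$AppName"

function Test-IsAdmin {
    # True only if the current process token holds the local Administrators role
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Save-PerUserSetting {
    param([string]$Name, [string]$Value)
    # Profile directory plus HKCU: no elevation needed, so this succeeds for any user
    New-Item -Path $UserDataDir -ItemType Directory -Force | Out-Null
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey | Out-Null }
    Set-ItemProperty -Path $UserKey -Name $Name -Value $Value
    Set-Content -Path (Join-Path $UserDataDir 'settings.ini') -Value "$Name=$Value"
    return Get-ItemPropertyValue -Path $UserKey -Name $Name
}

function Save-PerMachineSetting {
    param([string]$Name, [string]$Value)
    # Program Files plus HKLM: succeeds only when elevated; otherwise report the denial
    try {
        New-Item -Path $MachineDir -ItemType Directory -Force -ErrorAction Stop | Out-Null
        if (-not (Test-Path $MachineKey)) { New-Item -Path $MachineKey -ErrorAction Stop | Out-Null }
        Set-ItemProperty -Path $MachineKey -Name $Name -Value $Value -ErrorAction Stop
        return 'written (process is running elevated)'
    } catch {
        return "denied: $($_.Exception.Message)"
    }
}

"Running as admin:  $(Test-IsAdmin)"
"Per-user value:    $(Save-PerUserSetting -Name 'Theme' -Value 'dark')"
"Per-machine write: $(Save-PerMachineSetting -Name 'Installed' -Value '1')"
```

Run it once as an ordinary user and once elevated: the per-user path succeeds both times, which is the whole point of writing for LUA accounts.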
Worse, they almost always need admin privileges to run. Windows XP can (sometimes) detect that you need more privilege and pop up a box asking for an administrative login and password. Feels almost like Unix, doesn't it? Ayup, except that in XP this doesn't work well and usually won't work at all: you might get the program installed that way, but it's unlikely you'll be able to actually use it because the problems just run too deep.
Longhorn intends to change that. Microsoft is telling application developers to write for non-admin accounts whenever possible. They've even eliminated the Power Users group: users are going to be ordinary, least privilege accounts or full blown administrators, and the developers are supposed to assume that they won't be administrators unless they are really installing system software. So that's the end of that: the developers will rewrite all their code, Longhorn will be a smashing success, and Microsoft will continue toward Galactic domination.
Yeah, right. That's not going to happen. Even Microsoft knows the developers aren't going to rewrite much of anything. They've had the tools to let developers use LUA accounts for years and almost nobody does; Longhorn won't change anything. They therefore have something else in the mix: AIM, or Application Impact Management. This will sandbox the app, and let it think it is happily writing in system space. AIM instead will have given it a virtual copy of what it wants to muck with, and will store that for the app's use. Great idea? Maybe, but there's a flaw here: apps can have deep dependencies on other data in system space, or may really need access to the real system data. I'll bet at least some apps will be broken by AIM.
But Microsoft realizes that, too. They have added a "Protected Administrator" capability for installing software. This is probably what Power User should have been: you run as administrator, but applications you run as such don't necessarily have the same privileges you do. An app has to be "blessed" to get admin powers with this feature turned on. I'm not convinced this is going to work well, and the illusion of safety will probably cause users to not use ordinary, non-empowered accounts. No doubt everyone will use this Protected Admin function and login with administrator accounts. How long will it be before someone writes something that finds a way to bless itself and/or other programs? I suspect it won't be long, but then I'm the pessimistic sort.
I also bet that those who use the PA mode will end up "blessing" any app that misbehaves in the slightest - in fact, I bet that becomes standard tech advice: "Hmm, you say it isn't working? Have you blessed the app?" so shortly it will make no difference whatsoever - EVERYTHING will run with full privileges. Of course the (uninformed) Unix/Linux world often does similar things: I see "chmod 777" employed as a trouble-shooting technique far too often. But this "blessing" is more like "chown root someapp; chmod 4755 someapp" - way more dangerous (though at least a little less than that would be).