2005/06/15 LUA (Least-Privilege User Account, Limited User Account)

More recent news about Longhorn/Vista: Microsoft 'fesses up

With the advent of Longhorn (later note, now called Vista), Microsoft is getting more serious about security. Everyone (well, everyone but your typical Microsoft user) knows what the problem is: Windows almost always runs with admin privileges because it's basically impossible to run it any other way. Longhorn intends to change that. Personally, I don't think it's going to fly because the ingrained culture is going to fight it and pervert it right back to insecurity, but that's yet to be seen. Let's look at their intentions first.

Actually, before we do that, we need to mention the other LUA. Microsoft unfortunately overloaded this acronym. At http://msdn.microsoft.com you'll find:

The Windows logical unit application (LUA) programming interface
enables multithreaded Windows-based processes.

That has absolutely nothing to do with the LUA we're talking about here, but if you go Googling for LUA, you will find links to that other usage.

Back to least privilege: Unix folk understand this easily, because this is the default for Unix users. A Unix user typically gets almost no power. If you need to install programs that modify system files, you'll need to gain root (admin) powers to do so. However, many Unix programs can be installed and used by a specific non-privileged user, simply because they don't need access to system files. Amusingly enough, many Windows programs really don't need access to system files either, but they are stupidly written. Most Windows programs require write access to the "Program Files" directory and write their registry keys to HKEY_LOCAL_MACHINE. They COULD have been written to store data in the user's Profile directory and use HKEY_CURRENT_USER for registry keys, but very few are. Therefore they need admin privileges to install.

Worse, they almost always need admin privileges to run. Windows XP can (sometimes) detect that you need more privilege and pop up a box asking for an administrative login and password. Feels almost like Unix, doesn't it? Ayup, except that in XP this doesn't work well and usually won't work at all: you might get the program installed that way, but it's unlikely you'll be able to actually use it because the problems just run too deep.

Longhorn intends to change that. Microsoft is telling application developers to write for non-admin accounts whenever possible. They've even eliminated the Power Users group in all but name (it lingers only for backward compatibility, stripped of its extra privileges): users are going to be ordinary, least privilege accounts or full blown administrators, and the developers are supposed to assume that they won't be administrators unless they are really installing system software. So that's the end of that: the developers will rewrite all their code, Longhorn will be a smashing success, and Microsoft will continue toward Galactic domination.

Yeah, right. That's not going to happen. Even Microsoft knows the developers aren't going to rewrite much of anything. They've had the tools to let developers use LUA accounts for years and almost nobody does; Longhorn won't change anything. They therefore have something else in the mix: AIM, or Application Impact Management. This will sandbox the app and let it think it is happily writing in system space. AIM instead will have given it a virtual, per-user copy of whatever it wants to muck with, and will store that copy for the app's use. Great idea? Maybe, but there's a flaw here: apps can have deep dependencies on other data in system space, or may really need access to the real system data. An app that writes a setting through its private copy and then expects a service, another user, or its own installer to find that setting in the real location is going to be confused. I'll bet at least some apps will be broken by AIM.
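The two ideas above, writing to the user's own profile instead of Program Files/HKLM and the AIM-style redirection of writes into a per-user copy, are easy to see in a small model. The following is an added example, not code from the page or from Microsoft: it implements copy-on-write redirection of a "protected" directory tree into a per-user shadow tree, using constructed files in a temporary directory. The directory names (Program Files, VirtualStore) and the per_user_data_dir rules are illustrative assumptions, not a description of any real Windows implementation. The demo also shows the failure mode the paragraph warns about: anything that opens the real file directly never sees what the app wrote.

```python
import os
import tempfile
from pathlib import Path


def per_user_data_dir(app_name, env=None):
    """Where a well-behaved app should keep its writable state: the user's
    profile (APPDATA on Windows, XDG_CONFIG_HOME or ~/.config elsewhere),
    never the install directory. `env` is injectable so the choice can be
    exercised without touching the real environment (assumed layout)."""
    env = os.environ if env is None else env
    if "APPDATA" in env:
        return Path(env["APPDATA"]) / app_name
    base = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", "~"), ".config")
    return Path(base) / app_name


class VirtualizedStore:
    """Copy-on-write redirection of one protected tree into a per-user shadow.

    Reads come from the shadow if the user has already modified the file
    there, otherwise from the protected original. Writes always land in the
    shadow; the protected tree is never touched, which is why no admin
    rights are needed. This is a model of the AIM idea, not Microsoft's code."""

    def __init__(self, protected_root, shadow_root):
        self.protected_root = Path(protected_root)
        self.shadow_root = Path(shadow_root)

    def _pair(self, relative):
        rel = Path(relative)
        # Refuse anything that could escape the virtualized tree.
        if rel.is_absolute() or ".." in rel.parts:
            raise ValueError("refusing path outside the virtualized tree: %r" % relative)
        return self.protected_root / rel, self.shadow_root / rel

    def read(self, relative):
        real, shadow = self._pair(relative)
        return (shadow if shadow.exists() else real).read_bytes()

    def write(self, relative, data):
        real, shadow = self._pair(relative)
        shadow.parent.mkdir(parents=True, exist_ok=True)
        shadow.write_bytes(data)
        return shadow

    def append(self, relative, data):
        # First modification of an untouched file starts from the original.
        real, shadow = self._pair(relative)
        if shadow.exists():
            base = shadow.read_bytes()
        elif real.exists():
            base = real.read_bytes()
        else:
            base = b""
        return self.write(relative, base + data)


def demo():
    """Runs the model on constructed files and returns what each party sees."""
    with tempfile.TemporaryDirectory() as tmp:
        program_files = Path(tmp) / "Program Files" / "SomeApp"   # constructed
        program_files.mkdir(parents=True)
        (program_files / "settings.ini").write_bytes(b"[app]\ncolor=blue\n")
        shadow = Path(tmp) / "profile" / "VirtualStore" / "SomeApp"  # constructed

        store = VirtualizedStore(program_files, shadow)
        before = store.read("settings.ini")
        store.append("settings.ini", b"color=red\n")   # app thinks it edited Program Files
        app_view = store.read("settings.ini")
        # A service, another user, or the installer opening the real file
        # sees nothing: the 'deep dependency' failure mode.
        real_view = (program_files / "settings.ini").read_bytes()
        return {
            "before": before,
            "app_view": app_view,
            "real_view": real_view,
            "shadow_written": (shadow / "settings.ini").exists(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The app's view and the real file diverge after the first write; that divergence is exactly what makes virtualization safe for the system and unreliable for any program that assumed the write went where it said it did.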

But Microsoft realizes that, too. They have added a "Protected Administrator" capability for installing software. This is probably what Power User should have been: you run as administrator, but applications you run as such don't necessarily have the same privileges you do. An app has to be "blessed" to get admin powers with this feature turned on. I'm not convinced this is going to work well, and the illusion of safety will probably cause users to not use ordinary, non-empowered accounts. No doubt everyone will use this Protected Admin function and login with administrator accounts. How long will it be before someone writes something that finds a way to bless itself and/or other programs? I suspect it won't be long, but then I'm the pessimistic sort.

I also bet that those who use the PA mode will end up "blessing" any app that misbehaves in the slightest - in fact, I bet that becomes standard tech advice: "Hmm, you say it isn't working? Have you blessed the app?" so shortly it will make no difference whatsoever - EVERYTHING will run with full privileges. Of course the (uninformed) Unix/Linux world often does similar things: I see "chmod 777" employed as a trouble-shooting technique far too often. But this "blessing" is more like "chown root someapp; chmod 4755 someapp" - way more dangerous, because a world-writable file only lets anyone change that file, while a setuid root program lets anyone run code as root (though blessing is at least a little less dangerous than that).
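Both shortcuts leave a trace in file modes, so they can be audited. The following is an added example, not from the page: a small Python audit that walks a tree and flags the two patterns compared above, world-writable files (the chmod 777 "fix") and setuid/setgid executables (the chmod 4755 "fix"), ranking a setuid root binary above a merely world-writable file. It is a Unix check, which is the side of the analogy the author is on; the Windows "blessing" has no mode bit to look for. The files it examines are constructed in a temporary directory, so it runs without root.

```python
import os
import stat
import tempfile
from pathlib import Path

# Higher number = worse. Setuid root is the "run as anyone, act as root" case;
# world-writable is "anyone can alter the contents". (Ranking is this
# example's choice, not a standard.)
SEVERITY = {"world-writable": 1, "setgid": 2, "setuid": 3, "setuid root": 4}


def classify(path):
    """Return the list of (finding, path, mode) entries for one file."""
    st = path.lstat()
    mode = st.st_mode
    if not stat.S_ISREG(mode):
        return []
    findings = []
    shown = oct(stat.S_IMODE(mode))
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", str(path), shown))
    if mode & stat.S_ISUID:
        kind = "setuid root" if st.st_uid == 0 else "setuid"
        findings.append((kind, str(path), shown))
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        findings.append(("setgid", str(path), shown))
    return findings


def audit_tree(root):
    """Walk `root` (without following symlinks) and collect findings,
    worst first."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        findings.extend(classify(path))
    return sorted(findings, key=lambda f: -SEVERITY[f[0]])


def demo():
    """Builds three constructed files and audits them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, mode in (("good", 0o755), ("lazy", 0o777), ("dangerous", 0o4755)):
            p = root / name
            p.write_bytes(b"#!/bin/sh\necho hi\n")
            os.chmod(p, mode)
        return [(kind, Path(p).name, mode) for kind, p, mode in audit_tree(root)]


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The "lazy" file shows up as world-writable and the "dangerous" one as setuid (as setuid root only if the audit itself ran as root and so owns the file); "good" produces nothing. On a real system the equivalent one-liner is find / -xdev -type f \( -perm -4000 -o -perm -0002 \), but the Python version makes the ranking explicit.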

Read more at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp.

Got something to add? Send me email.


© Tony Lawrence

Sun Jun 26 14:09:08 2005: 718   TonyLawrence

A slashdot thread ( (link) )
discusses this subject also.

Tue Jun 28 13:35:11 2005: 730   TonyLawrence

A Wiki at (link) has a lot of good tips and resources
about things you can do now to improve admin access security.

Sun Oct 2 16:23:38 2005: 1145   BigDumbDinosaur

Finally got around to reading this -- too much work and not enough goof-off time, I guess.

Back to least privilege: Unix folk understand this easily, because this is the default for Unix users

Every time I have to work on a Windows 2000/XP box I get so annoyed with the stupidity of the "security model" that Microsoft has put together. Leave it to Redmond to take a basically simple concept of controlling and limiting ordinary user access and make it a gigantic and complicated mess. Why, oh why, are there so many user groups? In the UNIX world, users either have system privileges or they don't. In the overwhelming majority of cases, that is all that is needed! With Windows, things are the exact opposite: a confusing mish-mash of groups (power users, etc.) and no easy way to grant one specific privilege to one specific user. What a friggin' mess!

Of course, with the stupid design that Microsoft has developed, where ordinary software has to write keys into the registry using administrator level access, or in some cases, supplant or replace DLLs in the system subdir, you might as well run everyone as an administrator. Otherwise, you'll be constantly tripping over annoying little problems when the non-administrator tries to actually get any work done.

Fri Apr 4 12:43:16 2008: 3941   TonyLawrence

As I thought, Vista security is annoying the Windows folks, so now they are telling you how to disable it: (link)
