APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed
2005/06/15


LUA (Least-Privilege User Account, Limited User Account)



More recent news about Longhorn/Vista: Microsoft 'fesses up

With the advent of Longhorn (later note: it has since been renamed Vista), Microsoft is getting more serious about security. Everyone (well, everyone but your typical Microsoft user) knows what the problem is: Windows almost always runs with admin privileges, because so much of its software breaks if you try to run it any other way. Longhorn intends to change that. Personally, I don't think it's going to fly, because the ingrained culture is going to fight it and pervert it right back to insecurity, but that's yet to be seen. Let's look at their intentions first.

Actually, before we do that, we need to mention the other LUA. Microsoft has unfortunately overloaded this acronym. At http://msdn.microsoft.com you'll find:


The Windows logical unit application (LUA) programming interface
enables multithreaded Windows-based processes.

That has absolutely nothing to do with the LUA we're talking about here, but if you go Googling for LUA, you will find links to that other usage.

Back to least privilege: Unix folk understand this easily, because it is the default for Unix users. A Unix user typically gets almost no power beyond his own home directory. If you need to install programs that modify system files, you'll need to gain root (admin) powers to do so. However, many Unix programs can be installed and used by an ordinary, non-privileged user, simply because they don't need access to system files. Amusingly enough, many Windows programs really don't need access to system files either, but they are stupidly written. Most Windows programs require write access to the "Program Files" directory and write their registry keys under HKEY_LOCAL_MACHINE. They COULD have been written to store data in the user's profile directory and keep their registry keys under HKEY_CURRENT_USER, but very few are. Therefore they need admin privileges to install.
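To make that distinction concrete, here is an added example (my own code, not anything from Microsoft or from this article) that takes a list of the writes an application performs and reports which ones a limited user account could not do, along with the per-user location the program could have used instead. The log format is a constructed simplification loosely modelled on a Process Monitor CSV export, and the protected-path list is an assumption that covers only Program Files, the Windows directory and HKEY_LOCAL_MACHINE; real installs can touch other per-machine locations too.

```python
"""Audit an application's write targets for LUA-friendliness.

Added example for this article, not Microsoft's code. The log format
below is a constructed simplification loosely modelled on a Process
Monitor CSV export (Operation,Path); real exports carry more columns.
"""
import csv
import io

# Operations that modify a file or registry key, and which namespace they touch.
WRITE_OPS = {
    "WriteFile": "file",
    "SetDispositionInformationFile": "file",   # delete
    "RegSetValue": "reg",
    "RegCreateKey": "reg",
    "RegDeleteValue": "reg",
}

# Per-machine locations: a limited user can read them but not write them.
# (Assumed list; it covers the cases the article complains about.)
PROTECTED_FILE_PREFIXES = ("c:\\program files", "c:\\windows")
PROTECTED_REG_PREFIXES = ("hkey_local_machine", "hklm")

# Per-user homes for the same data. %APPDATA% is C:\Users\<name>\AppData\Roaming.
PER_USER_FILE_HOME = "%APPDATA%"
PER_USER_REG_HIVE = "HKEY_CURRENT_USER"


def _protected_prefix(kind, path):
    """Return the protected prefix the path falls under, or None."""
    low = path.replace("/", "\\").lower()
    prefixes = PROTECTED_FILE_PREFIXES if kind == "file" else PROTECTED_REG_PREFIXES
    for pref in prefixes:
        if low.startswith(pref + "\\"):
            return pref
    return None


def needs_admin(kind, path):
    return _protected_prefix(kind, path) is not None


def per_user_equivalent(kind, path):
    """Where a well-behaved app could have written instead, or None when
    the target is genuinely system-level (drivers, system DLLs)."""
    pref = _protected_prefix(kind, path)
    if pref is None:
        return path
    rest = path.replace("/", "\\")[len(pref):]     # keeps the leading backslash
    if kind == "file":
        if pref == "c:\\windows":
            return None     # really installing system software; admin is legitimate
        return PER_USER_FILE_HOME + rest
    return PER_USER_REG_HIVE + rest


def audit(log_text):
    """Return (findings, lua_friendly). Reads and opens are ignored: a
    limited user may read Program Files and HKLM, just not write them."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = WRITE_OPS.get(row["Operation"])
        if kind is None:
            continue
        admin = needs_admin(kind, row["Path"])
        findings.append({
            "op": row["Operation"],
            "path": row["Path"],
            "needs_admin": admin,
            "per_user": per_user_equivalent(kind, row["Path"]) if admin else None,
        })
    return findings, not any(f["needs_admin"] for f in findings)


# Constructed sample: one run of a fictional "FooApp" as limited user alice.
SAMPLE_LOG = """Operation,Path
CreateFile,C:\\Program Files\\FooApp\\foo.exe
ReadFile,C:\\Program Files\\FooApp\\foo.exe
WriteFile,C:\\Program Files\\FooApp\\settings.ini
RegSetValue,HKLM\\Software\\FooApp\\LastRun
RegSetValue,HKCU\\Software\\FooApp\\WindowPos
WriteFile,C:\\Users\\alice\\AppData\\Roaming\\FooApp\\cache.dat
WriteFile,C:\\Windows\\System32\\drivers\\foo.sys
"""

if __name__ == "__main__":
    findings, ok = audit(SAMPLE_LOG)
    for f in findings:
        tag = "ADMIN " if f["needs_admin"] else "user  "
        hint = f" -> could use {f['per_user']}" if f["per_user"] else ""
        print(f"{tag}{f['op']:<12} {f['path']}{hint}")
    print("LUA-friendly:", ok)
```

The only write in the sample that legitimately needs admin is the driver under C:\Windows; the settings file and the HKLM key are exactly the kind of thing the article says belongs in the profile and HKCU.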

Worse, they almost always need admin privileges to run. Windows XP can (sometimes) detect that you need more privilege and pop up a box asking for an administrative login and password. Feels almost like Unix, doesn't it? Ayup, except that in XP this doesn't work well and usually won't work at all: you might get the program installed that way, but it's unlikely you'll be able to actually use it, because the problems run too deep. A program that needed admin rights to write its files and registry keys at install time usually expects to write to the same places every time it runs, and your ordinary account can't.

Longhorn intends to change that. Microsoft is telling application developers to write for non-admin accounts whenever possible. They've even eliminated the Power Users group: users are going to be either ordinary, least-privilege accounts or full-blown administrators, and developers are supposed to assume that their users won't be administrators unless they are really installing system software. So that's the end of that: the developers will rewrite all their code, Longhorn will be a smashing success, and Microsoft will continue toward galactic domination.

Yeah, right. That's not going to happen. Even Microsoft knows the developers aren't going to rewrite much of anything. They've had the tools to let developers support LUA accounts for years and almost nobody uses them; Longhorn won't change that. They therefore have something else in the mix: AIM, or Application Impact Management. This will sandbox the app and let it think it is happily writing into system space. AIM instead will have given it a virtual copy of whatever it wants to muck with, and will store that copy for the app's own use. Great idea? Maybe, but there's a flaw here: apps can have deep dependencies on other data in system space, or may really need access to the real system data. Once an app has been handed a private copy, it keeps reading that copy, so it will not see changes that an installer, a service or another user later makes to the real file. I'll bet at least some apps will be broken by AIM.
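The redirection described above, and the dependency problem it creates, as an added model (my own code, not Microsoft's; the per-user copy store, its name "virtual_store", and the in-memory file system are my own simplification of the idea the article describes):

```python
"""A model of AIM-style write redirection and the dependency problem it creates.

Added example for this article, not Microsoft's code. The per-user copy
store and the in-memory file system are my own simplification; they model
the behaviour the article describes and nothing more.
"""

# Per-machine locations a limited user may not write to (assumed list).
PROTECTED = ("C:\\Program Files\\", "C:\\Windows\\")


class VirtualizedFS:
    """Real files live in `real`; redirected per-user copies in `virtual_store`."""

    def __init__(self, real):
        self.real = dict(real)          # {path: contents}, the real system view
        self.virtual_store = {}         # {(user, path): contents}, private copies

    @staticmethod
    def is_protected(path):
        return any(path.lower().startswith(p.lower()) for p in PROTECTED)

    def write(self, user, path, data, is_admin=False):
        """Admins and unprotected paths hit the real file. A limited user
        writing a protected path gets a private copy instead and is told
        the write succeeded, so the app never learns it was redirected."""
        if is_admin or not self.is_protected(path):
            self.real[path] = data
            return "real"
        self.virtual_store[(user, path)] = data
        return "virtual"

    def read(self, user, path):
        """The private copy shadows the real file for as long as it exists."""
        return self.virtual_store.get((user, path), self.real.get(path))


def scenario():
    """Two users, one app, two different realities."""
    licence = "C:\\Program Files\\FooApp\\licence.dat"
    fs = VirtualizedFS({licence: "v1-key"})

    # alice (limited) runs FooApp, which rewrites its licence file. Silently redirected.
    where = fs.write("alice", licence, "v1-key-renewed")

    # An administrator later installs FooApp v2, replacing the real licence.
    fs.write("admin", licence, "v2-key", is_admin=True)

    # alice's FooApp keeps reading its stale copy; bob, who never triggered a
    # redirect, sees the real v2 file. Neither instance knows anything is wrong.
    return where, fs.read("alice", licence), fs.read("bob", licence), fs.real[licence]


if __name__ == "__main__":
    where, alice, bob, real = scenario()
    print(f"alice's write went to: {where}")
    print(f"alice sees {alice!r}, bob sees {bob!r}, real file is {real!r}")
```

The point of the scenario is the last line: nothing failed, no error was raised, and yet two copies of the same program on the same machine now disagree about the licence, which is the kind of quiet breakage that is much harder to diagnose than a plain "access denied".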

But Microsoft realizes that, too. They have added a "Protected Administrator" capability for installing software. This is probably what Power User should have been: you log in as an administrator, but the applications you run don't automatically get the privileges you have. An app has to be "blessed" to get admin powers while this feature is turned on. I'm not convinced this is going to work well, and the illusion of safety will probably keep users from using ordinary, non-empowered accounts. No doubt everyone will use this Protected Admin function and log in with administrator accounts. How long will it be before someone writes something that finds a way to bless itself and/or other programs? I suspect it won't be long, but then I'm the pessimistic sort.

I also bet that those who use PA mode will end up "blessing" any app that misbehaves in the slightest. In fact, I bet that becomes standard tech advice ("Hmm, you say it isn't working? Have you blessed the app?"), so shortly it will make no difference whatsoever: EVERYTHING will run with full privileges. Of course the (uninformed) Unix/Linux world often does similar things: I see "chmod 777" employed as a troubleshooting technique far too often. But this "blessing" is more like "chown root someapp; chmod 4755 someapp", which is way more dangerous than a sloppy chmod 777, because the program runs with root's powers rather than merely having its files exposed (though blessing is at least a little less dangerous than a setuid-root binary, which hands root to every user who can execute it).
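The Unix side of that comparison can be audited directly. The following added example (my code, not from the article) walks a directory tree and reports setuid/setgid executables, the Unix equivalent of a blessed app, and the world-writable files a "chmod 777" fix leaves behind. It builds a constructed demo tree in a temporary directory so it runs anywhere; point audit_tree at a real path such as /usr/bin to see what your own system has blessed.

```python
"""Find the Unix equivalents of a "blessed" app and a "chmod 777" fix:
setuid/setgid executables and world-writable files.

Added example for this article. The demo tree is constructed in a
temporary directory so the script is self-contained.
"""
import os
import stat
import tempfile


def classify(st):
    """Return the reasons a stat result is a privilege hazard (may be empty)."""
    mode = st.st_mode
    reasons = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        reasons.append("setuid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:
        reasons.append("setgid")
    if mode & stat.S_IWOTH:
        # /tmp-style sticky directories are world-writable by design; skip them.
        if not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            reasons.append("world-writable")
    return reasons


def audit_tree(root):
    """Walk root without following symlinks; return sorted (relpath, reasons)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue   # a link's own mode means nothing; its target is checked where it lives
            reasons = classify(st)
            if reasons:
                found.append((os.path.relpath(full, root), reasons))
    return sorted(found)


def make_demo_tree():
    """Build a constructed tree mirroring the article's bad habits."""
    root = tempfile.mkdtemp(prefix="privaudit-")
    layout = {
        "bin/someapp":  0o4755,  # the "chown root; chmod 4755" blessing (root-owned in real life)
        "lib/helper":   0o2755,  # setgid: the group-level version of the same thing
        "etc/app.conf": 0o666,   # the "chmod 777" troubleshooting fix
        "share/readme": 0o644,   # fine
        "tmp":          0o1777,  # sticky world-writable directory: expected, not reported
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        if rel == "tmp":
            os.makedirs(full, mode=0o755)
        else:
            os.makedirs(os.path.dirname(full), mode=0o755, exist_ok=True)
            with open(full, "w") as f:
                f.write("#!/bin/sh\necho hi\n" if rel.startswith(("bin", "lib")) else "key=value\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path, reasons in audit_tree(target):
        print(f"{', '.join(reasons):<16} {path}")
```

On a real system every setuid-root binary in that report is a program that runs with root's powers for whoever executes it, which is why the list should be short and every entry on it deliberate.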

Read more at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp.

4 comments
Sun Jun 26 14:09:08 2005: 718   TonyLawrence

A slashdot thread ( http://it.slashdot.org/article.pl?sid=05/06/26/072203 )
discusses this subject also.





Tue Jun 28 13:35:11 2005: 730   TonyLawrence

A Wiki at http://nonadmin.editme.com/ has a lot of good tips and resources
about things you can do now to improve admin access security.



Sun Oct 2 16:23:38 2005: 1145   BigDumbDinosaur


Finally got around to reading this -- too much work and not enough goof-off time, I guess.

"Back to least privilege: Unix folk understand this easily, because this is the default for Unix users"

Every time I have to work on a Windows 2000/XP box I get so annoyed with the stupidity of the "security model" that Microsoft has put together. Leave it to Redmond to take a basically simple concept of controlling and limiting ordinary user access and make it a gigantic and complicated mess. Why, oh why, are there so many user groups? In the UNIX world, users either have system privileges or they don't. In the overwhelming majority of cases, that is all that is needed! With Windows, things are the exact opposite: a confusing mish-mash of groups (power users, etc.) and no easy way to grant one specific privilege to one specific user. What a friggin' mess!

Of course, with the stupid design that Microsoft has developed, where ordinary software has to write keys into the registry using administrator level access, or in some cases, supplant or replace DLLs in the system subdir, you might as well run everyone as an administrator. Otherwise, you'll be constantly tripping over annoying little problems when the non-administrator tries to actually get any work done.



Fri Apr 4 12:43:16 2008: 3941   TonyLawrence

As I thought, Vista security is annoying the Windows folks, so now they are telling you how to disable it: http://shippingseven.blogspot.com/2008/04/okso.html

This post tagged:

       - Microsoft
       - Security