2005/06/15 LUA (Least-Privilege User Account, Limited User Account)
More recent news about Longhorn/Vista: Microsoft 'fesses up
With the advent of Longhorn (later note, now called Vista), Microsoft is getting more serious about
security. Everyone (well, everyone but your typical Microsoft user)
knows what the problem is: Windows almost always runs with
admin privileges because it's basically impossible to run it
any other way. Longhorn intends to change that. Personally, I
don't think it's going to fly because the ingrained culture is going to
fight it and pervert it right back to insecurity, but that's
yet to be seen. Let's look at their intentions first.
Actually, before we do that, we need to mention the other
LUA. Microsoft unfortunately overloaded this acronym. At
http://msdn.microsoft.com you'll find:
The Windows logical unit application (LUA) programming interface
enables multithreaded Windows-based processes.
That has absolutely nothing to do with the LUA we're talking about here, but if you go Googling for LUA, you will find links to that other usage.
Back to least privilege: Unix folk understand this easily, because
this is the default for Unix users. A Unix user typically gets
almost no power. If you need to install programs that modify system
files, you'll need to gain root (admin) powers to do so. However,
many Unix programs can be installed and used by a specific non-privileged
user, simply because they don't need access to system files. Amusingly
enough, many Windows programs really don't need access to system files
either, but they are stupidly written. Most Windows programs
require write access to the "Program Files" directory and write their
registry keys to HKEY_LOCAL_MACHINE. They
COULD have been written to store data in the user's Profile
directory and use HKEY_CURRENT_USER for registry keys, but very few are.
Therefore they need admin privileges to install.
Worse, they almost always need admin privileges to run. Windows
XP can (sometimes) detect that you need more privilege and pop up
a box asking for an administrative login and password. Feels
almost like Unix, doesn't it? Ayup, except that in XP this
doesn't work well and usually won't work at all: you might
get the program installed that way, but it's unlikely you'll
be able to actually use it because the problems just run too deep.
Longhorn intends to change that. Microsoft is telling
application developers to write for non-admin accounts whenever
possible. They've even eliminated the Power Users group: users
are going to be ordinary, least privilege accounts or full blown
administrators, and the developers are supposed to assume that
they won't be administrators unless they are really installing
system software. So that's the end of that: the developers
will rewrite all their code, Longhorn will be a smashing success,
and Microsoft will continue toward Galactic domination.
Yeah, right. That's not going to happen. Even Microsoft
knows the developers aren't going to rewrite much of anything.
They've had the tools to let developers use LUA accounts for
years and almost nobody does; Longhorn won't change anything.
They therefore have something else in the mix: AIM, or
Application Impact Management. This will sandbox the
app, and let it think it is happily writing in system
space. AIM instead will have given it a virtual copy
of what it wants to muck with, and will store that for the app's
use. Great idea? Maybe, but there's a flaw here: apps
can have deep dependencies on other data in system space, or
may really need access to the real system data. I'll bet
at least some apps will be broken by AIM.
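A small model of what the two preceding passages describe: an app that insists on writing to Program Files and HKEY_LOCAL_MACHINE, and a redirection layer that silently hands it a per-user copy instead. This is an added example, not Microsoft's AIM code; the stores are in-memory dicts, and the shadow roots (VirtualMachine, VirtualStore) and the user name "alice" are placeholders. The demo function reproduces the flaw predicted above: once the app has a shadow copy of a shared key, a later real update by an elevated installer never reaches it, and elevated code never sees what the app wrote.

```python
# Toy model of the "virtual copy" redirection the post describes: an app
# that writes to machine-wide locations without admin rights gets a
# per-user shadow copy instead. Added example, not Microsoft's code.
# The store is an in-memory dict; the shadow roots (VirtualMachine,
# VirtualStore) and the user name "alice" are assumed placeholders.

# Machine-wide prefixes the app "thinks" it owns -> per-user shadow prefix
REDIRECTS = {
    r"HKEY_LOCAL_MACHINE\Software": r"HKEY_CURRENT_USER\Software\VirtualMachine",
    r"C:\Program Files": r"C:\Users\alice\AppData\Local\VirtualStore\Program Files",
}


def redirect(path):
    """Return the per-user shadow path for a machine-wide path, or None
    when the path is not under a virtualized prefix (e.g. the Windows dir)."""
    low = path.lower()
    for prefix, shadow in REDIRECTS.items():
        if low.startswith(prefix.lower()):
            return shadow + path[len(prefix):]
    return None


class VirtualizedSystem:
    """system: the real machine-wide data (only elevated writes land here).
    user: the per-user store that receives redirected writes."""

    def __init__(self, system):
        self.system = {k.lower(): v for k, v in system.items()}
        self.user = {}
        self.log = []  # what really happened, for the reader

    def write(self, path, value, elevated=False):
        shadow = redirect(path)
        if elevated or shadow is None:
            self.system[path.lower()] = value
            self.log.append("real   write %s" % path)
        else:
            self.user[shadow.lower()] = value
            self.log.append("shadow write %s -> %s" % (path, shadow))

    def read(self, path, elevated=False):
        """Non-elevated reads see the shadow copy first; elevated code
        (a service, an installer) only ever sees the real store."""
        shadow = redirect(path)
        if not elevated and shadow is not None and shadow.lower() in self.user:
            return self.user[shadow.lower()]
        return self.system.get(path.lower())


def stale_dependency_demo():
    """Reproduce the flaw the post predicts: a shadowed key masks a later
    real update, and elevated code never sees the app's own write."""
    key = r"HKEY_LOCAL_MACHINE\Software\SharedLib\Version"
    vs = VirtualizedSystem({key: "1.0"})
    vs.write(key, "1.1")                 # the app, running as a plain user
    first_read = vs.read(key)            # "1.1": its own shadow copy
    vs.write(key, "2.0", elevated=True)  # a real update by an elevated installer
    return {
        "first_read": first_read,
        "app_after_update": vs.read(key),             # still "1.1": stale shadow
        "service_sees": vs.read(key, elevated=True),  # "2.0": never saw "1.1"
        "log": list(vs.log),
    }


if __name__ == "__main__":
    for k, v in stale_dependency_demo().items():
        print(k, v)
```

The point of the demo is that redirection is invisible to the app: nothing in its read or write calls fails, so the divergence between its shadow copy and the real system data only shows up as wrong behaviour later, which is exactly the kind of breakage that is hard to diagnose from the app's side.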
But Microsoft realizes that, too. They have added a
"Protected Administrator" capability for installing software.
This is probably what Power User should have been: you
run as administrator, but applications you run as such
don't necessarily have the same privileges you do. An
app has to be "blessed" to get admin powers with this
feature turned on. I'm not convinced this is going to
work well, and the illusion of safety will probably
cause users to not use ordinary, non-empowered accounts. No
doubt everyone will use this Protected Admin function and
login with administrator accounts. How long will
it be before someone writes something that finds a way to
bless itself and/or other programs? I suspect it won't
be long, but then I'm the pessimistic sort.
I also bet that those who use the PA mode will end up "blessing"
any app that misbehaves in the slightest - in fact, I bet that
becomes standard tech advice: "Hmm, you say it isn't working? Have
you blessed the app?" so shortly it will make no difference whatsoever
- EVERYTHING will run with full privileges. Of course the (uninformed)
Unix/Linux world often does similar things: I see "chmod 777"
employed as a trouble-shooting technique far too often. But this
"blessing" is more like "chown root someapp; chmod 4755 someapp" - way more dangerous (though at least a little less than that would be).
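Since the comparison above ends with "chmod 777" versus "chown root someapp; chmod 4755 someapp", here is an added defender's check (my example, not from the original post) that walks a directory tree and ranks those two shortcuts: a world-writable executable is bad, a setuid-root binary is worse, and a setuid-root binary that is also world-writable is worst, because anyone can replace the code that will run as root. The severity scale and the constructed sample tree are this example's own; the demo passes root_uid=os.getuid() so it runs without actually being root.

```python
# Audit a directory tree for the two "fixes" the post contrasts: world-
# writable modes (chmod 777) and setuid binaries owned by root (chown root;
# chmod 4755). Added example, not from the original post; the severity
# scale below is this example's own choice.
import os
import stat
import tempfile


def risk_of(mode, uid, root_uid=0):
    """Classify one inode by its mode bits and owner.
    Returns (severity, label) with higher severity = worse, or None."""
    setuid = bool(mode & stat.S_ISUID)
    world_w = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    any_x = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if stat.S_ISDIR(mode):
        # 777 on a directory lets anyone replace files others will run
        if world_w and not sticky:
            return (1, "world-writable directory without sticky bit")
        return None
    if not stat.S_ISREG(mode):
        return None
    if setuid and uid == root_uid and world_w:
        # anyone can swap in their own code, which then runs as root
        return (4, "setuid-root AND world-writable")
    if setuid and uid == root_uid:
        return (3, "setuid-root")                 # the "chmod 4755" blessing
    if setuid:
        return (2, "setuid (non-root owner)")
    if world_w and any_x:
        return (2, "world-writable executable")   # the "chmod 777" shortcut
    if world_w:
        return (1, "world-writable file")
    return None


def audit_tree(root, root_uid=0):
    """Walk root with lstat (symlinks are not followed) and return findings
    sorted worst-first as (severity, label, path)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            hit = risk_of(st.st_mode, st.st_uid, root_uid)
            if hit:
                findings.append((hit[0], hit[1], path))
    return sorted(findings, key=lambda f: (-f[0], f[2]))


def build_demo_tree():
    """Constructed sample tree: one 777 file, one 4755 file, one sane file."""
    root = tempfile.mkdtemp(prefix="lua_audit_")
    for name, mode in (("worldw.sh", 0o777), ("blessed", 0o4755), ("sane", 0o644)):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return root


def demo_findings():
    """Run the audit over the constructed tree. root_uid=os.getuid() so the
    demo flags our own 4755 file without needing to be root."""
    root = build_demo_tree()
    return {os.path.basename(p): label
            for _, label, p in audit_tree(root, root_uid=os.getuid())}


if __name__ == "__main__":
    for name, label in demo_findings().items():
        print(name, "->", label)
```

Run against a real tree, leave root_uid at its default of 0; a setuid-root finding is only as worrying as the binary it is attached to, but a setuid-root file that is also world-writable should never survive review.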
© 2009-11-07 Tony Lawrence