Slashdot Mirror


Windows Users Ignoring LUA Security

blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"

28 of 522 comments

  1. doh by Anonymous Coward · · Score: 5, Informative

    most likely because this option breaks most applications

    1. Re:doh by blackpaw · · Score: 5, Informative

      You can start an Administrator cmd prompt in Windows without logging off:

      runas /profile /user:Administrator cmd.exe

      Or any other program can be launched.

    2. Re:doh by darkitecture · · Score: 2, Informative

      Exactly. Even the most mundane and trivial application or game these days tends to require some sort of administrative privileges or access during install and commonly also during use. Numerous small business accounting packages require administrator privileges, especially a much-maligned yet inexplicably common package that requires online activation.

      Look, I can understand that low-access user accounts are the way to go, but when the most common programs require admin rights to use and install, how can you expect the "average user" (who, by the way, is still oblivious as to why their computer runs as slow as a sloth when Fast User Switching is enabled and the other user has 24 programs running) not to see a low-access user account as some sort of ugly restriction, an unfairly imposed shackle on their own private usage of their own computer?

      When your average word processing application and camera-photo applications (I'm looking at you, Nikon) stop requiring access to the internet (Net Limiter saw those dubious packets being sent back and forth, HP photo software) and important registry areas (fuck you, Hitachi DVD-RAM video camera proprietary software), then maybe we can honestly expect the average user to be happy with user rights.

    3. Re:doh by Curien · · Score: 4, Informative

      Fast user switching doesn't work when your system is connected to a Windows domain.

      --
      It's always a long day... 86400 doesn't fit into a short.
  2. Cluelessness at Microsoft by ts0003 · · Score: 5, Informative

    There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this with Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.

    1. Re:Cluelessness at Microsoft by beetle99 · · Score: 2, Informative

      When creating the installation package you can offer the person performing the installation a choice - install for "All Users", or just the current user.

      If you install for "All Users" in your example, the program won't be "gone" when you log in as a regular user.

      So it's not the installation model that's flawed, it's the installation packages that (some) software developers choose to create. It's really a problem of education (of developers and users).

  3. Non-admin Wiki! by sandstorming · · Score: 5, Informative

    Everything you need to know http://nonadmin.editme.com/

  4. Too many apps won't run without Administrator Priv by freeio · · Score: 4, Informative

    One big obstacle is that too many applications I see require administrator privileges not just to install but also to run. Your end users figure that out, set themselves up as administrators, and leave it at that.

    This is nothing new...

    --
    Soli Deo Gloria
  5. Re:It's also ignored by developers by Tim+C · · Score: 2, Informative

    Actually, in the case of a lot of games, the reason a non-admin account can't install or execute it is because of the moronic copy prevention scheme used, not because of the moronic game devs. (The scheme is also generally insisted upon by the publisher, not the game studio, so it's not even their boss's fault a lot of the time)

  6. Re:It's also ignored by developers by Cyberax · · Score: 4, Informative

    It's not just developers, unfortunately. Some important things just can't be done under a normal account. For example: COM-server registration (and consequently ActiveX controls) requires admin access, because permission to access HKCR and HKLM is necessary.

  7. Most software can't install without admin privs by SiGiN · · Score: 2, Informative

    "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."

    I wonder if Michael Howard is aware that most Windows software requires admin privileges to be successfully installed?

    Is it somehow also the users' problem, not an architecture problem?

  8. Reminds me of Red Hat... by Mister+Impressive · · Score: 5, Informative

    ... I'm a true blue Windows user, but I've tried linux. Red Hat 8, to be specific. I remember the FIRST thing it told me when I logged in as root was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompt would come up asking for my password to give it the proper privileges.

    M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first login after a fresh install, there should be a message alerting the user to create a new account.

    --
    Let the commencement BEGINULATE!
  9. An Example by Maljin+Jolt · · Score: 2, Informative

    On a fresh Windows 2000 system installation, the game title Star Wars Galactic Battlegrounds (running on the Age of Empires engine), published by Microsoft, executes only in an administrator account, not in a user one. Many other games from other publishers that do CD checks or strange networking do too.

    --
    There you are, staring at me again.
  10. Re:I wonder why by jd142 · · Score: 4, Informative

    It isn't the unfriendliness of the UI or the help file.

    By default, new accounts created during a windows install/first use interface are administrator accounts. As are new accounts created through the generic, task view Control Panel interface for account management.

    It's one of the reasons that Windows is insecure out of the box.

    If MS merely made accounts user-only by default, that would take care of it.

    Of course, then you'd have to fix all of the crappy software out there that can only run as admin. And there's a lot of it. Major software packages like WordPerfect still don't handle user accounts and preferences correctly and it's a very simple thing to do.

  11. Re:Tell that to the developers by value_added · · Score: 5, Informative

    Hell, tell that to Microsoft.

    Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account

    Microsoft Flight Simulator 98
    Microsoft Flight Simulator 2000
    Microsoft Flight Simulator 2002 Professional
    Microsoft Flight Simulator 2004 Century of Flight
    Microsoft Train Simulator 1.x
    Microsoft Money 2000
    Microsoft Money 2001
    Microsoft Money 2002
    Microsoft Money 2003
    MSN Messenger Service

    Microsoft seems to have discovered the command-line, so maybe they'll discover the root account? Maybe they can fix their broken 'runas' soon thereafter.

  12. Re:Longhorn should implement these by Tiberius_Fel · · Score: 2, Informative

    Actually, there was a /. article saying that Longhorn will implement these: http://it.slashdot.org/article.pl?sid=05/04/08/147237&tid=201&tid=172&tid=130&tid=218

    How well it works remains to be seen. ;-)

    --
    Join the Empire! http://www.empirereborn.net/
  13. Acronymtastic! by Hal_Porter · · Score: 2, Informative

    That site is great. It has articles on SUS/WSUS and LUA written by MVPs. They also have links to using FUS to flip between a LUA account and a DA or LA one. If you understood what these meant, you'd stop complaining about how Windows doesn't have SU.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  14. Re:I wonder why by Anonymous Coward · · Score: 1, Informative

    I know this story is about end-users and not professionals, but I'd just like to point out that in Windows Server 2003, new accounts are LUA by default, and further privileges have to be added manually.

  15. Re:It could be the default option during install by bhtooefr · · Score: 3, Informative

    Try something next time...

    Change the shortcut to point to "runas /user:Administrator "(the path to the exe) (whatever the arguments are)"" and type the admin password when prompted. That should let you run something as an Admin while still being an LU.

  16. Re:I wonder why by Transcendent · · Score: 4, Informative

    Even a lot of MICROSOFT games (Age of Mythology, for example) don't work unless you have admin rights...

  17. Re:It's also ignored by developers by kamsin · · Score: 2, Informative

    First off, this is true of *nix as well. Remember that last step of installing new software, 'make install'? That one usually has to be done as a super-user, as it installs into common areas.

    *Bzzt* wrong. While many game installers *default* to /usr/local, they don't require it. You can easily change the destination to someplace where you have write access. Once installed, the game will work just fine as a normal user. I run all my games on Linux this way. (Doom3, UT, NWN, etc...) It is also quite easy to redirect the destination of 'make install'.
  18. LUA hahaha.. by naelurec · · Score: 2, Informative

    I've had the enjoyment of learning all about LUA about two months ago. A very umm.. textbook example of a small network -- Win2k3 server, WinXP Pro clients.

    Needless to say, this was not even CLOSE to what a UNIX user account is like.

    Few thoughts..

    1. App compatibility - very annoying. While some apps are kind enough to out-right say they suck and are not compatible, there are LOTS of apps that fail in *silent* ways. Mostly writing to folders and registry w/o checking for access rights. There are many apps that attempt to write temporary files outside of user folders (ie the Program Files folder) or even store user prefs in the system registry.

    2. Along with #1 -- there are many things INSIDE WinXP that fail. One very annoying example is msconfig .. it throws up a dialog after an admin does some changes but for a user and does not acknowledge the user's response (silently fails when writing to a system registry key). I have no idea why a user is prompted when an admin does a modification. Same thing with user defaults -- the system, even though it prompts to set a browser as default, silently fails when setting registry keys (again, not a user registry key). Apparently there is no way to adjust registry key security from a GPO or script to grant users this access (w/o going to each system manually)..

    3. runas .. hehe.. that is so not even close to su/sudo -- while there appears to be lots of little workarounds (ie logging into administrative network shares of drives) its cumbersome and adds so much extra time to troubleshooting.

    4. Fonts .. I really don't understand why users don't have their own fonts folder. I had to manually go into each computer, modify the registry to give permission to add fonts, adjust the fonts folder permissions, yada yada.. PITA. A user font folder (that follows them if roaming profiles is enabled) would have been a piece-of-cake while leaving the system font folder small and fast.

  19. Re:It's Intentional by TrekkieGod · · Score: 2, Informative

    Most people just don't want to have to deal with the hassle of switching between two user accounts or learning to use "runas". It will always be this way. End users need full privs on their boxes.

    Well, you appear to be pretty knowledgeable about Windows, but I'm going to guess you don't have much linux experience (and there's nothing wrong with that).

    I'm not going to claim linux user-friendliness for end users, but at least you can still run every program you need under the non-admin accounts (and the programs still can't do system-level damage due to file permissions). You don't even need to be switching to the other admin account if you set up a sudoers file. I don't have a mac, but I hear OS X does this in a user-friendly way.

    Oh, and about your friend and the windows firewall preventing him from running games. Since Service Pack 2, you can add programs to the exception list, and the ports that program is listening to will get opened up. That means that those ports will be nice and closed when he's not gaming (or more specifically, hosting a game), and will open up when he needs them.

    --

    Warning: Opinions known to be heavily biased.

  20. bah, I just ran out of mod points. :( by numbski · · Score: 4, Informative

    Mod that man up.

    Intuit is criminal number 1 in this area (this month anyway, I have my targets change from time to time...)

    Get this: The "enterprise" version of QuickBooks that will allow you to run in terminal services (gotta spend that extra cash to run the same software remotely you know!), requires that you have Power Users or Administrator privileges.

    Here's the catch however: I have a client running Small Business Server 2003, and they just went through a company restructuring where the CFO is going to be 200 miles away for the next few months, and needs to be able to hit QuickBooks from a terminal server session (yes, I know, VNC, PC Anywhere, bitmap pusher x..., work with me here though).

    So, on an SBS, you can't have any trusts, no member servers (I might be wrong on that last one, apparently there's a hack that allows this, but again...), so the only server on the domain is the DC. Your DC does not have "local" accounts and groups, only the AD users and groups. So a local power user doesn't exist. The only rights I can give them to be able to work is Admin.

    The whole point of remote users is to.....access things remotely. You're requiring that every one of my users that wishes to use QuickBooks have Admin rights, and if they want to run in term serv, I have to allow dial in rights to that Admin account.

    So I got on the phone with them. I suggested the following workaround:

    "What if I just create a domain account, say 'QuickBooks User'. Set it to an obscenely secure password that no one but the admins could possibly know. Make it long, make it random, make it not-so-easy to remember. Grant that account Admin rights. Set Quickbooks to "Run As..." that user. Now Quickbooks gets the Admin privs it needs, but not the user."

    After going through a supervisor, it was explained to me that this wouldn't work, and in fact they misconstrued it as an attempt on my part to subvert their licensing (because now I only have a single Quickbooks user, and we're supposed to pay per-seat for the license), and "Run As..." is intentionally broken to prevent this, along with the ability to run in Terminal Server if you haven't purchased the enterprise version.

    Wow.

    Cash more important than security.

    Hey guys? What is so important at the system level that the *user* needs to make modifications to the OS? Why not store the data in the user's profile? Or in a shared directory with rights granted to the users in the "QuickBooks Users" group?

    I just don't get it. :\

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  21. It certainly isn't easy by DragonHawk · · Score: 4, Informative

    "Running windows without admin rights is a nightmare."

    It certainly isn't easy, unless you're willing to invest significant technical time and effort into the project -- which is, I'm sure, a big part of the reason why most people don't do it.

    That being said, I'm the admin for an organization with about 60 or so Windoze stations, and I can say that it can be done for most things. It most often involves figuring out what the defective program is trying to do, and then allowing it access to just where it needs.

    The two most vital tools are FileMon and RegMon, both free from SysInternals (http://www.sysinternals.com/). They monitor file system or registry accesses. The vast majority of programs can be made to work just by applying some ACLs on program-specific registry or filesystem branches.

    There's no way in hell your "typical home user" could do this, though, which is, I expect, the problem and point.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:It certainly isn't easy by Anonymous Coward · · Score: 1, Informative

      No way in hell can anyone use RegMon from my experience with it.
      The windows registry is constantly being written to so fast you'd have to be that fellow in the matrix who doesn't even see the code anymore, all he sees is blonde, brunette, redhead.
      What you need is Dependency Walker. http://www.dependencywalker.com/
      Select the exe, dll, ocx, sys, etc. of the program in question and use dependency walker on it. It's sure a hell of a lot faster than trying to keep up to changes in the windows registry.
      I've never used FileMon, but I can tell you RegMon is next to useless in my book.

  22. Re:It could be the default option during install by blincoln · · Score: 2, Informative

    About 2/3 of my programs won't operate (I'm a software developer) at all.

    As others have said, this is the fault of the developers of that software.

    Microsoft has been telling developers for at least five years now to put user data/config/whatever in the My Documents folder for whoever is running it. *Not* doing this is really stupid, because as soon as you install an app that writes config data or whatever to its install folder, you run into problems on multi-user machines like termservers.

    I work in IT for a fairly large corporation. Most of our users do not have admin rights, and their apps work just fine.

    These are the kind of apps we've had problems with:

    - Software from "Enterprise"-only vendors like BMC, Quest, Niku, Merant, and Attachmate. This is because they refuse to follow good coding practices, much like they refuse to design decent UIs. Some of these we've found workarounds for, like giving the Users group write or modify access to the install folder.

    - Legacy internal applications. This is because they were written in the Windows 95 era by people who didn't think they'd still be in use ten years later. Usually we add a wrapper to run these in the context of a privileged user.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  23. Re:It could be the default option during install by Osty · · Score: 2, Informative

    IE runs fine with non-elevated privileges (I'm doing it right now). Since a lot of malware takes advantage of vulnerabilities in IE his suggestion would improve security a lot...even if almost every other program was run as an administrator using his method.

    Except that many plugins for IE that people would want to use don't play nicely with non-admin users (think popup blockers, search toolbars, or Turnabout, though to be fair the latest Turnabout code does support non-admin use if you recompile it with an additional flag, and hopefully that will become standard). If apps would simply use HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE when writing to the registry and %APPDATA% or %USERPROFILE% (%ALLUSERSPROFILE% is available for shared data) when writing to the filesystem, 99% of all non-admin problems would be solved.

    Microsoft has published the guidelines on how to do this for over five years. It's now 2005 and programs still don't follow those guidelines. What should Microsoft do?

    They've done more than just passively publish guidelines. Non-admin support is part of the winxp/win2k3 logo program requirements. However, the worst abusers of admin rights are those apps that aren't logo-certified and never will be -- budget shovelware software, personal projects, and often open source software (not because the authors don't understand the least-privilege principle, but because they often come from a non-Windows background and don't know how to write least-privilege-safe software on the Windows platform, and often don't even care). Maybe Microsoft should make the default user non-admin. They already have several elevated-right groups that are still non-admin (Power Users, for example). The thing is, most people don't install Windows themselves. What's it matter what Microsoft does to the installer when the assembler of your PC pre-installs windows with a default user as admin anyway?
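The procedure DragonHawk describes in comment 21 (trace the misbehaving program with FileMon/RegMon, find what it is denied, open up only that branch) and the HKCU/%APPDATA% versus HKLM/Program Files distinction Osty draws in comment 23 can be turned into a repeatable triage step. What follows is an added example written for this page; it is not code from the thread, from Sysinternals or from Microsoft. It reads a constructed, tab-separated approximation of a FileMon/RegMon export (sequence, time, process:pid, request, path, result; a real capture's columns have to be mapped onto parse_trace), keeps only the ACCESS DENIED rows for the process of interest, sorts every denied path into per-user, machine-wide or protected, and emits XP-era cacls commands for the narrowest filesystem branches plus the list of registry keys to adjust by hand. The profile directory, the root and "never grant" lists, the process name and the sample trace are all assumptions.

```python
"""Triage a FileMon/RegMon-style trace of an app that "only runs as admin".

Added example for this thread, not code from the page or from Sysinternals.
Input is a constructed approximation of a tab-separated FileMon/RegMon export
(sequence, time, process:pid, request, path, result). Profile directory,
root lists and the sample trace are assumptions for a Windows XP-era layout.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass, field

PROFILE_DIR = r"C:\Documents and Settings\alice"   # assumed limited user's profile
MACHINE_FS_ROOTS = (r"C:\Program Files", r"C:\WINDOWS")
# Never open these up to Users: credentials, boot/driver config, DLLs every process loads.
DANGEROUS_FS = (r"C:\WINDOWS\system32", r"C:\WINDOWS\system")
DANGEROUS_REG = (r"HKLM\SAM", r"HKLM\SECURITY", r"HKLM\SYSTEM")
VALUE_REQUESTS = {"SetValue", "QueryValue", "DeleteValue"}  # path ends in a value name

# Constructed sample (not a real capture); columns are tab separated.
SAMPLE_TRACE = "\n".join([
    "1\t10:01:02\tlegacyapp.exe:1234\tOpenKey\tHKLM\\SOFTWARE\\Vendor\\LegacyApp\tSUCCESS",
    "2\t10:01:02\tlegacyapp.exe:1234\tSetValue\tHKLM\\SOFTWARE\\Vendor\\LegacyApp\\LastUser\tACCESS DENIED",
    "3\t10:01:02\tlegacyapp.exe:1234\tSetValue\tHKLM\\SOFTWARE\\Vendor\\LegacyApp\\WindowPos\tACCESS DENIED",
    "4\t10:01:03\tlegacyapp.exe:1234\tCREATE\tC:\\Program Files\\LegacyApp\\settings.ini\tACCESS DENIED",
    "5\t10:01:03\tlegacyapp.exe:1234\tCREATE\tC:\\Program Files\\LegacyApp\\logs\\today.log\tACCESS DENIED",
    "6\t10:01:03\tlegacyapp.exe:1234\tOPEN\tC:\\WINDOWS\\system32\\msvcrt.dll\tSUCCESS",
    "7\t10:01:04\tgoodapp.exe:2345\tSetValue\tHKCU\\Software\\Vendor\\GoodApp\\LastUser\tSUCCESS",
    "8\t10:01:04\tgoodapp.exe:2345\tCREATE\tC:\\Documents and Settings\\alice\\Application Data\\Vendor\\GoodApp\\settings.ini\tSUCCESS",
    "9\t10:01:05\tlegacyapp.exe:1234\tOPEN\tC:\\WINDOWS\\system32\\config\\SAM\tACCESS DENIED",
])

@dataclass
class Row:
    process: str
    request: str
    path: str
    result: str

@dataclass
class Triage:
    fs_grants: dict = field(default_factory=lambda: defaultdict(list))   # directory -> denied paths
    reg_grants: dict = field(default_factory=lambda: defaultdict(list))  # key -> denied paths
    refused: list = field(default_factory=list)                           # (path, reason)
    per_user_ok: int = 0   # successful writes to HKCU / the profile: already least-privilege clean

def parse_trace(text):
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # header or truncated line: skip rather than crash
        _seq, _time, process, request, path, result = cols[:6]
        rows.append(Row(process.split(":")[0].lower(), request, path, result))
    return rows

def _hive(path):
    return path.split("\\", 1)[0].upper()

def is_registry(path):
    return _hive(path) in ("HKLM", "HKCU", "HKCR", "HKU", "HKCC")

def under(path, root):
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")

def classify(path, profile_dir=PROFILE_DIR):
    """user: limited user may write; machine: admin-only, grant narrowly; dangerous: never grant."""
    if is_registry(path):
        if _hive(path) == "HKCU":
            return "user"
        if any(under(path, b) for b in DANGEROUS_REG):
            return "dangerous"
        return "machine"          # HKLM and HKCR are admin-only by default
    if under(path, profile_dir):
        return "user"
    if any(under(path, b) for b in DANGEROUS_FS):
        return "dangerous"
    if any(under(path, r) for r in MACHINE_FS_ROOTS):
        return "machine"
    return "other"                # e.g. a data drive: inspect by hand

def branch(request, path):
    """Smallest branch a grant must cover: the key for a value, the directory for a file."""
    if is_registry(path) and request not in VALUE_REQUESTS:
        return path
    return ntpath.dirname(path)

def triage(rows, process=None, profile_dir=PROFILE_DIR):
    t = Triage()
    for r in rows:
        if process and r.process != process.lower():
            continue              # most of a RegMon capture is other processes' noise
        kind = classify(r.path, profile_dir)
        if r.result != "ACCESS DENIED":
            if kind == "user" and r.result == "SUCCESS":
                t.per_user_ok += 1
            continue
        if kind == "dangerous":
            t.refused.append((r.path, "protected system branch: fix or wrap the app instead"))
        elif kind == "user":
            t.refused.append((r.path, "per-user location denied: check the profile ACLs, not the app"))
        elif is_registry(r.path):
            t.reg_grants[branch(r.request, r.path)].append(r.path)
        else:
            t.fs_grants[branch(r.request, r.path)].append(r.path)
    return t

def render_fixes(t):
    """XP-era cacls lines for directories; registry ACLs had no stock CLI, so list the keys."""
    out = [f'cacls "{d}" /E /G Users:C  REM {len(t.fs_grants[d])} denied path(s) under here'
           for d in sorted(t.fs_grants)]
    out += [f'REM regedit: {k} -> Permissions -> Users: Set Value, Create Subkey '
            f'({len(t.reg_grants[k])} denied value(s))' for k in sorted(t.reg_grants)]
    out += [f"REM NOT GRANTED {p}: {why}" for p, why in t.refused]
    return out

if __name__ == "__main__":
    print("\n".join(render_fixes(triage(parse_trace(SAMPLE_TRACE), process="legacyapp.exe"))))
```

Two caveats before running the emitted cacls lines. Granting Users Change on a directory that also holds the application's binaries lets any limited user replace an executable that other users, or an administrator, will later run; when the denied files live next to the exe, grant on the individual files instead, or fall back to the privileged-context wrapper blincoln describes. And the "NOT GRANTED" list is deliberate: a program that wants write access under system32 or HKLM\SYSTEM is asking for something no ACL tweak should give it, which is the point at which the app gets fixed or replaced rather than accommodated.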