Slashdot Mirror


Windows Users Ignoring LUA Security

blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"

19 of 522 comments

  1. It could be the default option during install by Colin Smith · · Score: 5, Interesting

    How about, embracing and extending good practice...

    --
    Deleted
    1. Re:It could be the default option during install by rpdillon · · Score: 2, Interesting

      A step forward, for sure, but if you do this too much, it sort of invalidates the point of running as a user, rather than an admin.

      I'd be particularly scared of running IE this way, for example. It's the programs that can get hijacked that you *don't* want to be running as admin. Of course, IE may run fine with non-elevated rights - I don't know because I don't use Windows.

      This is a very interesting point though: merely making a feature available isn't enough. You have to (and I'm talking about Microsoft here) make the developers aware so that they support the new default. In short: you have to actually *believe* that it is the right way to handle things, rather than paying lip service to the notion of security.

      Anyway, they'll eventually come around, I expect, and this is a good start.

  2. Windows' fault by Dacmot · · Score: 5, Interesting

    Could it be "the sad reality" because, in Windows up until XP (ignoring 2000 and NT), there were no user-privilege differences?

    Maybe MS should start educating the population and force them to create passworded least-privileged accounts and choose a password for the administrator account when installing or booting an OEM for the first time. Maybe also the administrator should be blocked out of surfing the web and playing games so that people just don't use the admin account for everything.

  3. Too many broken apps by Anonymous Coward · · Score: 2, Interesting

    As much as I'd like to use a more restrictive account on my Windows box, I find it absolutely impossible to do so with many games and various other applications.

    One typical example is Dark Age of Camelot by Mythic Entertainment. The game itself is installed to a C:\Mythic\ directory usually, as well as all the profiles for every character. Even World of Warcraft is just as bad, all the profiles are stored in a subdirectory in the C:\Program Files\World of Warcraft\!

    Until developers start supporting limited user accounts with their games/applications, people will just be lazy and stick to an admin account - which will always work.

  4. Lazy programmers by TheRealFixer · · Score: 2, Interesting

    If so many Windows developers weren't so utterly lazy, and learned how to code an application that doesn't require administrator rights to run, things would be a lot easier. As it is, there are so many poorly-written apps out there that write to admin-only places in the registry, or dump files that need to be modified into system folders, that in a lot of large companies with a plethora of apps it's almost impossible to switch to a true LUA security model.

    Of course, a lot of the blame goes to Microsoft for encouraging the idiotic "everyone's an admin!" mentality.

  5. Longhorn should implement these by Ckwop · · Score: 2, Interesting

    This is why during the set-up of Longhorn it'd be a really cool idea to create all the accounts for the welcome screen, or its equivalent, as non-administrative users. In fact, it should go further than this; it shouldn't give you the option of creating an administrative account at all on this screen. The administrative user should be banned from internet access by default (with the exception of Windows Update) and if you decide to add another administrative account it should warn you profusely that this isn't a smart idea.

    In .NET there are attributes that allow you to define permissions on methods. For example, if I know that my method only ever does algebra then I can ban it from network IO, File IO etc. It'd be a good idea to make these attributes required before the source will actually compile. You could have intellisense in Visual Studio autogenerate the most restrictive settings whenever you create a new method.

    Some security counter-measures can be really a pain in the ass but these couple I've mentioned here would really help bring Windows security under control. Windows security is not bad, per se, it just needs more configuration than we can expect from Joe Sixpack. We need to make security easier for them and that's in everyone's best interest, Microsoft included.

    Simon.

  6. Re:I wonder why by Ilgaz · · Score: 2, Interesting

    "xxx requires your administrator password to install"

    "ok" "cancel", and at the bottom there is a tiny triangle that can be opened and shows the full path to whatever needs it.

    As they steal everything, why not steal that scheme of OS X so at least we mac users have a "more free" port 135? ;)

  7. Re:Tell that to the developers by Keebler71 · · Score: 2, Interesting

    I second that one... I have everyone in my family (myself included) set up as limited users but most of my games, my Palm sync software, and every single children's educational game I have will not run unless admin. So every time my kids want to play Blue's Clues I have to come up, use "Run as..." and enter my admin password. Pain in the arse.

    --
    "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
  8. Not a fault by mccalli · · Score: 2, Interesting
    I've posted this further up as well - it certainly isn't an architectural fault that most software requires admin to install, in fact I'm rather glad it does. The Mac, for example, won't let you put stuff into the Applications folder unless you can supply an administrative password.

    It's a fault that non-util software also requires admin to run, but whether that's Windows' fault or the developer of the software is open to question at best. Personally I'd say that's the developer's fault. A great example of this is Quicken - I have to run from an admin account just to do my accounts? Nope, I don't blame Microsoft for that. I blame Intuit.

    Cheers,
    Ian

  9. Re:Cluelessness at Microsoft by Anonymous Coward · · Score: 1, Interesting

    Huh? Apple didn't do this... BSD did. Lets give credit where it is due.

    And... No, I am not new here....

  10. Win XP Is An Ugly Kludge by Quirk · · Score: 3, Interesting
    While I started on a TI 99/4 my parents got for me, sans monitor, and hooked up to an old 14 inch b&w TV, every machine following that was a Wintel box up to being introduced to Mandrake (as it then was) 6.

    DOS 3.3 was the first MS OS I understood, so much so that, when the first DOSSHELL came out, I asked why would someone need that? I jumped on the NT technology because, when it first came out, it was well documented (vis-a-vis my experience) and it allowed a whole new playing field. When NT 4 came out MS moved video and printer drivers from user mode to kernel mode. This was, IIRC, about the time Bill Gates had his vision of the PC-integrated multimedia household. I believe the PC version of Windows has pursued this vision of a multimedia OS to the point of having become, in WinXP, an ugly, bloated kludge, but it does, as much as possible, deliver in an ugly way, as a backward compatible multimedia OS.

    Win 2K was the last OS to maintain the promise that Win New Technology brought with it. Win XP saw the culmination of MS' effort to integrate Win95/98/ME with some of the benefits of NT, but the end result is an all-and-everything everyman's stew meant to satisfy the cravings of the masses.

    I run WinXP on a web box for multimedia but thanks to the lessons gleaned online (/.:) I'm moving on to a *BSD, or one of the upcoming microkernel OSes to do research.

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  11. Re:doh by TopSpin · · Score: 4, Interesting

    most likely because this option breaks most applications

    This is why most people don't know about it; developers and vendors barely understand Windows security, so it's ignored. The users instinctively know this and they play along, ignoring the existing capabilities.

    The Microsoft platform is closed, poorly designed, obscure and ambiguous. Side effects are common and difficult to prevent or correct. Frobbing things that vendors aren't paying close attention to is a good way to invent new breakage.

    Go ahead, be the first on your block to harden Windows with naive LUA. Spend the next two years chasing down truly arcane breakage. Teach Microsoft and third party vendors how to promulgate securable products. Meanwhile, I'll be using software on platforms that figured out most of this stuff a decade ago.

    --
    Lurking at the bottom of the gravity well, getting old
  12. Re:I tried this for a day... by krray · · Score: 2, Interesting

    I personally use Windows (2000) for one thing and one thing only anymore: AutoCAD. You simply can NOT fully _use_ (not install) AutoCAD without admin privileges. XP or 2K. I venomously use 2000 over XP for one reason: take the _same_ hardware (P4 @ +3GHz with 2G of memory and 256M video) and compare the two side by side: XP is noticeably slower and offers NOTHING in the way of me getting my job done, but that's of another issue.

    [Yes, I do have to admit -- that for the home user all the fluff can be very useful]

    "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."

    I say most users just don't know that other operating systems exist today that can easily out-perform anything Windows can offer with less setup time, daily hiccups, and of course the BSOD still pops up every so often. That's just a sad reality.

    Now imagine a world where I may _have_ to use Windows for some awful task -- a world where I have one computer (not two) with VMWare style software helping run OS.X and 2K side by side. Just imagine (it's coming :).

    The sad part (with Windows bloat)? It is that I've watched old Mac hardware get FASTER with each release of OS X -- starting from the beta [Cheetah] (paid for it, disagreed, but paid :) to Puma, Jaguar, Panther, and now Tiger.

    I will say -- I wish I could tell you how nicely Leopard runs on the MacTel box... Longhorn? Ha!

  13. Re:doh by Hal_Porter · · Score: 3, Interesting

    Actually the best way is to use Fast User Switching. Have an Admin account and your normal one. Do Adminy stuff in the Admin account and everything else in the normal one. Once you get used to it, it's a couple of keystrokes to flip between the two. Unlike Run As, the two zones are on different desktops, which means that you're invulnerable to Shatter attacks on windows running with admin privileges.

    Here's a good blog with much more info

    Some people even prefer this to su.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  14. Re:Duh by n0-0p · · Score: 4, Interesting

    I think you're over-simplifying this. The Windows NT kernel and core services were designed with security in mind. The real issue is that the shell, UI, and APIs do a really poor job of enforcing and providing convenient access to that model. MS made a tough choice when they created the Win32 API; they kept developer compatibility and convenience but made security a whole lot harder. There are too many default behaviors in Windows that are just dangerous.

    Look how CreateProcess will progressively search for an executable at each space delimited chunk in an unquoted path; that makes a great trojan attack. Consider the shatter vulnerability and associated dangers that result from simple window input; that's why services have to be run on a separate ACL'd desktop to be safe. Consider how trivially a power user can escalate to admin; look at how many apps need at least that privilege. Look how much code you have to write to set a simple multi-user DACL on an object.

    The fact is that security is very hard to do properly in an MS environment, and historically MS has done a very poor job of promoting and simplifying it. I audit security software now, but when I wrote software I had a ton of homegrown libraries to handle things that shouldn't have been necessary. So while I agree the tools are there, you almost have to be a security expert to use them properly.
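    An audit helper added here (not from n0-0p's comment, nor any Microsoft tool) that mirrors the CreateProcess search rule just described, so an administrator can flag image paths that need quoting and see which directories the loader would consult before the intended one; the service listing is constructed sample data.

```python
def createprocess_candidates(cmdline):
    """Module names CreateProcess tries, in order, when lpApplicationName is
    NULL: a quoted leading token is unambiguous, an unquoted one is retried at
    each space-delimited chunk with ".exe" appended if the chunk lacks an
    extension.  Real probing stops at the first existing file; with no
    filesystem we stop at the first chunk already ending in ".exe"."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end != -1 else cmdline[1:]]
    words = cmdline.split()
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        leaf = prefix.rsplit("\\", 1)[-1]  # last path component
        candidates.append(prefix if "." in leaf else prefix + ".exe")
    return candidates

def needs_quoting(cmdline):
    """True when the loader could pick a module other than the intended one."""
    return len(createprocess_candidates(cmdline)) > 1

def audit(service_paths):
    """For each ambiguous (name, image_path), list the directories an earlier
    candidate resolves in: quote the path, or keep those non-writable."""
    findings = []
    for name, path in service_paths:
        cands = createprocess_candidates(path)
        if len(cands) > 1:
            dirs = set()
            for cand in cands[:-1]:
                parent = cand.rsplit("\\", 1)[0]
                dirs.add(parent + "\\" if parent.endswith(":") else parent)
            findings.append((name, sorted(dirs)))
    return findings

# Constructed sample in the shape of a service name / ImagePath listing.
SAMPLE = [
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\good.exe" -service'),
    ("BadSvc", "C:\\Program Files\\Bad Vendor\\bad.exe -service"),
    ("SysSvc", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for name, dirs in audit(SAMPLE):
        print(f"{name}: quote the image path; lookups also hit {dirs}")
```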

  15. Re:closer still... by Anonymous Coward · · Score: 4, Interesting

    Yeah? That's because Unix type systems have had multiple users since, well, ever.

    You have to accept the fact that certain people shouldn't do certain things on computers.

    The fact is that it should be dead simple for a grandma, to be able to do so, to install a card game in her home directory, without bothering anyone else on a system--a unix system. It goes there, and, what? There's no issue. Quake 3 has the ability to install into a non-root privileged user's account. If grandma rm -rf /'s, she's only going to take her stuff out, and maybe other people who share her group.

    In Windows land, that card game may well have a fit if it doesn't get installed to c:\program files\bullshit cards. If it doesn't work that way on any system, the program is b0rked. Written by an idjet. It doesn't help that MS has programmed people and software writers to behave this way since, well, ever.

    ****EVERY**** MS home directory should by default have a My Programs folder, and software installed by that user should end up there--unless it really, really does need administrator access, or it needs to be shared by multiple users. Otherwise, who cares if grandma installs Bonzi Buddy, it's only going to affect her account and not spread to administrator--where everything can be gleefully cleaned.

  16. How to fix this without breaking the broken code.. by UnseenEnigma · · Score: 2, Interesting

    This is how Microsoft could fix this at an API level without breaking legacy code:

    Step 1: When a non-privileged user installs an application, install it in the user's space and create the required keys prefixed into the user's area in the registry. A warning to the user when installing, stating it will only be available to their account, will be needed.

    Step 2: When running an application, first check the current user's virtual registry, then the true global registry.

    Step 3: Add the rights necessary for accelerated video to work under the default user rights.

    Step 4: Switch to Linux/Unix because they got this right 20 years ago!

  17. Installing Apps vs. Running Apps multiuser/admin by billstewart · · Score: 2, Interesting
    I don't have enough WinXP-specific experience to know how many applications actually break when you're running them as non-root, but most of them require you to be admin to install them. One way to do this is to log off from your non-priv account, log on as admin, install the stuff, log off as admin, and log back in as yourself. I normally do that, and it usually works.

    Unfortunately, there are a bunch of applications for which this doesn't work right, including iTunes - the first piece of Apple software I've used that didn't "just work". When I installed iTunes, as root, it created an iTunes config for root, but when I logged in as myself, it created a separate iTunes config for me, and I not only had to input lots of long registration numbers again (:-), but the tunes I'd downloaded to root's account aren't accessible from my account and vice versa (or at least, it's well hidden if they are.) Very annoying.

    Some things are worse about multiple users - my USB scanner gets hopelessly confused by having multiple people logged in. As far as I can tell, when I first log in as one user, its software scans the USB and finds it, and when I log in as a different user, it does the same thing, except something's locked up to the first person who logged in.

    (As somebody else said about their home setup, I've got three accounts on the machine - root, my non-admin account, and my wife's account, which has admin privileges so she can install software and run picky software, and we use fast-user-switching between them.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  18. Re:Cluelessness at Microsoft by kawika · · Score: 2, Interesting

    Well, Firefox doesn't write global registry keys and it still won't run with "Protect my computer" min privileges. There's a bug filed for it but no action. The workaround is to run with normal privs.

    https://bugzilla.mozilla.org/show_bug.cgi?id=26653 3
    (Copy/paste since Bugzilla blocks Slashdot)