Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Users Ignoring LUA Security

Posted by timothy on from the until-it's-easy-it's-hard dept.

blankify writes "eWeek is running a story about the least-privilege, no-admin option available in Windows (2000/XP/2003) that has been mostly ignored by end users. From the article: '"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."'"

29 of 522 comments (clear)

  1. It could be the default option during install by Colin+Smith · · Score: 5, Interesting

    How about, embracing and extending good practice...

    --
    Deleted
    1. Re:It could be the default option during install by BoomerSooner · · Score: 5, Insightful

      Try it yourself some time. Running windows without admin rights is a nightmare. About 2/3 of my programs won't operate (I'm a software developer) at all. I've fixed almost everyones computers that knows me (I hate being free tech support but anything for a friend) and stupid programs like a damn cat breeding program this one girl had wouldn't run without admin rights (after fixing her computer 3-4 times I tried the No Admin route to no avail).

      Until programs run without being admin this whole arguement is pointless.

      OS X does it perfectly.

    2. Re:It could be the default option during install by crazyphilman · · Score: 4, Insightful

      Not to overdo the "sympathy for the devil" thing here, but I've been thinking about how screwed poor Microsoft is. Think about this; they've managed to paint themselves into a corner on security and stability issues, and they may not have any way to get out of it. Consider:

      1. They carried the same codebase forward from Windows 3.1, never completely scrapping it, always just bolting new parts on. This has caused Windows to end up like a Rube Goldberg machine, so complicated on the inside that "they" say nobody at Microsoft really knows what everything in there actually DOES.

      2. They really pounded the nails in the coffin when they deliberately bound IE into the O/S to frustrate the DOJ during the browser wars. By binding so many things right into the O/S, they glued themselves to their codebase. Can they even separate their GUI from the underlying O/S anymore?

      3. Given that this monstrous, mammoth codebase is a hideous nightmare to try and "fix", obviously the smart thing is to pull a Steve Jobs: scrap the whole beast and glue a beaufitul, stable frontend onto a FreeBSD backend with a Mach Microkernel. This would turn Windows into a thing of beauty and stability, like the Mac O/S. But, CAN they? Is it even possible?

      4. And, if they did that, they might face a revolt as virtually every software company, corporate IT department, and end user went completely ballistic. It could be suicide.

      So, think this over: Microsoft is pretty much screwed, locked utterly into the codebase they've got. If they stick with it, eventually they'll be replaced by more secure, stable alternatives. If they try to save themselves the Apple way, the end could come sooner instead of later.

      If YOU were Gates and Ballmer, what would YOU do?

      Aside from spending the weekend on the yacht, I mean... ;)

      --
      Farewell! It's been a fine buncha years!
  2. doh by Anonymous Coward · · Score: 5, Informative

    most likely because this option breaks most applications

    1. Re:doh by deutschemonte · · Score: 5, Insightful

      Too bad you posted as AC because that's exactly why I don't use it.

      A limited account in linux still allows you to do most things without a hitch. Plus, when you need root access, you can do that within the logged on account without logging off.

      I also tried setting up my SO's account as limited but she ran into problems all the time. It is hard to explain (excuse?) something as a feature when it is such a pain in the ass.

      Hopefully, they will get this one thing right in Longhorn.

      --
      The preceding message was based on actual events. Only the names, locations and events have been changed.
    2. Re:doh by blackpaw · · Score: 5, Informative

      You can start a Administrator cmd prompt in windows without logging off:

      runas /profile /user:Administrator cmd.exe

      Or any other program can be launched.

    3. Re:doh by TopSpin · · Score: 4, Interesting

      most likely because this option breaks most applications

      This is why most people don't know about it; developers and vendors barely understand Windows security, so it's ignored. The users instinctively know this and they play along, ignoring the existing capabilities.

      The Microsoft platform is closed, poorly designed, obscure and ambiguous. Side effects are common and difficult to prevent or correct. Frobbing things that vendors aren't paying close attention to is a good way to invent new breakage.

      Go ahead, be the first on your block to harden Windows with naive LUA. Spend the next two years chasing down truly arcane breakage. Teach Microsoft and third party vendors how to promulgate securable products. Meanwhile, I'll be using software on platforms that figured out most of this stuff a decade ago.

      --
      Lurking at the bottom of the gravity well, getting old
    4. Re:doh by Curien · · Score: 4, Informative

      Fast user switching doesn't work when your system is connected to a Windows domain.

      --
      It's always a long day... 86400 doesn't fit into a short.
  3. Cluelessness at Microsoft by ts0003 · · Score: 5, Informative

    There's a reason why most people don't use it. Microsoft's implementation is flawed to say the least. When a user sets themselves up this way and then installs programs as an Administrator, they find that they can't run the programs completely or correctly as the lower privilege user. Some of this is due to Windows application programmers doing boneheaded things. Much of it has to do with the programming practices Microsoft has fostered - like writing to global registry keys in the Windows 95 and 98 days. Contrast this will Apple which has gotten the APIs right, put out tutorials on how to do this and most importantly made the whole process of installing as Administrator but running as a User as painless as possible.

  4. Tell that to the developers by dduardo · · Score: 5, Insightful

    If their software doesn't work in least priveleged mode doesn't it defeat the whole purpose of the system?

    1. Re:Tell that to the developers by value_added · · Score: 5, Informative
      Hell, tell that to Microsoft.

      Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account

      Microsoft Flight Simulator 98
      Microsoft Flight Simulator 2000
      Microsoft Flight Simulator 2002 Professional
      Microsoft Flight Simulator 2004 Century of Flight
      Microsoft Train Simulator 1.x
      Microsoft Money 2000
      Microsoft Money 2001
      Microsoft Money 2002
      Microsoft Money 2003
      MSN Messenger Service

      Microsoft seems to have discovered the command-line, so maybe they'll discover the root account? Maybe they can fix their broken 'runas' soon thereafter.

  5. It's also ignored by developers by Jarnis · · Score: 4, Insightful

    Users ignore it, because it's a horrible pain to use XP using a normal user account.

    There are numerous games that cannot be installed without admin rights, and plenty who cannot even be EXECUTED without admin rights. All because the devs are lazy morons.

    Same goes with numerous applications.

    Not to mention the fact that in many case applications break in random ways, without actually telling why they break.

    So right now if you actually want to use XP, you pretty much are stuck with admin mode (or you have way more patience than I do in using 'run as..' or switching users)

    1. Re:It's also ignored by developers by Cyberax · · Score: 4, Informative

      It's not just developers, unfortunately. Some important things just can't be done under normal account. For example: COM-server registration (and consequently ActiveX controls) requires admin access , because permission to access HKCR and HKLM is neccesary.

    2. Re:It's also ignored by developers by daVinci1980 · · Score: 4, Insightful
      There are numerous games that cannot be installed without admin rights
      First off, this is true of *nix as well. Remember that lest step of installing new software, 'make install'? That one usually has to be done as a super-user, as it installs into common areas.

      and plenty who cannot even be EXECUTED without admin rights. All because the devs are lazy morons.
      Actually, this has nothing to do with the developers being lazy morons (which they're not). It has to do with MS' broken security model. The place where they chose to draw the line between user and admin restrictions in the API is so asinine that it's virtually impossible to write any sort of complex app that *doesn't* require some admin functionality to run.

      But to be honest, why does it even matter? A lot of the vulnerabilities on Windows have nothing to do with installing software, or who has the permissions to run operations. They have to do with services' exploits and buffer overruns, which are already running as 'System' level (super-user) in the background.
      --
      I currently have no clever signature witicism to add here.
  6. Non-admin Wiki! by sandstorming · · Score: 5, Informative

    Everything you need to know http://nonadmin.editme.com/

    --
    http://www.sandstorming.com
  7. Windows' fault by Dacmot · · Score: 5, Interesting

    Could it be "the sad reality" because Windows up until XP (ignoring 2000 and NT) there was no user-priviledges differences?

    Maybe MS should start educating the population and force them to create passworded least-priviledged accounts and choose a password for the administrator account when installing or booting an OEM for the first time. Maybe also the administrator should be blocked out of surfing the web and playing games so that people just don't use the admin account for everything.

  8. Too many apps won't run without Administrator Priv by freeio · · Score: 4, Informative

    One big obstacle is that too many applications I see require administrator privileges not just to install but also to run. Your end users figure that out, set themselves up as administrators, and leave it at that.

    This is nothing new...

    --
    Soli Deo Gloria
  9. Reminds me of Red Hat... by Mister+Impressive · · Score: 5, Informative

    ... I'm a true blue Windows user, but I've tried linux. Red Hat 8, to be specific. I remember the FIRST thing it told when I logged in as root, was to create a new non-power account. It even showed me how to. Whenever I wanted to change/install something, a nice prompty would come up asking for my password to give it the proper priviliges.

    M$ should learn from this, and their little article there, that instead of the stupid tour that appears when you first login after a fresh install, there should be a message alerting the user to create a new account.

    --
    Let the commencement BEGINULATE!
  10. Re:I wonder why by dnoyeb · · Score: 5, Insightful

    Or the fact that 1/2 the programs only work with Admin rights.

  11. Re:I wonder why by jd142 · · Score: 4, Informative

    It isn't the unfriendliness of the UI or the help file.

    By default, new accounts created during a windows install/first use interface are administrator accounts. As are new accounts created through the generic, task view Control Panel interface for account management.

    It's one of the reasons that Windows is unsecure out of the box.

    If MS merely made accounts user only be default, that would take care of it.

    Of course, then you'd have to fix all of the crappy software out there that can only run as admin. And there's a lot of it. Major software packages like WordPerfect still don't handle user accounts and preferences correctly and it's a very simple thing to do.

  12. Re:I wonder why by n0-0p · · Score: 5, Insightful

    Lets not forget software just failing to work. Most third party applications simply will not run correctly in an LUA environment. Honestly, most MS software couldn't run this way before 2000. I run LUA and I have to use runas admin on far too many applications; how is that really LUA? And lets not forget that running IE with reduced rights will also cause many IE plugins and any IStream handoffs (like Media Player) to fail without explanation.

    Of course, I totally agree that they claim of lack of user awareness when it is really a lack of MS support. Microsoft has also done nothing to simplify this issue for developers. There are no simple "test and prompt for elevation" routines. It's not a general Windows logo requirement; in fact it's buried in one paragraph in the enterprise logo. And to top it all off, aside from a few proactive devs making blog entries, there's been no attempt to educate users.

    Way to go MS, blame user apathy for your own poor performance.

  13. closer still... by ecalkin · · Score: 4, Insightful

    It's partially driven by software that won't install as a regular user (i can kinda live with that) and/or won't run as a regular user (unacceptable except for system utilities).

    I can't even count right now how many clients I have running users with admin membership because of crappy software.

    And the kicker is, it's not that hard a programming task to make software run in the regular user context! argh!

    eric

    1. Re:closer still... by Anonymous Coward · · Score: 4, Interesting

      Yeah? That's because Unix type systems have had multiple users since, well, ever.

      You have to accept the fact that certian people shouldn't do certian things on computers.

      The fas is that it should be dead simple for a grandma so able to do so, to install a card game in her home directory, without bothering anyone else on a system--a unix system. It goes there, and, what? There's no issue. Quake 3 has the ability to install into a non-root privlidged user's account. If grandma rm -rf /'s, she's only going to take her stuff out, and maybe other people who share her group.

      In Windows land, that card game may well have a fit if it dosen't get installed to c:\program files\bullshit cards. If it dosen't work that way on any system, the program is b0rked. Written by an idjet. It dosen't help that MS has programmed people and software writers to behave this way since, well, ever.

      ****EVERY**** MS home directory should by default have a My Programs folder, and software installed by that user should end up there--unless it really, really does need administrator access, or it needs to be shared by multiple users. Otherwise, who cares if grandma installs bonsai buddy, it's only going to affect her account and not spread to administrator--where everything can be gleefully cleaned.

  14. This is not too hard to figure out by ellem · · Score: 4, Funny

    MS - Hello intrepid user. I know I've always allowed you to run as root before but check this out! You computing experience could be filled with and endless array of confusing dialogue boxes all basically telling you you're not root.

    User - That sounds like it might suck.

    MS - No no no, it's great! And it's pretty hard to implement. Oh and a whole shitload of legacy apps won't even install.

    User - Why would I want that?

    MS - It's safer.

    User - Do you still let programs run as System?

    MS - Well yes.

    User - Why?

    MS - Symantec asked us to support the Open Source Virus Community and we are!

    --
    This .sig is fake but accurate.
  15. Re:Some reasons... by drsmithy · · Score: 4, Insightful
    Sure, adding Office or Baldurs Gate should require admin, changing screen resolution? Hell no.

    Changing the screen resolution in Windows does not require admin privileges.

    Half the spyware normal users get uses privledge escalation holes anyway so it does not keep that crap down.

    Which ones ? Privilege escalation bugs aren't exactly common.

    Anyway, I have been told (but have not tried) that making the "temp" folder trees "Everyone" read/write explicitly, and adding each account explicitly fixes most of the "run as admin" problems.

    You've been told wrong. For starters, every user on the machine can create new files and modify existing files that belong to them in C:\Windows\Temp. Secondly, most all apps (even the badly written ones) use the per-user TMP variables that point to directories within the users profile (that they have "Full Control" over).

    Most programs dont do much registry editing, but a lot need scratch space and if they use the temp folders, they need access to them.

    No, in fact the most common problem is applications that try to store things that *should* go in HKEY_CURRENT_USER in HKEY_LOCAL_MACHINE. Bugs like this are actually a good indicator of the developer's lack of interest in updating their product, because per-user registry hives were introduced to Windows 9x back with Windows 98 (they've always been in NT AFAIK).

    The second most common problem is stupid developers trying to write to files (often user or application preferences) in either their program's directory or the Windows directory (DOOM 3 has this problem).

  16. Re:I wonder why by Transcendent · · Score: 4, Informative

    Even a lot of MICROSOFT games (Age of Mythology, for example) don't work unless you have admin rights...

  17. Re:Duh by n0-0p · · Score: 4, Interesting

    I think you're over-simplifying this. The Windows NT kernel and core services were designed with security in mind. The real issue is that the shell, UI, and API's do a really poor job of enforcing and providing convenient access to that model. MS made a tough choice when they created they Win32 API; they kept developer compatability and convenience but made security a whole lot harder. There are too many default behaviors in Windows that are just dangerous.

    Look how CreateProcess will progressively search for an executable at each space delimited chunk in an unquoted path; that makes a great trojan attack. Consider the shatter vulnerability and associated dangers that result from simple window input; that's why services have to be run on a seperate ACL'd desktop to be safe. Consider how trivially a power user can escalate to admin; look at how many apps need at least that privelege. Look how much code you have to write to set a simple multi-user DACL on an object.

    The fact is that security is very hard to do properly in an MS environment, and historically MS has done a very poor job of promoting and simplifying it. I audit security software now, but when I wrote software I had a ton of homegrown libraries to handle things shouldn't have been necessary. So while I agree the tools are there, you almost have to be a security expert to use them properly.

  18. bah, I just ran out of mod points. :( by numbski · · Score: 4, Informative

    Mod that man up.

    Intuit is criminal number 1 in this area (this month anyway, I have my targets change from time to time...)

    Get this: The "enterprise" version of QuickBooks that will allow you to run in terminal services (gotta spend that extra cash to run the same software remotely you know!), requires that you have Power Users or Administrator priveleges.

    Here's the catch however: I have a client running Small Business Server 2003, and they just went through a company restructuring where the CFO is going to be 200 miles away for the next few months, and needs to be able to hit QuickBooks from a terminal server session (yes, I know, VNC, PC Anywhere, bitmap pusher x..., work with me here though).

    So, on an SBS, you can't have any trusts, no member servers (I might be wrong on that last one, apparently there'a hack that allows this, but again...), so the only server on the domain is the DC. You DC does not have "local" accounts and groups, only the AD users and groups. So a local power user doesn't exist. The only rights I can give them to be able to work is Admin.

    The whole point of remote users is to.....access things remotely. You're requiring that every one of my users that wishes to use QuickBooks have Admin rights, and if they want to run in term serv, I have to allow dial in rights to that Admin account.

    So I got on the phone with them. I suggested the following workaround:

    "What if I just create a domain account, say ""QuickBooks User"". Set it to an obscenely secure password that no one but the admins could possibly know. Make it long, make it random, make it not-so-easy to remember. Grant that account Admin rights. Set Quickbooks to "Run As..." that user. Now Quickbooks gets the Admin privs it needs, but not the user."

    After going through a supervisor, I was explained that this wouldn't work, and in fact they misconstrued it as an attempt on my part to subvert their licensing (because now I only have a single Quickbooks user, and we're supposed to pay per-seat for the license), and "Run As..." is intentionally broken to prevent this, along with the ability to run in Terminal Server if you haven't purchased the enterprise version.

    Wow.

    Cash more important than security.

    Hey guys? What is so important at the system level that the *user* needs to make modifications to the OS? Why not store the data in the user's profile? Or in a shared directory with rights granted to the users in the "QuickBooks Users" group?

    I just don't get it. :\

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  19. It certainly isn't easy by DragonHawk · · Score: 4, Informative

    "Running windows without admin rights is a nightmare."

    It certainly isn't easy, unless you're willing to invest significant technical time and effort into the project -- which is, I'm sure, a big part of the reason why most people don't do it.

    That being said, I'm the admin for an organization with about 60 or so Windoze stations, and I can say that it can be done for most things. It most often involves figuring out what the defective program is trying to do, and then allowing it access to just where it needs.

    The two most vital tools are FileMon and RegMon, both free from SysInternals (http://www.sysinternals.com/). They monitor file system or registry accesses. In the vast majority of programs can be made to work just by applying some ACLs on program-specific registry or filesystem branches.

    There's no way in hell your "typical home user" could do this, though, which is, I expect, the problem and point.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.