Microsoft Pitches LUA Security Repository
corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."
I'd like to sign Adobe up to that right away.
Those who do not understand unix are condemned to reinvent it, poorly.
I don't think I've ever seen a more apt example of this aphorism.
Made me instantly think of the Lua programming language.
The filesystem is the package manager
"Those who do not understand unix are condemned to reinvent it, poorly."
So when's Unix going to invent "capabilities", and why did it take the NSA to "invent" SELinux?
Oh right, Unix security is perfect. That's why we keep hearing that damn saying every time we have a Windows story.
It's ridiculous how one app can screw your whole managed environment.
Some applications won't run if the user is not local admin, and you know how much users can be trusted.
The best test environment is production. - Me
chrome://browser/content/browser.xul
Or at least a less privileged account? With a password popup box whenever you want to install drivers etc., akin to Mac OS X or somesuch?
Or are they going the same route as before with the default user being an admin?
I'd hope they did, it'd probably help reduce people installing rootkits with certain audio cd's although I doubt it'd eliminate it, there'd still be people who blindly type in their password (if they'd bothered to enter one in the first place).
Also, on a sidenote.. MS aren't exactly standing on the moral superiority high ground here (I skimmed the article), how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows and so far the only program which is supposed to use LUA is IE7 which isn't even released yet?
It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator (or have that power). It's something brought up all the time about the inadequacies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly". That may be the case, but they are going down that road. Not every admin can run *nix; it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix-like will actually help the adoption of open source *nix variants. I think the blast-Microsoft-for-everything-they-do may backfire on the /. crowd at some point...
So, how is this going to be compatible with older programs that require admin privileges?
The first bit of that plan went down very well - they love having their own user accounts. However almost none of their games/software run as anything except Administrator, even games which say on the box "designed for windows XP".
I end up having to make a custom runas command for each one with /savecred - the windows equivalent to chmod u+s. This is a PITA to setup, insecure and doesn't work for all their software. There is some we've just had to abandon since it just won't work like that.
So please, software developers, check your software works without admin privileges!
Every man for himself, all in favour say "I"
From
http://www.winvistaforums.com/viewtopic.php?t=35
http://news.zdnet.com/2100-1009_22-5998726.html
Of course. Read the replies on the MONAD and "MS moving graphics out of kernel" stories.
"I think the blast Microsoft for everything they do may backfire on /. crowd at some point..."
Not really. Part of being a zealot means that one has the capability of ignoring reality even when it's in your face.
Lots of things software should be able to do can't happen in LUA mode. So we have few solutions, like popping up admin password boxes (which can be exploited on their own with fake pop-up boxes prompting us to enter our admin login/pass), or having broker processes with higher privileges do the job. But it's important to understand that low-privilege IE and LUA for users is not removing the attack surface, just reducing it significantly and presenting a few new ways to exploit the situation... Also it'll be significantly more annoying to deal with it when performing regular operations, like installing/updating software.
The two chief problems with LUA in Windows are:
- The Windows programming culture assumes a single user, single tasking computer.
- Users on Windows are administrator by default
The first is the developers' fault, the second is Microsoft's. At least Microsoft are trying to fix their end. But even 4 years after Windows XP was released, software is being released by developers who should know better that still requires either admin rights or much tinkering to get to run as non-admin. The most recent one I encountered was an application for BACS payments a couple of weeks ago - their tech support's answer was "run as admin". I managed to get it to work for non-admins (since this was on a Windows domain) only by caclsing (aka chmodding) the application's directory writeable by all!
It's obvious that the developer had simply not tested the program as non admin.
Oolite: Elite-like game. For Mac, Linux and Windows
Logo Cert. should require games and most apps to work with Power Users or equ.
Just the other day I tried to guide someone through setting up a new account and e-mail settings on XP SP2 over the phone. I decided to play it safe and told them to create a limited account. But when you log into the new account and try to run Outlook Express you get this error message, which I couldn't get them past to configure e-mail. I later worked out that you must first run Internet Explorer at least once on the new account before the e-mail setup wizard will come up when Outlook Express is run.
did you run tools like Filemon from Sysinternals http://sysinternals.com/ to see what was failing when running as a pleb? Too often the answer is to run everything as admin when all that is required is write access to some folder under "C:\PROGRA~1"
First all this malware spreading around was because we didn't have firewalls. Now it's because we're all running with admin rights. Never mind that it's the OS default, it's obviously our fault that all these bugs keep surfacing.
Of course, the next whipping boy is that faceless developer out there who wakes up one morning and decides to violate basic programming principles like Least Privilege. But it's not the developer's fault.
The problem for the developer is that Windows makes it difficult to do anything but run as admin. The environment assumes single-user, multiple apps, but not multiple users. It was designed with one user in mind, and the multi-user stuff layered on later.
But the real problem with complaining that we're violating Least Privilege is that it's a Redmond Herring (TM). It's ignoring the big problem, which is that since Windows source code is closed, no one without a vested interest in keeping bugs hidden can look at it.
You want a security principle violation? Hiding your code is the biggest one there is.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Briefly, this matches my experience - if I could be bothered I could create a long list of reasons Microsoft in reality make it difficult to run anything without full admin rights.
I only need to mention two where end users and 1st/2nd line support for SMEs will struggle without admin privileges - Windows Updates and Remote Assistance. If the techies can't work without full privileges, how are end users expected to cope?
Sorry, but this is an old story and it's time MS got its own house in order first and stopped wasting sales and consultancy time on things that are accepted as standard outside of the cuddly MS world.
Businesses really want the desktop locked down out of the box and then to have the ability to choose during install whether to risk opening up the box. Give the home users a choice - locked down or easy to use. They'll get the message eventually without damaging the brand. Time to drop the one size fits all concept.
Start with the concept of more secure versions or configurations (lock down), then explain LUA for those who need detail. It should be built into the help systems and wizards far more explicitly than the roll-out of SP2 did for the Firewall. Simple on or off choice - don't try to force it on for everyone.
btw: not really an anonymous coward, just not the time to waste creating yet another login account.
Wow. Just like those who know real operating systems said a decade ago.
Your "small changes" can also be called "back doors".
Once more again Microsoft is being insensitive to real world needs.
Quote from their website:
http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.mspx
"Most Microsoft employees are highly technology literate and routinely explore the limits of the tools available to them in order to improve product quality. For example more than 95 percent of Microsoft employees have local administrator rights to their desktops."
::shudders::
And Microsoft's marketing people are bragging about this as SECURITY FEATURES.
Better: find /Myfiles -name \*.mp3 -exec mv {} /MyMP3s \;
games copy protection needs admin to run
Ever tried running Google Earth in non-admin mode? I hate software like that.
From what I remember of QuickBooks (at least, a recent version) it must be run as administrator. This was a huge issue with some computers we were setting up at a small office... trying to maintain some level of security and this just blew that out of the water.
What is so special about QuickBooks that it needs to be an administrator? Were the Intuit programmers just lazy or do you really need root to balance a checkbook?
-David
How about updating apps? They all use their own ways. We need to come out with a common update system that is easy for games and other apps to use and make it free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updaters and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need admin to run that common update system, or even let it be set up to auto-run in the background at system level.
I use XP largely to play games, and find that even on games that can be played in underprivileged mode, bugs pop up more frequently. Just a couple nights ago I had a problem with a Microsoft title (AOE3) and finally was able to net connect when switching to an admin account. The developers simply don't test in this mode enough.
Here's a response from Atari when I complained about having to play UT2004 in my admin account. You can't win when they don't even consider this a bug:
From: Tech4 Subject: RE: Unreal Tournament 2004 - Windows XP : USA : This game, like most of its type, requires Full admin access to play, and can often conflict with third party software such as firewalls or virus scanners. We recommend disabling those items when the game is in use, and turning them back on afterwards. MarkL Atari Support www.atarisupport.com
well put! way too much scandalous crap has been going on way too long.. maybe it's time to fire the federal government.. We do pay their salaries (think april 15th)
iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
daddy, what was the constitution?
If the issue is that nearly everything needs admin, and it does, and, admin itself is pocked with problems then the answer is to build a better admin with better protections so that you can have the rights without the wide open problems associated with it.
Look at a built in Windows equivalent of Sudo with as many of the good rights you need and as few of the bad ones you don't need.
The Microsoft "Designed for Windows XP" logo program requires that Applications that are designed to work with the Windows XP infrastructure for state separation of data will work correctly under Limited User accounts. So if the application breaks under a limited user, report this to Microsoft logo control. Tell the vendor you did this. This scares some vendors; there's a risk of having their Windows logo pulled.
wow...this is really dumb. why the fuck would microsoft ever do something like this.
holy cow...this is the shit....Linux is teh r0x0rzzzz
Just went through this with both companies' software. However, they and most other apps can be tamed. Sysinternals freeware Filemon and Regmon are your friends. Just fire them up and find out which registry entries and files it is trying to read/write and give Authenticated Users access to that and only that. Doesn't take too long, but it is a pain in the ass. Let the devs of LUA offenders know about your displeasure, as I did; it's the only way to get them to stop being lazy and testing everything as admin. Rarely is there a technical reason for apps to run as admin; usually it is just poor coding practices.
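The Filemon/Regmon triage described in the post above, as an added PowerShell example (not from the thread or from Sysinternals): pick out the paths a process was refused write access to, and reduce them to the containing folder or key that would need a grant. The CSV column names follow a Process Monitor-style export (Filemon/Regmon logs have the same shape once exported), and the log lines, process name and paths are constructed for illustration.

```powershell
# Added example (not from the thread): list the resources an application failed to
# open for write while running as a limited user, from a Filemon/Regmon/Procmon-style
# CSV export. The sample lines below are constructed, not a real capture.

$SampleLog = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","bacs.exe","1234","CreateFile","C:\Program Files\BACS\bacs.exe","SUCCESS","Desired Access: Execute/Traverse"
"10:01:02.2","bacs.exe","1234","CreateFile","C:\Program Files\BACS\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.3","bacs.exe","1234","RegSetValue","HKLM\SOFTWARE\Vendor\BACS\LastRun","ACCESS DENIED","Type: REG_SZ"
"10:01:02.4","bacs.exe","1234","CreateFile","C:\Program Files\BACS\logs\today.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.5","bacs.exe","1234","CreateFile","C:\Program Files\BACS\logs\today.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.6","explorer.exe","900","CreateFile","C:\Documents and Settings\alice\notes.txt","SUCCESS","Desired Access: Generic Read"
'@

function Get-DeniedResources {
    param(
        [Parameter(Mandatory)][string]$CsvText,      # the exported log
        [Parameter(Mandatory)][string]$ProcessName   # e.g. 'bacs.exe' (assumed name)
    )
    $rows = $CsvText | ConvertFrom-Csv
    $rows |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        ForEach-Object {
            # Registry paths start with a hive abbreviation; everything else is a file path.
            $isRegistry = $_.Path -match '^HK(LM|CU|CR|U|CC)\\'
            [pscustomobject]@{
                Kind   = if ($isRegistry) { 'Registry' } else { 'File' }
                # The grant normally goes on the containing key or folder, not each file.
                Target = Split-Path -Path $_.Path -Parent
                Leaf   = Split-Path -Path $_.Path -Leaf
            }
        } |
        Sort-Object -Property Kind, Target, Leaf -Unique
}

# With the constructed log this yields three distinct targets:
#   File     C:\Program Files\BACS        settings.ini
#   File     C:\Program Files\BACS\logs   today.log
#   Registry HKLM\SOFTWARE\Vendor\BACS    LastRun
Get-DeniedResources -CsvText $SampleLog -ProcessName 'bacs.exe' | Format-Table -AutoSize
```

Filter on the process name and on ACCESS DENIED only; an app typically probes many keys it never needs (the SUCCESS and NAME NOT FOUND rows), and granting on everything it touched would recreate the admin-by-default problem one ACL at a time. Note that one of the denied targets is the application's own install directory, which is the case the next example treats with care.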
the whole thing is MS's fault. not the users. The app developers have secondary responsibility but MS caused the problem in the first place. Their developer resources promote doing all kinds of bogus things in their apps. For years MSDN has gone out of its way to promote all the OS level hooks that are available to developers, many of which only work as admin.
here's an example from a couple of months ago: How to capture the print screen key and totally change how your user's GUI works. Just what I want, the ability for some random application to subvert basic elements of the system interface.
UT2004 plays with no problems on a non-admin, non-poweruser account on Windows 2000. Perhaps you really do have a conflict with some other software?
Their line about "most of its type" is bogus. In fact, the only game I can remember having to play as admin was the Battlefield 2 demo (it needs it for the cheat protection software in multiplayer). That can be fixed with a "runas administrator" link.
Actually many programs actually do not require admin rights but check for this by default before they run... It would be nice if there were an option: instead of "run as", we could have a "pretend as"?
Oh. a little bit OT but I run my wine inside Linux and programs are all seen to be running as admin... surely I am logged in as a normal account.
We are here on the authority of a multinational force, that can no longer stand by and watch one of their greatest allies falling into darkness and despair. We are here on behalf on the thousands of civilians murdered under the current administration, who have no else to speak for them, and on behalf of the US units that have joined us to oppose the tyranny that has darkened USA, ever since the fraudulent elections five years ago. We are here to place President Bush under arrest, to stop state sponsored terrorization of our own citizens and return our government to the hands of her people. We know that many in the government have wanted to act but have been intimidated by threats of retaliation against your families, your friends. You are not alone anymore. We call upon you to rise up and do what's right. We have drawn their forces away and disabled them. The time to act is now. This is not the voice of treason. These are your sons, your daughters, whose loyalties have never wavered, whose beliefs in this alliance has forces us to take extraordinary means. For justice, for peace, for the future...we have come home.
We are the GNAA.
The fix is simple. Microsoft need a logo program. I would call it "LUA Secure" and have a well recognisable logo. Developers could get their apps "LUA Secure" compliant and then be able to market this with their products. A "Designed for Windows Vista" would imply that it is LUA Secure.
Then have new users created in Vista as non-privileged user accounts and enforce LUA, with a dialog box for an admin user account and password when needing to do adminy things.
The problem is two-fold: lazy app writers, and lazy administrators.
Fixing these problems is usually not difficult. Most of these programs just need write access to a particular folder, or registry key, and they work fine. You can use FileMon and RegMon to figure out which resources these broken apps require, and then assign specific privileges to users accordingly. NT has AMAZING object-level security granularity built-in (more sophisticated than traditional Unix), but most administrators only understand 2 modes: privileged and unprivileged. They just add people to the Administrators group. It's easier, and administrators are lazy.
And even to this day, app vendors don't test their software properly under LUA. This is laziness as well.
Everyone jumps on Microsoft for these problems. But yet, everyone jumps on Microsoft if it doesn't maintain backwards compatibility. It's a Catch-22 for them.
My advice to you is, boycott ALL software that can't work under LUA. Demand that it be fixed immediately. If you MUST install it, then don't be lazy by giving out Administrator privileges. Figure out why the app is failing, and assign privileges as needed!
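The "assign privileges as needed" step from the post above, as an added PowerShell example (not from the thread): after FileMon/RegMon have shown which folder and key the application writes to, grant a limited-user group write access on exactly those two objects rather than adding users to Administrators. The vendor name, paths and principal are assumptions for illustration; run it from an elevated prompt on the machine being fixed.

```powershell
# Added example (not from the thread): grant limited users write access to only the
# folder and registry key an application was seen to need. Paths, vendor name and
# principal below are assumptions; adjust them to what the FileMon/RegMon trace shows.

$Principal = 'NT AUTHORITY\Authenticated Users'   # or a narrower domain group
$DataDir   = 'C:\Program Files\BACS\logs'          # assumed: folder the app writes to
$RegKey    = 'HKLM:\SOFTWARE\Vendor\BACS'          # assumed: key the app writes to

function Grant-WriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    $acl = Get-Acl -Path $Path
    if ($Path -like 'HK*:*') {
        # Registry: read plus WriteKey (set values, create subkeys), inherited by subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    } else {
        # Filesystem: Modify (read/write/delete below this folder) but not Full Control,
        # so the user can neither change permissions nor take ownership.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-GrantedRights {
    # Show what a principal holds on an object, so the change can be checked afterwards.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Rights'; Expression = {
                if ($_.FileSystemRights) { $_.FileSystemRights } else { $_.RegistryRights } } }
}

Grant-WriteAccess -Path $DataDir -Identity $Principal
Grant-WriteAccess -Path $RegKey  -Identity $Principal

# Verify: only these two objects carry the new ACE. The executable's own directory
# (C:\Program Files\BACS in this example) keeps its default read/execute permissions.
Get-GrantedRights -Path $DataDir -Identity $Principal
Get-GrantedRights -Path $RegKey  -Identity $Principal
```

Two checks worth making before declaring the app "fixed": first, if the trace shows writes into the folder that holds the executable itself, move the grant to a subfolder or a data directory rather than making the install directory writeable (as the earlier cacls workaround did), because a writeable install directory lets any user replace the binary that every other user, and every admin, will run. Second, a runas /savecred shortcut is not a safe substitute: the saved credential is usable for any command, not only the game it was created for.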
And that latter sentence is not something to be bragging about when the topic is security, because it means that in order for an app to have access to one small, well-defined resource (a particular port), it needs to be given uncontrolled access to all of the computer. That is, the granularity of permissions is not fine enough.
Are you adequate?