Slashdot Mirror


Microsoft Pitches LUA Security Repository

corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."

2 of 158 comments

  1. Re:Managed PCs by Justin_Schuh · Score: 5, Informative

    Solving the problem by making the directory writable basically defeats the purpose. Write access to the content means that you can replace essential files, such as the executables themselves. Even if write permissions are not allowed to the contained files, you can still use DLL redirection to trojan the executables. So basically, they need to fix the app.

    As for the specific issue, based on what you've written there are three likely scenarios that cause this problem. The first is that they're not separating system and user specific config data, and it's all being stored in the application directory. That's a big no-no and it can require some significant effort to fix. The remaining possibilities are easier. They may just be creating temp files under the application directory, in which case they just need to use the system provided temp path for the current user. The last one is that they're opening files under the application directory as writeable, when they only need read access. This one happens a lot, and the fix is to just make sure the file is opened as read-only if it only needs to be read.

    If you are interested in finding the actual cause of the problem, you can probably diagnose it with Filemon (freeware) from Sysinternals. Who knows, you may be able to sway their developers to fix it with some specific information.
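One way to sort a Filemon-style trace into the three scenarios this comment describes, as an added example that is not the commenter's code; the tab-separated column layout and the sample lines are constructed for the example and are not Filemon's real output format.

```python
import os
import re
from collections import defaultdict

# Constructed sample trace. The column layout (process, request, path,
# result, access) is an assumption made for this example, not Filemon's
# actual output; adapt the field split to the real columns when using it.
SAMPLE_TRACE = """\
legacyapp.exe\tOPEN\tC:\\Program Files\\LegacyApp\\settings.ini\tACCESS DENIED\tWrite
legacyapp.exe\tCREATE\tC:\\Program Files\\LegacyApp\\~lck1234.tmp\tACCESS DENIED\tWrite
legacyapp.exe\tOPEN\tC:\\Program Files\\LegacyApp\\data\\catalog.db\tACCESS DENIED\tWrite
legacyapp.exe\tOPEN\tC:\\Program Files\\LegacyApp\\legacyapp.exe\tSUCCESS\tRead
legacyapp.exe\tCREATE\tC:\\Documents and Settings\\bob\\Local Settings\\Temp\\out.tmp\tSUCCESS\tWrite
"""

# The fix for each cause, as described in the comment above.
FIXES = {
    "config": "store user/system config outside the application directory",
    "temp": "create temp files under the per-user temp path",
    "write_open": "open read-only unless the file is really written",
}
CONFIG_EXTS = {".ini", ".cfg", ".conf", ".xml"}
TEMP_NAME = re.compile(r"(^~|\.tmp$)", re.IGNORECASE)


def classify(path):
    """Map a denied write under the app directory to one of the three causes."""
    name = path.rsplit("\\", 1)[-1]          # Windows path: split on backslash
    ext = os.path.splitext(name)[1].lower()
    if TEMP_NAME.search(name):
        return "temp"
    if ext in CONFIG_EXTS:
        return "config"
    return "write_open"


def triage(trace, app_dir):
    """Return {cause: [paths]} for write-access denials inside app_dir."""
    prefix = app_dir.rstrip("\\").lower() + "\\"
    found = defaultdict(list)
    for line in trace.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue                          # malformed line, skip it
        _proc, _req, path, result, access = fields
        if result != "ACCESS DENIED" or access != "Write":
            continue                          # only denied writes matter here
        if not path.lower().startswith(prefix):
            continue                          # denial elsewhere is a different problem
        found[classify(path)].append(path)
    return dict(found)


if __name__ == "__main__":
    for cause, paths in triage(SAMPLE_TRACE, r"C:\Program Files\LegacyApp").items():
        print(f"{cause}: {len(paths)} event(s) -> {FIXES[cause]}")
        for p in paths:
            print("   ", p)
```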

  2. Report noncompliant apps to Microsoft by Animats · Score: 3, Informative

    The Microsoft "Designed for Windows XP" logo program requires that applications that are designed to work with the Windows XP infrastructure for state separation of data will work correctly under Limited User accounts. So if the application breaks under a limited user, report this to Microsoft logo control. Tell the vendor you did this. This scares some vendors; there's a risk of having their Windows logo pulled.