Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Pitches LUA Security Repository

Posted by ryuzaki0 on from the come-together dept.

corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."

2 of 158 comments (clear)

  1. LUA ignored by developers too by ncw · · Score: 4, Insightful
    From the article :-

    The LUA principle, which promotes the use of accounts with fewer access rights than Administrator accounts, has been largely ignored by end users, but if Aaron Margosis and Shelly Bird have their way, code writers will have a central place to get tools and training to create least-privilege applications.
    Coming from a unix background, when I set up a computer for my children with Windows XP, I decided to make sure that the children each had their own user account, and that none of those user accounts had administrator priviledges.

    The first bit of that plan went down very well - they love having their own user accounts. However almost none of their games/software run as anything except Administrator, even games which say on the box "designed for windows XP".

    I end up having to make a custom runas command for each one with /savecred - the windows equivalent to chmod u+s. This is a PITA to setup, insecure and doesn't work for all their software. There is some we've just had to abandon since it just won't work like that.

    So please, software developers, check your software works without admin priviledges!

    --
    Every man for himself, all in favour say "I"
  2. The two chief problems by Alioth · · Score: 4, Insightful

    The two chief problems with LUA in Windows are:

    - The Windows programming culture assumes a single user, single tasking computer.
    - Users on Windows are administrator by default

    The first is the developers fault, the second is Microsoft's. At least Microsoft are trying to fix their end. But even 4 years after Windows XP was released, software is being released by developers who should know better that still require either admin rights or much tinkering to get to run as non-admin. The most recent one I encountered was an application for BACS payments a couple of weeks ago - their tech support's answer was "run as admin". I managed to get it to work for non admins (since this was on a Windows domain) only by caclsing (aka chmodding) the application's directory writeable by all!

    It's obvious that the developer had simply not tested the program as non admin.

    --
    Oolite: Elite-like game. For Mac, Linux and Windows