Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Pitches LUA Security Repository

Posted by ryuzaki0 on from the come-together dept.

corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."

11 of 158 comments (clear)

  1. Is this the default in Vista? by EvilMonkeySlayer · · Score: 3, Interesting

    Or at least a less priveleged account? With a password popup box whenever you want to install drivers etc akin to Mac OS X or somesuch?
    Or are they going the same route as before with the default user being an admin?
    I'd hope they did, it'd probably help reduce people installing rootkits with certain audio cd's although I doubt it'd eliminate it, there'd still be people who blindly type in their password (if they'd bothered to enter one in the first place).

    Also, on a sidenote.. MS aren't exactly standing on the moral superiority high ground here (I skimmed the article), how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows and so far the only program which is supposed to use LUA is IE7 which isn't even released yet?

    1. Re:Is this the default in Vista? by Justin_Schuh · · Score: 3, Interesting

      I used to manage the base software image for a very large network. That often entailed profiling apps to identify excessive permission requirements and finding ways to fix these issues. I can honestly say that pretty much all enterprise level software I saw worked fine in an LUA environment by 2000. For example, a lot of massaging was necessary for MS Office 96 (changing reg keys to alter file paths, opening write permission on application directories, etc.). Office 2K however, worked out of the box and separated user and system specific data properly. In general, I've found that you're fine with any application released in the last 5 years that is Windows logo compliant for enterprises.

      The real issue here is that developers are pushing this practice out to all applications, and MS will be enforcing it in Vista.

  2. Good start by MandoSKippy · · Score: 4, Interesting

    It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator. (or have that power) It's something brought up all the time about the inadequecies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly" That may be the case, but they are going down that road. Not every admin can run *nix, it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix like will actually help the adoption of open source *nix variants. I think the blast Microsoft for everything they do may backfire on /. crowd at somepoint...

  3. Old Applications by dduardo · · Score: 2, Interesting

    So, how is this going to be compability with older programs that require admin priveleges?

    1. Re:Old Applications by GIL_Dude · · Score: 3, Interesting

      It isn't TOO bad because of the built in file and registry virtualization in Vista. If a program running with a LUA token tries to write to say the "C:\Program Files\PoorlyWrittenApp" folder, that write will result in a copy of the file (if it already existed) being made and placed in a location under the user's profile. Then the write to that file will succeed in the new location in the user profile. The OS will preferentially read that new file whenever the file in program files is being "read" by the app.

      The same thing works for registry entries.
      There are certain files (like .exe, etc.) that are never virtualized to make sure people don't get DoS attacked by "replacing" their exe files. There are API's for application developers to specify that they don't want certain files, folders, or registry keys to virtualize. All in all, it makes the app compat story pretty robust.

  4. Windows 2K Power Users? by Anonymous Coward · · Score: 2, Interesting
    What happened to the Windows 2000 Power Users type in XP? Had they kept that and used it as the default in XP, we'd be in a lot better shape today.


    Logo Cert. should require games and most apps to work with Power Users or equ.

  5. Not easy to create limited accounts on Windows XP by Mandrel · · Score: 4, Interesting

    Just the other day I tried to guide someone through setting up a new account and e-mail settings on XP SP2 over the phone. I decided to play it safe and told them to create a limited account. But when you log into the new account and try to run Outlook Express you get this error message, which I couldn't get them past to configure e-mail. I later worked out that you must first run Internet Explorer at least once on the new account before the e-mail setup wizard will come up when Outlook Express is run.

  6. Re:The two chief problems by pe1chl · · Score: 2, Interesting

    We have been running Windows 2000 workstations with ordinary "user" privileges and toughened filesystem security settings at work for several years now.
    What you describe is becoming less and less common, but it happens. Interestingly enough, one of the worst applications at work is an electronic banking program.
    Apparently banks don't care about security. We got the same response from their helpdesk.

    But otherwise, it really is possible to do it. Requires some extra effort, but so does security on Unix/Linux systems.
    We even run an extra service called "TrustNoExe" that allows you to restrict the location of executable programs to e.g. C:\Program Files and C:\Windows, where users cannot write. This even more prevents downloading and "accidentally" running unapproved programs.

  7. For everybody attempting to defend MS... by Anonymous Coward · · Score: 1, Interesting

    Quote from their website:

    "Most Microsoft employees are highly technology literate and routinely explore the limits of the tools available to them in order to improve product quality. For example more than 95 percent of Microsoft employees have local administrator rights to their desktops."

    http://www.microsoft.com/technet/itsolutions/msit/ security/mssecbp.mspx

    And Microsoft's martketing people are bragging about this as SECURITY FEATURES. ::shudders::

  8. Even "aware" users have to use admin accounts by bender647 · · Score: 2, Interesting

    I use XP largely to play games, and find that even on games that can be played in underprivileged mode, bugs pop up more frequently. Just a couple nights ago I had a problem with a Microsoft title (AOE3) and finally was able to net connect when switching to an admin account. The developers simply don't test in this mode enough.

    Here's a response from Atari when I complained about having to play UT2004 in my admin account. You can't win when this is they don't even consider this a bug:

    From: Tech4 Subject: RE: Unreal Tournament 2004 - Windows XP : USA : This game, like most of its type, requires Full admin access to play, and can often conflict with third party software such as firewalls or virus scanners. We recommend disabling those items when the game is in use, and turning them back on afterwards. MarkL Atari Support www.atarisupport.com
  9. Re:Those who do not understand unix... by Frumious+Wombat · · Score: 4, Interesting

    Unfortunately, since the OS we're talking about is NT-based, the aphorism should read:

    Those who do not understand VMS are condemned to reimplement it, poorly

    This is what amazes me about these discussions: they hired Cutler, the architect of a very successful OS, that had all of the necessary security features. They updated and reimplemented his architecture for modern PC hardware. They then mangled it beyond all recognition by insisting that programs written for Win 3.1 and later Win95 run under NT/2K/XP as if they were still on single-user, no priv separation, versions, and we're still living with that behaviour today.

    I tried to run my users with no privs on the last job, and always got bitten by programs such as WordPerfect, which insisted they had to run with PowerUser privs. Meanwhile, complex, computationaly demanding, graphics-heavy programs such as Spartan (visual environment for quantum chemistry), quietly installed in their own folder, didn't write to the registry, and could be moved without breaking because they didn't install anything to the system directories.

    The second one is no less complex than WP, yet it behaved for non-priv'd users while popular programs with large development teams funded by reasonable-sized corporations, didn't.

    Personally, I think there needs to be a local copy or version of the registry and system folders for such programs, so that they can write to it and be happy, without the user actually having manager privs. That way people with software written for 95/98/ME that they aren't ready to give up can still run it, while the administrator can screw down their machines and keep them relatively safe. This is probably better than the real solution, which would be MS deciding with Vista: Normal users will run as non-priv'd users, and have no write access to system folder or registry. Older programs expecting that ability will simply not run.

    The Truly Best Answer would be someone at Redmond deciding, "hey, the next version of our OS will be Microsoft VMS!" Just put the Vista graphical environment on top of a real VMS core, remember that the default SYSTEM account should not ship with password MANAGER, and finally do it right.

    --
    the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken