Slashdot Mirror
Microsoft Pitches LUA Security Repository
corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."
Or at least a less priveleged account? With a password popup box whenever you want to install drivers etc akin to Mac OS X or somesuch?
Or are they going the same route as before with the default user being an admin?
I'd hope they did, it'd probably help reduce people installing rootkits with certain audio cd's although I doubt it'd eliminate it, there'd still be people who blindly type in their password (if they'd bothered to enter one in the first place).
Also, on a sidenote.. MS aren't exactly standing on the moral superiority high ground here (I skimmed the article), how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows and so far the only program which is supposed to use LUA is IE7 which isn't even released yet?
It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator. (or have that power) It's something brought up all the time about the inadequecies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly" That may be the case, but they are going down that road. Not every admin can run *nix, it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix like will actually help the adoption of open source *nix variants. I think the blast Microsoft for everything they do may backfire on /. crowd at somepoint...
It isn't TOO bad because of the built in file and registry virtualization in Vista. If a program running with a LUA token tries to write to say the "C:\Program Files\PoorlyWrittenApp" folder, that write will result in a copy of the file (if it already existed) being made and placed in a location under the user's profile. Then the write to that file will succeed in the new location in the user profile. The OS will preferentially read that new file whenever the file in program files is being "read" by the app.
.exe, etc.) that are never virtualized to make sure people don't get DoS attacked by "replacing" their exe files. There are API's for application developers to specify that they don't want certain files, folders, or registry keys to virtualize. All in all, it makes the app compat story pretty robust.
The same thing works for registry entries.
There are certain files (like
Just the other day I tried to guide someone through setting up a new account and e-mail settings on XP SP2 over the phone. I decided to play it safe and told them to create a limited account. But when you log into the new account and try to run Outlook Express you get this error message, which I couldn't get them past to configure e-mail. I later worked out that you must first run Internet Explorer at least once on the new account before the e-mail setup wizard will come up when Outlook Express is run.
Unfortunately, since the OS we're talking about is NT-based, the aphorism should read:
Those who do not understand VMS are condemned to reimplement it, poorly
This is what amazes me about these discussions: they hired Cutler, the architect of a very successful OS, that had all of the necessary security features. They updated and reimplemented his architecture for modern PC hardware. They then mangled it beyond all recognition by insisting that programs written for Win 3.1 and later Win95 run under NT/2K/XP as if they were still on single-user, no priv separation, versions, and we're still living with that behaviour today.
I tried to run my users with no privs on the last job, and always got bitten by programs such as WordPerfect, which insisted they had to run with PowerUser privs. Meanwhile, complex, computationaly demanding, graphics-heavy programs such as Spartan (visual environment for quantum chemistry), quietly installed in their own folder, didn't write to the registry, and could be moved without breaking because they didn't install anything to the system directories.
The second one is no less complex than WP, yet it behaved for non-priv'd users while popular programs with large development teams funded by reasonable-sized corporations, didn't.
Personally, I think there needs to be a local copy or version of the registry and system folders for such programs, so that they can write to it and be happy, without the user actually having manager privs. That way people with software written for 95/98/ME that they aren't ready to give up can still run it, while the administrator can screw down their machines and keep them relatively safe. This is probably better than the real solution, which would be MS deciding with Vista: Normal users will run as non-priv'd users, and have no write access to system folder or registry. Older programs expecting that ability will simply not run.
The Truly Best Answer would be someone at Redmond deciding, "hey, the next version of our OS will be Microsoft VMS!" Just put the Vista graphical environment on top of a real VMS core, remember that the default SYSTEM account should not ship with password MANAGER, and finally do it right.
the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken