Microsoft Pitches LUA Security Repository

← Back to Stories (view on slashdot.org)

Microsoft Pitches LUA Security Repository

Posted by ryuzaki0 on Saturday December 17, 2005 @02:24AM from the come-together dept.

corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."

125 of 158 comments (clear)

Min score:

Reason:

Sort:

Adobe by thegoldenear · 2005-12-17 02:26 · Score: 1, Insightful

I'd like to sign Adobe up to that right away.
1. Re:Adobe by kfuq · 2005-12-17 05:00 · Score: 1
  
  Don't forget intiut too (the makers of quickbooks and the like)
  
  who in the fuck thought it was a good idea to let end user software run with ADMINISTRATOR access?
  
  Let's all use IRC as root/administrator too.. that's just a really good idea as well...
  
  WHAT IN THE HELL EVER HAPPENED TO JUST A LITTLE SHRED OF COMMON SENSE???
  
  --
  iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
2. Re:Adobe by thegoldenear · 2005-12-17 06:03 · Score: 1
  
  yup, well said, I forgot them. first against the wall with Adobe.
  And its not as if you can wean people off-of Quickbooks, at this point in time.
3. Re:Adobe by jZnat · 2005-12-17 07:43 · Score: 1
  
  Back in ye olden days of Windows 9x, there wasn't an available multi-user concept featured in Unix for at least 25+ years at the time. When win9x went away in favour of a Windows NT kernel and environment, the multi-user environment was a completely new concept to hundreds of inexperienced programmers. To this day, several commonly-used programs still depend on Administrator access due to its development under an originally single-user environment or out of plain ignorance/stupidity.
  
  --
  'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
4. Re:Adobe by drsmithy · 2005-12-18 15:34 · Score: 1
  
  When win9x went away in favour of a Windows NT kernel and environment, the multi-user environment was a completely new concept to hundreds of inexperienced programmers.
  It's worth pointing out that NT has been around since 1993 and even Windows 9x has supported APIs and similar (eg: per user registries, per-user home directories/profiles, etc) to develop "multiuser friendly" applications since Windows 95 OSR2 (ca. 1996 - 97).
  Software developers have had everything they need for around a decade to create Windows applications that don't needlessly require Administrator privileges. Those that haven't have no excuse.
  To this day, several commonly-used programs still depend on Administrator access due to its development under an originally single-user environment or out of plain ignorance/stupidity.
  Even today, supposedly top-notch developers are releasing software with needlessly idiotic implementations that "require" administrator privileges to run (I'm looking at you, id software).
5. Re:Adobe by jZnat · 2005-12-18 19:04 · Score: 1
  
  I also recall that in the past (don't know if it holds true to date), Microsoft's APIs didn't give a clear line between Administrator and User functionality, so developers would just go ahead and used whatever was most convenient for them. Of course, that meant a lot of unnecessary admin-level functionality being implemented into common userspace programs, so now we have this admin hell that Microsoft accidently (I wouldn't say they did it on purpose...) created. Good thing Unix had this all figured out some thirty years ago, so we never really have this problem on Linux and the BSDs.
  
  --
  'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
6. Re:Adobe by darkpixel2k · 2005-12-21 19:49 · Score: 1
  
  http://www.gnucash.org/
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
Those who do not understand unix... by Saint+Stephen · 2005-12-17 02:28 · Score: 3, Insightful

Those who do not understand unix are condemned to reinvent it, poorly.

I dont' think I've ever seen a more apt example of this aphorism.
1. Re:Those who do not understand unix... by cnettel · 2005-12-17 02:39 · Score: 2, Insightful
  
  How so? Existing programs that want to be able to write to a specific HKLM key or "needs" to write to a specific file are a significant problem. The total security can sometimes be kept, while accomodating some small changes for specific apps.
  No one would write a UNIX app that required root to run, but if there were a bunch of such apps, what would you do about it?
  (The other option is some kind of charade where old apps would get a virtual file system and registry. That would have some advantages, but it would also be a total mess to know where something presented by an application is a real path or a virtual path in the private filesystem.)
2. Re:Those who do not understand unix... by TallMatthew · 2005-12-17 02:49 · Score: 1
  
  No one would write a UNIX app that required root to run, but if there were a bunch of such apps, what would you do about it?
  Many people have written such apps, they are called servers. Anything that binds on a privileged port requires root access.
  The other option is some kind of charade where old apps would get a virtual file system and registry. That would have some advantages, but it would also be a total mess to know where something presented by an application is a real path or a virtual path in the private filesystem.
  We call that "charade" chrooting and it works quite well. It's pretty messy with the pointy and the clicky but from the command line it's easy to manage, assuming you know what you're doing.
3. Re:Those who do not understand unix... by heinousjay · 2005-12-17 03:25 · Score: 1
  
  It's pretty messy with the pointy and the clicky but from the command line it's easy to manage, assuming you know what you're doing.
  
  I'm going off the topic and on a rant
  
  In general, that's never true. Visual UI is a much more intuitive and manageable metaphor for several reasons, not the least of which that it enables feedback to user without displacing things. The problem you've experienced is likely the result of a poor GUI, not GUI in general. Since you appear to be a UNIX user, I'm not surprised. The weakest guis tends to appear there. I've found, however, that with thought into how the work is accomplished, nothing beats a well designed graphical interface.
  
  --
  Slashdot - where whining about luck is the new way to make the world you want.
4. Re:Those who do not understand unix... by peragrin · 2005-12-17 03:52 · Score: 2, Informative
  
  I can do more with a command line, scripting and a text editor faster and easier than I can with a gui.
  
  simple situation. I store my Browser bookmarks on my website so I always have a backup copy them.
  
  GUI. "OS X" Windows or KDE aren't a lot different here
  right click on applications folder in dock, (it opens a contextual menu of all items inside, think start menu, kde menu)
  find ftp program and open it.
  click on on appropriate bookmark,
  type in password,
  drag file from local to remote directory.(this assuming it opens up to the right directories to begin with)
  let it work
  close everything
  
  From command line Home direcory
  type in ~/Applications/ftpbookmarks (bash script)
  type in password when prompted
  let it work.
  
  Now, which is easier? The command line. Of course you have to know what you are doing to begin with in order to use it. I might be able to do the above with apple scripting the gui but why when the bash one is literally 10 lines of script and can easily be changed.
  
  what is needed is a new method for working with computers. Some way of working the gui with both a mouse and a quick command line that can deal with both text and other items. Apple's Open command is a start. as it will load the default program for images/movies to show them(open -e somemovie.mov wil launch the movie in quicktime). Maybe Microsoft's new shell will actually be cool. It's supposed to deal with objects instead of text.
  
  --
  i thought once I was found, but it was only a dream.
5. Re:Those who do not understand unix... by ilikejam · 2005-12-17 03:58 · Score: 1
  
  Have a koan.
  
  --
  C-x C-s C-x k
6. Re:Those who do not understand unix... by deaddrunk · 2005-12-17 04:00 · Score: 1
  
  GUIs may be better than command lines for desktop apps but the power of shell scripting and the like makes it a poor fit for a server. There are no intuitive GUIs anyway, they all have quirks that catch out the unwary user. Personally I don't find KDE any more difficult to use than Windows, and speaking as someone who provides regular tech support to non-techies I doubt they would too.
  
  --
  Does a Christian soccer team even need a goalkeeper?
7. Re:Those who do not understand unix... by TallMatthew · 2005-12-17 04:08 · Score: 1
  
  In general, that's never true.
  Ok, let's have a race. I want you to find all the MP3s in a directory tree /Myfiles (or \MyFiles) and move them to a new directory, excuse me folder, called "MyMP3s".
  Ready.... Go!
  find /Myfiles -name *.mp3 -exec mv {} /MyMP3s \;
  I'm done! You done yet?
  Ok, that was obnoxious but my point was setting up a chroot jail is easier with command-line utilities. If you don't know of anything that's easier with a command line tool, then you haven't done everything yet.
8. Re:Those who do not understand unix... by Anonymous Coward · 2005-12-17 05:04 · Score: 1, Insightful
  
  You did not prove that a command line was easier. All you really said is that you have created a script that makes ftping your bookmarks easier and you execute your program via the commandline.
9. Re:Those who do not understand unix... by Frumious+Wombat · 2005-12-17 05:12 · Score: 4, Interesting
  
  Unfortunately, since the OS we're talking about is NT-based, the aphorism should read:
  
  Those who do not understand VMS are condemned to reimplement it, poorly
  
  This is what amazes me about these discussions: they hired Cutler, the architect of a very successful OS, that had all of the necessary security features. They updated and reimplemented his architecture for modern PC hardware. They then mangled it beyond all recognition by insisting that programs written for Win 3.1 and later Win95 run under NT/2K/XP as if they were still on single-user, no priv separation, versions, and we're still living with that behaviour today.
  
  I tried to run my users with no privs on the last job, and always got bitten by programs such as WordPerfect, which insisted they had to run with PowerUser privs. Meanwhile, complex, computationaly demanding, graphics-heavy programs such as Spartan (visual environment for quantum chemistry), quietly installed in their own folder, didn't write to the registry, and could be moved without breaking because they didn't install anything to the system directories.
  
  The second one is no less complex than WP, yet it behaved for non-priv'd users while popular programs with large development teams funded by reasonable-sized corporations, didn't.
  
  Personally, I think there needs to be a local copy or version of the registry and system folders for such programs, so that they can write to it and be happy, without the user actually having manager privs. That way people with software written for 95/98/ME that they aren't ready to give up can still run it, while the administrator can screw down their machines and keep them relatively safe. This is probably better than the real solution, which would be MS deciding with Vista: Normal users will run as non-priv'd users, and have no write access to system folder or registry. Older programs expecting that ability will simply not run.
  
  The Truly Best Answer would be someone at Redmond deciding, "hey, the next version of our OS will be Microsoft VMS!" Just put the Vista graphical environment on top of a real VMS core, remember that the default SYSTEM account should not ship with password MANAGER, and finally do it right.
  
  --
  the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken
10. Re:Those who do not understand unix... by cortana · 2005-12-17 05:26 · Score: 1
  
  Aren't MS planning to do the virtual filesystem thing in Vista? So an app thinks it's writing to \Windows but really it writes to Documents\user\Windows or similar?
  
  The registry already has virtual roots: HKEY_CURRENT_USER, HKEY_CLASSES_ROOT(*) and HKEY_CURRENT_CONFIG. Also, on amd64, registry operations from 32-bit software are (sometimes) redirected to HKEY_LOCAL_MACHINE\Software\WOW6432.
  
  * especially nasty since this merges information from the per-user classes key with the local machine classes key--not such a problem except that it is also updateable. The net result is that programs never bother to store file/class/app association information in the correct place--they just dump it all in HKEY_CLASSES_ROOT, which usually requires the privilige to write to HKEY_LOCAL_MACHINE.
11. Re:Those who do not understand unix... by Foolhardy · 2005-12-17 05:29 · Score: 1
  
  I'm not ready to pass judgement on GUI vs command line in general, but in this case on Windows, I'd hit WindowsKey+F to open a search box, put *.mp3 in the find description, ALT+L for location, type \MyFiles, enter, wait for the results, hit CTRL+A to select all, CTRL+X to cut, hit ALT+A to focus the address bar, stick \MyMP3s in there, hit enter, SHIFT+TAB to refocus the files pane, and CTRL+V to paste.
  
  There are several steps, but fewer overall keypresses. (35 vs 49) One major disadvantage is that I'd have to wait for the search to complete before I could copy anything, whereas you can enter the entire command at once.
12. Re:Those who do not understand unix... by cortana · 2005-12-17 05:36 · Score: 1
  
  "Meanwhile, complex, computationaly demanding, graphics-heavy programs such as Spartan (visual environment for quantum chemistry), quietly installed in their own folder, didn't write to the registry, and could be moved without breaking because they didn't install anything to the system directories."
  This is not really a great deal better; your user account (and hence an attacker who has compromised your account, manual cracking or automatic worm/virus alike) is still able to alter the application.
  Personally, I think there needs to be a local copy or version of the registry and system folders for such programs, so that they can write to it and be happy, without the user actually having manager privs.
  Oh god no, we'll be back at square one! Now an attacker does not need to bother gaining the privilige necessary to alter installed program files, system libraries, and so on; he can merely dump a file somewhere in your $HOME, and have his malicious code run undetected.
13. Re:Those who do not understand unix... by rolfwind · 2005-12-17 05:48 · Score: 1
  
  Reinvent unix, you mean like Linux?
  
  http://www.cs.bell-labs.com/wiki/plan9/plan_9_wiki /
  
  http://www.cs.bell-labs.com/plan9dist/
  
  (Sorry, I'm not attacking Linux, I just find your post ironic....)
14. Re:Those who do not understand unix... by mpe · 2005-12-17 05:51 · Score: 1
  
  GUIs may be better than command lines for desktop apps but the power of shell scripting and the like makes it a poor fit for a server.
  
  There are plenty of non-server situations where a GUI can be clumsy. e.g. for complex find/replace on a document GUI tools can be inadequte (can't use regular expressions) or very complex (lots of clicking as opposed to typing a few symbols).
15. Re:Those who do not understand unix... by cortana · 2005-12-17 05:58 · Score: 1
  
  It is not, because it is completley unpredictable. The destination that your writes end up in (and hence the privilige required to write) are determined by what data are already present in the local machine classes, and current user classes.
  
  The correct way to do it is to put per-user settings in HKEY_CURRENT_USER\Software\Classes, and to put all-user default settings in HKEY_LOCAL_MACHINE\Software\Classes. It's hardly rocket science!
16. Re:Those who do not understand unix... by $pace6host · 2005-12-17 06:03 · Score: 1
  
  OTOH, the GP's solution doesn't require switching back and forth from keyboard to mouse (and so is probably faster, at least for the touch typist), is scriptable, doesn't require the use of the mouse or screen, sends less useless output (important if you're remote admining over a dial-up line), and is possible to initiate remotely from practically any kind of PC that has networking, if you have SSH set up. Now I could do your solution remotely with if I install a WinVNC server and use any browser that has Java support, but it would still suck royally over dial-up. And I couldn't set it up to happen automatically every day at 0300h, because there's no one there to clicky the mousey. I think the key here is that GUIs have their place making the common activities easy. Command lines have their place making the more complicated, probably less common activities easy (or at least possible). GUIs usually sacrifice flexibility and require greater resources to do even simple tasks, but they're easy for the novice. Command lines usually sacrifice simplicity for flexibility, and require fewer resources.
17. Re:Those who do not understand unix... by mpe · 2005-12-17 06:12 · Score: 1
  
  This is what amazes me about these discussions: they hired Cutler, the architect of a very successful OS, that had all of the necessary security features. They updated and reimplemented his architecture for modern PC hardware. They then mangled it beyond all recognition by insisting that programs written for Win 3.1 and later Win95 run under NT/2K/XP as if they were still on single-user, no priv separation, versions, and we're still living with that behaviour today.
  
  Gutting the OS security model is not the only way to do this. Indeed disabling the OS security model to deal with a few (or one) misbehaving apps is almost certainly not the right way to go about things. Better is to be able to assign elevated privileges to applications, rather than users. So far as legacy applications go the obvious solution is to use a virtual machine.
  
  I tried to run my users with no privs on the last job, and always got bitten by programs such as WordPerfect, which insisted they had to run with PowerUser privs. Meanwhile, complex, computationaly demanding, graphics-heavy programs such as Spartan
  
  Quite an apt name for a program which is neat and tidy in terms of it's file system use.
  
  (visual environment for quantum chemistry), quietly installed in their own folder, didn't write to the registry, and could be moved without breaking because they didn't install anything to the system directories.
  The second one is no less complex than WP, yet it behaved for non-priv'd users while popular programs with large development teams funded by reasonable-sized corporations, didn't.
  
  It isn't the complexity of the program, so much as the competance of the programmers. By the sound of things "Spartan" was written by scientists and engineers. But is the average corporate coder required to hold a degree (in any subject)?
  
  The Truly Best Answer would be someone at Redmond deciding, "hey, the next version of our OS will be Microsoft VMS!" Just put the Vista graphical environment on top of a real VMS core, remember that the default SYSTEM account should not ship with password MANAGER,
  
  Nor should the SYSTEM password in ALTUAF be blank :)
18. Re:Those who do not understand unix... by TallMatthew · 2005-12-17 06:17 · Score: 1
  
  'm not ready to pass judgement on GUI vs command line in general, but in this case on Windows, I'd hit WindowsKey+F to open a search box, put *.mp3 in the find description, ALT+L for location, type \MyFiles, enter, wait for the results, hit CTRL+A to select all, CTRL+X to cut, hit ALT+A to focus the address bar, stick \MyMP3s in there, hit enter, SHIFT+TAB to refocus the files pane, and CTRL+V to paste.
  Nice. If you ever do decide to become a Unix user, you'll be a natural for emacs.
19. Re:Those who do not understand unix... by $pace6host · 2005-12-17 06:38 · Score: 1
  
  And of course, your solution was all keystrokes too. D'OH!
  <Hangs head in shame>
  Still, the other remarks about output, remoting, scriptability, scheduling when no user is logged in, they still stand. Just ignore the part where I skipped the obvious.
20. Re:Those who do not understand unix... by Foolhardy · 2005-12-17 06:58 · Score: 1
  
  Nice. If you ever do decide to become a Unix user, you'll be a natural for emacs.
  I'm afraid it's too late; I'm already using Emacs on Linux and Windows. It's too bad the topic wasn't Emacs Lisp scripting...
21. Re:Those who do not understand unix... by croddy · 2005-12-17 07:07 · Score: 1
  
  The last time I let Windows XP SP2 find 20,000 MP3's and put them in that search results box, the system churned for 80 minutes and then locked up without so much as a blue screen. Since it was a dual-processor P4 with 2GB of memory, I assumed it had to be an OS problem. So, I re-imaged the machine and applied the latest patches again. Send the Windows file search tool on its merry way, and sure enough, it churned for 80 minutes and then died.
  This time, I rebooted it, installed cygwin, used find(1) to move the files, and went to lunch. When I got back it was done.
22. Re:Those who do not understand unix... by Frumious+Wombat · 2005-12-17 08:33 · Score: 1
  
  Presumably, though, the system versions of programs and system-wide configurations remain untouched elsewhere on the machine. In this scenario, you can hurt yourself, but not anyone else. To clean up a virus/worm in this environment, I delete your account, and leave the machine and all of the officially installed programs alone.
  
  So, as long as the user doesn't rewrite their path (defined by the administrator and stored in the system registry), they may not even have a problem beyond the next reboot. Programs such as WP would still be installed system-wide by someone with admin privs, but would then run for each user as if they have exclusive access.
  
  Ideally, this hack would have never been necessary, as the people writing the NT code-base would have had the political throw to make the hacks over in 95-land be forward compatible. In reality, this solution is easier to implement than either time-travel or scrapping the entire edifice.
  
  --
  the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken
23. Re:Those who do not understand unix... by Foolhardy · 2005-12-17 09:05 · Score: 1
  
  Far be it for me to diminish your story, but I did an F3 search for all my SID files (20327 of em, more files than any other music type) in the entire music directory, and it took about 15 seconds. Now that it's cached it takes about 3 seconds for successive searches on those directories. Most of the CPU time is spent in Explorer doing file name matching. dir \music\*.sid /s is similar. This is on an Athlon XP 2800, 1GB RAM, nVidia chipset, a 100GB NTFS volume and Windows Server 2003 sp1. Are you sure your filesystem isn't corrupted? What FS are you using, btw? You may need to defrag the MFT. When you say it hangs, do you mean the entire OS or just Explorer? Also, Explorer (shell) type searches will also search the index of ZIP files, so if you have a large or damaged ZIP file, Explorer might be choking on it. If you want the shell to quit doing that, unregister the zip folder support library:
  regsvr32 /u %windir%\system32\zipfldr.dll
24. Re:Those who do not understand unix... by croddy · 2005-12-17 09:45 · Score: 1
  
  I don't know. Honestly, I'm not too interested in Windows Tricks & Tips anymore. I didn't have that machine for too long. I gave it back to desktop support and pulled an old 700MHz P3 off the discard pile and stuck Debian on it. Smooth sailing ever since.
25. Re:Those who do not understand unix... by yo_tuco · 2005-12-17 10:29 · Score: 1
  
  This CLI/GUI argument is old as the hills. If you can't see the value in both of these interfaces, you have spent too much time in only one, IMHO.
26. Re:Those who do not understand unix... by Foolhardy · 2005-12-17 11:48 · Score: 1
  
  Hey, whatever works.
27. Re:Those who do not understand unix... by woolio · 2005-12-17 19:24 · Score: 1
  
  How so? Existing programs that want to be able to write to a specific HKLM key or "needs" to write to a specific file are a significant problem.
  
  Well, can't regedt32.exe be used to set per-user permissions on registry keys???
  
  And Windows-style file persmissions can be used to allow only certain users to write/modify certain files/directories...
  
  The Real Problem is that most people don't bother to properly configure this stuff... Even parts of the OS don't even properly use these features. (Look at how many services are running as "SYSTEM" rather than something else). Most off-the-shelf software only installs under an admin account.
  
  I think a virtual fs/registry would have the same problems as "chroot" environments do in Linux... Great idea, great security, but damn hard to implement correctly for most apps. And then upgrades become a real pain... (What an upgrade to a library causes a file in a chroot to have unresolved dependencies!?!)
28. Re:Those who do not understand unix... by drsmithy · 2005-12-18 15:39 · Score: 1
  
  Ok, that was obnoxious but my point was setting up a chroot jail is easier with command-line utilities.
  Only if the GUI sucks.
  If you don't know of anything that's easier with a command line tool, then you haven't done everything yet.
  I know of a few things that are "easier" with a commandline (and many, many things that are "quicker"). However, 90% of them are only "easier" because a GUI interface either doesn't exist, or is extremely poorly designed.
29. Re:Those who do not understand unix... by drsmithy · 2005-12-18 15:55 · Score: 1
  
  This is what amazes me about these discussions: they hired Cutler, the architect of a very successful OS, that had all of the necessary security features. They updated and reimplemented his architecture for modern PC hardware. They then mangled it beyond all recognition by insisting that programs written for Win 3.1 and later Win95 run under NT/2K/XP as if they were still on single-user, no priv separation, versions, and we're still living with that behaviour today.
  No they didn't. Microsoft have been telling developers to write applications so they worked in regular user accounts for a decade.
  Hell, the even implemented many of the "multiuser" features like per-user registries, home directories, etc on their single-user OS (Windows 9x) to make it easier for developers to write software that would run equally well as a regular user on NT as it did in Windows 9x.
Bad acronym by HishamMuhammad · 2005-12-17 02:30 · Score: 2, Informative

Made me instantly think of the Lua programming language.

--
The filesystem is the package manager
1. Re:Bad acronym by leonmergen · 2005-12-17 02:37 · Score: 1
  
  Made me instantly think of the Lua programming language.
  
  Thank god there's something like context, in which LUA the programming language wouldn't make sense... :-)
  
  --
  - Leon Mergen
  http://www.solatis.com
2. Re:Bad acronym by HishamMuhammad · 2005-12-17 02:53 · Score: 1
  
  True, but I was referring to the title. Think "Microsoft Pitches PHP Security Repository". Disclaimer: I work with Lua, so the association was probably more natural for me than for most.
  
  --
  The filesystem is the package manager
3. Re:Bad acronym by tiredwired · 2005-12-17 03:04 · Score: 1
  
  LUA is an acronym. Lua is not. Lua means moon in Portuguese and is pronounced LOO-ah.
4. Re:Bad acronym by millennial · 2005-12-17 05:00 · Score: 1
  
  Your point? Many people write Perl as PERL. Perl is an acronym. So is PERL. The difference between LUA and Lua is not one most people would think significant.
  
  --
  I am scientifically inaccurate.
5. Re:Bad acronym by 0xygen · 2005-12-17 05:06 · Score: 1
  
  To be honest this very acronym has been annoying me in exactly the same way, the recent Microsoft LUA headlines has been somewhat disturbing. Every time I see MS mention it, they clarify the acronym with Least Priveleged User Account - surely LPUA? I suspect there's a surprising proportion of Slashdotters out there also aware of the acronym clash. (I came across LUA in a game scripting context a few months ago)
6. Re:Bad acronym by cortana · 2005-12-17 05:40 · Score: 1
  
  Marketing studies indicate that TLAs have 80% more 'sticking' power than FLAs, when PHBs perform memory tests ones week after exposure to marketing material.
Those who do not understand allagories. by Anonymous Coward · 2005-12-17 02:36 · Score: 2, Insightful

"Those who do not understand unix are condemned to reinvent it, poorly."

So when's Unix going to invent "capabilities", and why did it take the NSA to "invent" SELinux?

Oh right, Unix security is perfect. That's why we keep hearing that damn saying every time we have a Windows story.
1. Re:Those who do not understand allagories. by gbjbaanb · 2005-12-17 02:49 · Score: 1
  
  The issue is never because of the old 'unix is perfect' argument. Even Unix has evolved in its security capabilities - eg. SELinux, filesystem ACLs, but I still have to spend an hour running through my checklist to harden the webservers I put together. Including removing obsolete users that are installed by default! who uses gopher anymore, yet there's the user account ready to be attacked.
  
  In this case, the issue is about developer coding. I don't care that it is about admin/user rights and not buffer overflows - if its poor code, it can apply to unix just as much as windows. (look at all the new versions of unix software that keep coming out - one of my checklists is to get a later kernel for the security bugfixes, and I have to make sure there's not a newer one available... oh yes. 2.6.14.4 is out this week.)
2. Re:Those who do not understand allagories. by jZnat · 2005-12-17 07:45 · Score: 1
  
  Aren't kernel releases like 2.6.14-4 a Debian and other distro maintainers sort of thing to do? Or is this done by the official Torvalds&co team?
  
  --
  'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
3. Re:Those who do not understand allagories. by gbjbaanb · 2005-12-17 10:47 · Score: 1
  
  From what I know.... yes and no.
  
  I use CentOS, and the latest kernel you get from them (ie Redhat) is 2.6.9.22, so if I want a much later (and therefore untested version), I have to compile it myself from kernel.org
  
  I would love if the CentOS team did the compiling for me and release the latest stable kernel as a yum-installable module.
Managed PCs by brenddie · 2005-12-17 02:36 · Score: 2, Insightful

Is ridiculous how one app can screw your whole managed environment.
Some applications wont run if the user is not local admin and you know how much users can be trusted.

--
The best test environment is production. - Me
chrome://browser/content/browser.xul
1. Re:Managed PCs by Jaseoldboss · 2005-12-17 03:54 · Score: 1
  
  You can sometimes solve the problem with individual apps by allowing everyone full control of the c:\Program Files\BadApp This works with Sonar4.
  
  However, don't get me started on copy controlled apps. How about this error message from my sons workstation whilst trying to copy his roaming profile:
  
  Windows cannot copy file C:\Documents and Settings\user\Application Data\SecuROM\UserData\???????????p???????? to location \\Server\Home\user\Profile\Application Data\SecuROM\UserData\???????????p????????
  
  The company concerned were very friendly but the only solution they could offer was to delete the directory and not use the application. Shouldn't it then say on the box, "not compatible with PCs that are part of a domain?"
2. Re:Managed PCs by Justin_Schuh · 2005-12-17 04:22 · Score: 5, Informative
  
  Solving the problem by making the directory writable basically defeats the purpose. Write access to the content means that you can replace essential files, such as the executables themselves. Even if write permissions are not allowed to the contained files, you can still use DLL redirection to trojan the executables. So basically, they need to fix the app.
  
  As for the specific issue, based on what you've written there are three likely scenarios that cause this problem. The first is that they're not separating system and user specific config data, and it's all being stored in the application directory. That's a big no-no and it can require some significant effort to fix. The remaining possibilities are easier. They may just be creating temp files under the application directory, in which case they just need to use the system provided temp path for the current user. The last one is that they're opening files under the application directory as writeable, when they only need read access. This one happens a lot, and the fix is to just make sure the file is opened as read-only if it only needs to be read.
  
  If you are interested in finding the actual cause of the problem, you can probably diagnose it with Filemon (freeware) from Sysinternals. Who knows, you may be able to sway their developers to fix it with some specific information.
3. Re:Managed PCs by Jaseoldboss · 2005-12-17 05:09 · Score: 1
  
  Ah it's a bit simpler than that. The ? characters are unicode garbage. You can't even delete the files in explorer or from the command prompt due to the weird name.
  
  Of course, if explorer could manipulate the files that would defeat the copy protection so they have to break the filesystem to make the system secure. Now in any normal windows directory that would be fine, except roaming profiles ships application data to and from the server, hence the error.
4. Re:Managed PCs by Justin_Schuh · 2005-12-17 05:30 · Score: 1
  
  Sorry, I was only addressing the issue of opening write permission on the application directory. I should have been more specific in stating that I was not answering the question concerning the malformed file path. Though in retrospect, I wouldn't be surprised if the copy protection is the cause of the write permission requirement also.
5. Re:Managed PCs by mpe · 2005-12-17 06:39 · Score: 1
  
  However, don't get me started on copy controlled apps. How about this error message from my sons workstation whilst trying to copy his roaming profile:
  Windows cannot copy file C:\Documents and Settings\user\Application Data\SecuROM\UserData\???????????p???????? to location \\Server\Home\user\Profile\Application Data\SecuROM\UserData\???????????p????????
  The company concerned were very friendly but the only solution they could offer was to delete the directory and not use the application.
  
  What happens if you use "Folder Redirection" on the "Application Data" folder (remembering to add "Application Data" to the profile copy excludes)?
6. Re:Managed PCs by Jaseoldboss · 2005-12-18 20:38 · Score: 1
  
  Dunno, haven't tried that, I'll give it a go. cheers, J
Is this the default in Vista? by EvilMonkeySlayer · 2005-12-17 02:38 · Score: 3, Interesting

Or at least a less priveleged account? With a password popup box whenever you want to install drivers etc akin to Mac OS X or somesuch?
Or are they going the same route as before with the default user being an admin?
I'd hope they did, it'd probably help reduce people installing rootkits with certain audio cd's although I doubt it'd eliminate it, there'd still be people who blindly type in their password (if they'd bothered to enter one in the first place).

Also, on a sidenote.. MS aren't exactly standing on the moral superiority high ground here (I skimmed the article), how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows and so far the only program which is supposed to use LUA is IE7 which isn't even released yet?
1. Re:Is this the default in Vista? by DogDude · 2005-12-17 02:56 · Score: 1
  
  how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows
  
  Developers should be able to click "users", "groups", and figure it out themselves. The "default" that you describe has nothing at all to do with how developers develop code. And after development, testers are supposed to also try these things out. This has nothing to do with Windows, and everything to do with bad developers (same thing with .dll hell... bad install tool).
  
  --
  I don't respond to AC's.
2. Re:Is this the default in Vista? by GIL_Dude · 2005-12-17 03:20 · Score: 1
  
  No, that's not right. For instance Office 2003 runs fine as a LUA user. There are many apps that do, it just isn't enough yet. There are some cool technologies in Vista to allow more apps to work as LUA though. File and Registry virtualization will allow writes to protected locations to succeed - but virtualize it to a place under the user profile and then preferentially read from there. Obviously this comes with its own set of problems but overall will help to make apps that still are badly behaved able to run as LUA. So far, the default user account in Vista is a "Protected Admin" which would be a user with a LUA token who can get a popup box asking them to "elevate" when performing an admin task. If they choose to elevate, the process requiring the extra rights will use a token with admin rights. I'm still hoping that they go to full LUA (person who can only elevate with another account and password), because people may start clicking "Yes, elevate" all the time. The situation looks to be much, much better than it was with older versions of Windows though.
3. Re:Is this the default in Vista? by Inaffect · 2005-12-17 03:23 · Score: 2, Insightful
  
  Perhaps I'm ignorant, but I have never understood the situation you describe either. In XP, a limited user account does not seem to offer any protection - files can be installed, executed, and removed at will. It seems that some software installation and deletion methods are blocked for limited users, but most aren't. This leads system admins (in corps and uni's), with large numbers of computers on their hands, to use third party software to get the security job done effectively.
  Also, what is the point of the pre-generated Administrator account for which you can place a password, or not, during OS installation? ...By default the user account you create already has admin privileges.
  It leads me to believe that the system was either (1) not well thought out, or (2) not finished. I don't fault them for trying to improve the situation, though.
4. Re:Is this the default in Vista? by Keebler71 · 2005-12-17 03:46 · Score: 1
  
  I think you are wrong... I run XP home on my home pc and only use it from a limited account. I can not complete and install without running the setup program as admin and there are many directories I can not acccess with switching accounts. Most setup programs fail if you try to install them from a limited account - others automaticly pop up a dialog box asking for the admin password to continue.
  It sounds to me that you are running a limited account that may have once been an admin account or that you have given yourself rwx access to various directories.
  
  --
  "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
5. Re:Is this the default in Vista? by Justin_Schuh · 2005-12-17 03:55 · Score: 3, Interesting
  
  I used to manage the base software image for a very large network. That often entailed profiling apps to identify excessive permission requirements and finding ways to fix these issues. I can honestly say that pretty much all enterprise level software I saw worked fine in an LUA environment by 2000. For example, a lot of massaging was necessary for MS Office 96 (changing reg keys to alter file paths, opening write permission on application directories, etc.). Office 2K however, worked out of the box and separated user and system specific data properly. In general, I've found that you're fine with any application released in the last 5 years that is Windows logo compliant for enterprises.
  
  The real issue here is that developers are pushing this practice out to all applications, and MS will be enforcing it in Vista.
6. Re:Is this the default in Vista? by Inaffect · 2005-12-17 03:56 · Score: 1
  
  No way did I give rwx access to anything. If the software did, thats a major problem. What about software with third-party install methods, self-extracting installers, or no installation method at all (simple extraction) - I have been able to install similar programs under LU accounts in XP without a road block.
  It is definately not a safe standard of protection.
7. Re:Is this the default in Vista? by deaddrunk · 2005-12-17 04:04 · Score: 1
  
  Elevate? You mean like the new Daleks?
  
  --
  Does a Christian soccer team even need a goalkeeper?
8. Re:Is this the default in Vista? by I'm+Don+Giovanni · 2005-12-17 04:34 · Score: 1
  
  "Protected Admin" sounds like the Mac OS X example where the default account is admin, but you need to enter your password to do admin stuff like change particular system settings (but you can still access the entire file system and wreak havoc without any such password prompt).
  
  --
  -- "I never gave these stories much credence." - HAL 9000
9. Re:Is this the default in Vista? by I'm+Don+Giovanni · 2005-12-17 04:45 · Score: 1
  
  Under XP a limited account does not have write access to any of the system directories (i.e. c:\windows) nor the "programs" directory (i.e. c:\Program Files (or whatever it's called (I'm typing this from a Mac and don't feel like booting my windows machine to find out ;-))), nor does it have read or write access to any other user's directories.
  
  Limited accounts also don't allow access to many system settings (too many, IMO, such as the Power Management), and don't allow access to registry settings beyond those of the current user (those under HKEY_CURRENT_USER).
  
  Because a limited account cannot write to the programs directory, such an account cannot install programs on a "system-wide" basis (i.e., install them into the Programs directory for all users to use). A limited user can install programs into his own user directory, if the program's installer allows such or if the program doesn't require an installation program (so the user could just place the program in his user directory hierarchy).
  
  --
  -- "I never gave these stories much credence." - HAL 9000
10. Re:Is this the default in Vista? by tsaler · 2005-12-17 04:48 · Score: 1
  
  With a password popup box whenever you want to install drivers etc akin to Mac OS X or somesuch?
  
  I think this would be ideal. It's one of the things that I most appreciated when I migrated from Windows XP to Mac OS X this past summer.
11. Re:Is this the default in Vista? by Tony+Hoyle · 2005-12-17 04:52 · Score: 1
  
  That could solve a bunch of things too.
  
  Windows currently has the problem that it still mostly thinks of itself as a single user system - if you install an app, it'll put some stuff in HKLM, some other stuff in HKCU... and then a large number of apps won't work if you then log into another user. This destroys the concept of the admin inistalling apps for the unprivileged users to use.
  
  It's not just apps writing to privileged locations, it's apps relying on the existence of configuration in HKCU - they should read it from HKLM or automatically create defaults.. precious few apps do this.
12. Re:Is this the default in Vista? by Gnavpot · 2005-12-17 05:07 · Score: 1
  
  In XP, a limited user account does not seem to offer any protection - files can be installed, executed, and removed at will.
  
  Let me guess: You are running XP with FAT32 partitions?
  
  FAT32 does not support any kind of access restrictions (except a few attributes, but any user can change those too).
  
  So if you want security in XP, you have to use NTFS. Then you will get security like:
  - restricted users cannot write to C:\Program Files
  - restricted users cannot write to C:\Windows
  - restricted users cannot read or write other users' personal folders
13. Re:Is this the default in Vista? by Green+Salad · 2005-12-17 06:20 · Score: 1
  
  a lot of massaging was necessary for MS Office 96
  
  I've had my issues with Microsoft products but I must admit, I've never had even a single problem with Office '96...especially running on Windows '99. ;^)
14. Re:Is this the default in Vista? by mpe · 2005-12-17 06:26 · Score: 1
  
  Windows currently has the problem that it still mostly thinks of itself as a single user system
  
  This is more a problem with people writing Windows applications...
  
  if you install an app, it'll put some stuff in HKLM, some other stuff in HKCU... and then a large number of apps won't work if you then log into another user. This destroys the concept of the admin inistalling apps for the unprivileged users to use.
  It's not just apps writing to privileged locations, it's apps relying on the existence of configuration in HKCU - they should read it from HKLM or automatically create defaults.. precious few apps do this.
  
  The other way developers tend to mess things up is assuming they can always write to HKLM, rather than realising that this should be considered as much a privileged location as parts of the file system.
15. Re:Is this the default in Vista? by mikek3332002 · 2005-12-17 11:47 · Score: 1
  
  On my xp home pc the default permissions seemed to be everyone has full control.
  Though why have an admin acount with no password by default
16. Re:Is this the default in Vista? by drsmithy · 2005-12-18 16:05 · Score: 1
  
  MS aren't exactly standing on the moral superiority high ground here (I skimmed the article), how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows and so far the only program which is supposed to use LUA is IE7 which isn't even released yet?
  Microsoft have been giving developers the necessary information and tools to write "LUA-friendly" applications for about ten years now. Why is it their fault if application developers ignore it ? Is it Linus's fault if idiot Linux developers write apps that can only run as root ?
17. Re:Is this the default in Vista? by guy-in-corner · 2005-12-19 03:41 · Score: 1
  
  If your user account was previously in the Administrators group, then Windows will, by default, have made you the owner of any files/directories/registry keys that you created with that account.
  
  This behaviour is controlled by the "System objects: Default owner for objects created by members of the Administrators group" setting, which you'll find in secpol.msc, under Security Settings -> Local Policies -> Security Options.
  
  On Windows XP, this defaults to "Object creator". On Windows 2003, it defaults to "Administrators group".
  
  See Aaron Margosis' blog for more information about this setting.
  
  I've been running as LUA at work for a month or so now, and I just reinstalled my home machine, setting my account up as LUA. Fast User Switching makes it easy to flip over to the admin account to install things.
  
  Most things work fine w/o admin privileges. Of the applications I can't live without, Steam is the only one that won't work under LUA. I had to fix it by granting myself full control over C:\Program Files\Steam.
Good start by MandoSKippy · 2005-12-17 02:40 · Score: 4, Interesting

It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator. (or have that power) It's something brought up all the time about the inadequecies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly" That may be the case, but they are going down that road. Not every admin can run *nix, it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix like will actually help the adoption of open source *nix variants. I think the blast Microsoft for everything they do may backfire on /. crowd at somepoint...
1. Re:Good start by deaddrunk · 2005-12-17 02:52 · Score: 1, Insightful
  
  Because as the world's biggest software company they should have done something like this a very long time ago instead of bullying everyone else in the PC industry, breaking the law and pointlessly fighting a court case instead of settling and behaving at least a bit co-operatively with the people that are stuck with their shoddy software.
  
  --
  Does a Christian soccer team even need a goalkeeper?
2. Re:Good start by drivekiller · 2005-12-17 03:05 · Score: 1
  
  If you understood the article (oh, this is slashdot, maybe you didn't read it), you'd note that it isn't about Microsoft pushing LUA for XP. It's about some consultants who have an app that can find LUA bugs, and who want to create a central repository to document them. I enjoyed the second comment over at the article; an entertaining rant about how Microsoft shouldn't be signing code that requires the administrator account to run.
  
  I've always tried to do the LUA thing with my clients. For the most part I've succeeded, although it always pisses off laptop owners that I want them to spend money to have me install drivers for their home printers. The thing that gets me is the programs that need to write to a directory in Program Files (Palm, Meetingmaker, some third party database applications). Storing user data with the executable is so Windows 98, but the developers don't seem to even recognize this is a problem. Despite the article's claim that LUA will prevent rootkits and trojan horses, I've found that an unprivileged user who is determined to go to porn sites will still get all kinda weird crap -- This effort isn't going to put the antivirus companies out of business.
3. Re:Good start by deaddrunk · 2005-12-17 03:15 · Score: 1
  
  It was an attempt more to point out that Microsoft are really unpopular for a lot of good reasons, and people do say that to smokers who quit.
  
  --
  Does a Christian soccer team even need a goalkeeper?
4. Re:Good start by Alioth · 2005-12-17 03:23 · Score: 1
  
  Slashdot is comprised of more than one person. The people complaining about "reimplementing Unix, poorly" are not necessarily the same people who complain that Windows is insecure.
  
  --
  Oolite: Elite-like game. For Mac, Linux and Windows
5. Re:Good start by kfuq · 2005-12-17 05:06 · Score: 1
  
  UNIX is very user friendly... It is just very picky about who it is friends with.. :-D
  
  --
  iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
6. Re:Good start by mpe · 2005-12-17 06:31 · Score: 1
  
  Storing user data with the executable is so Windows 98, but the developers don't seem to even recognize this is a problem.
  
  %USERPROFILE%/Application Data and %USERPROFILE%/My Documents was supported in Windows 98. The last version of Windows which had any reason to store user data with the executable was 3.11
7. Re:Good start by drivekiller · 2005-12-17 06:56 · Score: 1
  
  Point taken.
Old Applications by dduardo · 2005-12-17 02:42 · Score: 2, Interesting

So, how is this going to be compability with older programs that require admin priveleges?
1. Re:Old Applications by lheal · 2005-12-17 03:21 · Score: 1
  
  So, how is this going to be compability with older programs that require admin priveleges?
  
  (I assume you mean "how is this going to be compatible with".)
  
  The point is that older programs should be updated, not that anyone should be try to compatible with them. LUA is a Good Thing.
  
  --
  Raise your children as if you were teaching them to raise your grandchildren, because you are.
2. Re:Old Applications by GIL_Dude · 2005-12-17 03:26 · Score: 3, Interesting
  
  It isn't TOO bad because of the built in file and registry virtualization in Vista. If a program running with a LUA token tries to write to say the "C:\Program Files\PoorlyWrittenApp" folder, that write will result in a copy of the file (if it already existed) being made and placed in a location under the user's profile. Then the write to that file will succeed in the new location in the user profile. The OS will preferentially read that new file whenever the file in program files is being "read" by the app.
  
  The same thing works for registry entries.
  There are certain files (like .exe, etc.) that are never virtualized to make sure people don't get DoS attacked by "replacing" their exe files. There are API's for application developers to specify that they don't want certain files, folders, or registry keys to virtualize. All in all, it makes the app compat story pretty robust.
3. Re:Old Applications by canuck57 · 2005-12-17 03:44 · Score: 1
  
  So, how is this going to be compability with older programs that require admin priveleges?
  Good question but the answer is to create a privelege set with all priveleges and assign it to such applications.
  Now once a admin and then users figure out how to do this, they will simply use the admin-all privelege set for everything.
  Back to square one as the problem is not being addressed.
4. Re:Old Applications by ptr2004 · 2005-12-17 03:51 · Score: 1
  
  The implementation of LUA on Vista has these features to aid LUA apps that I am aware of
  1) If LUA is not enough it prompts you to enter your password for more privileges
  2) When programs running in LUA try to create files at system level. They are allowed to do so but these are virtual folders that appear to as system file/folder for the program but reality aren't so
  3) Even registry particularly the LOCAL MACINE part has a similar feature.
5. Re:Old Applications by Tim+Browse · 2005-12-17 04:15 · Score: 1
  
  Vista also uses the existing app shim technology, which means MS will include shims for existing apps that have problems with LUA. For example, a common problem (apparently) is Application X opening a registry key for read/write, when it only actually reads from it.
  Without a shim, the open call will fail if the key is not writeable with the LUA privileges. However the shim will say "Oh you only want to read from this, so we'll just open it as read-only for you instead." Thus the call succeeds and the app continues on its way.
LUA ignored by developers too by ncw · 2005-12-17 02:44 · Score: 4, Insightful

From the article :-
The LUA principle, which promotes the use of accounts with fewer access rights than Administrator accounts, has been largely ignored by end users, but if Aaron Margosis and Shelly Bird have their way, code writers will have a central place to get tools and training to create least-privilege applications.
Coming from a unix background, when I set up a computer for my children with Windows XP, I decided to make sure that the children each had their own user account, and that none of those user accounts had administrator priviledges.
The first bit of that plan went down very well - they love having their own user accounts. However almost none of their games/software run as anything except Administrator, even games which say on the box "designed for windows XP".
I end up having to make a custom runas command for each one with /savecred - the windows equivalent to chmod u+s. This is a PITA to setup, insecure and doesn't work for all their software. There is some we've just had to abandon since it just won't work like that.
So please, software developers, check your software works without admin priviledges!

--
Every man for himself, all in favour say "I"
1. Re:LUA ignored by developers too by giorgosts · 2005-12-17 11:33 · Score: 1
  
  what about if we elevate priviledges on the named user, install everything we need, and then downgrading the user again? Do we compromise our system in any way?
2. Re:LUA ignored by developers too by eealex · 2005-12-17 12:35 · Score: 1
  
  So please, software developers, check your software works without admin priviledges!
  
  Many developers do checking, but instead seems they just check if the program is runned wtih Admin right at the beginning to avoid any unexpected behaviour in their own program?
3. Re:LUA ignored by developers too by HSpirit · 2005-12-17 12:53 · Score: 1
  My boss brought in his new computer about a year ago for me to set it up securely, as our company is the only one he knows that has not had any kind of downtime due to malicious code/spyware/etc in the last six years (since I've been there).
  
  The reason? Despite all the difficulties associated with it, all user accounts are Standard (Restricted) Users in Windows XP, and Power Users in Windows 2000 (I've found its impossible to iron-out all the kinks when attempting to run as a Restricted User in Windows 2000).
  
  So I give him and his wife Administrator profiles on their brand new Windows XP machine, and his two kids are Restricted Users, and I installed anitvirus for good measure. The result?
  
  For every game he attempts to install the computer needs to be brought in to work for me, as the kids can't run it without implementing some of the usual hacks as specified by the parent post.
  
  He's recently admitted to me that the kids now use the Administrator profiles as they just work, unlike their own Restricted User accounts.
  
  And as a result...
  
  He recently had to bring in his machine which had slowed to a crawl as (surprise, surprise) it had been overriden by spyware.
  
  My conclusion? Windows XP can be used securely, and can be used as a home (as opposed to business) operating system... but it cannot be used as both.
MS is already working on this, apparently by Inaffect · 2005-12-17 02:55 · Score: 1

"The [LUA Buglight] tool is primarily meant for IT professionals who need to fix bugs in corporate or third-party applications, the Microsoft representative said. However, it can also be used by developers to hunt for LUA bugs in their own applications, the representative said." It is currently not available, as of right now, and the release date is unknown.

From
http://www.winvistaforums.com/viewtopic.php?t=35
http://news.zdnet.com/2100-1009_22-5998726.html
1. Re:MS is already working on this, apparently by hahiss · 2005-12-17 04:42 · Score: 1
  
  `` It is currently not available, as of right now, and the release date is unknown."
  
  So it IS going to be a part of Vista. . . .
  
  --
  "Every decent man is ashamed of the government he lives under." - H.L. Mencken
LUA not a panacea by Stan+Vassilev · 2005-12-17 03:15 · Score: 2, Insightful

Lots of things a software should be able to do can't happen in LUA mode. So we have few solutions, like popping up admin password boxes (which can be exploited on its own with fake pop-up boxes prompting us to enter our admin login/pass), or having broker processes with higher privileges do the job. But it's important to understand that low-privilege IE and LUA for users is not removing the attack surface, just recucing it significantly and presenting few new ways to exploit the situation... Also it'll be significantly more annoying to deal with it when performing regular operations, like install/update software.
The two chief problems by Alioth · 2005-12-17 03:20 · Score: 4, Insightful

The two chief problems with LUA in Windows are:

- The Windows programming culture assumes a single user, single tasking computer.
- Users on Windows are administrator by default

The first is the developers fault, the second is Microsoft's. At least Microsoft are trying to fix their end. But even 4 years after Windows XP was released, software is being released by developers who should know better that still require either admin rights or much tinkering to get to run as non-admin. The most recent one I encountered was an application for BACS payments a couple of weeks ago - their tech support's answer was "run as admin". I managed to get it to work for non admins (since this was on a Windows domain) only by caclsing (aka chmodding) the application's directory writeable by all!

It's obvious that the developer had simply not tested the program as non admin.

--
Oolite: Elite-like game. For Mac, Linux and Windows
1. Re:The two chief problems by pe1chl · 2005-12-17 03:34 · Score: 2, Interesting
  
  We have been running Windows 2000 workstations with ordinary "user" privileges and toughened filesystem security settings at work for several years now.
  What you describe is becoming less and less common, but it happens. Interestingly enough, one of the worst applications at work is an electronic banking program.
  Apparently banks don't care about security. We got the same response from their helpdesk.
  
  But otherwise, it really is possible to do it. Requires some extra effort, but so does security on Unix/Linux systems.
  We even run an extra service called "TrustNoExe" that allows you to restrict the location of executable programs to e.g. C:\Program Files and C:\Windows, where users cannot write. This even more prevents downloading and "accidentally" running unapproved programs.
2. Re:The two chief problems by fermion · 2005-12-17 05:03 · Score: 1
  
  One advantage of the MS development environment is that it allows the developers to concentrate on coding the process, and therefore allows more effecient development. Under this premise, it is the responsibility of MS to provide the scafolding so that the developer does not have to waste resources reinventing the wheel.
  On the second issue, XP Home should really set up lower access accounts by defaul, and require a password. It is not like users have a choice of OS, so MS does have the power to enforce this security. It will cost MS more in terms of user support, which is really to say they will have to increase funding to the PC builders and retailers, but that would be a short term expense.
  
  --
  "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
3. Re:The two chief problems by mpe · 2005-12-17 05:42 · Score: 1
  
  - The Windows programming culture assumes a single user, single tasking computer.
  
  Without any effective security. It's not unknown for applications to refuse to open files stored on CDs, unless they are first copied to somewhere else.
  
  - Users on Windows are administrator by default
  
  Only on a standalone Windows machine.
  
  The first is the developers fault, the second is Microsoft's. At least Microsoft are trying to fix their end. But even 4 years after Windows XP was released, software is being released by developers who should know better that still require either admin rights or much tinkering to get to run as non-admin.
  
  The problem is older than 4 years. The same problem was obvious with Windows NT, it could even occur with windows 3.0, when used with a network system supporting a security model.
  
  The most recent one I encountered was an application for BACS payments a couple of weeks ago - their tech support's answer was "run as admin".This is actually a third problem, "support" failing to understand that the software in question is broken.
  
  I managed to get it to work for non admins (since this was on a Windows domain) only by caclsing (aka chmodding) the application's directory writeable by all!
  It's obvious that the developer had simply not tested the program as non admin.
  
  Maybe they hadn't heard of the User Shell Folders registry keys, which have been in Windows for over a decade, either!
4. Re:The two chief problems by pe1chl · 2005-12-17 22:46 · Score: 1
  
  Maybe they hadn't heard of the User Shell Folders registry keys, which have been in Windows for over a decade, either!
  
  There are some pretty dumb developers out there... the developer of the telebanking app of our bank insists on placing temporary files in %windir% instead of %temp%. Maybe he once had the experience that %windir% always exists and so is the best place to write temporary files...
  (similarly, some apps write tempfiles in the root directory, or in %windir%\Temp)
Windows 2K Power Users? by Anonymous Coward · 2005-12-17 03:25 · Score: 2, Interesting

What happened to the Windows 2000 Power Users type in XP? Had they kept that and used it as the default in XP, we'd be in a lot better shape today.

Logo Cert. should require games and most apps to work with Power Users or equ.
1. Re:Windows 2K Power Users? by Tim+Browse · 2005-12-17 04:19 · Score: 1
  
  What happened to the Windows 2000 Power Users type in XP? Had they kept that
  
  Nothing happened. The 'Power Users' group is still there, in XP Pro at least (can't speak for XP Home).
Not easy to create limited accounts on Windows XP by Mandrel · 2005-12-17 03:31 · Score: 4, Interesting

Just the other day I tried to guide someone through setting up a new account and e-mail settings on XP SP2 over the phone. I decided to play it safe and told them to create a limited account. But when you log into the new account and try to run Outlook Express you get this error message, which I couldn't get them past to configure e-mail. I later worked out that you must first run Internet Explorer at least once on the new account before the e-mail setup wizard will come up when Outlook Express is run.
are you sure those games need admin? by ei4anb · 2005-12-17 03:41 · Score: 1

did you run tools like Filemon from Sysinternals http://sysinternals.com/ to see what was failing when running as a pleb? Too often the answer is to run everything as admin when all that is required is write access to some folder under "C:\PROGRA~1"
1. Re:are you sure those games need admin? by MobyDisk · 2005-12-17 04:37 · Score: 1
  
  I do that but it doesn't always work:
  
  1) Lots of things want access to various areas in HKLM or HKCR. They might only read the areas, but the program asks for read/write/delete/create access since it was coded poorly. You can grant the software such rights, but that is a serious change. I want a new access level called "lie" which tells the program that it has write access, but then only fails when it actually tries to write.
  
  2) Some of them just don't work anyway. I've used regmon+filemon on some games, given them everything, but they still refuse to run. Usually those are the ones that fail in a random way (like Tron 2.0 -- the "launch game" button is disabled unless you are in the Administrator group. It doesn't actually ever need Administrator access though.)
2. Re:are you sure those games need admin? by mpe · 2005-12-17 05:31 · Score: 1
  
  1) Lots of things want access to various areas in HKLM or HKCR. They might only read the areas, but the program asks for read/write/delete/create access since it was coded poorly. You can grant the software such rights, but that is a serious change. I want a new access level called "lie" which tells the program that it has write access, but then only fails when it actually tries to write.
  
  Sounds like "Copy On Write", a concept which has been around for quite some time.
Blame the user by lheal · 2005-12-17 03:49 · Score: 3, Insightful

I know running as admin is bad in principle, but from TFA:
Despite the fact that LUA is accepted within software security circles as a key to reducing damage from malicious hacker attacks, Margosis said a large percentage of customers still run Windows with full admin rights, making them sitting ducks for malware attacks that rely on "maximum privileges."

First all this malware spreading around was because we didn't have firewalls. Now it's because we're all running with admin rights. Never mind that it's the OS default, it's obviously our fault that all these bugs keep surfacing.

Of course, the next whipping boy is that faceless developer out there who wakes up one morning and decides to violate basic programming principles like Least Privelege. But it's not the developer's fault.

The problem for the developer is that Windows makes it difficult to do anything but run as admin. The environment assumes single-user, multiple apps, but not multiple users. It was designed with one user in mind, and the multi-user stuff layered on later.

But the real problem with complaining that we're violating Least Privilege is that it's a Redmond Herring (TM). It's ignoring the big problem, which is that since Windows source code is closed, no one without a vested interest in keeping bugs hidden can look at it.

You want a security principle violation? Hiding your code is the biggest one there is.

--
Raise your children as if you were teaching them to raise your grandchildren, because you are.
But what about Root kits? by 0xdeaddead · 2005-12-17 04:23 · Score: 1, Funny

I mean, how can Sony or UBI load their root kits on your box, and trash the system?
Once more again Microsoft is being insensitive to real world needs.
For everybody attempting to defend MS... by Anonymous Coward · 2005-12-17 04:30 · Score: 1, Interesting

Quote from their website:

"Most Microsoft employees are highly technology literate and routinely explore the limits of the tools available to them in order to improve product quality. For example more than 95 percent of Microsoft employees have local administrator rights to their desktops."

http://www.microsoft.com/technet/itsolutions/msit/ security/mssecbp.mspx

And Microsoft's martketing people are bragging about this as SECURITY FEATURES. ::shudders::
1. Re:For everybody attempting to defend MS... by I'm+Don+Giovanni · 2005-12-17 05:15 · Score: 1
  
  Soooooo what?
  
  They have admin rights to their local computers and can turn those rights off if they want to. Microsoft isn't like some typical corp where a self-important IT admin with delusions of grandeur dictates policy for every user.
  
  I'm sure Apple employees had admin rights to their machines too, given that admin is the default account level in OS X.
  
  --
  -- "I never gave these stories much credence." - HAL 9000
2. Re:For everybody attempting to defend MS... by drsmithy · 2005-12-18 16:01 · Score: 1
  
  For example more than 95 percent of Microsoft employees have local administrator rights to their desktops.
  There is a vast gulf of difference between "having local administrator rights" and "running as administrator all the time".
QuickBooks by DavidD_CA · 2005-12-17 04:59 · Score: 1

From what I remember of QuickBooks (at least, a recent version) it must be run as administrator. This was a huge issue with some computers we were setting up at a small office... trying to maintain some level of security and this just blew that out of the water.

What is so special about QuickBooks that it needs to be an administrator? Were the Intuit programmers just lazy or do you really need root to balance a checkbook?

--
-David
1. Re:QuickBooks by DynamicBits · 2005-12-17 06:26 · Score: 2, Informative
  
  They were lazy. It can be run under a Limited account in XP. Here's how I did it:
  
  Fire up the freeware app Regmon, and set the filters to ignore the standard things running in the background (windows services, anti-virus software, and firewall software - A good starting point is as follows: csrss.exe;explorer.exe;LSASS.EXE;Regmon.exe;WINLOG ON.EXE). Just look at the list of processes that are filling up the main window for the names to put in the filter. While you're still in that filter dialog, uncheck "Log successes."
  
  Now, fire up the offending application and wait for it to give you an error. Go back to Regmon and look through the last few entries for one that has "FAILED" in the Result column. Open up regedit, find the key that returned the "FAILED" message and assign full permissions for the limited user account, or the Users group.
  
  Sometimes, a program will need more permision for a directory or single file. For that, use Filemon. The process is very similiar to Regmon.
  
  If that all sounds too tedious for you, you might want to try just changing permissions on the application's install folder (For example: C:\Program Files\Intuit) and HKLM key (For example: HKLM\Software\Intuit). (Although I can say for a fact that QuickBooks requires full permission on one or two keys outside of HKLM\Software\Intuit.)
  
  This process works for every program I have tried running under a limited account.
2. Re:QuickBooks by kfuq · 2005-12-17 06:44 · Score: 1
  
  were you getting a runtime error when you first tried to run QB as a LU? That's what im getting with the pro/warehouse/enterprise edition
  
  --
  iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
3. Re:QuickBooks by CPUGuy · 2005-12-17 09:21 · Score: 1
  
  2003 just tells me I need admin rights.
  
  Being foreced to get 2006 (for the payroll service) as they are retiring 2003. Hopefully they will have fixed the issue.
Even "aware" users have to use admin accounts by bender647 · 2005-12-17 05:00 · Score: 2, Interesting

I use XP largely to play games, and find that even on games that can be played in underprivileged mode, bugs pop up more frequently. Just a couple nights ago I had a problem with a Microsoft title (AOE3) and finally was able to net connect when switching to an admin account. The developers simply don't test in this mode enough.

Here's a response from Atari when I complained about having to play UT2004 in my admin account. You can't win when this is they don't even consider this a bug:
From: Tech4 Subject: RE: Unreal Tournament 2004 - Windows XP : USA : This game, like most of its type, requires Full admin access to play, and can often conflict with third party software such as firewalls or virus scanners. We recommend disabling those items when the game is in use, and turning them back on afterwards. MarkL Atari Support www.atarisupport.com
Build a Windows Sudo by gelfling · 2005-12-17 06:49 · Score: 1

If the issue is that nearly everything needs admin, and it does, and, admin itself is pocked with problems then the answer is to build a better admin with better protections so that you can have the rights without the wide open problems associated with it.

Look at a built in Windows equivalent of Sudo with as many of the good rights you need and as few of the bad ones you don't need.
Report noncompliant apps to Microsoft by Animats · 2005-12-17 07:30 · Score: 3, Informative

The Microsoft "Designed for Windows XP" logo program requires that Applications that are designed to work with the Windows XP infrastructure for state separation of data will work correctly under Limited User accounts. So if the application breaks under a limited user, report this to Microsoft logo control. Tell the vendor you did this. This scares some vendors; there's a risk of having their Windows logo pulled.
MSDN promotes non-LUA features by dmh20002 · 2005-12-17 09:52 · Score: 2, Insightful

Microsoft trumpets this issue like its a new thing, not a 30 year old principle.
the whole thing is MS's fault. not the users. The app developers have secondary responsibility but MS caused the problem in the first place. Their developer resources promote doing all kinds of bogus things in their apps. For years MSDN has gone out of its way to promote all the OS level hooks that are available to developers, many of which only work as admin.

here's an example from a couple of months ago:How to capture the print screen key and totally change how your user's GUI works. Just what I want, the ability for some random application to subvert basic elements of the system interface.
1. Re:MSDN promotes non-LUA features by drsmithy · 2005-12-18 16:10 · Score: 1
  
  the whole thing is MS's fault. not the users. The app developers have secondary responsibility but MS caused the problem in the first place.
  No, it's solely the application developers' fault. Microsoft have been recommending, and providing the necessary resources, to write LUA-friendly applications for a decade or so. It's part of the "Made for Windows XP" sticker requirements.
  Their developer resources promote doing all kinds of bogus things in their apps. For years MSDN has gone out of its way to promote all the OS level hooks that are available to developers, many of which only work as admin.
  And, of course, if they didn't, you'd be screaming about "undocumented APIs" or "Microsoft won't let us control our own computers".
  It's no more Microsoft's fault that developer's write applications requiring admin access than it would be Linus's fault if I wrote an application that only ran as root.
Circumventing Group Policy as a Limited User by NZheretic · 2005-12-17 09:53 · Score: 2, Informative

The problem is that Microsoft's LUA restriction has been broken on all of their platforms.
... Windows administrators should be aware that if a user, even one running with a limited account, can execute just one program of their choice that they also can circumvent many group policy settings, including ones aimed specifically at tightening security such as Software Restriction Policies and Internet Explorer Zones. ...
... It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team.
Options to fake windows? by eealex · 2005-12-17 12:45 · Score: 1

Actually many program actually do not require admin right but check this by default before they run... It would be nice if there is an option, instead of "run as", we can have a "pretend as"?

Oh. a little bit OT but I run my wine inside Linux and programs are all seen to be running as admin... surely I am logged in as a normal account.
I blame lazy sysadmins by kylef · 2005-12-17 14:32 · Score: 1

I tried to run my users with no privs on the last job, and always got bitten by programs such as WordPerfect, which insisted they had to run with PowerUser privs. Meanwhile, complex, computationaly demanding, graphics-heavy programs such as Spartan (visual environment for quantum chemistry), quietly installed in their own folder, didn't write to the registry, and could be moved without breaking because they didn't install anything to the system directories.

The problem is two-fold: lazy app writers, and lazy administrators.

Fixing these problems is usually not difficult. Most of these programs just need write access to a particular folder, or registry key, and they work fine. You can use FileMon and RegMon to figure out which resources these broken apps require, and then assign specific privileges to users accordingly. NT has AMAZING object-level security granularity built-in (more sophisticated than traditional Unix), but most administrators only understand 2 modes: privileged and unprivileged. They just add people to the Administrators group. It's easier, and administrators are lazy.

And even to this day, app vendors don't test their software properly under LUA. This is laziness as well.

Everyone jumps on Microsoft for these problems. But yet, everyone jumps on Microsoft if it doesn't maintain backwards compatibility. It's a Catch-22 for them.

My advice to you is, boycott ALL software that can't work under LUA. Demand that it be fixed immediately. If you MUST install it, then don't be lazy by giving out Administrator privileges. Figure out why the app is failing, and assign privileges as needed!
Servers should *not* require root. by Estanislao+Mart�nez · 2005-12-17 15:53 · Score: 1

Many people have written such apps, they are called servers. Anything that binds on a privileged port requires root access.
And that latter sentence is not something to be bragging about when the topic is security, because it means that in order for an app to have access to one small, well-defined resource (a particular port), it needs to be given uncontrolled access to all of the computer. That is, the granularity of permissions is not fine enough.

--
Are you adequate?
1. Re:Servers should *not* require root. by mvdwege · 2005-12-18 04:46 · Score: 1
  
  Yet when I do a ps aux on my GNU/Linux machine, I see all my servers running under their own user accounts. When I open the Task Manager on my work XP workstation, I see all services running under the SYSTEM account.
  
  Regardless of theory, a fine-grained permission system isn't worth squat if it is not used. Conversely, in the *nix side of the computing universe, we have gotten smart (through painful experience) and wrote our server software to immediately drop permissions after binding to a port.
  
  The problem is social, not technological. Microsoft (and third-party coders who pick up their bad habits) refuses to learn, either because that would mean going against their NIH attitude, or because it would mean admitting past mistakes.
  Mart
  
  --
  "I know I will be modded down for this": where's the option '-1, Asking for it'?
Re:It may not be a bug by bender647 · 2005-12-18 03:54 · Score: 1

UT checks to see if the firewall is open, but the act of checking the firewall is something is doesn't have privileges to do. Perhaps you don't have the Windows XP firewall (I don't know if Win 2k has the firewall or not). Or perhaps its been fixed-- I stopped playing shortly after getting that response.