Slashdot Mirror
Microsoft Pitches LUA Security Repository
corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."
Those who do not understand unix are condemned to reinvent it, poorly.
I dont' think I've ever seen a more apt example of this aphorism.
Made me instantly think of the Lua programming language.
The filesystem is the package manager
"Those who do not understand unix are condemned to reinvent it, poorly."
So when's Unix going to invent "capabilities", and why did it take the NSA to "invent" SELinux?
Oh right, Unix security is perfect. That's why we keep hearing that damn saying every time we have a Windows story.
Is ridiculous how one app can screw your whole managed environment.
Some applications wont run if the user is not local admin and you know how much users can be trusted.
The best test environment is production. - Me
chrome://browser/content/browser.xul
Or at least a less priveleged account? With a password popup box whenever you want to install drivers etc akin to Mac OS X or somesuch?
Or are they going the same route as before with the default user being an admin?
I'd hope they did, it'd probably help reduce people installing rootkits with certain audio cd's although I doubt it'd eliminate it, there'd still be people who blindly type in their password (if they'd bothered to enter one in the first place).
Also, on a sidenote.. MS aren't exactly standing on the moral superiority high ground here (I skimmed the article), how can they expect programmers to implement this with their programs when by default everyone is a local admin in windows and so far the only program which is supposed to use LUA is IE7 which isn't even released yet?
It's odd, on /. everyone complains that on Windows, many programs don't work unless you are administrator. (or have that power) It's something brought up all the time about the inadequecies of Windows. Now, Microsoft is doing something to attempt to change that, and in the first 3 posts, we get something about how they are just "reinventing Unix, poorly" That may be the case, but they are going down that road. Not every admin can run *nix, it is complex, it is hard to learn. Perhaps MS doing things to make their OS more nix like will actually help the adoption of open source *nix variants. I think the blast Microsoft for everything they do may backfire on /. crowd at somepoint...
So, how is this going to be compability with older programs that require admin priveleges?
The first bit of that plan went down very well - they love having their own user accounts. However almost none of their games/software run as anything except Administrator, even games which say on the box "designed for windows XP".
I end up having to make a custom runas command for each one with /savecred - the windows equivalent to chmod u+s. This is a PITA to setup, insecure and doesn't work for all their software. There is some we've just had to abandon since it just won't work like that.
So please, software developers, check your software works without admin priviledges!
Every man for himself, all in favour say "I"
Lots of things a software should be able to do can't happen in LUA mode. So we have few solutions, like popping up admin password boxes (which can be exploited on its own with fake pop-up boxes prompting us to enter our admin login/pass), or having broker processes with higher privileges do the job. But it's important to understand that low-privilege IE and LUA for users is not removing the attack surface, just recucing it significantly and presenting few new ways to exploit the situation... Also it'll be significantly more annoying to deal with it when performing regular operations, like install/update software.
The two chief problems with LUA in Windows are:
- The Windows programming culture assumes a single user, single tasking computer.
- Users on Windows are administrator by default
The first is the developers fault, the second is Microsoft's. At least Microsoft are trying to fix their end. But even 4 years after Windows XP was released, software is being released by developers who should know better that still require either admin rights or much tinkering to get to run as non-admin. The most recent one I encountered was an application for BACS payments a couple of weeks ago - their tech support's answer was "run as admin". I managed to get it to work for non admins (since this was on a Windows domain) only by caclsing (aka chmodding) the application's directory writeable by all!
It's obvious that the developer had simply not tested the program as non admin.
Oolite: Elite-like game. For Mac, Linux and Windows
Logo Cert. should require games and most apps to work with Power Users or equ.
Just the other day I tried to guide someone through setting up a new account and e-mail settings on XP SP2 over the phone. I decided to play it safe and told them to create a limited account. But when you log into the new account and try to run Outlook Express you get this error message, which I couldn't get them past to configure e-mail. I later worked out that you must first run Internet Explorer at least once on the new account before the e-mail setup wizard will come up when Outlook Express is run.
First all this malware spreading around was because we didn't have firewalls. Now it's because we're all running with admin rights. Never mind that it's the OS default, it's obviously our fault that all these bugs keep surfacing.
Of course, the next whipping boy is that faceless developer out there who wakes up one morning and decides to violate basic programming principles like Least Privelege. But it's not the developer's fault.
The problem for the developer is that Windows makes it difficult to do anything but run as admin. The environment assumes single-user, multiple apps, but not multiple users. It was designed with one user in mind, and the multi-user stuff layered on later.
But the real problem with complaining that we're violating Least Privilege is that it's a Redmond Herring (TM). It's ignoring the big problem, which is that since Windows source code is closed, no one without a vested interest in keeping bugs hidden can look at it.
You want a security principle violation? Hiding your code is the biggest one there is.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
I use XP largely to play games, and find that even on games that can be played in underprivileged mode, bugs pop up more frequently. Just a couple nights ago I had a problem with a Microsoft title (AOE3) and finally was able to net connect when switching to an admin account. The developers simply don't test in this mode enough.
Here's a response from Atari when I complained about having to play UT2004 in my admin account. You can't win when this is they don't even consider this a bug:
From: Tech4 Subject: RE: Unreal Tournament 2004 - Windows XP : USA : This game, like most of its type, requires Full admin access to play, and can often conflict with third party software such as firewalls or virus scanners. We recommend disabling those items when the game is in use, and turning them back on afterwards. MarkL Atari Support www.atarisupport.comThey were lazy. It can be run under a Limited account in XP. Here's how I did it:
Fire up the freeware app Regmon, and set the filters to ignore the standard things running in the background (windows services, anti-virus software, and firewall software - A good starting point is as follows: csrss.exe;explorer.exe;LSASS.EXE;Regmon.exe;WINLOG ON.EXE). Just look at the list of processes that are filling up the main window for the names to put in the filter. While you're still in that filter dialog, uncheck "Log successes."
Now, fire up the offending application and wait for it to give you an error. Go back to Regmon and look through the last few entries for one that has "FAILED" in the Result column. Open up regedit, find the key that returned the "FAILED" message and assign full permissions for the limited user account, or the Users group.
Sometimes, a program will need more permision for a directory or single file. For that, use Filemon. The process is very similiar to Regmon.
If that all sounds too tedious for you, you might want to try just changing permissions on the application's install folder (For example: C:\Program Files\Intuit) and HKLM key (For example: HKLM\Software\Intuit). (Although I can say for a fact that QuickBooks requires full permission on one or two keys outside of HKLM\Software\Intuit.)
This process works for every program I have tried running under a limited account.
The Microsoft "Designed for Windows XP" logo program requires that Applications that are designed to work with the Windows XP infrastructure for state separation of data will work correctly under Limited User accounts. So if the application breaks under a limited user, report this to Microsoft logo control. Tell the vendor you did this. This scares some vendors; there's a risk of having their Windows logo pulled.
the whole thing is MS's fault. not the users. The app developers have secondary responsibility but MS caused the problem in the first place. Their developer resources promote doing all kinds of bogus things in their apps. For years MSDN has gone out of its way to promote all the OS level hooks that are available to developers, many of which only work as admin.
here's an example from a couple of months ago:How to capture the print screen key and totally change how your user's GUI works. Just what I want, the ability for some random application to subvert basic elements of the system interface.