Should one use LUA or not?

Due to low contribution I ask this again (tried here https://www.wilderssecurity.com/showthread.php?t=251051 )

Lets forget UAC. Should we tell people to use LUA (limited user account) with Vista/Windows 7?

a) beginner

b) average user

c) expert

 

for 32 bits and Defensewall/sandboxie/malware defender/geswall not need to

 

Actually I thought the response you got from Windchild was pretty comprehensive. Search the forum for postings from Lucy and tlu, they have provided some very good information about LUA and SRP.

As to your question, why not? You can get a lot of protection just by using the features of the OS. It uses no resources, causes no BSODs and it's free. It's there and easily configured, so why not use it?

Of course you are going to now get all kinds of suggestions for everyone's favourite resource hog that you should install instead. Most of the people dissing LUA have probably either not tried it or they tried it for a half an hour and switched back to admin because they couldn't change the system time, or some other silly reason.

Take a look at spycar.org, they have a test to see if your security apps are on the ball. Someone posted this a while back and complained because the AV he was testing didn't detect a few of the exploits. I tried this with LUA, software restriction policy and no autoruns for users and every one of these exploits failed. This is with absolutely no security software running real-time, so yes, LUA really does work.

 

OK, here's your fish <°))XXX><

And if they are running 64-bit?

 

Short answer is YES, we definitely should be telling people to use LUA, or at the very least seriously consider using LUA. Least privilege has been a recognized best practice since the ancient days of multi-user operating systems. There is no question about this issue. Look at Unix and all its derivatives, OS X, Linux - all not only provide the equivalent of Windows limited user accounts but also practically force users to actually use those accounts instead of the superuser account. Pretty much the only people who even ask questions like "Should we run as admin(/root/superuser) or a regular user?" are Windows users - everyone else already knows they should not run with superuser privileges except when those privileges are absolutely required.

A) Yes, we should tell beginners to use LUA.
B) Yes, we should tell average users to use LUA.
C) Yes, we should tell the experts to use LUA.

After we've told them that, then all those users can decide for themselves what to do. One can opt to run as admin and try to fix that issue by installing various complicated security software products. One can choose to use LUA and run some security software to help protect their account and system. One can choose to run completely naked if one feels like it. If one has enough knowledge and/or luck, there are many different ways to do things that can work perfectly well and keep you safe. But it's very clear what people should generally recommend.

That said, LUA is obviously not a panacea. It's a very basic best practice, but it doesn't solve all the world's problems. Just some very big ones.

 

Windchild gave a good answer, just wanted to get as much opinions as possible: should I recommend LUA or not (I personally like it for Vista) for people with different skills.

 

Nice fish!

64 bit? Maybe 2013?

 

.
I would recommend it to anyone who can understand what it means and implies. In other words a user needs to appreciate the way LUA improves security and be willing to change the way he works. If someone has always used an Admin account they are going to bump into the restrictions of a LUA for a while. Eventually they will get comfortable with switching to the Admin account when necessary and then switching back to LUA. If you talk to someone about it for a minute it should become obvious whether it would be too complicated or annoying for them.

 

Hi,

What about people who have been running as Administrators on NT systems who have never ever gotten a virus/malware infection on their PCs/laptops?

Have they just been lucky users or... what have they done?

I've run Windows NT 4, Windows 2000 Pro, Windows XP Pro [and MCE, a variant of Pro], Windows Vista Business [my current OS] and Windows 7 RC all of them as Administrator and I can say that I haven't got a virus/malware infection on any of the PCs I've been running those OS [knock on wood, of course].

I just run a software FW, an A/V and an A/S and keep them up to date; I also do keep my system UP-TO-DATE with the latest Service Packs/security patches as soon as Microsoft releases them, don't visit questionable sites [p0rn/warez], don't open any e-mail attachments that look suspicious and only download software from reputable sources.

Even though I've been running as an Administrator, I haven't got any infections since 1996 [when NT4 was released]. Is it just luck or what?


Regards,


Carlos

 

Well, perhaps we should tell people at least to try it, and if they can't live with it ditch it....

 

Oooooh yeah - it's definitely worth a try. Just think about how much less purpose the malware out there would have if everyone ran under a LUA (ehm, damn you, Microsoft ). - And it's all, freakin', FREE!

 

Obviously it's not just luck. More likely it's just a lot of common sense and understanding how computers, operating systems and malware work.

Like: "Hmm, an unexpected email that claims to be from Microsoft and tells me to install the 'security update' included as an attachment. Most obvious malware spam mail ever."

A lot of people have been using admin accounts for years without getting infected. But that requires either luck, skill or both, and most people have little of those. And even to the people who do have the skill or luck, LUA still has benefits and still improves security.

But obviously one doesn't have to use LUA, if one just really doesn't want to. It's a free world. But as I said previously, if one is interested in security at any level, learning about least privilege and trying out limited user accounts is quite important, really. A security enthusiast who doesn't know LUA is like a car enthusiast who doesn't know manual transmissions.

Further, people who think of themselves as experts or even just advanced users might consider trying to set an example to the newbies. In other words, they ought to recommend basic best practices like LUA instead of acting like the free marketing department of some security software company, giving "recommendations" like: "Just run McAfee's security suite and you'll be safe from everything forever and don't need to bother with no stinking limited user." (Imaginary example. )

 

On XP:
a) beginner YES
b) average user YES
c) expert NO - use Sudown and PGS

On Vista
a) beginner: YES
b) average user: No use UAC + Norton UAC tool + PGS (see https://www.wilderssecurity.com/showthread.php?t=250748)
c) expert: No use UAC + Norton UAC tool + PGS

On Windows7: same as Vista without Norton UAC tool

Never forget UAC in combo with PGS it is so strong and easy to use.

 

This is indeed an extremists approach!

 

I would have reservations about recommending SuDown. Take a look at this (if you read German).

I have a couple of questions. Why is there this general opinion amongst quite a few here that LUA is some sort of digital training wheels for beginners and morons? In real life I find it the other way around, the people who are consciously using LUA are the more experienced. I started using computers in the punch-card days, so I wouldn't exactly call myself a beginner.

The few beginners I know using it are doing so because I set it up for them that way. Left on their own, they would be running as admin and probably be part of a botnet right now.

Concerning Vista and point b., what if you aren't running Norton (and don't want to?).

I'm wondering how people here can claim that LUA is not safer than running as admin. I don't use any real-time security software and my crate is clean but there are enough postings here in the forums from people who have gotten infected running as admin with all of their security apps. There's a lot of talk about "layered approaches", but the simplest layer which is built into the OS and uses no resources gets put off as something for those who don't know what they're doing. I find it very difficult to follow the logic.

 

LOL! Nicely put, Johnny

I agree LUA should be used by beginner, intermediate and expert if it is not hampering the functionality of the programs required for normal day-to-day use, which for all intents and purposes is nearly everything, anyways, so there should be almost no reason not to run under these restrictions.

Administrative accounts have their purpose; usually for installing programs, changing network settings, account settings, and miscellaneous system settings, as well as several other tasks requiring admin privileges. The inconvenience should only be considered as minor as a reasonable trade off for the considerable security LUA accounts provide.

 

Could you provide a brief explanation? The babelfish translation is hard to follow. I use SuRun and am familiar with it, but just downloaded SuDown to give it a try on a new image.

My take is the Norton UAC tool is for convenience and not added security. Is that correct? Wouldn't LUA and SuRun be more secure and just as convenient as Running as admin with the Norton UAC tool?

 

You're right, the automatic translation sucks! In a nutshell, SuDown has a few bugs (or features, depending on how you look at it) which make it possible for someone to run code on your machine with admin rights and you could get pwned. If you are using SuRun and it works well for you, I'd stick with it.

I'm not sure what the Norton UAC does, since I don't use Vista or Norton, but a limited account is most certainly safer. You can still use Norton with it, thus increasing the security level. SuRun definitely makes it more convenient, so I don't see the need to be running as admin all the time.

 

Hi everyone,

Let me add a little bit of information regarding all the HYPE about LUA as the “panacea” that cures virtually everything in the Windows world.

Back in 2003, I was running Windows XP Professional with SP-1a and the latest security updates at home on both, my desktop and my laptop. The SP-2 for that OS [which included Windows FW and many other security improvements] was still far from being released at that time [it was finally released in August, 2004]. On both, desktop/laptop, I was running as ADMINISTRATOR.

On the other hand, at work, being just a powerless employee who happened to work in the QA Dept. in a pharmaceutical company, I was running Windows XP Professional SP-1 as a RESTRICTED USER that is the account type assigned to almost everyone by our IT Dept. on the desktop at my cubicle and McAfee VSE version 7.0

In July 16th, 2003 Microsoft released this patch: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
and they STRONGLY URGED every Windows NT systems users [ 2000 Pro, Windows XP Pro...and Home also] to apply it IMMEDIATELY. It seems that MS foresaw a major computer virus outbreak in the coming weeks.

At home, I applied this patch urgently the same day it was released [July 16th, 2003] but...at work, the story was a little bit different.

Our IT Dept. did NOT applied this patch for whatever reason they had and, a few weeks latter, on August 12, 2003 the infamous BLASTER worm got loose and started spreading through our work network like the plague just because a silly employee had opened an attachment from an unreliable sender which happened to include this worm.

Our PCs at work started an endless rebooting loop and all this caused a wreck havock on our computer systems at work, where 99.9% of us where just RESTRICTED USERS running Win XP Pro.

At home, the story was different. Neither my destop nor my laptop where affected by this worm even when I was running both of them as ADMINISTRATOR.
Why? Because I was proactive, and I applied the patch released by MS a month earlier before the Blaster worm started its dirty deeds.

The only thing I did notice was a flood of attacks on port 445 detected by my sotware FW [I was using Norton Personal Firewall 2003 at that time, along with NAV 2003].

So, the bottom line to this story is, not matter which type of account you run on your PC, just use COMMON SENSE to keep your data SAFE.

Actually, I do use Windows Vista Business SP-2 [hated by the majority of Wilders users who happen to be still on XP] and I don't find UAC annoying at all. On the contrary, I find it kind of amusing so to speak because I know it's there as another lawyer of protection along with common sense and keeping my AV up-to-date, and regularly running Windows Update to keep WD, and WF up to date. That's it.

Never got an infection...so far [knock on wood].


Best regards,


Carlos

 

Patching your OS is the ultimately first lesson, and I don't consider your IT Dept. professional referring to your story.


LUAs and "sandboxing" applications work by restricting the rights considerably, one way or another - BUT - it's still recommended to patch your applications, and programs like Secunia PSI, FileHippo Update Checker, etc., makes this task a lot easier. You notice I didn't mention patching the OS there? I didn't, because that's for, at least, a knowledgeable user (or, supposedly, a technician for that matter - god damn...) basic practice, a no-brainer.

You know why you should still do this? Because exploits are different! They don't need the rights, simply because they're just that - exploits. They're exploiting a hole in your system!


My point being? LUA had nothing to do with your situation! Only the unprofessionalism of your IT Dept. was the failure!

 

"Hype" and "panacea" are pretty strong words to use, especially in a thread where people have already said that "LUA is obviously not a panacea."

To say that LUA is a basic security best practice and really does increase security a great deal as compared to using an admin account all the time is not hype. It's a fact. To say that most malware out there currently breaks when executed as LUA is not hype. It's a fact. To say that many people could have avoided serious malware problems by running as LUA instead of admin is not hype, it's a fact. So, where's the hype? Even Microsoft doesn't claim LUA is a panacea. So, to me it seems that those people who are talking about there being "hype" about LUA are mostly seeing that hype inside their own personal imaginations. Or perhaps their definition of hype is just different. My definition of hype is something like "advertising and promoting something with questionable and inaccurate methods and claims, or just constantly calling something the greatest thing since sliced bread without being able to show why that would be the case". Maybe their definition of hype is something like "making repeated recommendations based on obvious, verifiable facts." Or maybe they're just honestly concerned that if people start recommending LUA more instead of only recommending loads of commercial security software for every problem, then their stock in various security companies will go down and they lose some money.

Your example only goes to show that like any security measure, LUA doesn't somehow magically fix all the vulnerabilities an OS may have so you don't need to patch. It mitigates the impact of some, and does nothing against some others. LUA is one best practice, patching is another. Do both, and more.

As for common sense? Better to have common sense and a limited user account than common sense and an admin account. As far as security is concerned, anyway.

 

I do. Always. For Vista.

By the way It is not so easy to find an infected machice. Some PC:s seen during summer:

1) Vista. Used as admin. 1.5 years without any security software. Clean.
2) XP. Used as admin. some months without any AV software. Clean.
3) XP. Used as admin. several years with a completely outdated AV software (F-secure 2002). Clean.
4) win2000. Used as admin. several years with a completely outdated AV software (F-secure 2002). Clean.
5) XP. Used as admin. with slightly outdated AV software (F-secure 2007). Clean.
6) XP. Used as admin. with a slightly outdated AV software (F-secure 2007). Clean.

You can guess I was disappointed!

 

Endschuldige mich, Surun ist besser

Well the Microsoft OS-ses started wrong. In the beginning the only way PC's communicated with midsize and mainframes was through terminal emulation. So it was a non-issue. Now MS is improving its apporach with UAC (Vista) and configurable warning level UAC (Windows 7)

It is a freebie which remembers certain UAC choices, so more or less reduces the pop-up noise and clicking okay by default.

Agree, see https://www.wilderssecurity.com/showthread.php?t=250748

But do not forget that UAC still allows side by side infection, so GW or DW are stronger defenses.

 

I like the analogy...

Here is another (that I have seen on here before): Using LUA is similar to wearing a seat belt..

Sure you can drive perfectly safely (or not) whether you wear one or not, and a very good anecdotal chance that nothing will ever go wrong.. but it does not take away from the simple stats that, if and when one ever does have that accident (say the browser fails on a steep hill), then wearing one is generally a pretty good thing to be doing..

And yes, there are alternatives including air bags, specialised third party "19 point" seat belts, sophisticated crash helmets, and personalised special body armour with bubble wrap and fire proofing, mainly for those who know lots and lots about car protection, and especially for those who practise driving them into brick walls.. For those, the chances of an accident, or getting hurt in one, are anyway substantially reduced and better "understood".. and for those who are regularly jumping in and out of their electric milk carts, then clearly seat belts are a real PITA, but the risks associated are also quite different....

But for the 95%+ of ordinary drivers using their cars to get from A to B, even quite skilled ones, and especially on busy (riskier) roads, seat belts on average offer a pretty good cost / benefit ratio.. as do airbags, driving safely etc..

Someone linked in some stats here once (can't remember where) that reported that most (some 99% or whatever?) of the computer infections that had been logged (by this particular vendor) over a particular period / place of monitoring etc had involved admin accounts rather than LUA, if I remember it correctly.. of course, that didn't take into account the percent of their total users using admin versus LUA, which could have provided a more meaningful statistic..

Peter