Important Microsoft article about admin/user privileges

Discussion in 'other security issues & news' started by tlu, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Microsoft has recently published an informative article about the application of the principle of least privilege to user accounts on Windows XP. The dangers associated with admin rights and the considerably increased security under user accounts with limited rights are well described.

    A very readable article, indeed. I suggest reading Aaron Margosis' Blog thereafter.
     
  2. Ah, a message from our resident LUA supporter, tlu, fight the good fight brother. :)
     
  3. tlu

    tlu Guest

    You betcha! :D
     
  4. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    A very useful article. Thanks for the pointer. :)
     
  5. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Windows XP should ship so that LUA is the default. Not much hassle to use runas or jump into an admin account to change settings.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hi,
    Unfortunately, this does not work well in reality.
    Most security tweaks, including various services, software (bugoff, wwdc etc), and limited accounts work well IF:
    Your computer is a single machine used for internet browsing and document writing.
    However, if you like gaming, running servers, p2p, and connecting your computer to a network (home, ICS etc.), the security tweaks, LUA included, become a major pain in the ass.
    Just to mention a few, many online games use various anti-hack software that require admin accounts, eMule will not work well under LUA, certain Matlab drivers fail to start when running under limited privileges, etc.
    And if you want to use RunAs / Admin to overcome the problems - what's the point of running LUA then? Windows is configured to work 100% under Admin account, unfortunately.
    Limited User is what it says - Limited abilities, not limited security (only).
    Mrk
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    If we rewound the clock back to when XP launched, then I think things would have been much better, people were forced to write user account security compliant software.

    I totally agree that it is not easy to do. PS I only use run as for changing and installing changing settings, everything I run everyday runs fine as LUA, also emule which has its own special user account.
     
  8. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Ehh... it's not as difficult as you portray. I run LUA probably 98% of the time. The problems you point out:
    • Games. Yeah, this one can be a biggie. As you point out, though, most of the problem resides in their bogus copy protection schemes which often require admin rights and generally just serve to cause problems for legitimate users -- the pirates crack it anyway. This isn't Microsoft's problem it is the game developers'.

    • Security Utilities and Tweaks. Well, yeah, generally a tool designed to configure security settings is going to require elevated admin privileges... as it should be! No harm, no foul here. These tools can be configured to runas and ask for admin credentials each time they are invoked. Quite similar to how such admin and security tools work on alternative operating systems.

    • P2P Apps. I don't usually mess around with these since the vast majority are poorly coded, IMHO, and they are often breeding grounds for viruses, trojans, spyware, keyloggers, and all other sorts of malware. Personally, the last thing in the world I would want to do is to enable a P2P app with admin privileges. If these network apps require admin privileges then the developer most likely did something wrong or made assumptions he/she shouldn't have made, and I don't want it on my system.

    • ICS. Don't know about this one. I run with a hardware wireless DSL router. No problems whatsoever there and obviously not dependent upon admin privileges on my client machines.

    • Matlab. Don't know about this one either, but what in the he... I mean heck... is a math environment/library doing requiring admin privileges? This is a widely used scientific & academic package and I would be greatly surprised if the latest version and service pack wouldn't correct this problem. In any event, IMHO, this is MathWorks' problem not Microsoft's.
    Basically, I feel that the vast majority of the problem lies with 3rd party developers making assumptions that they shouldn't have. This isn't Microsoft's problem. Yes, Windows was originally designed as a single-user OS with virtually no user privilege restrictions. That was the history of Win3.1 and Win9x. But the Windows NT line has attempted to point devs into the direction of a multi-user, user restriction model for some time now. The days of gentle nudging are over in my opinion. It's time to start cracking down and holding individual devs responsible for poor and/or overly assuming code.
     
  9. tlu

    tlu Guest

    Alec, I couldn't have said it better! I might add that problems caused by poorly coded applications that require admin rights can very often be solved by using the tools Regmon and Filemon from Sysinternals. And I'm rather confident that all these experts here who successfully manage countless complex security applications are also able to get along with these two little utilities - don't you think so? ;)
     