Should one use LUA or not?

Discussion in 'other anti-malware software' started by ako, Aug 16, 2009.

Thread Status:
Not open for further replies.
  1. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Indeed, the subject of practising least privilege and not running as superuser is nothing new. It's pretty much ancient, actually. That's why it's so sad that people still feel the need to question it in the Windows world. Since pbw3 already mentioned seatbelts, I'll say that asking whether one should run as LUA is like asking: "Should I use a seatbelt? If I'm a beginner? But should I use a seatbelt if I'm a really good driver? Should I use a seatbelt if I've bought third party airbags for my car? Should I use a seatbelt even when this one guy who used a seatbelt got killed when a huge truck ran over his Pinto?" :D Sure, seatbelts make some things, like getting out of the car, more "difficult." But on the other hand, they may occasionally save your life. With least privilege, it's the same. Sure, it'll make some things more difficult, and some poorly made software will not work. But then, occasionally, it may save your system from being totally owned, or prevent some buggy but legit software from making your system unbootable.

    Well, for the market research... :D

    All the people I know closely (best friends, relatives) either use LUA in Windows, only use Linux or OS X, or are the kind of people who don't use computers practically at all or for some very limited things where it really doesn't matter who they're logged in as. For an example of the latter case, it doesn't really matter that much what security measures you practise if you don't have an internet connection and only ever use your (old) computer to write and print things - no data from any third parties ever gets on the system, and there's nothing "private" on the system, so where's the need for any heavier security measures beyond keeping the PC indoors and the doors locked. Most are in Windows, and use LUA. And yes, I actively encourage them to use LUA. And it works for them, as it works for me. Of course, the Linux people just plain laugh at the idea of someone being logged in as a superuser all the time, so they don't exactly need my recommendations. ;)
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, you did say "know closely", people such as best friends, relatives. How many close relatives and best friends do you think one guy will have? :D In my case, it's a couple of dozen, depending on the definition. The age groups and profession vary, of course: some relatives are little children whose parents give them limited user accounts so they don't mess up the system, some are old farts who think WWII was something that happened yesterday, some are enjoying being 30 and both healthy and wealthy. Some are working in IT, some are completely different - one guy works as a lumberjack and another runs a farm. The lumberjack uses Linux, by the way. Imagine that. Bloke has a really big chainsaw and Debian. :D Ironically, the ones that are serious gamers are all adults.

    But really, you shouldn't be surprised. People often are rather much like their best friends and relatives. And when someone you trust recommends something, then rather often you follow on that. The Linux guys recommend LUA (and more often just switching to Linux), I recommend it, the IT people recommend it, and those who don't fall into any of these groups will unsurprisingly follow the recommendations, especially when they know they can get help if they need it.

    Which is unsurprising, considering that probably no-one who they trust has bothered to recommend LUA for them, or help them with it if they run into problems. On the other hand, if someone you know closely started recommending LUA and helping people set it up, the chances are that soon many people you know would be running LUA.

    I don't think it's that long. Barely 20 lines of text. :) And I thought it was relevant to the question to mention that some people don't use computers to browse the net or do email. Some people just use computers as a glorified typewriter or calculator. Those people don't necessarily benefit much from security software, limited user accounts or knowing how to avoid getting their PayPal credentials phished [since they a) don't know what PayPal is and b) don't use it].

    Well, if you did, it might help someone who could really use a hand with computer security. :)

    Generally, I find it rather sad that often security discussions that concentrate on Windows become a kind of marketing fest for various security apps, where fans of some software or another engage in a competition on who can be loudest in proclaiming that Security Software X rules, and those voices who talk about security as something other than a bunch of programs get somewhat drowned out in all the noise about whether Kaspersky beats Norton by a hair or not in some "independent" test by some "testers". :D
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Of course. :)
     
  4. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Last time I tried to use LUA (years ago on XP) I couldn't transfer files in "My Documents" from LUA to ADM when I was using LUA and found some picture to download, or vice-versa from ADM to LUA.
    It's a lame reason, I'm sure there's a way to do it, but until I discover it, I'm staying in Protected Administrator mode (not the default ADM account from Windows). Else, I also recommend LUA to anyone; it's not like you need ADM privileges to browse or write on forums, and if you're not installing a program every minute, it's cool too (with the exception of the My Documents swapping!!) ^_^
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519

    Don't remember if this is in the thread already :)
    http://www.dedoimedo.com/computers/surun.html
    Give this a go. I tried it yesterday and it makes LUA a lot more flexible.

    ssj -
    o_O
    I thought we were here to give good IT advice!
    Oh wait you don't do that ....
     
    Last edited: Aug 18, 2009
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Apology accepted :D

    SuRun really is the better choice, to me it's like having the Linux sudo feature in Windows. SuRun also works in Vista, BTW. I believe Kay Bruns is working on getting it to function with Windows 7.

    UAC is definitely a step in the right direction, but I would have preferred to see the installation require an admin account and a user account to be created and explain the reasons.

    OK, that has nothing to do with Norton AV. Looks pretty useful, does it work well? (i.e., no major bugs, etc) I downloaded both of them in case I have to do something with a Vista machine. This might keep people from turning UAC off.

    I missed that one, Sully's PGS app looks good, downloaded that one as well. SRP on XP Home requires a bit of hacking, this saves the extra work.

    Well, as far as I know, UAC != LUA, so it might be a good idea to use both, don't you think? If I'm not mistaken, the UAC prompts with a LUA require the admin password. If this is correct the Norton tool could be very handy in this situation.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    No worries.

    :cool:
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Maybe it's a cultural difference. Or maybe you're young. I find that the older I get, the more people value my opinions. Maybe they're just trying to be polite or something. :D

    I firmly believe some people can be educated. After all, if one can go through university, one can certainly learn basic computer use and security practices as well, if one only bothers to try. And in this case, where we're talking of people that are close to me, they have more reason to listen to me than some random guy off the street who doesn't know me. While I don't find persuading my friends and relatives very difficult at all, sometimes I find myself helping some friend-of-a-friend or another person I don't really know and discover they're the type that doesn't really take advice or want to learn. :( So, it's not like I only meet smart people. It's just that my friends and relatives tend to be that. Fortunately for me!

    I don't find that sad. Discussing computer security and finding some products a better fit than others is all fine by me. I'm only sad about the part where security discussions turn into security product discussions, and people talk about apps and compare one app to another like it's a race of some sort with ferocious fan clubs and bashing from all sides, and all this noise drowns out very important things. For example, in any discussion where someone got infected with some malware, there's a good chance you'll see someone recommend AV Product X like that would have solved the problem - even though in most malware infection scenarios whether you're using Norton or Kaspersky is nowhere near as important a factor as whether you were an admin or limited user when the malware executed. This sort of thing.

    I didn't say it happens on Wilders - it was a general statement, showing one of the reasons I believe LUA isn't very widespread in Windowsland. In Linux, people recommend not running as root. In Windows, people recommend running some AV while running as admin. That's a problem. Least privilege should enter into recommendations far more often than it does in Windowsland usually, though in recent years it has gotten a little better. That's really quite an important point considering the subject of this thread. One of the reasons people even ask whether they should use LUA or not is because people who should know better have been marketing AV products instead of offering somewhat less expensive and more effective advice. For example: "stop running as admin, run as LUA instead and use my fave AV product" is much more effective advice than "you should've used KAV so you wouldn't have gotten infected LOL." Oh, and that last piece of advice? That one is a real quote, not from this forum though. :D

    Where do you think I'm posting when I'm not posting on security forums ranting about LUA? ;)
     
  9. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    LUA?

    A couple of months ago (?) I studied the possibility of using LUA+SRP, which was recommended on this forum. To be honest, I've forgotten most of the details. Especially since on a Windows XP HOME EDITION SRP is more tricky, I decided not to pursue it.

    I'm not saying LUA is a bad idea.

    But maybe LUA is overhyped, especially if one doesn't use something like SRP or SuRun, DropMyRights etc.

    I understand that for many of you who have studied Computer Science, default deny, allow by exception, is considered a sound security strategy.
    But we are talking Windows XP here, and as far as I understand Windows has a philosophy of allow by default, deny by exception. It's not UNIX.

    Using just LUA, how much malware would be stopped by this?
    A lot? OK. Let's check av-comparatives. Assuming you have a good AV, the detection rate is about 98 to 99 %. If you complement this by adding 'basic computer hygiene', like not clicking on ads, not responding to spam, checking if a program is safe before installing it, are you really better off using LUA?
    Some security software might not work properly with LUA (not sure).

    I know the argument about 'learning'. Again, most people don't want to spend time learning computer science. 'Basic computer hygiene' as I called it, is in many ways about human behaviour. For most people, this is easier to learn than 'computer science'.

    Just my 2 cents.
     
  10. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Would be great if this had ever been tested. Anyone seen such a survey/test?
     
  11. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Well the probability of meeting a piece of malware could be something like 10% a year, but detection rates for new malware are smaller:

    pretty new 10-90%

    http://www.virusbtn.com/vb100/RAP/RA...-Feb-Aug09.jpg

    zero day 5-70%

    http://winnow.oitc.com/AntiVirusPerformance.html

    So the probability of getting infected in this example could indeed be as small as 1%. :)
     
    Last edited: Aug 18, 2009
  12. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    All mbr rootkits and other kernel mode rootkits....
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Learning the basic practices doesn't take long. It can literally be a matter of minutes. :) Many of the people who have spared a couple of minutes to learn some of the basic stuff have turned out much better off because of that. But as has been said, some people aren't willing to make any effort at all to learn, and some are just really forgetful. But helping one guy is better than helping none. :)

    Certainly LUA doesn't save people from being stupid and falling to social engineering, but not all attacks are social engineering attacks. In fact it seems to me that the people in this forum, for example, are much more worried about the automatic drive-by style attacks than the social engineering ones. And it just so happens that LUA is rather effective against the drive-by attacks, preventing the vast majority of them from being able to infect the whole system and from doing the very evil stuff like installing kernel mode rootkits.

    Joe User browses an exploit site, and never knows that the site exploited an IE vulnerability to run some evil code. If Joe User is admin, the exploit site can happily install anything it wants, from the meanest rootkit to the lamest rogue AV. If Joe User is limited user, the malware dropped by the exploit code probably dies trying to do something stupid like writing to the System32 folder, or if it's one of those rare LUA-compatible malwares, it may do some nasty things but fail to kill security software running as SYSTEM and will fail to infect all other accounts or load kernel mode rootkits to hide itself with. When Joe User's AV gets new definitions and hopefully starts detecting the new malware, it'll have a lot easier job cleaning it than it would have if the malware was in kernel mode and could totally clobber the poor AV.

    You could think of it like this: Is there a reason why I should give any and all programs that execute on my system complete and full unlimited control over the system, which is the same level of control that I, the owner of the system, have? Is there a reason to give that kind of unlimited control to any random piece of code executed by some browser exploit? Even if you have no idea whose code it is, and what it wants to do? If you think there's a good reason, then run as admin. ;)

    As for common sense, I fail to see why it's an either-or type of choice: either it's common sense or LUA, but you just can't have both, no sir. I'd say that LUA is or should be considered included in common sense - it certainly is in Unixland. I'd say that you should practise least privilege and use common sense. There are very few reasons that I can see to do one but leave the other.

    I do spend quite a lot of time on such forums, whenever I manage to cool my nerves down enough to be able to deal with all the illogical marketing speak in those forums. :D

    As for Fly's idea that LUA is overhyped, I find the very opposite to be true. Far, far too few people talk of LUA and recommend it, considering how effective it is. LUA is very underrated in the Windows world.
     
  14. wat0114

    wat0114 Guest

    Same here. I'm usually greeted by a look of total vacancy or even contempt from the individual I'm trying to explain it to. Maybe it's partly my fault for poor presentation, but the topic just doesn't seem to generate any interest in them at all.
     
  15. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I think because it sounds much more complex than it is. Which is a pity.
    Also personally I think anything can become a (worthwhile / interesting) hobby, but most people would be more "snobby" about this.

    When I came here first it was to find the best AV, with a side interest in how they worked.
    I work in IT as a SQL programmer and yet the level of detail/knowledge that people have here is amazing, esp. as a lot of people aren't programmers, as far as I can tell.
    So pure interest can take you a long long way.
     
  16. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Indeed, most people have security right at the bottom of their list of priorities. That's basically the dancing pigs/bunnies problem: given a choice between looking at dancing pigs and security, people will invariably pick looking at dancing pigs. Sometimes, some users can be educated, though. With some people, I've been lucky, with some others, not so lucky.

    Of course, being reasonably dramatic often helps, even if that can be a somewhat questionable tactic sometimes. Don't say stuff like: "How's your computer security? Any viruses and stuff lately? I could help you." That will only lead to the obvious reply: "I don't care, I'm all good, I just wanna browse the adult sites and make bad jokes in Facebook." Instead, you could try something like this: "Want to see how easily an evil person could steal your bank account credentials and take all your money, or how easily someone could set an illegal server up on your machine without you knowing anything until the police raid your house and take you to court for spreading highly illegal material? Want to learn how to stop that stuff from happening?" That works a lot better, but obviously not always. :D

    Sure, I agree with you that knowledge - I figure we could call it common sense, if it was actually common, which it obviously is not - is certainly the most important part of computer security. Or, actually, anything and everything. You can't do anything without knowledge, unless you trust luck and learning from repeated errors. :D Without knowledge, you won't be setting up LUA, or running security software, or avoiding falling for phishing scams and so on ad nauseam - unless you either rely on luck or have someone to help you, and then that person needs to have some knowledge. That's obviously why user education should be the supreme goal and ideal - even if we understand it's a somewhat unrealistic goal for many users. But then, least privilege should be part of that education, and where education fails, often your help can still improve the security of those less interested in that stuff: if I had a dollar for every PC I've set up LUA, AV software and/or SRP on and installed some alternative software like Opera instead of IE, I'd be drinking free beer for the rest of my years. :D Default-deny is actually rather good for the uneducated users, who can be expected to just consistently do the wrong thing with regard to security. But, I digress. Sorry about that, guys.

    As I see it, Microsoft is a victim of their own business model and clientele. They try to get their software on every PC in the world, and they aim to make their software "easy" to use and "simple." Things like backward compatibility were and are important to them, since many users will get mad when some old poorly made software breaks with a new OS version. Since a system that has security is practically never simpler than a system that has no security at all, obviously this will conflict with the whole ease of use goal. Cars would be a lot easier if there weren't annoying locks on the doors and you wouldn't have to turn some key in some small hole to get the engine running. :D There's the whole DOS thing, where the security model could be pretty accurately described as "doesn't exist" and no concept of any accounts exists. Many coders still make software like they were making it for DOS. Sadly.

    So, what does Microsoft do? They make the default user admin, and make all users created afterwards be admin unless they are explicitly made non-admin. This achieves two things: compatibility with a lot of the old stuff that people want to run, and "ease of use." Because, you got to admit, everyone using the one admin account is "simpler" than having to make multiple accounts and some of those not being admin.

    This is actually one of the most ironic things in the computing world as I see it. On one hand, you've got loads of users blaming Microsoft for making Windows an "insecure" operating system, and on the other hand, you've got these same users crying like babies any and every single time MS makes even the slightest change towards a more secure default configuration, and to add insult to injury, these same users are also refusing to use security features like LUA that have existed in NT since before Windows 95! :D

    I'm sure people here remember the huge outcry caused by XP SP 2 breaking a couple of programs. And how about UAC? "Boo-hoo, this is so annoying, Vista sucks, how do I turn this off?" Can we even begin to imagine the ridiculous extents of whining that we would inevitably witness if Microsoft just suddenly changed the default to limited user accounts in a new Windows version? :D Even this security forum has loads of people who a) have never seriously tried to learn about LUA as compared to how much time they spend on learning about random security software and b) think running as admin is just so much better than stinky LUA that it ain't even funny.

    Basically, MS has little choice. They gained their market share largely by being easy to use and compatible with everything old, when other operating systems happily broke old software with each major update to the OS. They can't change things quickly, because people will whine, and they're a business that wants to sell stuff to people. So, they make changes slowly, if at all. One might say that Microsoft is suffering from the world's biggest case of Problem-Exists-Between-Keyboard-And-Chair. They chose the most difficult kind of clients: everyone, especially those people who don't know anything about computers but still have lots of opinions on them. You can see how the strategy was wise in that Microsoft is drowning in money and coughing up bars of gold, but a side effect of that strategy is having to make default settings that assume the average Windows user is barely a primate.

    As for the average joe not having any idea how to use LUA, well, that really depends. I don't think the average joe is born with any idea of how to use admin accounts, either. It's a matter of learning, and of what is normal in the environment - even average joe adapts to his environment. If LUA was the default, average joe would have to learn that, and actually would learn it. Already there's a huge amount of perfectly readable documentation on LUA, and how to use it. Assuming average joe can read, that's enough. And MS could make it even easier, by showing that stuff everywhere. :D

    But man, that was one long answer to just one question. This always happens when it gets late over here. :D

    See above. Because poorly made software will break in LUA, Microsoft recommends LUA in a rather conservative fashion: all the help files, guides, everything, say you should use LUA, but the security center in Windows and such are only concerned about firewalls and AVs since those don't usually break poorly made software made by DOS programmers. ;)


    Phew. That was pretty long. All right, I think that's enough from me for now. Time to go save some people from dancing pigs. :D
     
  17. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Sir, sorry if you found my words kind of harsh or strong.
    You might have misunderstood me.

    I'm not denying the effectiveness of LUA, on the contrary, I think it's good for people who exhibit a RISKY browsing behavior.

    I have friends at work that I can call computer savvy users. Their knowledge about PCs is huge. They have A+, MCSE certifications and all that. In contrast, I have NONE.

    The knowledge about computers I have, I acquired through computer magazines, these kinds of forums and the Internet.

    However, those friends of mine, with all those certifications they own, they browse so called free p0rn, download movies/music from Rapidshare at home, etc. and run A LOT of applications to keep their PCs protected [e.g.: DefenseWall, Geswall, WinPatrol, AV, AS, software FW, SpyBot, etc. All of them at the same time, just to name a few].

    They protect their PCs that much [in my opinion], because they KNOW who they are and what they DO.

    They even use Restricted User accounts to minimize the impact of a virus infection in case their computers get hit because of their HIGHLY risky browsing behavior.

    I have 3 desktops and 2 laptops at home but I mainly use just one of these desktops and a laptop. The desktop runs Vista Business with SP-2, Avira Premium 9, Windows Defender [already included on Vista] and the Windows Vista Firewall and my account has administrative rights but I get prompts from UAC every time I try to run something on this PC.
    My laptop has a similar setup as my desktop with the only difference that on the laptop I run NOD32 v.4 instead of Avira.

    For my wife and kids, I created accounts on the other PCs that happen to run Windows XP Pro [I no longer use XP since I tried Vista back in 2007].
    Their accounts are Restricted Users [LUA] and I just created those accounts for them not because I fear they might get hit by a virus/worm but because I dislike when they install programs not authorized by myself on those computers or mess with those computers settings.

    To me, even knowing that LUA is very useful to restrain a virus infection to the limited account who got hit by it, I find it more useful to prevent users from installing/uninstalling whatever program they want or changing the computer settings.
    I think that is primarily what the IT administrators at private companies want to achieve also. Prevent users from uninstalling/installing programs or changing systems settings on the PCs assigned to them.

    Regards,

    Carlos
     
  18. Dogbiscuit

    Dogbiscuit Guest

    Here is a post from the end of a thread last year with a link to data that shows, at least as far as the OS and Microsoft applications are concerned, LUA clearly makes a system less vulnerable if attacked:

    Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts


    Even if that report shows a significant improvement to a system's security, whether one should use LUA or not might also take into account other considerations as well, such as how likely a system is to be attacked.

    Having said that, the data is clear. Had you been running Vista last year as a standard user (LUA), there were no known critical vulnerabilities that would have allowed a fully patched system to become compromised through any Microsoft software.
     
  19. tlu

    tlu Guest

    The Blaster worm exploited a buffer overflow in the DCOM RPC service - a vulnerability which had already been fixed by Microsoft (as mentioned by you). Nobody ever said that you should disable automatic Windows updates if you're using LUA. So I'm not sure what you're trying to tell us.
     
  20. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    I'm not implying that Windows Automatic Updates should be disabled or else.

    The point I'm trying to make is that even when the majority of users at work were set as Restricted Users by our IT Dept. our computers were wrecked by Blaster worm with the endless reboots caused by this worm.

    Regards,

    Carlos
     
  21. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    No, but the point is you need both to easily increase your protection against malware a big lot - and that keeping Windows (and software) up-to-date is the most basic, but important practice. Your IT Dept. didn't do their job - end of story.
     