LUA Whitepaper released


Microsoft Solutions for Security & Compliance (MSSC) has released a new whitepaper, Applying the Principle of Least Privilege to User Accounts on Windows XP.  Get it here:  http://go.microsoft.com/fwlink/?LinkId=58445

Comments (9)

  1. Rick Graves says:

    My email (as yet unanswered) to secwish@microsoft.com:

    Date: Tue, 31 Jan 2006 07:04:24 -0800 (PST)

    From: "Rick Graves" <gravesricharde@yahoo.com>

    Subject: Applying the Principle of Least Privilege to User Accounts on Windows XP

    To: secwish@microsoft.com

    Hello Microsoft,

    The white paper "Applying the Principle of Least Privilege to User Accounts on Windows XP" is good for its intended audience.  Thank you, Microsoft.

    What about Win XP users at home or in small businesses, who do not have an administrator on the payroll who can implement the white paper?  

    "The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration."

    Yes.  In other words, use of Least Privilege can block most all malware and spyware.  

    Least Privilege is a shield, not a tool to root out malware and spyware you already have.  But in my tests, it has proven to be a highly effective shield.  I have documented my tests here:

    http://malware-spyware-diy-testing.blogspot.com/

    Consider a secretary or home user who uses MS Office applications, does email, and some surfing.  Outlook and Internet Explorer do work OK from a "Limited" account, so at least one can do all the high-risk activities with least privilege protection.  MS Word and Excel also work OK from "Limited" account.

    Why should this secretary or home user get malware and spyware?  

    The explanation I have heard from Microsoft is because some applications do not work properly in a "Limited" account.  

    Among the applications that I have used, I am not aware of any show stoppers.  If an application cannot work under a "Limited" account, it typically can be run from an administrator account.  (This option is documented in Win XP itself.)  So most all applications can work in Win XP, except one may have to switch between accounts.  Switching between accounts is not convenient.  

    So the secretary or home user should get malware and spyware because applications that they do not use make Least Privilege inconvenient — for someone else.

    Microsoft decided in effect that no one should take advantage of Least Privilege protection because it is not convenient for everyone.  

    To me, this does not make sense on its face.  Rather, it only makes sense as an excuse offered to cover up the "real reason", whatever that may be.  

    The computers running many Win XP systems today will not be able to handle Vista.  The secretary and home user may not upgrade for some years.  Is Microsoft keeping them naked and vulnerable (i.e., declining to tell them that Least Privilege can block most all malware and spyware in Win XP today) to motivate them to shell out for the Vista upgrade sooner?  

    For people already on Win XP, there is a really simple way to switch least privilege, which I think will work for most or all Win XP users.  I posted instructions at the top of my blog (again), here:

    http://malware-spyware-diy-testing.blogspot.com/

    Trying Least Privilege is zero cost and zero risk.  Why should Microsoft withhold this option from the secretary and home user?

    I tried posting the content of this email in

    http://blogs.technet.com/secguide,

    I even joined, but I could not figure out how to post.

    If there is anything I can do to help, please let me know.

    Rick Graves

    gravesricharde@yahoo.com

  2. Aaron Margosis says:

    Rick —

    Yes, taking advantage of Fast User Switching (FUS) between admin/non-admin accounts is a reasonable way to use admin privileges only as needed.  I wrote about that a while back (http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx) and have promoted it in several public presentations such as TechEd.  However, it is not always as simple as you and I wish it were.  First, if the computer is joined to a domain, FUS is disabled.  (Note:  Vista will support FUS in domains!)  Second, while Office and other MS products work fine, there are a lot of apps that fail to work as non-admin.  For example, Intuit’s QuickBooks has been called out numerous times as a major offender – most recently as the first inductee into SANS Application Security Hall of Shame.  So let’s say your user is an accountant and spends all day in QuickBooks using the admin account.  Not only must this user now remember to switch accounts before browsing the web or composing an email, he or she can’t get instant messages or new-email notifications while using QB, and simple operations like copy/paste between QuickBooks and email become impossible.  FUS has its place, but also its limitations – because of scenarios like these it can’t quite be recommended as a general purpose, one-size-fits-all solution for all users.  For other examples of apps with LUA incompatibilities, see the following:

       http://www.pluralsight.com/wiki/default.aspx/Keith.HallOfShame

       http://www.threatcode.com/

       http://support.microsoft.com/default.aspx?scid=kb;en-us;307091

    Your assertions that Microsoft is withholding "least privilege" from users are clearly false – if that were the intent why even expose it in the XP Home UI?  And your implication that MS is "covering up" some hidden agenda is IMHO just silly.  One should learn from Steve Gibson the dangers of postulating conspiracy theories when simpler explanations exist.

    — Aaron

  3. Rick Graves says:

    Aaron,

    I have used "least privilege" since 2002 (but I did not learn that term until 2005).  I have never used fast user switching.  From what you wrote, it seems it would work OK for me.  

    I also do not use Quickbooks.  

    I agree that the list of applications that do not work right is long.  But what about the people who do not use the offending applications?  

    > simple operations like copy/paste between QuickBooks and email become impossible.

    Not impossible, just inconvenient.  One can copy to notepad, save to temporary file, then open the temporary file from a "limited" account.  

    If Microsoft informed its user base that least privilege was available in Win XP, Quickbooks users would ask Intuit to put out a compatible version.  But since (Intuit, probably, and) the vast majority of Win XP users are in the dark, Intuit need not bother.  

    > Yes, taking advantage of Fast User Switching (FUS) between admin/non-admin accounts is a reasonable way to use admin privileges only as needed.  

    Except it does not work for everyone.  So why bring it up?  It is not needed to take advantage of least privilege.  

    To me, your post in effect repeats the argument that no one should take advantage of least privilege because it is not convenient for everyone.  

    > Microsoft is withholding "least privilege" from users is clearly false

    But the vast majority of Win XP users have never even heard or read the term.  

    In the Linux/Unix world, the message is broadcast to all, loud and clear, to use administrative accounts only when necessary.  Not so in the Microsoft world.  For my money, that can only be because "Microsoft is withholding ‘least privilege’ from users".  

    Rick

  4. Aaron Margosis says:

    Rick,

    1.  When you go to User Accounts in Control Panel and create a new account, one of the required steps is to "Pick an Account Type".  The options are "Computer Administrator" and "Limited User".  Both are described.  Yes, Admin is the default, and I know you find the term "Limited" to be disparaging.  However, there is no path from there to "MS is withholding least privilege".

    2.  I didn’t realize that when you were switching accounts you were actually logging off from one before logging on to another.  FUS should improve your experience there.  Why bring it up?  Because it will work for everyone at least as well as switching between accounts the way you are.  However, even then, copy/pasting from apps to Notepad (assuming you’re only copying text — perhaps you want to copy screenshots or some app’s proprietary clipboard format) as a means of transferring the info to LUA-compatible apps is incredibly user-unfriendly, particularly if you have to do that a lot.  Few people would be happy with such an experience.

    3.  I’ve really tried, honestly, but I just can’t figure out what form of logic leads to your assertion that I’m arguing that "no one should take advantage of least privilege because it is not convenient for everyone".  Every single post on my whole freaking blog argues for using least privilege!

  5. Rick Graves says:

    Aaron,

    I am responding to your paragraphs by number.

    1. Microsoft is withholding least privilege in the sense that the company has successfully swept it under the radar of most Win XP users.  I offer the fact that most rank and file Win XP users are completely unaware of the least privilege option as proof that Microsoft successfully withheld it.

    Least privilege is not widely used among Windows users — do you agree?  I would argue this is not the result of a series of freak accidents.  Rather, this reflects that Microsoft took active steps which successfully suppressed the use of least privilege.  I spelled out the four steps that I have identified in my email in March last year to Ed Skoudis and Lenny Zeltser, authors of "Malware, Fighting Malicious Code".  Rather than repeat the content of that email, I put a copy here:

    http://www.advanced-app.com.hk/MiscJunk/email_2_EdSkoudis_and_LennyZeltser.html

    2. I only need to log off a "Limited" account and log into an admin account rarely (weekly or so).  So I do not mind.  

    > Few people would be happy with such an experience.

    People who would have to switch accounts a lot might not be happy.  They could bring pressure to bear on the publishers of the offending applications to put out a least privilege compatible version.  

    Anyone who finds least privilege to be inconvenient should be free to risk malware/spyware/adware infestations for the sake of convenience.  I object to putting ALL Win XP users "in harm’s way" (i.e., at an unnecessarily elevated risk of malware/spyware/adware infestations) because the effective protection built into the operating system is inconvenient for some.

    Screen shots can be saved in Paint to a temp file.  You were the one who maintained that "simple operations like copy/paste between QuickBooks and email become impossible".  Obviously, "impossible" is an exaggeration.  (If there is anything else that can be pasted into an email that you do not know how to save to temp file, feel free to ask.)

    3. You offered as an example an accountant who uses QuickBooks all day long as a reason why other Win XP users should be getting malware, spyware and adware.  What if Steve Ballmer got up and said to the media, "Don’t blame Microsoft for our security track record, blame QuickBooks!"  He could never get away with it — Microsoft would get hit with bad press (and possibly a defamation lawsuit) immediately.  

    I agree that you have been promoting least privilege.  Thank you.  What about Microsoft?  Why has Microsoft not given consumers explicit instructions on taking advantage of least privilege protection, detailing the benefits and possible shortfalls with 3rd party software?

    Thanks,

    Rick

    gravesricharde@yahoo.com

  6. Aaron Margosis says:

    (Sigh.)  Some people just seem to enjoy believing that malice and conspiracy are the reasons for the way things are.  I think a closer look at the history and evolution of Windows would indicate far more benign causes to an objective observer.  That history vis-a-vis least privilege has been on the back burner as a blog topic for me for a long time.  I’ll try to write that up after I get through the mini-series on LUA bug workarounds I’m working on now.

  7. Rick Graves says:

    Aaron,

    In your post before, you wrote:

    > Every single post on my whole freaking blog argues for using least privilege!

    I have acknowledged that and thanked you.  But the fact that "single post on [your] whole freaking blog argues for using least privilege" reflects that least privilege is not widely used, and that using least privilege effectively blocks most all malware, spyware and adware.  

    But if Microsoft had been promoting use of least privilege to rank and file Win XP users, you would never have put up your least privilege blog — there would have been nothing to write about.

    So why has Microsoft not been promoting use of least privilege to rank and file Win XP users?  QuickBooks?  

    > (Sigh.)  Some people just seem to enjoy believing that malice and conspiracy are the reasons for the way things are.

    If you and/or Microsoft cannot put in 25 words or less an explanation that holds water, Microsoft has a potential PR problem, and if you do not confront the real situation, IMHO, you could be considered an accomplice in the cover up.  

    If QuickBooks and other applications really are the reason, let Steve Ballmer get up and say, "Don’t blame Microsoft, blame QuickBooks and the other applications on this list!"   (But I expect that would never happen because it would never fly.)

    Rick Graves

    gravesricharde@yahoo.com

  8. Dan Mc says:

    I agree with Aaron as to why Windows and Windows apps are slow to work with LUA.  It’s clearly how the product developed from a single-user (and not so long ago non-networked) OS.  The OS caught on because 3rd party developers were able to quickly and easily write their own apps for Windows.  Now the world is different, and devs shouldn’t write an app without thinking about security!  (Many still do, and that’s the problem that MS can’t really be expected to solve.)

    The MS App Compatibility Toolkit works well.  When people like you and me get fuming mad that an application won’t work as a user, it’s still our responsibility to take the toolkit and make it work as a user.  (I actually prefer other tools like setacl in most cases.  If an app needs access to its own Program Files dir, I go ahead and grant users full access to that dir only, because the only risk is to that app itself.)

    I’m sure Microsoft would love it if all the 3rd party developers out there fixed their apps to run as user.  All the Microsoft apps do…  I was amazed that even MS Virtual PC runs as a user!  (Which I can in turn use when I have really horrific apps that want admin access.  The clipboard problem is solved there too because of the clipboard transfer service.)  Apps that don’t run as a user won’t get "Designed for Windows" logo certification.  What else can MS do without hurting market share?  Look at the developer backlash from XP SP2…  Microsoft gently pushed on the developers to make their programs run within the new security framework.  It didn’t go over well.

    Changes like this take time.  The time you spend making crappy apps run as a user is well spent.  It’s easier to do that than to deal with thousands of admin users.
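The narrow-ACL workaround Dan Mc describes (let a badly written app write to its own Program Files directory, rather than making the user an administrator), as an added example that is not code from the page or from any of the commenters; it uses PowerShell's Get-Acl/Set-Acl in place of setacl, grants Modify rather than Full Control, and the `C:\Program Files\ExampleApp` path is a placeholder.

```powershell
# Added example: scope write access for "Limited" (non-admin) users to one
# application's directory so the app runs under LUA. Placeholder path; replace
# with the directory of the application that fails to run as a standard user.
param(
    [string]$AppDir = 'C:\Program Files\ExampleApp'
)

if (-not (Test-Path -LiteralPath $AppDir)) {
    throw "Directory not found: $AppDir"
}

$acl = Get-Acl -LiteralPath $AppDir

# Modify, not FullControl: the app can create and change its own data and
# config files, but a compromised app cannot rewrite the directory's
# permissions or take ownership. ContainerInherit/ObjectInherit pushes the
# ACE down to existing and future subfolders and files of this directory only.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $AppDir -AclObject $acl

# Verify: list only the Users ACEs on the directory so it is obvious the
# grant is confined to this path and nothing outside Program Files changed.
(Get-Acl -LiteralPath $AppDir).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Run it once from an administrator account; afterwards the application can be used from a "Limited" account, and as Dan notes the exposure is limited to that application's own files rather than the whole system.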

  9. I think this was a long overdue whitepaper, to say the least.  I am happy with its content (I did participate as a technical reviewer) and have rolled out many of those aspects within my enterprise.  

    Next on my list of targets is to get our IT staff to follow this principle.  I’m in the process of re-designing our Active Directory structure to encourage (via social-psychology) compliance.  We’ll see how it goes …

    -Tim MalcomVetter, CISSP