I’m Back! Upcoming Posts…


It’s been way too long, but I’m going to force myself to find the time to get more “least-privilege” information posted here.  Most of my posts til now have been about ways for those of us who administer our own machines to run Windows as a non-admin, invoking administrator privileges only when truly needed.  That’s one of the “least-privilege” challenges of Windows today.  There is another (possibly bigger) challenge:  what about users who should always run as non-admin?  The 10,000 “information workers” in your enterprise, the children on your home computers — you do not want to give them the administrator password (directly or indirectly), or have them making security decisions about when administrator privileges should be used.  Yet they need to run programs with “LUA bugs” — programs that don’t work unless they run with administrator privileges.  How can those users run as non-admin?

Too often, this second challenge is addressed by simply having the users/children run as administrators, by unsafely opening up access control to large portions of the file system and registry, or by “encrypting” an admin password into a special program that runs another program with admin privileges.

In upcoming posts, I’ll write on topics such as:

  • What exactly is a “LUA bug”?  (And what isn’t a LUA bug?)
  • A systematic approach for working around LUA bugs that avoids unnecessary exposure
  • How to identify LUA bugs using Regmon and Filemon
  • “LUA BugLight” (a new tool for identifying LUA bugs — still in development!)

It’s good to be back!

 

Comments (17)

  1. knox says:

    Glad to have you back. I make it a point to run as a limited user myself, and require limited users at the domains I manage. Thanks to your efforts, I know some of the little tricks that an admin needs to know, like runas, shift-clicking on control panels, opening the power settings up, etc.

    Thank you!

  2. Philipp Kohn says:

    Hi Aaron,

    great to hear from you. I´m looking forward to read more about LUA in Windows Vista and the new Tools. => cool

    Regards
    Philipp Kohn
    http://blog.kohnonline.de

  3. Toby Broom says:

    Hi Aaron,

    In Vista you "Admin" but UAP prompt you for elevation.

    In XP you run as a "User" and you use Run as etc to elevate.

    is the Admin User in Vista equilivent to a Normal User in XP?

  4. Aaron Margosis says:

    Toby Broom – it’s not quite equivalent.  It’s a little tiny bit like User + MakeMeAdmin, but not really.  Good info about Vista/UAC at these links:

    http://blogs.msdn.com/uac/archive/2006/02/22/537129.aspx

    http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

  5. Toby Broom says:

    Hi Aaron, is there any use to the User account in Vista?  if your running as user with the option to eleviate then is there any diffrence?

    If I set a password for admin account on vista to say stop my kid’s eleviating with ease, how does this work with the network access cf winXP?

  6. Aaron Margosis says:

    Toby Broom – Check out the links I posted last time.  There are basically three types of accounts in Vista:

    * the built-in Administrator account, which always runs with full admin privileges;

    * the "protected admin" account (I think that’s still what it’s called), which runs everything with normal User privileges except as needed – and prompts you with a secure UI before it allows a program to run with elevated permissions – this is kind of like MakeMeAdmin but much better UX and far more secure;

    * the "standard user" account, which always runs with normal privileges.  When something needs to run with elevated privileges, it prompts you with a secure UI to enter credentials for an admin account (built-in admin or a "protected admin").  You can’t elevate unless you have the password (or other credentials) for an admin account.

    I’m not sure what you mean regarding "the network access of WinXP"…

  7. Mike Drechsler says:

    >I’m not sure what you mean regarding "the network access of WinXP"…

    I believe he meant that in WinXP if the account does not have a password then it will not have remote access permission.  If you need to have a password on these admin accounts in order to use the new elevation features of Vista then does that also mean that they will be vulnerable to remote attacks?

  8. Aaron Margosis says:

    Mike Drechsler – As with Windows XP, you don’t need to have a password for these accounts – and as with XP, the default policy is that local accounts with blank password can be used only for console logon – no remote access.  This is an excellent option if you can trust everyone who has physical access to the computer.  Elevation of a "protected admin" account doesn’t require a password – you can be prompted for simple consent via a secure UI.  If you have a password, vulnerability to remote attacks will be mitigated by the on-by-default firewall (as with XP SP2).

  9. Chelle says:

    Call me ignorant, but I seem to not have Local users and Groups under my system tools.  I have done several advanced file searches and the like.. to come up with nothing.  Can someone please help me with some info. on how to find?  I went in under Administrator in windows safe mode..it still was not there.  I took the computer back to an earlier ref. date in the system restore and still nothing.  I have not added any crazy software either.  I could really use some advice!

  10. Mike says:

    I need to run IIS as a non-admin on a server…preferably Power User.  Do you know if this is possible?  It would be a great help if you could lead me in the right direction.

  11. Aaron Margosis says:

    Mike:  inetinfo.exe runs as LocalSystem, but web apps run as Network Service by default, which is *far* less privileged than "Power Users".  You can also easily configure multiple app pools running under different low-privileged service accounts to run web apps in.

    And please note that Power Users is *not* non-admin — Power Users is "admin-lite", can easily elevate to Admin/System, and is considered deprecated.

  12. Aaron Margosis says:

    Chelle – sorry for not replying sooner.  If you’re not on a domain controller, right-click on My Computer, choose Manage – it should be under Computer Management System Tools.  Another way to get there is to run lusrmgr.msc from the Run dialog or a command prompt.

  13. I see that Microsoft has released its Standard User Analyzer that “helps developers and IT professionals…

  14. Andrew says:

    Hi Aaron,

    This is a great blog and a great cause. Unfortunately with XP it may be a lost cause as it seems most of the major consumer antivirus applications do not update under limited users (I have had no problems with any other applications I use). I can not get people (I can’t even be bothered myself) logging into an administrator account, getting the updates, then logging out again every single day. The best I can do is set local policy to run Internet facing applications as normal users.

    With Vista, not only will antivirus have to work in normal user mode, but I am not sure I will even be running antivirus on the actual client PC (gateways, proxies, etc instead). We will see.

    Andrew

  15. Andrew says:

    Maybe a better alternative to sacrificing LUA for antivirus updates is to just update and full system scan monthly, while keeping the firewall that monitors inbound and outbound connections going. That way any threats will still find it hard to get their information out (especially as it will be harder to kill the firewall process) even if they do manage to get on the system, and I can really lock down the system. Hmm these are tough decisions for me. What do other people think?

  16. Aaron Margosis says:

    Andrew, I was just going to reply to your comment, but I turned it into a blog post:

    http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx

  17. Nitin Arora says:

    Hi Aaron,

    When I logon as Power User on my system, Default Web Site does not appear in the IIS Manager.

    I want to use VS 2005 in a non admin account which is a Power User to develop ASP.net we b projects. But Visual Studio is also throwing access denied error.

    Please suggest what to do to avoid this error.

    Thanks

    Nitin Arora

    [Aaron Margosis]  Is this on XP or Vista?

    “Power Users” is not non-admin.  Power Users are Admins who have not made themselves admins yet.