strawberryJAMM's Security and User Experience WebLog : Security

Customer Feedback Wicki for Windows Security Access Control

strawberryJAMM — Sat, 10 Sep 2005 06:45:00 GMT

Hi folks.

My current possition at Microsoft is as a Program Manager (PM) on the Security User Experience team in the Windows Security Access Control (WSAC) group. I'm just posting this to mention a new set of Wiki pages at Channel9 that have been put in place. WSAC is looking for customer feedback on the features in our areas of responsiblity, especially as implemented in Windows Vista and (eventually) Windows Server codenamed Longhorn.

The home page of the set is at the following URL: http://channel9.msdn.com/wiki/default.aspx/Channel9.WinSecurityAccessControlFeedback

WSAC's areas of responsibility are as follows:

Auditing, Authentication, Authorization - AAA
- Audit
- Audit Collection Services - ACS
- Code Integrity
- Process Isolation
- Secure Input
- Software Restriction Policy
- Windows Security Protocols
- User Account Protection - UAP (a.k.a. Least-privileged User Account - LUA; or Non-Admin)
- XrML Technologies
Credential Management - CredMan
- Electronic ID
- Public Key Infrastructure - PKI
Cryptography - Crypto
- Cryptography
- Cryptographic Services
Information Protection Platform - IPP
- Encrypting File System - EFS
- Rights Management Services - RMS
Security User Experience - SecUX
- Accessibility
- Interaction Design
- Interface Design
- Usability
- User Assistance/Help

So, if you have something to share about any of these features, especially if it's in relation to Beta1 of Windows Vista, please visit the URL above and leave us your comments. We can't wait to hear what you have to say, so do it today!

Fear and Loathing in Las Seguridades (Security)

strawberryJAMM — Thu, 14 Jul 2005 02:12:00 GMT

Fear. Anger. Distrust.

These will motiviate users to change their behaviour when it comes to securing their computers

At least that's the way Frank Hayes sees it in his article "Fear, Anger, Distrust".

Hayes discusses two surveys that came out last week: The Pew Internet & American Life Project on spyware and related problems, and a Ponemon Institute survey (reported on by Computerworld.com columnist Larry Ponemon) of 400 people who had had personal data leaked to the world. While neither one of these surveys intended to be about what makes users change what they do, Hayes' gives us the numbers to show us how fear, anger and distrusted had changed the behaviour of the study's participants.

Unfortunately, Hayes gently reminds us, relying on these particular motivators to change users' habits isn't the best idea:

<quote>

So users will change -- if they get afraid, angry or distrustful. That might be useful in getting them to stop doing risky, insecure things. But only if you make sure they're not afraid, angry or distrustful in your direction.

So threatening them with punishment for breaking security rules won't work. Neither will trying to force them to obey or lying to them. No wonder IT's standard techniques for getting users to behave always fail. They're exactly the wrong approach.

</quote>

This, of course, begs the question: "What is exactly the right approach?" That's a tough one and even Hayes avoids answering it. He does, however, offer a few additional insights "beyond fear, anger and distrust" gleaned from these two studies and then wraps up with the following:

<quote>

[N]ow that you know the strongest motivators of change for users, you want their fear, anger and distrust aimed squarely at security threats -- where they belong.

</quote>

Read the article for the full meal deal.

______________________________

So, just to be a bit silly, here's a "recipe" for the "right approach":

Start with what users like and toss in what users do
Pour in what users expect and what users need.
Mix well and sit in front of a usability study
Skim off any fear, anger and distrust
Bake iteratively over a release cycle and serve to millions.

;-)

Any thoughts on "the right approach"? Please leave a comment!

______________________________

PS: For the curious, "Las Seguridades" = "The Securities". ;-)

Usable Security - a new Usability and Security blog

strawberryJAMM — Wed, 13 Jul 2005 23:08:00 GMT

Well, I'm a bit late to the party but that doesn't mean I can't still welcome Ping and his Usable Security blog to the intersection of User Experience Ave. and Security St. ;-)

It's nice to see someone else blogging in this area. I look forward to reading through (and commenting on!)the posts and comments made about Usable Security since the first post on March 12, 2005.

LUA in the News

strawberryJAMM — Thu, 07 Apr 2005 21:57:00 GMT

There's an article at infoworld talking about LUA in Longhorn - check it out: http://www.infoworld.com/article/05/04/06/HNfewerpermissions_1.html

strawberryJAMM moves to Blogs @ TechNet

strawberryJAMM — Tue, 29 Mar 2005 03:00:00 GMT

blogs.TechNet.com has officially gone live and "strawberryJAMM's Security and User Experience WebLog" has moved off blogs.MSDN.com...(read more)

Adobe Photoshop CS activation doesn't play well with LUA

strawberryJAMM — Wed, 09 Mar 2005 21:12:00 GMT

The activation process in Adobe Photoshop CS doesn't work for LUA users because of the technique that was implemented to validate activation every time the program is launched. There are workarounds, but none are particularly ideal....(read more)

Internet Explorer 7

strawberryJAMM — Wed, 16 Feb 2005 03:56:00 GMT

Today, in his keynote for the 2005 RSA conference, Bill Gates announced, among other things, that Microsoft would be releasing a new version of Internet Explorer for the XP SP2 platform. Internet Explorer 7 (IE7) is expected to continue with advancements already in Windows XP SP2 by adding additional security to the platform while still maintaining its current levels of extensibility and compatibility. Betas are expected to be sometime this summer.

Here are a few related links:

This is a Good Thing^(TM), and I think Dean, from the IE Team, puts it best in his "IE Blog" post about the IE7 announcement:

[The IE Team is] committing to deliver a new version of Internet Explorer for Windows XP customers. Betas of IE7 will be available this summer. This new release will build on the work we did in Windows XP SP2 and (among other things) go further to defend users from phishing as well as deceptive or malicious software.

Why? Because we listened to customers, analysts, and business partners. We heard a clear message: “Yes, XP SP2 makes the situation better. We want more, sooner. We want security on top of the compatibility and extensibility IE gives us, and we want it on XP. Microsoft, show us your commitment.”

I think of today’s announcement as a clear statement back to our customers: “Hey, Microsoft heard you. We’re committing.”

The only thing that I'd still like to know myself is whether IE7 will bring with it improved support for open standards such as CSS, XHTML, PNG, SVG, MathML, &c in addition to improved security. And it looks like I'm not the only one either, based on a quick scan of the first ten or fifteen comments to Dean's post. I think I'll have to skim through them (there are 354 as of 4:47pm PST) to see if Dean or anyone else on the IE team has responded to the queries from my "creative" kith and kin.

More Tips and Tricks for the LUA User

strawberryJAMM — Tue, 15 Feb 2005 05:19:00 GMT

Aaron Margosis has just posted four more columns with LUA Tips and Tricks on his "Non-Admin Blog":

Check 'em out. :-)

A New Wiki for the LUA / Non-Admin community

strawberryJAMM — Fri, 04 Feb 2005 20:59:00 GMT

Well, isn't this nice. The "least-privileged user" concept with Windows is slowly picking up speed and getting ready to take off - come check out the new Non-Admin Wiki that was just launched by Jonathan Hardwick.

(Wiki's are great - now those of us who champion the principle of Least-Privlege on Windows can get our collective wisdom into one place and give others a place to find out what to do and how to become a true "LUA Believer". Soon everyone will be doing it - so why not jump in now so you can claim to be one of the first, the proud, the NON-ADMINS!)

[edit: added a link to Jonathan's Blog]

--
Jenni A. M. Merrifield == strawberryJAMM

Now playing: "New Trees at Knockaun" by "Triona Ní Dhomhnaill" in Windows Media Player 10.

Least-Privileged Users, Add/Remove Programs and System Management Server

strawberryJAMM — Wed, 26 Jan 2005 01:58:00 GMT

I just found out something very interesting related to Least-Privileged User Accounts and software installations that are pushed out to enterprise employees using Systems Management Server (SMS), where they show up in the "Add New Programs" view of the Add/Remove Programs (ARP) control panel applet. It turns out that, for any installation published in this manner, the installing user doesn't have to be an Admin to successfully install the application. Anything that appears in this list will successfully install even if the installing user is running as LUA!

Personally, I couldn't believe this was true when I first heard it, so I had to immediately open ARP while running as LUA, click on "Add New Programs" and look for something that Microsoft's IT Group pushed out that I didn't already have installed ("WinZip 7.0" in my case). Lo' and behold, the installation worked without a hitch!

What an improvement to the user experience - previously, I've used MakeMeAdmin and then launched ARP from the cmd window (type "appwiz.cpl" and hit enter). This opened ARP with an ADMIN token under my credentials, thereby allowing me to see the published applications (launching it using runas /u:localadmin didn't work because the localadmin doesn't have rights to see what is published on the MSFT corpnet!). But now -- now I can install the applications without being an admin, so I can just open ARP, select "Add New Applications" and voilà!

Apparently the argument for this behaviour is that since everything published using SMS has been explicitly approved for use in the company by the enterprise' IT department, LUA users should be allowed to install them. That makes sense and, besides, anything that improves the LUA experience is fine by me. ;-)

Edit:

A colleague on an internal discussion list for Non-Admins, has brought to my attention that there is more than one way to populate the Add/Remove Programs interface, and not all of them support elevated privilege installs. However what I say above is still correct in that anything published through SMS does support them.

"Using a Least-Privileged User Account" OR "Woohoo, I've been published on microsoft.com!"

strawberryJAMM — Wed, 19 Jan 2005 01:19:00 GMT

Well, not to toot my own horn too loudly, but I've had my first external facing document, Using a Least-Privileged User Account (LUA), published on TechNet as part of the monthly Microsoft Security Newsletter for January 2005. This newsletter is considered the authoritative information source for understanding the Microsoft security strategy and priorities and is written for IT professionals, developers, and business managers.

The article is fairly brief and just quickly touches on a few of the key issues around the principle of "least-privilege". Anyone who has been a victim of viruses, worms, and other malicious software (malware) should appreciate this principle - after all, if all processes ran with the smallest set of privileges needed to perform the user's tasks, it would be more difficult for malicious and annoying software to infect a machine and propagate to other machines. Unfortunately, successfully taking advantage of this principle as a method of defence against external attacks by setting up LUA accounts for daily use is not at all straightforward so my article discusses some of these pitfalls and then points readers to some very useful resource sites to help with this process.

Please take a moment to read my article and, if you do, consider leaving a comment or sending email to our feedback alias (lua-qa@microsoft.com) with your thoughts about the article or around the principle of "least-privilege" in general.

Browsing the Web and Reading E-mail Safely as an Administrator, Part 2

strawberryJAMM — Wed, 19 Jan 2005 00:50:00 GMT

Michael Howard has written a follow up to an earlier article where he outlined how to programatically make web browsing and reading e-mail safer for administrators. In this latest article, he provides instructions on how to do the same thing using SAFER (also known as Software Restriction Policies - SRP) with local or enterprise policy to reduce potential threats against these kinds of applications.

<quote who="Michael Howard">

In my last article, Browsing the Web and Reading E-mail Safely as an Administrator, I outlined how you can programmatically spawn a process that runs with reduced privilege, even if you are logged on as an administrator. The aim was to run processes performing Internet functions (applications most subject to attack), such as Web browsers and e-mail clients, in reduced privilege to decrease the damage potential of any malware using these agents as attack vectors.

Windows XP and later support this capability using a technology called Software Restriction Policies, also known as SAFER. There are two ways to use SAFER. One is through APIs like SaferCreateLevel and SaferComputeTokenFromLevel, which is outlined in my last article. The other, and the subject of this paper, is through local or enterprise policy.

[more...]

</quote>

One comment I feel I should make is that this technique does actually use and undocumented feature of SAFER. This really shouldn't be a problem, but "Caveat Emptor" (that is, be aware that the feature in question was left undocumented for a reason - perhaps it was not as thoroughly tested as the features that were documented)

Windows Security Logging and Other Esoterica

strawberryJAMM — Wed, 22 Dec 2004 21:53:00 GMT

Today I discovered that at least one of my team colleagues - Eric Fitzgerald, the "Windows Auditing"[1] expert (he is the "Windows Auditing Team") - is also blogging. If you're interested in reading explanations for differnt security event numbers and some tid-bits on planned Windows Auditing fixes and improvements in W2K3 Server SP1 or Longhorn, check out his "Windows Security Logging and Other Esoterica" blog.

His most current post discusses some of the improvements and fixes to security logging that should be in W2K3 Server SP1 which I think enterprise IT admins will be quite pleased to learn about -- especially the addition of a command line tool that supports per-user auditing.

----
[1] He prefers to use the term "Windows Security Logging"

--
Jenni A. M. Merrifield == strawberryJAMM

Now playing: "Sending You A Little Christmas" by "Jim Brickman" in Windows Media Player 10.

--
edit: fixed some grammatical errors & typos

The Perception of System Security

strawberryJAMM — Sat, 27 Nov 2004 04:30:00 GMT

Valery Pryamikov has posted an excellent little article discussing how the perception of system security has changed across the software industry over the years. The article focuses on Microsoft's perceptions and behaviour, but other software vendors and OS flavours are also mentioned here and there.

(Please be forgiving of the occasional typo and poor grammar as English is not Valery's first language.)

<quote who="Valery Pryamikov" where="On Evolution of Microsoft Perception of System Security">

I wrote my first < 20 lines FORTRAN program back in 1982, when I was first year university math student. Year 1987 was a starting year of my professional carrier as programmer (and I’ve been programming ever since). It was back in the frontier days of the PC when Microsoft was a lot smaller, IBM seemed a whole lot bigger, and Apple owned personal computer territory as far as the eye could see. Many things have been dramatically changed since than. Computing industry matured and evolved from naïve diskless Commodore computers, from 1-2 MHz Intel 8086/8088 processors and first IBM PC specification, from commercial programs measured in couple of Kbytes and produced in a couple of the programmer/month effort to the most research and resources demanding industry with whooping [sic] processing power that have already became [sic] concerned with the physical limitations like speed of light and size of electrons. Grows [sic] of the industry was naturally accompanied by corresponding shifts of mentality as different goals became of [sic] major concern. In the early days of disconnected little private computers we were mostly interested in usability and richness of feature set. That all changed since we became addicted to our ubiquitously interconnected computing world. In the movie of “Matrix”, agent Smith tells Neo that they known [sic] that he is living double life: first life as Mr. Anderson – program writer for respectable computer firm and another life in computers under hacker’s name Neo. And as Neo’s “life in computers” taught him that “there is no spoon”, our “life in computers” taught us that security is the most significant element of our interconnected wellbeing [sic].

Over the years Microsoft has played utmost role in industry grows [sic]. There are people that like Microsoft and there are people that dislike Microsoft, but none can refuse importance of Microsoft role in achievement of computing industry and its influence on our everyday life. So, I thought that could be interesting to look back on evolution of perception of system security as such and evolution of Microsoft’s perception of system security in particular.

[more...]

</quote>

Edit: Added spaces to "where" in <quote ...> so it wraps rather than running off the edge of the page.

Safe Web Browsing and E-mail for the Administrator

strawberryJAMM — Fri, 19 Nov 2004 23:47:00 GMT

This is a useful article by Michael Howard, the biggest big-wig Security dude on the MSFT campus…

<quote who="Michael Howard" where="Browsing_the_Web_and_Reading_E-mail_Safely_as_an_Administrator">

Summary: Michael Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.

--=+=--

I've said this many times, but I'll say it again, "Running with an administrative account is dangerous to the health of your computer and your data." So, whenever someone says they must operate their computers as administrators, I always try to persuade them it's not the correct thing to do from a security perspective. That said, every once in a while I meet someone who has a valid reason. For example, I use one of the computers in my office to install the latest daily build of Windows, and I need to be an administrator to install the OS. However, and this is a big point, I do not read e-mail, browse the Web, or access the Internet in any form when running as an administrator on that machine. And I do not do so because the Web is the source of most of the nasty attacks today.

What if someone does want to browse the Web? Or read e-mail? Or do Instant Messaging and so on, and for some reason must run in an administrative context? …

(more...)

</quote>

Note that while this is a very useful tool, it’s still much better to just run with Least-privileges. I strongly urge you to take a look at Aaron Margosis' “Non-Admin Blog” for tips and tricks on running as a non-admin in Windows.