strawberryJAMM's Security and User Experience WebLog : LUA

Customer Feedback Wicki for Windows Security Access Control

strawberryJAMM — Sat, 10 Sep 2005 06:45:00 GMT

Hi folks.

My current possition at Microsoft is as a Program Manager (PM) on the Security User Experience team in the Windows Security Access Control (WSAC) group. I'm just posting this to mention a new set of Wiki pages at Channel9 that have been put in place. WSAC is looking for customer feedback on the features in our areas of responsiblity, especially as implemented in Windows Vista and (eventually) Windows Server codenamed Longhorn.

The home page of the set is at the following URL: http://channel9.msdn.com/wiki/default.aspx/Channel9.WinSecurityAccessControlFeedback

WSAC's areas of responsibility are as follows:

Auditing, Authentication, Authorization - AAA
- Audit
- Audit Collection Services - ACS
- Code Integrity
- Process Isolation
- Secure Input
- Software Restriction Policy
- Windows Security Protocols
- User Account Protection - UAP (a.k.a. Least-privileged User Account - LUA; or Non-Admin)
- XrML Technologies
Credential Management - CredMan
- Electronic ID
- Public Key Infrastructure - PKI
Cryptography - Crypto
- Cryptography
- Cryptographic Services
Information Protection Platform - IPP
- Encrypting File System - EFS
- Rights Management Services - RMS
Security User Experience - SecUX
- Accessibility
- Interaction Design
- Interface Design
- Usability
- User Assistance/Help

So, if you have something to share about any of these features, especially if it's in relation to Beta1 of Windows Vista, please visit the URL above and leave us your comments. We can't wait to hear what you have to say, so do it today!

LUA in the News

strawberryJAMM — Thu, 07 Apr 2005 21:57:00 GMT

There's an article at infoworld talking about LUA in Longhorn - check it out: http://www.infoworld.com/article/05/04/06/HNfewerpermissions_1.html

strawberryJAMM moves to Blogs @ TechNet

strawberryJAMM — Tue, 29 Mar 2005 03:00:00 GMT

blogs.TechNet.com has officially gone live and "strawberryJAMM's Security and User Experience WebLog" has moved off blogs.MSDN.com...(read more)

Adobe Photoshop CS activation doesn't play well with LUA

strawberryJAMM — Wed, 09 Mar 2005 21:12:00 GMT

The activation process in Adobe Photoshop CS doesn't work for LUA users because of the technique that was implemented to validate activation every time the program is launched. There are workarounds, but none are particularly ideal....(read more)

More Tips and Tricks for the LUA User

strawberryJAMM — Tue, 15 Feb 2005 05:19:00 GMT

Aaron Margosis has just posted four more columns with LUA Tips and Tricks on his "Non-Admin Blog":

Check 'em out. :-)

A New Wiki for the LUA / Non-Admin community

strawberryJAMM — Fri, 04 Feb 2005 20:59:00 GMT

Well, isn't this nice. The "least-privileged user" concept with Windows is slowly picking up speed and getting ready to take off - come check out the new Non-Admin Wiki that was just launched by Jonathan Hardwick.

(Wiki's are great - now those of us who champion the principle of Least-Privlege on Windows can get our collective wisdom into one place and give others a place to find out what to do and how to become a true "LUA Believer". Soon everyone will be doing it - so why not jump in now so you can claim to be one of the first, the proud, the NON-ADMINS!)

[edit: added a link to Jonathan's Blog]

--
Jenni A. M. Merrifield == strawberryJAMM

Now playing: "New Trees at Knockaun" by "Triona Ní Dhomhnaill" in Windows Media Player 10.

Least-Privileged Users, Add/Remove Programs and System Management Server

strawberryJAMM — Wed, 26 Jan 2005 01:58:00 GMT

I just found out something very interesting related to Least-Privileged User Accounts and software installations that are pushed out to enterprise employees using Systems Management Server (SMS), where they show up in the "Add New Programs" view of the Add/Remove Programs (ARP) control panel applet. It turns out that, for any installation published in this manner, the installing user doesn't have to be an Admin to successfully install the application. Anything that appears in this list will successfully install even if the installing user is running as LUA!

Personally, I couldn't believe this was true when I first heard it, so I had to immediately open ARP while running as LUA, click on "Add New Programs" and look for something that Microsoft's IT Group pushed out that I didn't already have installed ("WinZip 7.0" in my case). Lo' and behold, the installation worked without a hitch!

What an improvement to the user experience - previously, I've used MakeMeAdmin and then launched ARP from the cmd window (type "appwiz.cpl" and hit enter). This opened ARP with an ADMIN token under my credentials, thereby allowing me to see the published applications (launching it using runas /u:localadmin didn't work because the localadmin doesn't have rights to see what is published on the MSFT corpnet!). But now -- now I can install the applications without being an admin, so I can just open ARP, select "Add New Applications" and voilà!

Apparently the argument for this behaviour is that since everything published using SMS has been explicitly approved for use in the company by the enterprise' IT department, LUA users should be allowed to install them. That makes sense and, besides, anything that improves the LUA experience is fine by me. ;-)

Edit:

A colleague on an internal discussion list for Non-Admins, has brought to my attention that there is more than one way to populate the Add/Remove Programs interface, and not all of them support elevated privilege installs. However what I say above is still correct in that anything published through SMS does support them.

"Using a Least-Privileged User Account" OR "Woohoo, I've been published on microsoft.com!"

strawberryJAMM — Wed, 19 Jan 2005 01:19:00 GMT

Well, not to toot my own horn too loudly, but I've had my first external facing document, Using a Least-Privileged User Account (LUA), published on TechNet as part of the monthly Microsoft Security Newsletter for January 2005. This newsletter is considered the authoritative information source for understanding the Microsoft security strategy and priorities and is written for IT professionals, developers, and business managers.

The article is fairly brief and just quickly touches on a few of the key issues around the principle of "least-privilege". Anyone who has been a victim of viruses, worms, and other malicious software (malware) should appreciate this principle - after all, if all processes ran with the smallest set of privileges needed to perform the user's tasks, it would be more difficult for malicious and annoying software to infect a machine and propagate to other machines. Unfortunately, successfully taking advantage of this principle as a method of defence against external attacks by setting up LUA accounts for daily use is not at all straightforward so my article discusses some of these pitfalls and then points readers to some very useful resource sites to help with this process.

Please take a moment to read my article and, if you do, consider leaving a comment or sending email to our feedback alias (lua-qa@microsoft.com) with your thoughts about the article or around the principle of "least-privilege" in general.

Browsing the Web and Reading E-mail Safely as an Administrator, Part 2

strawberryJAMM — Wed, 19 Jan 2005 00:50:00 GMT

Michael Howard has written a follow up to an earlier article where he outlined how to programatically make web browsing and reading e-mail safer for administrators. In this latest article, he provides instructions on how to do the same thing using SAFER (also known as Software Restriction Policies - SRP) with local or enterprise policy to reduce potential threats against these kinds of applications.

<quote who="Michael Howard">

In my last article, Browsing the Web and Reading E-mail Safely as an Administrator, I outlined how you can programmatically spawn a process that runs with reduced privilege, even if you are logged on as an administrator. The aim was to run processes performing Internet functions (applications most subject to attack), such as Web browsers and e-mail clients, in reduced privilege to decrease the damage potential of any malware using these agents as attack vectors.

Windows XP and later support this capability using a technology called Software Restriction Policies, also known as SAFER. There are two ways to use SAFER. One is through APIs like SaferCreateLevel and SaferComputeTokenFromLevel, which is outlined in my last article. The other, and the subject of this paper, is through local or enterprise policy.

[more...]

</quote>

One comment I feel I should make is that this technique does actually use and undocumented feature of SAFER. This really shouldn't be a problem, but "Caveat Emptor" (that is, be aware that the feature in question was left undocumented for a reason - perhaps it was not as thoroughly tested as the features that were documented)

Safe Web Browsing and E-mail for the Administrator

strawberryJAMM — Fri, 19 Nov 2004 23:47:00 GMT

This is a useful article by Michael Howard, the biggest big-wig Security dude on the MSFT campus…

<quote who="Michael Howard" where="Browsing_the_Web_and_Reading_E-mail_Safely_as_an_Administrator">

Summary: Michael Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.

--=+=--

I've said this many times, but I'll say it again, "Running with an administrative account is dangerous to the health of your computer and your data." So, whenever someone says they must operate their computers as administrators, I always try to persuade them it's not the correct thing to do from a security perspective. That said, every once in a while I meet someone who has a valid reason. For example, I use one of the computers in my office to install the latest daily build of Windows, and I need to be an administrator to install the OS. However, and this is a big point, I do not read e-mail, browse the Web, or access the Internet in any form when running as an administrator on that machine. And I do not do so because the Web is the source of most of the nasty attacks today.

What if someone does want to browse the Web? Or read e-mail? Or do Instant Messaging and so on, and for some reason must run in an administrative context? …

(more...)

</quote>

Note that while this is a very useful tool, it’s still much better to just run with Least-privileges. I strongly urge you to take a look at Aaron Margosis' “Non-Admin Blog” for tips and tricks on running as a non-admin in Windows.

All you need is LUA

strawberryJAMM — Fri, 15 Oct 2004 20:28:00 GMT

I was thinking about LUA (Least-privileged User Accounts) and had this little burst of silly creativity that I felt compelled to share on my blog... ☺

Jenni

--=+=--

To the Tune of "All you Need is Love"
(With my deepest apologies to John Lennon and Paul McCartney)

All you need is LUA
By Jenni Merrifield

LUA, LUA, LUA
LUA, LUA, LUA
LUA, LUA, LUA

There's nothing you can't do that could be done
Nothing you can't win that could be won
Nothing in the way so you can learn how to play the game
It's easy

Nothing you can't make that could be made
Nothing you can't save that could be saved
Nothing stopping you from doing all that you could do before
It's easy

All you need is LUA
All you need is LUA
All you need is LUA, LUA
LUA is all you need

Nothing you can't find that could be found
Nothing you can't hear that had a sound
Nothing you can’t show to blow away the CEO
It's easy

All you need is LUA
All you need is LUA
All you need is LUA, LUA
LUA is all you need

All you need is LUA (All together, now!)
All you need is LUA (Everybody!)
All you need is LUA, LUA
LUA is all you need
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
Yee-hai! (LUA is all you need)
LUA is all you need (LUA is all you need)

Yesterday (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
LUA is all you need (LUA is all you need)
Oh yeah! (LUA is all you need)

--=+=--

The best thing, I think, about this silly little ditty is that it's pretty close to being true. You really don't need to run as Admin for your daily work as long as you know a few workarounds for Non-Admins. Give it a try! Your system will LUA you for it. ☺