Software engineers who attend Microsoft’s annual Windows Hardware Engineering Conference later this month could get their first taste of a new Windows user permissions model that could change the way thousands of programs are developed and run. But as the company prepares for the final Longhorn development push, questions remain about its plans for a new user privileges model called Least-Privilege User Account, or LUA.
Good move, but a little too late. XP and 2000 both have different user permissions but it’s a shame many software vendors don’t respect that. Some time ago even installing Nero had to be done with an administrator account.
Application developers who log onto their development machines as administrators when they write code create programs that assume that level of privilege, but have trouble when run by a user with reduced permissions, according to Brown, who estimated that 90 per cent of Windows software couldn’t be installed without administrator access to Windows, and that 70 percent wouldn’t run properly unless the user is an administrator.
I doubt that number is accurate. Although I did have many problems with installing from a non-admin user, I was able to install the majority of applications. But not all.
Anyway, a good thing. Hopefully this will teach stupid Windows programmers that their text editor doesn’t need admin privileges.
I am really curious how the MS marketing machine is going to promote this feature? As innovative, a security revolution? Will they be capable of presenting something that has been present for years/decades on all multi-user platforms as something new and exciting? How long before MS fanboys begin to say:
Switching away from MS is not an option because no one else has LUA? Like they are now calling Active Directory vital for the enterprise; disregarding Netware or LDAP / PAM…
Can MS pull it off again and again and again….
Like they are now calling Active Directory vital for the enterprise; disregarding Netware or LDAP / PAM…
LDAP/PAM isn’t even close to Active Directory in terms of features. Netware was close but AD has comprehensively beaten it in a fair fight.
M$’s marketing machine may well have NetWare’s NDS beaten but AD certainly didn’t (or hasn’t for that matter) beat NDS on a technical basis. I mean, in AD you can’t even assign an OU permissions to a filesystem object ffs!
The Windows permissions model does need some serious simplifying because at the moment I just get the feeling M$ keep bolting on bits to it here and there in an attempt to make their products more secure and only result in making things more difficult to manage.
Honestly, many users (not you or your tech-savvy friends) don’t know the difference between JavaScript popups asking to install BonziBuddy and legitimate system warnings. And ordinary Windows users don’t have any concept of permissions to begin with; when the system asks users to choose between admin or user level program install, how would they know aside from clicking the default or just “ok”? The problem would be that the default choice didn’t work in that specific privilege level. And I bet you know some people who cry “My internet broke!!!” when the simple fact is somehow the big blue E (IE) shortcut disappeared from the desktop for some odd reason. How they are going to deal with something more complex than clicking on something other than desktop icons, I don’t know.
A good place to educate people on the permission issue is during the installation, where historically people were forced to sit in front of the computer for 40 minutes because it asked some odd question at random intervals, or else it wouldn’t proceed. They have those “how great this version of Windows is” slides; they could slap in a few slides of text and a tutorial about permission stuff. Of course that’ll be pointless for those who never (re)install Windows and stick with the default pre-installed system.
Maybe smart people at MS can come up with a way for people to cope with it in the least painful way somehow. Meanwhile, I use Linux so it’s alright, but someone like my flatmate who has a laptop but is totally clueless about how the system works, I can imagine her getting all red and frustrated, tossing the laptop out of the window (unfortunately not tossing Windows out of the laptop…)
The problem isn’t installing the software, it’s running it. Too many Windows apps run under Admin and require the user to have Admin privileges. It’s the old Windows mentality from when it was a single user system, unlike Unix’s history of multi-user.
** not trolling ! **
For still trying to resolve the security problem the wrong way…
Ok, lowering the number of logged in admins will help a bit.
But:
IMHO the number of available exploits is reason number 1 for security issues.
Some simple things are difficult to do, for instance. This week I wanted to change an account type from administrator to a limited one on Windows XP. This can only be done if there’s another account which has administrative privileges, although by default there’s an administrator account. So I had to create another account that I would never use, but then after changing the account to limited, some programs would give errors when running, so I ended up changing the account back to administrator and deleting the dummy account. Another thing I found weird and saw before is that even the administrator is prevented from viewing some files belonging to other users.
I should mention I wanted to change the account type from administrative to limited because of virus infections in the last few weeks, because the person who uses this computer would install programs that give pretty screensavers, wallpapers and other weird things.
According to Windows, you can install using a power-user account. The difference between power-user and administrator is that administrators have access to other users’ profiles.
Part of the problem is, according to the way Windows is supposed to work, you should only have to log in as “administrator” if you’re managing other users. If you need to be able to install programs, you should be using power-user. If you’re only running programs, you should run as user. However (and this is where the “problem” comes in), a whole lot of software requires the administrator account to install and to run.
OSX has a similar breakdown, but instead of admin, power-user, user, it’s root, admin, restricted. The difference between admin and restricted is that admins have sudo rights, so they can install things. However, they’re still not root (root is disabled by default), but they can install and administer the computer without logging out and logging back in. It’s a much better system. Ubuntu works the same way.
For still trying to resolve the security problem the wrong way…
Ok, lowering the number of logged in admins will help a bit.
But:
IMHO the number of available exploits is reason number 1 for security issues.
I think you’re very wrong. You don’t really NEED exploits if everyone is running as the equivalent of root all the time. Crackers start out with the security level they want.
I was trying to say that by the time this LUA thing sets in, there will be assortments of apps that are admin only while the other half are user capable. And the article talks a bit about a user independent installation directory. So the question is, it’s good that apps can be installed as admin, but how is the user supposed to know what apps can be installed and run as a user and what apps are admin only? If apps are not capable of running as user, then user level installation matters as well, doesn’t it? Hence, how are ordinary users supposed to really benefit from this whole permission concept if admin install/run is the easiest and most universal way of doing things on Windows?
Application developers who log onto their development machines as administrators when they write code create programs that assume that level of privilege, but have trouble when run by a user with reduced permissions, according to Brown, who estimated that 90 per cent of Windows software couldn’t be installed without administrator access to Windows, and that 70 percent wouldn’t run properly unless the user is an administrator. (See: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn….)
Very true. I have been guilty of this myself.
Looking forward to the changes.
Other changes will allow developers to create per user installations of applications, with user-specific settings saved in the “my programs” folder, rather than a globally accessible program files directory that requires administrative permissions to change.
I think I must have seen that somewhere before already? Oh, right, My Mac does that.
@Polarrrr Bearrrr
A good place to educate people on the permission issue is during the installation, where historically people were forced to sit in front of the computer for 40 minutes because it asked some odd question at random intervals, or else it wouldn’t proceed. They have those “how great this version of Windows is” slides; they could slap in a few slides of text and a tutorial about permission stuff. Of course that’ll be pointless for those who never (re)install Windows and stick with the default pre-installed system.
I have always found installing Windows applications a huge PITA. I’ll accept a decent workflow, but when I click “Install” the thing has to take off and finish up already. I don’t want to have to sit at the screen waiting until maybe the installer needs me to click a button.
I’m not going to score any brownie points with this, but the way Apple installs software is something Microsoft could learn a thing or two from.
OTOH, it’s good to see that they’re finally taking security issues a lot more seriously now. They do learn. May take a decade or two, but they get there.
I’m not in favor of the whole political correctness thing though. A LUA. Bring back the good old days when this kind of user would be correctly identified and labeled as “luser”, because that’s exactly what they are. If you can’t be bothered to learn what the shiny buttons are doing, don’t come complaining that “it’s broken”.
A computer’s OS is probably the most complex piece of technology most people are ever going to encounter on a daily basis. Yet somehow the idea seems to have taken root that no learning curve is involved and that “it’s just going to work” and that you needn’t bother learning anything about it. Apparently this kind of attitude makes sense when working with technology to which even the average user entrusts critical information/business processes.
How self-delusional can you get?
At least Microsoft is trying to improve their security. That seems to be the #1 complaint of so many that are against them. So what if Mac or *nix had this first, wouldn’t you all agree this is a better security model than what Windows had previously? By the sounds of it Longhorn is getting better and better. I’m really looking forward to it.
This whole per user programs installation thing is all reminiscent of a normal Linux system. I can see Microsoft hyping this like crazy as the new reason why they’re number 1 in security or some bunk like that. The fact is, Microsoft should have implemented stuff like this when they released Windows NT, or if they did there, in Windows XP. And the fact is, computer users should have a little bit of knowledge about the use of operating systems in the first place. For instance, Computer Studies should be mandatory in high schools, though probably all they’ll be taught there is how great Microsoft is.
Looks like Microsoft is finally realizing the beautiful simplicity of the old RWX unix security model.
It is a fact of computing that adding complexity ADDS unreliability in equal amounts.
A permissions model that is simple and easy to understand will be used a) more correctly and b) more often which will make your system more secure than a system which while it might have the most fancy permissions model in the world, will be insecure due to improper usage.
Uh, unless I’m missing something here, there’s not a whole lot of difference in user privileges when installing and running apps under Windows or Linux.
In Linux, almost every app I’ve installed, whether it’s with apt-get/dpkg, an rpm tool, or the configure/make/make install route, requires administrator/root privileges (root or sudo). Admittedly, fewer Linux programs than Windows programs need root privileges to run. I can, however, think of quite a few Linux programs that need root or sudo to run properly, for instance K3B.
-Jeremy
K3B does not require root perms at all, given that permissions are correct, and your kernel is not broken in that direction.
>K3B does not require root perms at all, given that permissions
>are correct, and your kernel is not broken in that direction.
K3B’s own documentation recommends that you run it as root.
it is not that MS CAN’T use LUA. we are simply being cynical of how MS will market this….
will they say to their fanboy hordes “We decided to take a trick from Unix, Linux and OS X…” or will they say “we have innovated again!!!!”
depending upon what they say, fanboys will either be silent or run around the internet in squads claiming how Windows is so good and how they could never switch because they need LUA.
I’ve run k3b as a regular user on gentoo, debian and arch and never ever had to have root permissions. And yes it did actually burn cds
not in my class. My class will focus on exposing the kids to OS X, Windows and Linux. it will talk about the pros and cons of each platform, and the similarities and differences…. it is imperative that kids learn the CONCEPTS behind GUI based OSs so that they are not locked into one platform for the rest of their life.
imagine learning to drive a car and you were taught how to exactly drive a 1995 Taurus. you would not have the skills (hypothetically) to get a different car because the gauges and knobs and levers are in a different configuration.
the reality is that people learn from parents the different parts of cars and know that every car has standard ways to interact with it (steering wheel, brakes, gas, etc.)…. well the fact is that operating systems all have standard ways to interact with the computer… the problem is that people are not taught that and think that if they cannot see it in a place they are used to, then it does not exist on the OS and therefore the OS does not meet their BASIC needs.
like my buddy who played with his brother’s powerbook… he could not see where to set the printer color settings because it was not the same as windows…. well I set him straight and showed him that he just needed to click on a drop down box.
Quote from article:
“For example, Windows programs commonly save user-specific files to critical areas of the operating system, such as the program files directory or protected parts of the Windows registry, which stores configuration information and is off-limits to regular users, wrote co-founder of Pluralsight, Keith Brown, in an MSDN document on LUA from April 2004.”
This is one aspect of Windows that has always bothered me. The file system is an absolute mess. Programs are allowed to install anything anywhere in the system: data files, dlls, executables, whatever. Even Microsoft is guilty of this. Can someone tell me why the ‘Windows’ folder is such a huge freaking mess? If they would have had any sort of forethought on the subject, they would have set up a well-organized folder hierarchy for the system, as well as for developers to use.
Just look at BeOS and OS X. If you wanted to move all of your files and settings from one BeOS machine to another, you just had to drag your entire ‘home’ folder over and not worry that you forgot to transfer your emails because they’re stored somewhere else (Microsoft Outlook, anyone?). And I love the fact that OS X has a ‘System’ folder that is managed by, and only accessible by, the SYSTEM. No one else should need to, or be able to, make changes to it (if I’m wrong about this, someone please correct me). I also like that there is a ‘Library’ folder for all users as well as separate ‘Library’ folders for each individual user and his/her settings. All very organized and well thought-out.
Please don’t think I’m a zealot or anything; I use Windows every day. But this is one area that I really believe Microsoft made some fundamentally bad decisions. They didn’t give developers any consistent locations to put things, and to make matters worse they are one of the greatest perpetrators! Now, I know that they have made some strides with the ‘Documents and Settings’, ‘Application Data’ and ‘Local Settings’ folders and whatnot, but there are still a lot of programmers that don’t use those resources at all. And Windows is still a huge, unorganized mess.
Although promoted as a “new concept” and “MS invention”, I couldn’t find anything new even for MS (except maybe the My Programs concept). Most things, like a program’s ability to run under a limited user account, not writing into system folders etc., have been on the MS logo compatibility list for many years already, but there aren’t so many developers following MS guidelines. Interesting, how will MS force this attitude change?
(Like the well-known winamp: they violate some of MS’s rules and nothing has changed for years:
– writing data into the winamp folder
– using the same configuration file for different users
– not using the proper winapi functions for accessing the configuration file, which prevents mapping this file into the user’s registry.)
“You SHOULDN’T be able to install without Administrators account”
I think you mean:
“You SHOULDN’T be able to install systemwide without Administrators account”
“So what if Mac or *nix had this first, wouldn’t you all agree this is a better security model than what Windows had previously?”
Erm…they did. When was the last time you met a Mac or *nix user who logs into their desktop as root?
I believe K3B wants to run as root so that it can use real-time scheduling to burn CDs. Running as real-time makes it impossible to run out of buffer and burn a coaster.
However, most systems these days are so much faster than the CD/DVD burner that this isn’t really an issue.
Personally I don’t think that you should be able to install ANYTHING without user permissions. I work for an edu (as is evident by my IP); one user account, “student”, is used by all students, therefore if one (let’s call him “unknowledgeable”) user does something to the account that’s one machine you need to work on to repair.
Of course the above comment is environment-centric; in my environment having the low level user be able to install anything they want (even if it isn’t systemwide) is a bad idea.
will they say to their fanboy hordes “We decided to take a trick from Unix, Linux and OS X…” or will they say “we have innovated again!!!!”
As long as it works as planned I could really care less how they hype it.
I certainly wouldn’t expect them to give any nods to the competition. If that’s what you are hoping, be prepared for disappointment.
Microsoft’s filesystem security is way too granular and complex. It takes a rocket scientist to figure out what permissions apply to any given file. And control is scattered throughout the filesystem, thanks to the complicated way that permissions can be inherited. To make matters worse, there’s no easy way to view permissions except to right-click on each individual file and navigate through the properties dialog.
With Unix there are only a few permissions, but they are effective. They are also very easy to see: `drwxr-x---` is highly visible and easy to understand.
I hope that by “fewer permissions,” Microsoft means they are simplifying their permissions model, not just that they will give users fewer permissions by default.
Good move, but a little too late. XP and 2000 both have different user permissions but it’s a shame many software vendors don’t respect that. Some time ago even installing Nero had to be done with an administrator account.
So what are you telling here? That you don’t understand user permissions? Of course if you install software you need to be Administrator/root. That’s the whole meaning.
It’s about using software. It’s almost impossible to run Windows under normal privileges. So everybody becomes Administrator so every box is vulnerable by default.
Whenever I see someone complain about applications under a non admin account under Windows XP I can’t help but wonder if I am the only one who was able to get 99.9% of my programs to run in a non admin account. The only program that refused to run was one game. The only other problem I had was when a program has a user file in the programs folder it didn’t have permission to write to it. I easily remedied that by changing that particular file’s permissions (with cygwin no less).
Also it is a good thing to have to install programs using the admin account. I keep a separate admin account on my XP box for that purpose. Most programs that create the user files after you run them rather than at install time run just fine right away.
Also you don’t need to have write permissions to .exe or .dll for them to work properly. In fact, I think it’s better if you don’t under your user account.
I was just thinking of how I saw a person somewhere else say he runs under admin because he likes to know he has “full control” over his system. That’s a false power trip in my opinion just like someone saying they always run Linux, BSD, etc. in Root all the time so they know they are in “full control” at all times. I think people should be educated as to what they really need when running a computer.
I think this article refers to Microsoft possibly making it all easier for the average user to contend with.
BTW, I’m no microsoft fanboy I also use Mac OS X and every once in a while Linux.
If you have a shared login like that, obviously set your permissions appropriately. However, I don’t think preventing users installing software in their ‘home directory’ (or the Windows equivalent) by default is necessary, as _most_ users are unique, not shared.
Key phrase: “was able to get”. i.e., you had to hack around to make it work. Joe User does not hack around to make things work.
What’s the easiest way to configure XP to automatically login to a user account?
Quote:
“What’s the easiest way to configure XP to automatically login to a user account?”
Try Tweakui. You can get it on Microsoft’s website. Allows you to change a bunch of other stuff, too. Highly recommended.
“Try Tweakui. You can get it on Microsoft’s website. Allows you to change a bunch of other stuff, too. Highly recommended.”
You need an EXTRA utility to tweak your UI? Isn’t that what you have your GUI for?
This makes sense? *shakes his head in disbelief*
Do they also have a crank to start your computer?
And a brake pedal when you want to stop?
TweakUI… mother of god have mercy.
Lemme guess, you’re a KDE user?
FWIW you can do quite a bit of “tweaking” of the UI without TweakUI.
If you want to put your brake pedal on the dashboard or give it a custom tread pattern, you might have to dig a little deeper and use some “3rd party” tools.
(end bad car analogy)
The key to Longhorn security will be to actually release the product, and stop telling us what features will be in that will later be chopped out.
This is like the biggest fuss I’ve ever seen, and Elaina is lapping it up and dishing it out like there is no tomorrow. I can just see the posting in 6 months time: longhorn security to be put into blackcomb, and blackcomb has had features removed. Grr
This is a great idea. It’s what Windows has needed for a long time. Too bad it will break a LOT of third party applications…
All those old windows programs are chains and balloons.
3 issues with windows and security/stability I have.
1. Simplification of the file security system is a must. OS system files should be stored in a separate folder with Administration access. User apps stored in either a user folder or a shared user folder for access by all on the system without touching the OS system folder/files. Each and every app needs to contain its files within its own folder and not splatter files throughout the file system structure as Windows programs currently do.
2. Improve NTFS. It is a poor OS file system that fragments and truncates way too easily. The amount of hand holding NTFS needs to maintain performance and stability is a joke.
last but not least.
3. Keep it simple and easily organised. I liked the BeOS file system but some of the easiness was sacrificed to adhere to POSIX compliance. If they could take the concept of BFS and the OS and ditch POSIX compliance you’d have a very simple file/directory structure which is a piece of piss to deal with. KISS
hey! what the heck is so wrong with tweakui? I’ve been using it since windows95 and IMHO it is the best! Sure it would be nice if it was included in Windows in the first place, but the Powertoys suite has always had a grass roots “what Microsofties want” featureset, and I always thought that was cool… look at the taskswitcher powertoy! (alt-tab replacement http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys…. )
It rocks! (and I run Mandrake as my OS on my main computer .. okay Mandriva or whatever it’s called now) and I still use Tweakui to log my Win98 machine in under a WinNT domain instead of using the lame “WindowsLogin” family login.
In windows almost all system services (daemons) are running with the root-equivalent SYSTEM account. Any buffer overflow in such a network facing daemon can mean a remote-root exploit. Running a network daemon as root in the *nix world is considered suicide but somehow this is the standard practice in the MS world.
Is MS gonna fix this bad custom with the LUA initiative?
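A way to check the claim above on a real box, as an added example that is not part of the thread: the script pairs every listening TCP socket with the service that owns it and flags the ones logged on as LocalSystem, so the "network-facing daemon running as root" cases are visible at a glance. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so every owning PID is readable.

```powershell
# Added example, not code from the thread. Lists running services that run as
# the built-in LocalSystem account and own a listening TCP socket.

function Get-SystemServiceListener {
    # Map PID -> service(s) hosted in that process. Several services can share
    # one svchost.exe, so keep a list per PID rather than a single entry.
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
        if (-not $svcByPid.ContainsKey($svc.ProcessId)) { $svcByPid[$svc.ProcessId] = @() }
        $svcByPid[$svc.ProcessId] += $svc
    }

    foreach ($conn in Get-NetTCPConnection -State Listen) {
        # OwningProcess is an Int32; Win32_Service.ProcessId is a UInt32. Hashtable
        # keys compare type and value, so cast before the lookup.
        $services = $svcByPid[[uint32]$conn.OwningProcess]
        if (-not $services) { continue }   # listener is a plain process, not a service

        foreach ($svc in $services) {
            # StartName is the service logon account. LocalSystem is the most
            # privileged built-in account; both spellings are seen in practice.
            $isSystem = $svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
            [pscustomobject]@{
                Service      = $svc.Name
                Account      = $svc.StartName
                RunsAsSystem = $isSystem
                LocalAddress = $conn.LocalAddress   # 0.0.0.0 / :: means every interface
                Port         = $conn.LocalPort
                PID          = $conn.OwningProcess
            }
        }
    }
}

# Highest-exposure rows first: SYSTEM services, then by port.
Get-SystemServiceListener |
    Sort-Object -Property @{Expression = 'RunsAsSystem'; Descending = $true}, Port |
    Format-Table -AutoSize
```

Services that show up as LocalSystem and bound to 0.0.0.0 or :: are the ones worth reviewing first for a less privileged logon account (LocalService or NetworkService) or a host firewall rule.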
You don’t need tweakui to tweak XP. There are plenty of registry edit websites out there. All those GUI tools do is change the registry, often unsuccessfully too might I add. My 2 cents. I think what is going to end up happening is Longhorn is going to be the best thing since…errr…whatever the best thing is…and it is going to sell like hotcakes and MS will have found a way of once again bettering their OS without causing users any additional discomfort even with all the new security features and so on. I think MS excels at making something complex very easy to manipulate…I mean case in point is their Visual Studio app…it’s easy to use! Case in point Windows XP, so easy to use it is the hackers’ best friend.
Longhorn will be the same in that it will be very easy to use and it will just be loads improved than XP and once again alternative OS users will be left behind scratching their heads.
Note: I am a fan of diversity of everything…choices = good but the above is my opinion of what will happen. OS X users rejoice till Longhorn comes out…
In order to compete with Linux and Apple. Microsoft has a very bad security record and despite their efforts they are still the primary target for spyware, viruses and hackers. LUA is the least they need; they need much more. They need to patch holes in IE that allow it to install software. Part of that process will happen when people switch to Longhorn; for the rest of Microsoft’s customers using XP, they really need to get SP2 on every machine.
They also could do, as others have mentioned, with a simplified access control. Also the web browser should not download a file and set its execute bits.
The harder they make it for hackers the more secure their system will become, unfortunately Microsoft is not in the habit of doing things for their customers, but rather their shareholders.
I don’t know if this is well known, but it should be.
Based on what I’ve heard from someone that works at MS, the Windows SuperSite, and screenshots I’ve seen: LUA will be the default and most users will such use it. Current applications will be able to run fine under this, because if it does try to do something that the LUA does not have permission to do, Longhorn will lock the application and ask the user for admin password to continue such action. I also hope that once an application asks for password, it won’t ask again while it remains running.
How is this bad I ask you? I see this as a very good thing.
Na, learning UNIX (and the joys of vi) so that we have a generation of bitter UNIX admins unwilling to apologise for the crappy products Microsoft puts out. It would be the equivalent of teaching economics to every student, and when voting time comes, a third party is voted in because the two larger parties couldn’t organise a piss-up in a brewery even if the people present were alcoholics!
I hope the ISVs this time actively make use of what’s possible. Despite a LUA you will see some stupid game firms forcing their users to disable everything that offers a little bit of extra security, and even describe how to do it, because some dead firm can’t make punkbuster run under a limited user account. So what you will likely see is users, despite all improvements, still gaming online as root and thus rendering all improvements quite useless.
Your analogy seems fairly flawed. Every game I have run under Windows XP runs very happily under restricted user accounts. It is more system utilities, anti-virus software, productivity suites, and everything else that needs to be installed under administrator, but most (utilities aside) run in user space.
It’s up to MS to educate both the users and developers to ensure best practices are maintained for secure computing. You’d be amazed at how many wonderfully ignorant clients I have tried to tell not to run their OS under Administrator. They then wonder why they are so prone to problems. pah.
..and I’ll explain why: they will make default user permissions a no-go, so many people will raise permission levels, then when they get infected and phished and 0wned and broke and stolen they can just raise their arms and say: we didn’t do it, you were. This “new” thing will serve as a new default apology.
Your analogy seems fairly flawed. Every game I have run under Windows XP runs very happily under restricted user accounts.
I have the impression you didn’t get the same wavelength. Unfortunately some online games like enemy-territory, americas army etc. have an anti-cheat mechanism inside called punkbuster. After installation and updating the game, playing one of the aforementioned games as a limited user triggers punkbuster almost every time with a message like: insufficient OS privileges. Now first of all it’s bad such malware has to be used but that’s a different story. As a potential solution for this problem they (punkbuster) suggest on their website giving the limited user a lot more privileges, like the right to debug programs etc., but then it’s not really a limited user account anymore. Believe me or not, as soon as you or anybody else with in essence good security practice in mind have left the user with good advice, the game is played as root.
some developers didn’t write multiuser programs for win xp and 2000 because it is faster, requiring fewer programming hours, and therefore cheaper. isv development costs are going to go through the roof because of the need to write multiuser and multithreaded programs for longhorn and multicore processors. i guess the big money winners will be the companies that make software tools for programmers. unless isvs say no and wait until enough people have longhorn and multicore processors making such programming commercially profitable.
Latest example I ran into of a program that wouldn’t run with a limited account was WordPerfect 9. It needed write privileges in areas of the registry not available to limited users (HKEY_CLASSES_ROOT).
Some site out there recommended giving users write privileges to HKEY_CLASSES_ROOT to solve it, which was less than ideal. I found I could give a user privileges to HKEY_CLASSES_ROOT for the first time WordPerfect was run, then revoke the privileges and WordPerfect would work after that. It apparently was setting some key in HKEY_CLASSES_ROOT for each user on the first run, but I couldn’t be bothered to figure out exactly what (wasn’t my computer, didn’t really care that much).
Upshot: it could be made to work for a luser without permanently granting him extra permissions, but it would have been a bit beyond joe sixpack. I’m sure new versions of WP work just fine, but not everyone is happy with forced upgrades.
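The two fixes described in this thread, changing the permissions on one user file under Program Files (the XP comment above) and granting a limited user write access to a registry key for the first run and revoking it afterwards (the WordPerfect comment just above), come down to the same scoped ACL change. As an added example that is not from the thread, the following does that on either a file or a registry key while saving the original DACL so the revoke step is a true restore; the key path, user name and backup file name are placeholders, and it assumes an elevated session.

```powershell
# Added example, not code from the thread. Grants one principal write access to
# a single file or registry key, after saving the original DACL, and restores it.

function Grant-ScopedWrite {
    param(
        [Parameter(Mandatory)] [string] $Path,        # file path, or Registry::HKEY_... path
        [Parameter(Mandatory)] [string] $Identity,    # e.g. 'Users' or 'MACHINE\alice'
        [Parameter(Mandatory)] [string] $BackupFile   # where the original DACL (SDDL) goes
    )
    $acl = Get-Acl -Path $Path
    $dacl = [System.Security.AccessControl.AccessControlSections]::Access
    # Save only the DACL: restoring owner/SACL needs extra privileges and is not
    # part of this change anyway.
    Set-Content -Path $BackupFile -Value $acl.GetSecurityDescriptorSddlForm($dacl) -Encoding ascii

    if ((Get-Item -LiteralPath $Path) -is [Microsoft.Win32.RegistryKey]) {
        # WriteKey = create/set values and subkeys; no ownership or DACL rights.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity,
            [System.Security.AccessControl.RegistryRights]::WriteKey,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    } else {
        # Modify on one file lets the program rewrite its own data file; the rule
        # sits on that file only, so the rest of Program Files stays read-only.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Restore-SavedAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BackupFile
    )
    $acl = Get-Acl -Path $Path
    $dacl = [System.Security.AccessControl.AccessControlSections]::Access
    $saved = (Get-Content -Path $BackupFile -Raw).Trim()
    # Replace the whole DACL with the saved one rather than removing "our" rule,
    # so anything the first run added to the ACL is undone too.
    $acl.SetSecurityDescriptorSddlForm($saved, $dacl)
    Set-Acl -Path $Path -AclObject $acl
}

# First-run case from the thread. HKEY_CLASSES_ROOT is a merged view; writes a
# program makes there normally land in HKLM\SOFTWARE\Classes, so that is where
# the temporary rule goes. 'ExampleApp' is a placeholder key name.
$key    = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ExampleApp'
$backup = Join-Path $env:TEMP 'exampleapp-dacl.sddl'
Grant-ScopedWrite -Path $key -Identity 'Users' -BackupFile $backup
# ... have the limited user run the program once here ...
Restore-SavedAcl -Path $key -BackupFile $backup
```

The same two calls work for the Program Files case by passing the data file's path instead of a `Registry::` path.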
That is a very old issue with the Wordperfect Suite; in fact, it’s so old that Corel, since the Windows 2000 release, has been offering a free Wordperfect update to actually fix the multi-user problems. Question is, why haven’t you taken advantage of it?