A least privileged environment is going to significantly increase the security of the “Longhorn” Windows platform. Get started today by writing managed code, first of all, and when building desktop applications, make them LUA (Logical Unit Application programming interface) compliant.
What kind of article summary is this? This is completely incomprehensible to anyone who isn’t familiar with os security. Would it really hurt to add a few lines explaining what this is?
Seems like a good idea. I figured they would do this in Longhorn. I’m glad they are.
Nice that Microsoft has also discovered the well-known fact that giving code as few privileges as possible enhances security sometimes…
what is managed code?
What on earth is Logical Unit Application programming interface? Can somebody in this industry please speak english?
This had better be enforced, too! That’s the biggest problem of Windows. Microsoft allows people to get away with writing programs that require privileged access and one of the main reasons why people who administer machines for multimedia use often find themselves having to grant admin access to users who can’t handle it. Also, why the power user class is virtually useless in the M$ world.
Software that runs within an environment that is “managed” and “sandboxed” from other applications, and, with security privileges in place, certain abilities such as reading/writing to and from the filesystem.
Windows isn’t half bad for security if Outlook and IE are removed. They are Windows’ two biggest holes.
By removing IE, and by using basic security like any *nix system has, the number of worms and viruses is going to be massively reduced.
MS might actually be on to something useful in their next OS. The question becomes what they do to preserve their monopoly.
Funny part is that this is NOT a troll!
A good summary of LUA is to say that Windows will do what UNIX has done since day one. It will deprecate the idea of a user having unrestricted rights. You’ll run with a limited user account and escalate on the rare occasion you need additional privileges.
The cool stuff is the way their new techniques will fool legacy stuff into running – by giving them their own mirrored sandboxed copy of a file (maybe like a hard link, but they don’t have permissions to the original file). Each app could, in theory, have its own view of the registry – they won’t be able to modify stuff like HKLM, but rather a mock HKLM key inside HKLU.
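To make the mechanism described above concrete, here is an added toy model of per-application copy-on-write redirection. It is not Microsoft’s implementation and not code from the article; the app names, key names and values are constructed. The point it shows is that the two views diverge: the legacy app sees its own write to a protected key succeed, while the shared store and every other process keep seeing the original value.

```python
"""Toy model of per-application copy-on-write virtualization of a shared
store (HKLM or Program Files stand-in). Added example for this thread, not
Microsoft's implementation; keys, app names and values are constructed.
"""


class VirtualizedStore:
    """Shared store plus one copy-on-write overlay per application.
    Reads consult the app's overlay first, then fall through to the shared
    store. Writes and deletes only ever touch the overlay."""

    _TOMBSTONE = object()  # marks a key the app deleted from its own view

    def __init__(self, shared):
        self.shared = shared
        self.overlays = {}  # app name -> {key: value or _TOMBSTONE}

    def _overlay(self, app):
        return self.overlays.setdefault(app, {})

    def read(self, app, key):
        ov = self.overlays.get(app, {})
        if key in ov:
            if ov[key] is self._TOMBSTONE:
                raise KeyError(key)
            return ov[key]
        return self.shared[key]  # fall through to the real value

    def write(self, app, key, value):
        # The app believes it wrote to the shared location; the shared
        # dict is never modified.
        self._overlay(app)[key] = value

    def delete(self, app, key):
        if key not in self.shared and key not in self.overlays.get(app, {}):
            raise KeyError(key)
        self._overlay(app)[key] = self._TOMBSTONE

    def global_view(self, key):
        """What the shell or any other non-virtualized process sees."""
        return self.shared[key]


def file_association_scenario():
    """A legacy archiver 'registers' itself for .rar the way it always did."""
    rar_key = r"HKLM\SOFTWARE\Classes\.rar"  # constructed key name
    shared = {rar_key: "SomeOtherArchiver.Default"}
    store = VirtualizedStore(shared)
    store.write("legacy_archiver", rar_key, "LegacyArchiver.rar")
    store.write("legacy_archiver", r"HKLM\SOFTWARE\LegacyArchiver\Installed", "1")
    return {
        "archiver_sees": store.read("legacy_archiver", rar_key),
        "shell_sees": store.global_view(rar_key),
        "hklm_unchanged": shared == {rar_key: "SomeOtherArchiver.Default"},
    }


if __name__ == "__main__":
    for name, value in file_association_scenario().items():
        print(name, "->", value)
```

In this model the archiver’s write “succeeds” and its later reads return the new value, but the shell, reading the real key, still sees the old association; that divergence is the price of letting legacy code run without granting it write access to the shared hive.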
http://www.developer.com/net/cplus/article.php/1756291#M
Managed code — Code that is executed by the CLR. Managed code provides information (i.e., metadata) to allow the CLR to locate methods encoded in assembly modules, store and retrieve security information, handle exceptions, and walk the program stack. Managed code can access both managed data and unmanaged data.
Managed data — Memory that is allocated and released by the CLR using Garbage Collection. Managed data can only be accessed by managed code.
Managed execution — The process used by the CLR to execute managed code. Each time a method in an object is called for the first time, its MSIL-encoded instructions are JIT-compiled to the native code of the processor. Each subsequent time the same method is called, the previous JIT-compiled code is executed. Compiling and execution continue until the program terminates.
Adam Scheinberg wrote:
The cool stuff is the way their new techniques will fool legacy stuff into running – by giving them their own mirrored sandboxed copy of a file (maybe like a hard link, but they don’t have permissions to the original file). Each app could, in theory, have its own view of the registry – they won’t be able to modify stuff like HKLM, but rather a mock HKLM key inside HKLU.
Does this mean the registry clean programs all over the internet will actually work? Or that Add/Remove will actually remove these keys?
Managed execution — The process used by the CLR to execute managed code. Each time a method in an object is called for the first time, its MSIL-encoded instructions are JIT-compiled to the native code of the processor. Each subsequent time the same method is called, the previous JIT-compiled code is executed. Compiling and execution continue until the program terminates.
I know the Java plugin in Windows has some sort of cache mechanism. Does this work similarly to what happens in .NET as described above?
Problem is that most applications today need admin rights to get installed, unlike Linux where you can install them in your local path. So application developers will have to change their attitude.
A program will want to change file associations on each startup (for some reason commercial programs feel the need to pop up in your face at least once a day and say “I’M HERE! THESE PEOPLE MADE ME”), and sabotage your system like viruses do.
Examples: Windows Media Player, RealMedia, QuickTime, WinRAR, WinZip, MSN Messenger, a lot of other messengers, all sorts of websites.
There is no such thing as a sweet spot in my opinion.
Code can execute on your system -> it can spawn threads until the windowing system locks up (forkbomb)
Every site can store 5 megs -> een.boem.com starts a “SEE” app and redirects to twee.boem.com, which locks up 5 megs and … (you cannot select by IP or by domain, because if you use a proxy, external IP lookup might not be available; same for domain (subdomains tend to be independent of their parent domain for things like webhosting etc.)).
Code can produce windows on the desktop -> it can produce 5000 windows, or respawn on close. I mean, we’ve all seen this and know what it will be used for. Dear God, a spam mail might start up a program in Longhorn.
There will be a border around a spoofed login screen? -> nice, but most users don’t know the login security concept, so they won’t care. “The computer asked for my password, so I typed it”.
And have you seen the first few “managed” applications? They still want more access than they get by default, or they simply refuse to run. An ominous warning is present, yes, but if every non-Microsoft program will produce one, guess what the user is going to do (even if it was you or me).
The behavior of copy-on-write files in the file system SUCKS! WinRAR will try and couple itself to .rar files, and … it won’t have done anything. The file manager won’t see the association, and so rar files will not open in WinRAR no matter what you do! Of course Microsoft programs will not have this problem.
And managed code is SLOW. Very slow. Try it out sometime
“And managed code is SLOW. Very slow. Try it out sometime”
Care to back that up? Better yet, care to back that up with real-world examples? You’d be surprised. Do some actual research before you spout off comments like this.
>care to back that up? better yet, care to back that up
>w/ real world examples? you’d be surprised.
I was not; I knew it was slow all the time.
http://www.codeproject.com/managedcpp/mcppintro01.asp?df=100&forumi…
MS is now trying to copy Unix security in its newest OS; I already knew they were like 30 years behind. And because it’s Microsoft the stuff will certainly not work when the OS comes out, maybe after Service Pack 3?
Problem is that most applications today need admin rights to get installed, unlike Linux where you can install them in your local path. So application developers will have to change their attitude.
I agree, but IMO installing is not the biggest problem; you can ask the administrator to install a program for you. More problematic is that a lot of programs expect to have write access to the Program Files folder. For daily use I always use a normal user account, but I often have to modify NTFS settings because the developer of a program thinks that user configuration settings or other temporary files belong in a Program Files subfolder. I suspect that a lot of developers are using an administrator account for daily use and have no clue about security issues.
MS is now trying to copy Unix security in its newest OS; I already knew they were like 30 years behind.
IMO that’s not true. I believe that in principle the NT versions of Windows can be more secure than a lot of UNIX operating systems. The NTFS access control model is a lot more sophisticated than the standard UNIX model. This could change if Linux distributions add models like SELinux or RSBAC, but so far I have only seen them in specialized distributions. It is about time that they are added to mainstream distributions.
Most security issues with Windows come from the applications that run on top of the core and it seems that Microsoft is finally paying real attention to that problem.
>I believe that in principle the NT versions of Windows can be
>more secure than a lot of UNIX operating systems.
Oh, in what way? Please explain “in principle” and the “lot of UNIX operating systems” and how Windows NT is more secure or can be more secure than Unix, because I am very curious about that. I think Unix is more secure in every way than Windows ever will be because of one BIG point.
Most Unix sysadmins do know what they are doing, instead of clicking around in a pre-selected env. They actually configure the system. It’s harder to configure Unix, but then again you have to look things up and Google to get some info on the issue, and then you learn: oh, so that’s what an SMTP server is doing, instead of clicking enable [SMTP wizard] and following some red clown with a magic stick that is going to “help” you through the setup process. Besides that, MS has a B I G history of security flaws and issues; NOBODY in the security business is taking MS seriously except MS itself.
Even their bug fixes are full of bugs that need to be fixed by other bug fixes. Go figure.
>The NTFS access control model is a lot more sophisticated
>than the standard UNIX model.
Which standard UNIX model? NFS, SAMBA, SSH?
LUA seems to be POLA (Principle of Least Authority) gone wrong. Sure, it’s probably better than unix “security”, but as long as it’s just a bunch of named permissions and based on user accounts it will never work that well. The article didn’t talk about capabilities, but the whole system must adopt POLA capability-based security if you want to get rid of all those viruses and minimize the effect of security holes. Somehow I find it unlikely that Microsoft would move all those system calls behind capabilities, and any OS that won’t will still have to use bug-prone ACL-based security (unless researchers would find another security silver bullet). That includes Linux, MacOS and the BSDs.
Linux desktop offers more features than Longhorn; we have been using it and it is rock solid.
Try SUN JDS or Mandrake 10 official.
WTF does an article about Longhorn security have to do with Linux or UNIX ???
It’s the same crap on these forums over and over. Half of you sound like broken records.
See a post about MacOS and suddenly it’s MacOS vs. Linux. Something to do with Windows? Oh, Linux just comes up in the forums over and over. Never mind what the god damn original article was about. Let’s all have a circle jerk over Linux/UNIX over and over and never read a damn thing that is written in the articles.
This place is becoming Slashdot. Half-informed peons who can’t see 2 inches past their own noses.
>See a post about MacOS and suddenly its a MacOS vs. Linux.
>Something to do with Windows ? Oh Linux just comes up in the
>forums over and over.
Linux is an OS, Free and Open; you can get more information about it at (not in order of importance):
http://www.linux.org
http://www.gnu.org
http://www.ibm.com
http://www.sun.com
http://www.novell.com
http://www.suse.com
http://www.redhat.com
http://www.kernel.org
It’s the hottest thing around, it’s free and free of viruses, does not crash often, has loads of applications, has a nice mascot, and runs on almost every piece of hardware around.
Come join the fun!
I believe that in principle the NT versions of Windows can be more secure than a lot of UNIX operating systems.
Yes in theory, but in practice, because Windows’ security is so complicated, hardly anybody uses it.
In UNIX, securing a file or directory boils down to chmod(), with 3 easy-to-understand bit fields. In Windows, it boils down to a half dozen or more calls to create DACLs, ACEs, stuff them in the correct order, blah blah blah. This didn’t get any easier until Win2000 and the ConvertStringSecurityDescriptorToSecurityDescriptor() call. This doesn’t exactly roll off the fingertips.
If I want to only allow a group access to a file, in UNIX I call chown() and chmod().
In Windows… I consult the docs to puzzle out the mini-language that the above api takes, try a half-dozen different attempts until I find the right combo, pack the structure correctly, etc. Even then, there are unanswered questions. If a member of the group logs in via terminal server, do I need to give that group permission also? And so forth.
So yes, the Windows security API is more powerful but it is organized into a complete mess and is extremely awkward to use. Most apps I’ve seen totally avoid it and just inherit the security settings of the parent dir.
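The “mini-language” the post above is complaining about is SDDL, the string form that ConvertStringSecurityDescriptorToSecurityDescriptor() consumes. As an added example for this thread (not code from the article or from anyone posting here), here is a small Python decoder and encoder for it: it parses a descriptor into its owner, group, DACL flags and ACEs, computes a simplified effective mask for one SID, and builds the “only this group may touch the file” DACL that the post contrasts with chown()/chmod(). The abbreviation tables are the documented SDDL ones (a file and registry subset); the sample descriptors and the S-1-5-21-… SID are constructed.

```python
"""Decode and build SDDL (the Windows security-descriptor string form).

Added example for this thread, not code from the article or from Microsoft.
Abbreviation tables are the documented SDDL ones (file/registry subset);
sample descriptors and the S-1-5-21-... SID below are constructed.
"""
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {  # two-letter right -> access-mask bits
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
TRUSTEES = {  # well-known trustee abbreviations -> SID
    "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "BG": "S-1-5-32-546",
    "PU": "S-1-5-32-547", "SY": "S-1-5-18", "WD": "S-1-1-0", "AU": "S-1-5-11",
    "CO": "S-1-3-0", "CG": "S-1-3-1", "IU": "S-1-5-4", "NU": "S-1-5-2",
}


def _pairs(run):
    """'OICI' -> ['OI', 'CI']; rejects odd-length runs."""
    if len(run) % 2:
        raise ValueError("bad abbreviation run: %r" % run)
    return [run[i:i + 2] for i in range(0, len(run), 2)]


def decode_rights(field):
    """Rights field is a hex mask ('0x1200a9') or concatenated codes ('GRGX')."""
    if field[:2].lower() == "0x":
        return int(field, 16)
    mask = 0
    for code in _pairs(field):
        mask |= RIGHTS[code]  # unknown code -> KeyError on purpose
    return mask


def parse_ace(text):
    """ACE grammar: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError("malformed ACE: (%s)" % text)
    ace_type, flags, rights, obj_guid, inh_guid, trustee = parts
    return {"type": ACE_TYPES[ace_type],
            "flags": [ACE_FLAGS[f] for f in _pairs(flags)],
            "mask": decode_rights(rights),
            "object_guid": obj_guid or None,
            "inherit_guid": inh_guid or None,
            "trustee": TRUSTEES.get(trustee, trustee)}


def parse_sddl(sddl):
    """'O:..G:..D:..S:..' -> dict. D and S carry ACL flags (P, AI, AR) plus ACEs."""
    out = {}
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        key, body = m.group(1), m.group(2)
        if key in ("O", "G"):
            out[key] = TRUSTEES.get(body, body)
        else:
            flags = body.split("(", 1)[0]
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            out[key] = {"flags": flags, "aces": aces}
    return out


def effective_mask(sd, sid):
    """Simplified access check for one SID: walk the DACL in order; a bit
    denied before it is allowed stays denied. The real AccessCheck also
    applies every group SID in the token and the owner's implicit
    READ_CONTROL|WRITE_DAC, which this deliberately omits."""
    granted = denied = 0
    for ace in sd.get("D", {}).get("aces", []):
        if ace["trustee"] != sid:
            continue
        if ace["type"] == "ACCESS_DENIED":
            denied |= ace["mask"]
        elif ace["type"] == "ACCESS_ALLOWED":
            granted |= ace["mask"] & ~denied
    return granted


def group_only_dacl(group_sid, rights="FA"):
    """The 'only this group may touch the file' case. 'P' (protected) stops
    inherited ACEs from the parent directory from widening access again;
    the object's owner still keeps the implicit right to read and rewrite
    the DACL."""
    return "D:P(A;;%s;;;%s)" % (rights, group_sid)


if __name__ == "__main__":
    sd = parse_sddl("O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;OICI;FR;;;BU)")
    for ace in sd["D"]["aces"]:
        print("%-14s %-14s 0x%08x %s" % (ace["type"], ace["trustee"],
                                         ace["mask"], ace["flags"]))
    print(group_only_dacl("S-1-5-21-1000-2000-3000-1105"))
```

The decoder makes the post’s point visible: a single ACE carries a type, inheritance flags, a 32-bit mask and a trustee, and ordering matters (a deny placed before an allow wins for the bits it names), which is exactly what the three chmod fields never have to express. The group-only DACL is one short string, but only once you know that without the `P` flag inherited ACEs from the directory would quietly grant access to everyone the parent allows.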
That’s a good point. I wish more people would post such comments instead of the usual uninformed zealotry. It could also explain why SELinux isn’t used more. SELinux (and RSBAC) could seriously enhance Linux security, but as with all security problems, there is a tradeoff between security and usability.
I’m curious as to why they need to take over any three-letter acronym there is. The programming language Lua has been around like.. 10 years? And what is Logical Unit Application anyhow? Just random nerd-gibberish? (How many such combinations can you generate?)
Executive Application Unit
Localization Unit Application
Meaningless Random Unit
…
This basically gives Microsoft control over your PC. With UNIX and logging into root, you still have control over your PC. Microsoft is using security as an excuse to keep root access away from you, and to them.
I really don’t understand your post. Are you trying to be funny?
Oh in what way?
A wider range of finer-grained privileges.
please explain “in principle” and the “lot of UNIX operating systems” and how Windows NT is more secure or can be more secure than Unix, because I am very curious about that.
You obviously can’t be *that* curious, because five minutes on Google will give you all the material you need to find out about the “principles”.
One should remember, however, that theory != practice.
I think Unix is more secure in every way than Windows ever will be because of one BIG point.
Your “point” has nothing to do with OS capabilities.
Which standard UNIX model? NFS, SAMBA, SSH?
User/Group/Other is the “standard” Unix security model.