Opinion: Security models for mainstream operating systems are not flexible or powerful enough to do the things we need to do, but most users aren't ready for improvements.
Theres no question that the user-oriented permission model has problems. Its an attempt at a simple facade on top of a complex set of issues.
If mainstream operating systems are still "stuck" with it, its because the alternatives are, to put it kindly, underdeveloped at this point.
A fascinating analysis of "trusted" operating systems by eWEEK Labs Senior Analyst Jason Brooks
touches on many of these issues.
As his example of Red Hats Fedora Core 2 shows, once you enable fine-grained security policies and then lock down the system, the way that security experts advocate the system becomes impracticably complex.
Too many things were broken on real-world configurations. Subsequent releases offered a less fascist approach and have been improving the tools for admins to turn the security screws slowly so that applications (the whole point of the computers) will work in as secure an environment as can be managed.
The vision of a world where advanced security controls work requires that application developers scrupulously document the specific privileges that their applications require, and attempt to use the minimum necessary.
Unfortunately, in the real world, developers too often show disdain for such concerns. This is why so many corporate users are running as administrator users (or, basically as bad, Power Users
) on their local desktops.
Click here to read a review of DesktopStandards PolicyMaker Application Security 2.5.
Windows Vista will at least slow this problem down and allow users to elevate their user privileges on an ad-hoc basis. It will also allow users to run as standard, unprivileged users except for when running applications which the administrator has designated as needing a more-privileged user context.
All of this is too complicated for most people, but theres something better thats much more complicated. The trusted operating systems of which Brooks wrote qualify, and even Windows has the capacity for greater control. Its just that Windows doesnt expose the built-in functionality that allows that control.
Every running application has a security "token" to which Windows attaches specific privileges. Click here for a complete list of the privileges
and heres a few samples:
The free Sysinternals Process Explorer tool
- SeCreatePermanentPrivilegeUser Right: Create permanent shared objects.
- SeLoadDriverPrivilegeUser Right: Load and unload device drivers.
- SeShutdownPrivilegeUser Right: Shut down the system.
- SeSystemEnvironmentUser Right: Modify firmware environment values.
- SeSystemtimePrivilegeUser Right: Change the system time.
- SeTcbPrivilegeUser Right: Act as part of the operating system.
will show you all the operative tokens for applications running in the system.
Too bad Windows doesnt provide any actual tools, not even bad ones, to manage these privileges. (Actually, there is one tool in the Windows resource kits since Windows 2000 that touches on these capabilities: NTRights
There are several systems which attempt to bring a management approach to this level of security: Winternals Softwares Protection Manager, DesktopStandards PolicyMaker Application Security.
Click here to read a review of Winternals Softwares Protection Manager 1.0
Its good that powerful security management tools are finally becoming available to administrators who have the inclination and the gumption to use them, but this is advanced stuff.
One day, mainstream operating systems have to find a way to make true least-privileged access accessible, but were years from that.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer