Windows - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Windows


Mr. LUA Goes to Washington



 By: Ryan Naraine
2005-12-14
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


  Table of Contents:
  1. Mr. LUA Goes to Washington
  2. ' LUA to Go in '

Rate This Article:
Poor Best
Mr. LUA Goes to Washington
( Page 1 of 2 )

Microsoft brings the gospel of Least-privileged User Account to its security summit in Washington DC, calling for a security deployment repository and new bug-hunting tools to help developers create for non-admin users.

WASHINGTON, DC—The gospel according to LUA (least-privileged user account) took center stage at Microsoft Corp.s Security Summit East here with a pair of Redmond consultants pitching the idea of a well-funded security deployment repository to help developers create applications for non-admin users.

The LUA principle, which promotes the use of accounts with fewer access rights than Administrator accounts, has been largely ignored by end users, but if Aaron Margosis and Shelly Bird have their way, code writers will have a central place to get tools and training to create least-privilege applications.

Margosis and Bird work as security consultants with Microsoft Consulting Services Public Sector, evangelizing the value of LUA to government, military and state agencies and during a "Lessons Learned from the Field" presentation here, the duo lamented the low rate of LUA adoption.

Despite the fact that LUA is accepted within software security circles as a key to reducing damage from malicious hacker attacks, Margosis said a large percentage of customers still run Windows with full admin rights, making them sitting ducks for malware attacks that rely on "maximum privileges."

Resource Library:

Users overlook XPs non-admin security. Click here to read more.

"The malware writers know and assume youre running as admin and take advantage of it. The best way to avoid those types of malicious attacks is to run as LUA. Its that simple," Margosis said.

However, because existing applications cause compatibility problems when run by lower-rights users, Margosis said enterprises are struggling to balance the need for security against business productivity.

"A lot of business applications have these LUA bugs. They dont work correctly unless theyre run with full admin privileges. That means that the typical user is an admin instead of a least privilege user and that means that malware attackers will always have an easy target," he explained.

Thats the thinking behind the proposal for a security deployment repository to provide a central place to offer tools and training for developers.

"Were pitching this idea [of a repository] because we cant move forward without something like this," Bird declared.

"We need to improve the tools for finding LUA bugs and have a central place to find the fixes. We need to start training people to ease this suffering of figuring out why an application might not be working for a [non-admin] user."

"We need something centralized, where fixes are properly vetted in a structured environment," she added.

She said informal discussions had begun at Redmond on funding for the repository but stressed that it was an early-stage proposal that would depend on buy-in from agencies like the Department of Defense.

Bird said a huge part of the effort should deal with the re-education of developers to get them to think about LUA as the default scenario.

She noted that another unnamed consultant was already actively working on developer education and suggested the repository could sync operations to avoid duplication.

Next Page: LUA to go in Vista OS.





  Reader Comments: Mr. LUA Goes to Washington
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵MR-b[^fI*EBc")ۚeoВ/㩱%hh|GggD]ݴ1p͙M55|zg`HRsgޅ-34 @oRQP ĠxnwݶN`P'~ > \?g3U;Y|%x_'Щѩ&€dB$lhwtLhT@ƾQ8FMLbh;&qGXC< tWӺ#A8i @I>b(áh] ]( Ѽe}GJ+C7 ݩx8/DeO؀HYTb{Aq45;n3 w2 X]~D4ڮq 8]^Nૌl[Gݑ[#XsIzVHx)ɡæ'I/!_CRp`iFW+׌<m6L(L|HBɤ:ѰħFr ˺Y4h4öۢCCٰo5RrXJyYT/[,TeW4ϷF}osj_.;gW(֝[p n+Va*.:^O.ac'H|'oDV)UjT:(¤Ԙ8|5 uz P%oP~y)ڡVR\FZV@``%pbQUe>Ϧe}}uI}|vti"|#9ĠjPEb+gxg4X-:nNOn/9n:'ݛ9^qɝN4p3 Z_Zr\? z??LmrG,.iTW%3'6Py$Y)Izֿ8'} ,-)TtܿG)L,Y`M`IpL2Xc]N2ߜ>o4C+D_x0ND5cfI5 (,eg MH5Ŧ]`)exFS{4/h*-ͿE7h+bԜWSAEI7CD r23|!XsI((G&TR]E6\aU<8zuwܬ-U$jմޙ/~<ҲKwqnUO^ *364>H ,H!eݴ%稫7MGVOLGTr }U9=b(7ZdL,1,{Lt차ϳp: 0hv?SOiͦ89ytDAG61^zK ucb>'ݸäpV8; u#uә=U45(h`GI l"&q3)к`&oAY@[SaP#[ѽ:z?@6 =2/?>fCnH }P(V|`{ )qmNl}h`1 >5g% q0yzODȧ$D!"-i]NP@Ar< -,rr4/~C~vGBj+'"Pl=!đt݁Zh3|4К3=PA\^.Ƈ5œL;NmPr`8 ՠZ&4B ڛuV<ۢfA8-v k2ZE'6`FTTMZ|!||=Ꭴm[4@>T*|zS.z8؍8r!O5kb$`CO 룔YXp$880U]2 akThj]Mafyb|Fȸ:qmXbO@sUzqg0읶ׅ]%ϥ߬(ͧ6uу=&9Je!6#{e!{W+(-jE)jycl ؑq,YriL*wڶ{>Qidݙ(yR+rf!9 ֐I8U1'\ ؕGQ/AY@*# k Bo`"12l3u/.ztwݱM% i4Q.)J5E` L] T<ty[= F:6. 1H#60/`k .^@>%%@P0"AcK鬡cKU1SOm{hCy-X\(Tt a"!1}ڣ>nssQ*/sw+ f)T;Ofz^*k 6DZUUR;,Z U=>YP2z4b&cоY6i` :2sԳлMklsGq3`S"mLtu_+'E&GlE6Xil q ivKsq{?I jf?}T*JZӳ(*I$ {2 t9t=d}k?pY/UU^SG;:&ߐ@hO ]k8ỨbRvQLv迌2KGɭTSV8<V6ZZaoaqVZF3HU5dEM#/ ސOZ[GC^$G|)ATEMTjjEIz,pe#EZd ЯZd&{\%\3Li0o)Q멋~ 4[*X.-DД4ϰ;Rb i kxG c-Bwyr @ +3{KqmϱkK{&u U)U tVR$gI#cg?fmE`:Je4q{27(۞k-/$xGʟ?9pw@7@| o6eM+t׀mkZpw|L2M#uL!)Wje>e!eO.lWJ_0]P/s>PV|o =$Ԅ7; +An)ɡ$ |C*ͤ D;}R^\ό&Շݽ]VWv&/!(0H_dhmdU]uv1g +f[i.3xWc绛I쀔4}ڽK<d^G #W^^A1vY?N0+ο hqoRXD\޷hClYj2a'A)pd]2~ܮW{aOQ區usѺ~߹_>wICr޹lK^'+Q\CR@!pWv::f3ڌ6NJ,$zqaxK)Wf@ tOלX0z!ӱB3ZOUc)|F ʢjk:M?vVT+,kZ\f·?!bN<APC{ r P)'$ 'yS|b;+38Ǟw[}hh!腘:Ua2"(BR.IHO5xv>^8Ql7 FGWE'[;{-2}mџ.`m eIbQ+f+I'{GHI NN:os_,ĠChpFn1x-6ؾJ9 4SJd"8A%;)~ڰ{, /D=:dSNQ(iaE-e9rdJ9#S"\+ 6L P,OҴy=#lQ1 i(K"ih$lbTFZoNwպm@yjZӽM3BJ$gΖˤ%"ė4 y) " |82B[(GH T䵴Zv*;ӒstH1?$ݝ:V88FXbp'a ;eΫPf|mu{{B s?݁CO6vmn3}1FgcקUQ+鑵?LΩnbH;T!5] Dg<$'؂8iMon} 3*U-# !; sV찐99>e+ !šӗH6-#,q͟~TJA|4#ϰǣf'Ý<(A)Zi7 L ;):FamAD[ǦNl<,BP OY|#gT~T`9PY(=1Q:XAWAgySMLt ?K}wD5=fexr:S6|p,vYD6D{=zg[qBP?ۧiMlT }D_p$|=$5-X% ݙJ.TI?xlD ^\Uk{ ‚pJ|'NJ8i"JcHHi.NJK<^&Rv %f?[ӸlP B@m 9$]a2TZSULVNWxYkѤwx?ʞ@mL,}!$~;FםFR&J.jFI aB4wdfJ̬Y+Iʿ7E,XQ?osI0VăBCd {aMed4G/_`wULn 0HMR4IަLRdYJ'tiR$vj{ VfQC 1("@@eU`a7AU%"iM $dHz?gjZS3XPsjm!7&1h7z}[ IT~i B]zOA> Ub0{Ijx< }U&|r+vVt+OlÑ` bƶ1u ҫ7~(m[8c5 #\c3~4A$ IRP1jD=-2yav6onIeS iߢҕoY6cZ){BȳnY]꒸.@Ou26#k>ʶ*&Ӂ<&'X$vZ裖.zKe**q iS:;YSEѱf6E͸ Z6֓ka"L[rke;W%sӮqSQx{,˵Ҿ|e"^qF#]Sv|j9` mKeح\ RI""f0yKa>}a2xP<4U}CR{1W)K k7hQ?P hfKxn,e춉2ۭ<lj<# IdzaSsL/yAD4\uCzy)cAjRzPG˟)}sW`DV+kD(:F"J "Alğ4 XOE= 'Uې|/q)܊fAwItd pAj% iF\6tyZR3 ,,ڟ9(lWOlvYM~zkJ6/2դfMp~e9uܽ^\g x&h ;tLH E Cٹ` ĠH"1("@}=31`mSjs}ooooaU[%έ;=K׽%V|ߧ 4lYy嚆p?'Abs@l}&W̴/+BܺʗX.{`yRGH'Vp`&n%/EφE"&QH!'Qa=5/L=cmnvu0ڑfUEb_u&ddԛ3۔t5 gJWP% U!P< X8' Cxj(兑yi>{r" GaMHgXK+z66JkxK2D8$<7Z qjmkn R[t^ٟa6*0iy3'E-Uw$K_ l085Kb*$ӛvP}۷ 3LXbIJ~Ye VDU'JV,5,$$ᑛ ዯ{dGI]v+1 { α[O pw@ f˵?^ wsw:Tѹἃa$v6uiWHs ק{1ݱ;U ޲Q wJ B+lx1ѫLC97MAxrOׄ%T|f ǿ"WoGZDbL6 qI;6۬7oL5Hvjcm*o3"{A۴Vx{7i&`Wulau^\j$}`+Z~mYѧS.%zW2@7Z~&ϲRXwS݃yGYj:&RJE:`ῳF+┱faeO'%3_eH5T["OGK)ztM@{)=Ms-EM~Z#V .K{~i #E|[VL ܣWTG ᅮ$}'hv`'rX,hMLm 9( ,ɸ Dt)mq60lG L2.N-£Et^k7 œKhgmα?=-fTnCn$Ɩ [?_t> DF/zPAfXt~D)Dߣ]嘡-Y?`C䷿T'}dɷk1VcV[2QȏQ Qķq)>՝辎SPšE\ybukMpI-?ق(p{g{@=^w ܠǮO8bauמQ|l:/ajj}<D#,z~Es G2Cְjj`@4#z@hXDu~rx;:Dn|#Qk"4IP6i[;󗚻4>(CZP"Z’ yM}Is977EQEj==#Ÿ R"R +pWxy̓xX2{n4?8?G6ǜMEfID+ET9]vՔ}u5b? `lG(zdI+2// c|RO&׺ƪt[`ɧj*~- IT3)7נCCm{<)fF<{y ?m_z^3v𥭛n)}+n-owghPb^T֝U{/'7d[tTLPP)%(7_跔'ycƔ5lK @xl9 sXdMw=;B>q 13R; ^a  kd4̉sЩ H WIkm2J%3?3\mDΝz_a8r}sΩ}?3r1c ]%'e|0̊|Ux[hhwYn7 h:'g;  At a݋R>hueaj+ZAkj]X;ҁT+qܖ.tfYlB+m&}^FS.oJ^j$'Tp ?>|6ژyiF4Y gMr'/\ix##&݌k3`w rF@Yf!se=]YR# _fq@9l~HswB"#xwOuq, SC,BYb3/q?9 !'@vttwFnHs.c uh`6r*?pБ`Ւ r)؇c*|k47\_}ae1 `8*pgj96U KdTL 2@: xE ? ׽nrn[0'lx DpbZ[UH 1ӈ)i=rv:^G>v;WXj !1gOiX$_1VI,QoT?tQ:..( o$H)YPXP؟S?pkTJHB}s ^6) '.X`,2E<ezY<>we~t:&Z!f5KfltQQ({b:M u?簈)s)aR;:5Q@<P 4'/ͻ7,Xzob @p),f,՚RD&u]u]j%@]gxtnV?.4%WPRh 4 V #vFCThh t0 c3B's;c։'rڽ&-rznއu^yFa[+M|폺Uw'WN;eSxblv>4m+Lxte$AN/[mf(NT3\H%y:w"?@gB󬳾sRhvNrʡsS^K/Z_~sk^"g">"\/ryC@9BǼrǜ}}   Mu$!(oY NoR8G9B(^*UykOy射<)߇yVU<^`kW9x 挿 {);[?u'u CFWz^S_xڞꖽpLڭe]9n@KG{1Pi +{Iz@ⅇW4:<)X9vFnmsxvY몮|\;Yo%P.YCIsDgev' A] oBgU>n{d$qA)VqF`n= :i>5C7&$~5h]4pޣ7p]w n )xT-kZYoZԪw俋dAgG b2jJ]Nlժ~\,)g^9Q(Fuo*#I0njE=uȐa0V1;BDO" Чc v̆ȴbe!jfE߰aw8a+h;rI?@,(qY\DdkO]cBfCVGyx; V0~jv1B`-kD2Ydn 涁MY3,>,MqkI%D;o0m&6=ǁ&=B-7M}X!W =s%3! Ņ{6Txl "esMPFY-M؂1&PSB[*Ed"91>23gH&O#K^Dpaw./' ] :/J&EFSel ,'\ 'pp1d`6gG|םۈZBؕ]ݎ:32)'O^ێ6 .8 fL~Ʈ=.f/~}$[]=vPƛ{90CD]QBv3 ^l x/G$lL$7\ ]ݼȡ=ץs/_+.Ġ/>''4WB)U7gMa,Nd=:rCShpaAp>72FX`TPsHOmM\-n\{&@qb^:.~;IT>Kx2HIh;>~ED#`A0^eC$u@Ч ߆ϨnC>XZe.,s0ŬBSh<)gO?'[nG\k<>biEPL.c{<9z@n0$ ,1-iDK:F9-S 0 p,[ftO6A|Jo?;=_$%\!dxlg/`S7Dl .7mӴ1u¹"UXIَR , ~:3N ƝOQh| W91-"<oc3)?;7x*+&q; fC &+_2uE>v/-G_ږ*yD1e~}J<3g(u",@zPhP+7`/9ʒH]S(|9N]QjãōGHoǸ[ [ Iy>p;Щ1 ٵGm;qSr2M/l XGڦZ-¶,:qp {m;}k{&^ؖ׶< Xè)v$ѿfpJJχŀ𞭞{̾\f#9:tg)dr̅2 !ɳy[K (Jq] XοâȖWITR6!;ׯD?8- cIĬ ;fcXJ ,oԟN*)Asa#Dl [ApN7WmsS<"Y":xqeQ Vs*`wҵX;EB(O}u9tC*G꛺UEo}BUFBl4.W$7y:?C[7nyQ'R4hIw',!w:9\OWuM+_0`F-<#Dg˳̆UZ*$4)FҢpL\岞+zi+mw9n~뉘HOa6%s\ɜKBS+4Y/kЧTN&GN⇅c>lgLt )*)vymb-C6C-;:,X(