WASHINGTON, DC—The gospel according to LUA (least-privileged user account) took center stage at Microsoft Corp.s Security Summit East here with a pair of Redmond consultants pitching the idea of a well-funded security deployment repository to help developers create applications for non-admin users.
The LUA principle, which promotes the use of accounts with fewer access rights than Administrator accounts, has been largely ignored by end users, but if Aaron Margosis and Shelly Bird have their way, code writers will have a central place to get tools and training to create least-privilege applications.
Margosis and Bird work as security consultants with Microsoft Consulting Services Public Sector, evangelizing the value of LUA to government, military and state agencies and during a "Lessons Learned from the Field" presentation here, the duo lamented the low rate of LUA adoption.
Despite the fact that LUA is accepted within software security circles as a key to reducing damage from malicious hacker attacks, Margosis said a large percentage of customers still run Windows with full admin rights, making them sitting ducks for malware attacks that rely on "maximum privileges."
"The malware writers know and assume youre running as admin and take advantage of it. The best way to avoid those types of malicious attacks is to run as LUA. Its that simple," Margosis said.
However, because existing applications cause compatibility problems when run by lower-rights users, Margosis said enterprises are struggling to balance the need for security against business productivity.
"A lot of business applications have these LUA bugs. They dont work correctly unless theyre run with full admin privileges. That means that the typical user is an admin instead of a least privilege user and that means that malware attackers will always have an easy target," he explained.
Thats the thinking behind the proposal for a security deployment repository to provide a central place to offer tools and training for developers.
"Were pitching this idea [of a repository] because we cant move forward without something like this," Bird declared.
"We need to improve the tools for finding LUA bugs and have a central place to find the fixes. We need to start training people to ease this suffering of figuring out why an application might not be working for a [non-admin] user."
"We need something centralized, where fixes are properly vetted in a structured environment," she added.
She said informal discussions had begun at Redmond on funding for the repository but stressed that it was an early-stage proposal that would depend on buy-in from agencies like the Department of Defense.
Bird said a huge part of the effort should deal with the re-education of developers to get them to think about LUA as the default scenario.
She noted that another unnamed consultant was already actively working on developer education and suggested the repository could sync operations to avoid duplication.