Microsoft is sparing no expense to spread the Least-privileged User Account security gospel ahead of next year's Longhorn launch, but a little-known fact—especially among IT administrators and end users—is that the technology is already available in the Windows operating system.
The LUA principle, also known as non-admin or minimum rights, is accepted within software security circles as a key to reducing damage from malicious hacker attacks, but on Windows systems, although the option is available, experts say end-user adoption remains “frighteningly low.”
“To the average user, the notion of non-admin is abstract and obscure,” said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. “Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality.”
Howard has long argued that Windows users can run as administrators and still conduct everyday computer tasks safely by dropping unnecessary administrative privileges when using Internet-facing tools. But because the Windows default is for accounts to be set up with full administrative privileges, the damage from nasty malware attacks is worse than it should be.
In an interview with Ziff Davis Internet News, Howard used the example of a recent mutant of the Bagle worm family, a piece of malware able to create files in the system32 directory, disable firewalls and other processes, and delete key registry values. “All those things require admin rights and would fail if the system were set up as non-admin,” he argued.
Looking to increase end-user and software developer awareness, Howard and a group of Microsoft developers have added information and tools on a non-admin Wiki aimed at Windows users.
On the Wiki, the Microsoft security gurus are sharing tips on how to set up non-admin accounts and explaining why widespread adoption can minimize the damage from rootkits, backdoors, keyloggers, adware, spyware, viruses and Trojans.
Howard stressed that user accounts with fewer privileges will greatly reduce the Windows “attack surface” and pointed out that several easy-to-use tools are available to help non-technical users find their way around the no-admin versus admin maze.
One of the tools, which was created by Howard, is the Drop My Rights utility that allows administrators to run Internet-facing applications—e-mail clients and Web browsers—as a non-administrator.
Howard described Drop My Rights as a simple command-line tool that can also be used to create “safe shortcuts” that always bring up an application as non-administrator.
“If you're running as admin, you generally have a bucketload of privileges you will never use or never need. With Drop My Rights, you can run any command with lower privileges and do everyday chores without being at risk of having a nasty piece of malware take over your entire machine,” he said.
The Wiki also provides simple instructions on how to tell if a machine is set to run as admin, how to give a user account temporary admin privileges, and how to force an application to always run with low privileges.
Windows users can also find an Internet Explorer toolbar that provides a color-coded display of the privilege level of running Windows processes.
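As an added illustration of the three tasks the Wiki and Drop My Rights address above (telling whether an account is admin, running an Internet-facing program with low rights, and creating a “safe shortcut”), the following PowerShell script is not code from the article, the Wiki or Drop My Rights itself. It assumes a Windows machine with runas.exe and uses that tool's /trustlevel switch, which applies a Software Restriction Policies “Basic User” level to a copy of the caller's token; the program and shortcut paths are placeholders.

```powershell
# Added example (not from the article, the non-admin Wiki or Drop My Rights).
# Assumes Windows XP or later with runas.exe; paths below are placeholders to adjust.

function Test-RunningAsAdmin {
    # Answers the Wiki's first question: is this account running with admin rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-LowRights {
    # Runs one command with a reduced-privilege token while the interactive session stays
    # admin, the same idea as Drop My Rights. runas.exe's /trustlevel switch applies a
    # Software Restriction Policies (Safer) level; 0x20000 is "Basic User", which marks the
    # Administrators group deny-only and strips the administrative privileges from a copy of
    # the caller's token. 'runas /showtrustlevels' lists the levels available on a machine.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Arguments = ''
    )
    $commandLine = if ($Arguments) { "`"$Path`" $Arguments" } else { "`"$Path`"" }
    & "$env:SystemRoot\System32\runas.exe" /trustlevel:0x20000 $commandLine
}

function New-SafeShortcut {
    # Creates a "safe shortcut": a .lnk that always starts the program through
    # runas /trustlevel, so double-clicking it never yields an admin browser or mail client.
    param(
        [Parameter(Mandatory = $true)][string]$Path,         # program to launch
        [Parameter(Mandatory = $true)][string]$ShortcutPath  # where to save the .lnk
    )
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($ShortcutPath)
    $shortcut.TargetPath = "$env:SystemRoot\System32\runas.exe"
    $shortcut.Arguments  = "/trustlevel:0x20000 `"$Path`""
    $shortcut.Save()
}

# Usage (placeholder paths): an admin session launching the browser as Basic User and
# leaving a desktop shortcut that does the same thing every time.
if (Test-RunningAsAdmin) {
    Start-LowRights -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    New-SafeShortcut -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe" `
                     -ShortcutPath "$env:USERPROFILE\Desktop\Internet Explorer (low rights).lnk"
}
```

A program started this way is still running as the same user, so it can read and write that user's files; what it loses is the ability to touch system32, Program Files and machine-wide registry keys.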
When Admin Still Makes Sense
One of the biggest hiccups in the evangelization of no-admin is the fact that many software programs are developed to run only as admin. A Microsoft knowledge base article provides a long list of programs that are not compatible with least-privilege accounts.
The list includes game titles like “Mary-Kate and Ashley's Dance Party of the Century,” “Rugrats Totally Angelica Boredom Buster Program,” and “The Wild Thornberrys Rambler,” all children's programs that should never be admin-only, Howard asserted.
“It may sound cynical, but the moment one application doesn't work properly, the user gets turned off,” he added, noting that another problem is the myth that non-admin accounts break every program.
Aaron Margosis, another Microsoft developer participating in the Wiki, has published detailed guidance on least privilege, including information for software developers building applications for Longhorn.
The LUA principle will enjoy the spotlight at the upcoming PDC conference, but there's a feeling that Microsoft could have changed the defaults to support least privilege when it shipped Windows XP Service Pack 2 last summer.
Howard, however, defended the decision to save the defaults for Longhorn, arguing that the security enhancements introduced in XP SP2 were meant to address incoming network attacks.
“The main goals for SP2 were different. It was primarily to address malicious network worms and thats why we improved the firewall … That was the guiding principle at the time,” he said.
Howard said it would have been a mistake to change the administrative defaults without giving software developers ample lead time.
“There's a whole ecosystem that needs to be educated and that can take a long time,” he added. “There are a lot of games that update themselves online and a lot of them write files into the program files directory. We need to get them to change that, because the program files directory is a protected location and you have to be logged on as admin to drop bits there.”
“When you're dealing with a product to be used by 100 million customers, you have to give developers lead time. They have to see what's coming down the pike so they can make the appropriate changes.”
Microsoft has already announced that the Internet Explorer 7.0 refresh will ship with reduced-privilege mode turned on by default. The “low-rights” IE 7.0 will only be available in Longhorn.