WASHINGTON, DC—The gospel according to LUA (least-privileged user account) took center stage at Microsoft Corp.s Security Summit East here with a pair of Redmond consultants pitching the idea of a well-funded security deployment repository to help developers create applications for non-admin users.
The LUA principle, which promotes the use of accounts with fewer access rights than Administrator accounts, has been largely ignored by end users, but if Aaron Margosis and Shelly Bird have their way, code writers will have a central place to get tools and training to create least-privilege applications.
Margosis and Bird work as security consultants with Microsoft Consulting Services Public Sector, evangelizing the value of LUA to government, military and state agencies and during a “Lessons Learned from the Field” presentation here, the duo lamented the low rate of LUA adoption.
Despite the fact that LUA is accepted within software security circles as a key to reducing damage from malicious hacker attacks, Margosis said a large percentage of customers still run Windows with full admin rights, making them sitting ducks for malware attacks that rely on “maximum privileges.”
“The malware writers know and assume youre running as admin and take advantage of it. The best way to avoid those types of malicious attacks is to run as LUA. Its that simple,” Margosis said.
However, because existing applications cause compatibility problems when run by lower-rights users, Margosis said enterprises are struggling to balance the need for security against business productivity.
“A lot of business applications have these LUA bugs. They dont work correctly unless theyre run with full admin privileges. That means that the typical user is an admin instead of a least privilege user and that means that malware attackers will always have an easy target,” he explained.
Thats the thinking behind the proposal for a security deployment repository to provide a central place to offer tools and training for developers.
“Were pitching this idea [of a repository] because we cant move forward without something like this,” Bird declared.
“We need to improve the tools for finding LUA bugs and have a central place to find the fixes. We need to start training people to ease this suffering of figuring out why an application might not be working for a [non-admin] user.”
“We need something centralized, where fixes are properly vetted in a structured environment,” she added.
She said informal discussions had begun at Redmond on funding for the repository but stressed that it was an early-stage proposal that would depend on buy-in from agencies like the Department of Defense.
Bird said a huge part of the effort should deal with the re-education of developers to get them to think about LUA as the default scenario.
She noted that another unnamed consultant was already actively working on developer education and suggested the repository could sync operations to avoid duplication.
LUA to Go in
“We need to heighten awareness around secure coding,” Bird said, noting that this would involve improved LUA tools and the publication and distribution of software standards.
Microsoft plans to embed the LUA principle into the coming Windows Vista operating system but Margosis urged developers to shift the mindset today to avoid using bad coding practices in the future.
“Youll be in a position where you will still be hauling a lot of bad practice. You want to go and start cleaning up now,” he declared.
Margosis and a group of senior Microsoft developers have started the ball rolling with the release of LUA-related information and tools on a non-admin Wiki aimed at Windows users.
On the Wiki, the Redmond security gurus are sharing tips on how to set up non-admin accounts and offering easy-to-use utilities that can handle things like dropping user rights or elevating privileges to handle specific tasks.
Margosis also announced plans to release another tool—tentatively named LUA Buglight—to remediate the challenges of finding code bugs that impact compatibility with non-admin users.
Convinced that there are no valid technical or business reasons why applications should require admin privileges, Margosis plans to release LUA Buglight into a pool that also includes Regmon and Filemon, two freeware utilities from Sysinternals.com.
With LUA Buglight, he said developers can generate new tokens and make calls to the Windows API to get reports on potential LUA bugs.
A pre-alpha version of the tool, which is being funded by Microsoft, is currently being tested and Margosis expects to have it available early next year.
He argued that the cost of ownership benefits from a well-managed LUA environment were significant.
“Its 40 percent cheaper to run a well-managed desktop. When everyone is running as admin, you simply cant have a well-managed desktop,” Margosis added.