LUA Whitepaper released

Microsoft Solutions for Security & Compliance (MSSC) has released a new whitepaper, Applying the Principle of Least Privilege to User Accounts on Windows XP. Get it here:  https://go.microsoft.com/fwlink/?LinkId=58445

Comments

  • Anonymous
    February 04, 2006
    The comment has been removed
  • Anonymous
    February 05, 2006
    Rick --

    Yes, taking advantage of Fast User Switching (FUS) between admin/non-admin accounts is a reasonable way to use admin privileges only as needed.  I wrote about that a while back (http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx) and have promoted it in several public presentations such as TechEd.  However, it is not always as simple as you and I wish it were.  First, if the computer is joined to a domain, FUS is disabled.  (Note:  Vista will support FUS in domains!)  Second, while Office and other MS products work fine, there are a lot of apps that fail to work as non-admin.  For example, Intuit's QuickBooks has been called out numerous times as a major offender - most recently as the first inductee into SANS Application Security Hall of Shame.  So let's say your user is an accountant and spends all day in QuickBooks using the admin account.  Not only must this user now remember to switch accounts before browsing the web or composing an email, he or she can't get instant messages or new-email notifications while using QB, and simple operations like copy/paste between QuickBooks and email become impossible.  FUS has its place, but also its limitations - because of scenarios like these it can't quite be recommended as a general purpose, one-size-fits-all solution for all users.  For other examples of apps with LUA incompatibilities, see the following:
       http://www.pluralsight.com/wiki/default.aspx/Keith.HallOfShame
       http://www.threatcode.com/
       http://support.microsoft.com/default.aspx?scid=kb;en-us;307091

    Your assertion that Microsoft is withholding "least privilege" from users is clearly false - if that were the intent why even expose it in the XP Home UI?  And your implication that MS is "covering up" some hidden agenda is IMHO just silly.  One should learn from Steve Gibson the dangers of postulating conspiracy theories when simpler explanations exist.

    -- Aaron
  • Anonymous
    February 07, 2006
    Aaron,

    I have used "least privilege" since 2002 (but I did not learn that term until 2005).  I have never used fast user switching.  From what you wrote, it seems it would work OK for me.  

    I also do not use QuickBooks.

    I agree that the list of applications that do not work right is long.  But what about the people who do not use the offending applications?  

    > simple operations like copy/paste between QuickBooks and email become impossible.

    Not impossible, just inconvenient.  One can copy to notepad, save to temporary file, then open the temporary file from a "limited" account.  

    If Microsoft informed its user base that least privilege was available in Win XP, QuickBooks users would ask Intuit to put out a compatible version.  But since (Intuit, probably, and) the vast majority of Win XP users are in the dark, Intuit need not bother.

    > Yes, taking advantage of Fast User Switching (FUS) between admin/non-admin accounts is a reasonable way to use admin privileges only as needed.  

    Except it does not work for everyone.  So why bring it up?  It is not needed to take advantage of least privilege.  

    To me, your post in effect repeats the argument that no one should take advantage of least privilege because it is not convenient for everyone.  

    > Microsoft is withholding "least privilege" from users is clearly false

    But the vast majority of Win XP users have never even heard or read the term.  

    In the Linux/Unix world, the message is broadcast to all, loud and clear, to use administrative accounts only when necessary.  Not so in the Microsoft world.  For my money, that can only be because "Microsoft is withholding 'least privilege' from users".

    Rick
  • Anonymous
    February 08, 2006
    The comment has been removed
  • Anonymous
    February 08, 2006
    The comment has been removed
  • Anonymous
    February 09, 2006
    The comment has been removed
  • Anonymous
    February 09, 2006
    The comment has been removed
  • Anonymous
    February 16, 2006
    The comment has been removed
  • Anonymous
    May 15, 2006
    I think this was a long overdue whitepaper, to say the least.  I am happy with its content (I did participate as a technical reviewer) and have rolled out many of those aspects within my enterprise.  

    Next on my list of targets is to get our IT staff to follow this principle.  I'm in the process of re-designing our Active Directory structure to encourage (via social-psychology) compliance.  We'll see how it goes ...

    -Tim MalcomVetter, CISSP