Software engineers who attend Microsoft's annual Windows Hardware Engineering Conference later this month could get their
first taste of a new Windows user permissions model that could change the way thousands of programs are developed and run.
But as the company prepares for the final Longhorn development push, questions remain about its plans for a new user privileges
model called Least-Privilege User Account, or LUA.
Microsoft claims that LUA will make life tougher for hackers and virus writers by limiting access to administrator permissions
on Windows systems. But the company has been mum in recent months about its plans for implementing LUA in Longhorn, and it
is considering incentives to encourage adoption of LUA (pronounced "Loo-ah") by skeptical ISVs (independent software vendors),
including a new logo program for LUA compliance, according to interviews with ISVs and industry experts.
Least permissions is a principle of computer security that recommends giving software applications and their users no more
privileges on an operating system than are absolutely necessary. Widely accepted within the software development community,
least permissions has often been overlooked in recent years, as operating system and application software companies worked
to make it easier to use software, said John Pescatore, vice president of Internet security at Gartner.
Microsoft said it will encourage the use of least permissions in Longhorn by making it easier for users to do common tasks
without administrator privileges. For example, the company may modify Windows so reduced permissions users can alter display
and power management settings on their machine and use VPN (virtual private network) technology more easily. Other changes
will allow developers to create per user installations of applications, with user-specific settings saved in the "my programs"
folder, rather than a globally accessible program files directory that requires administrative permissions to change, according
to documents and presentations on Microsoft's Web page.
Microsoft also proposed application manifests, which allow developers to define the permissions an application needs to operate
properly and can be signed by ISVs to ensure their integrity. Deployment manifests, signed by IT departments, will allow network
administrators to dictate how much trust an application should have on the network, according to the documents.
The changes are intended to revive an important security concept that has been a low priority among many Windows users and
application developers.
"I don't think the notion of application runtime permissions are either well understood or well handled," said Jason Rimmer,
chief architect at Vertex Inc., a tax technology and services provider based in Berwyn, Pennsylvania. "Coming from Unix, you're
used to asking 'Does this run under root or not?' But Windows operators have never had to consider that. LUA will force that
choice on people," he said.
For example, Windows programs commonly save user-specific files to critical areas of the operating system, like the program
files directory or protected parts of the Windows registry, which stores configuration information and is off-limits to regular
users, wrote Keith Brown, co-founder of Pluralsight, in an MSDN document on LUA from April 2004.
Application developers who log onto their development machines as administrators when they write code create programs that
assume that level of privilege, but have trouble when run by a user with reduced permissions, according to Brown, who estimated
that 90 percent of Windows software can't be installed without administrator access to Windows, and that 70 percent won't
run properly unless the user is an administrator. (See: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp.)
Network administrators enforce strict user privileges on networks and restrict access to servers and other resources, but
individual Windows users often log on to their Windows system as a local administrator because of the difficulty running even
common programs with just user permissions. Authors of viruses, worms, bots and spyware take advantage of those elevated privileges
to install malicious programs and change the configuration of Windows to keep their creations from being detected, shut down
or removed, experts say.
A strictly enforced LUA model could make it harder for worms and viruses to take over Windows systems. But Microsoft may have
a tough time changing user and developer behavior, even with new features that support the LUA regime in Longhorn, experts
warn.
"The (LUA) framework we're talking about has been there for 10 years. ... The fact is that vendors go the lazy route and continue
to dump program settings in (the program files directory). Software vendors, including Microsoft, have to stop writing lazy
code," said Brian Bergin, president of Terabyte Computers.
To encourage adoption of LUA features and principles, Microsoft has been working closely with Macrovision to develop application
installation and setup programs for use with Longhorn that incorporate LUA concepts, said Bob Corrigan, product manager for
the InstallShield product at Macrovision.
Installations are a pain point for LUA in Windows, because they require files to be written to different areas of the Windows
file system and configuration changes in the Windows registry that often are inaccessible to ordinary user accounts.
"The advent of LUA will compel ISVs and corporations to take a close look at what applications do at the point they're [installed],"
Corrigan said.
Macrovision hopes to simplify some of the complexity of LUA in its applications. For example, future versions of InstallShield
will allow ISVs to build application installation and setup programs that segregate user and administrator functions, so that
users don't have to have administrative access to install some software and administrative-level permissions aren't accidentally
extended to non-administrators, he said.
That's a change from current Windows installation routines, which typically mash together common and administrative components
during installation without any clear distinction between the two, Corrigan said.
Microsoft is also weighing a logo program, akin to the Windows logo program, that will grant special status to applications
that comply with LUA principles, he said.
"If there are some qualifications for being LUA compliant, a logo compliancy program could enforce them at a critical point:
the creation of an installation for delivery," Corrigan said.
Microsoft declined to comment, but a source confirmed that the company is working on a logo program similar to what Corrigan
described.
Microsoft declined repeated invitations to discuss LUA's role in upcoming Longhorn releases, but said it is considering LUA
for future releases as part of an overall vision for multilayered security known as "defense in depth," according to an e-mail
statement attributed to Amy Roberts, director of the Security Business and Technology Unit at Microsoft.
Behind the scenes, Microsoft has given ISVs a broad outline of its LUA plans, but few specifics, Rimmer said.
"The architectural concept [of least permissions] has been around for a while, so I'm looking for rich information from [Microsoft].
... I'm looking to get more assistance with the actual security constraints are to each [privilege] level -- like 'Users can
add other users or install software or get performance information'," he said.
The dearth of information in recent months has led to speculation that some core components of LUA are being reconsidered
as the Longhorn development team gears up to create an alpha version of the product.
"If I had to guess, there's less chatter because this is lobbying time. ... [Microsoft] is taking feedback from major customers
and trying to figure out how to turn that into a component that's in the product," said Russ Cooper, senior scientist at Cybertrust
and editor of the NTBugtraq discussion list.
Some aspects of LUA may also be tied to the next-generation Windows File System, which Microsoft said in August that it will
not ship with the first version of Longhorn at the end of 2006, Pescatore said.
Regardless, LUA will be a major change for many application developers, and Microsoft needs to begin laying the groundwork
for the change, experts agree.
"They have to nail it down now and give ISVs a year and a half," Pescatore said. "If you look at [Windows XP] SP2 and the
firewall being enabled by default, they tried to do that a year in advance, and heard a lot of squawking from ISVs who said
they broke applications."
The company should also expect that ISVs will have to be convinced that complying with LUA as part of a logo program or not
is a priority that is worth the extra development effort, Rimmer said.
"LUA is a change that doesn't equal value to ISVs, so you're going to get pushback," he said.
Still, Rimmer is giving Microsoft the benefit of the doubt, even though there are still question marks around the company's
specific plans.
"Microsoft employs very smart people and this is an architectural foundation that already exists. They're going to take it
and enhance it for their platform, like they did with the introduction of active directory," Rimmer said, referring to Microsoft's
implementation of LDAP (Lightweight Directory Access Protocol).
The company also has an opportunity to brand LUA with its own user-friendly features and interfaces, which would be a vast
improvement over platforms like Sun Microsystems' Trusted Solaris and Unix, Gartner's Pescatore said.
"They're so complex, nobody can use them," he said. "They require every user to be a security expert. But if you look at what
Microsoft is good at, it's not inventing ways to do security, but ways to make security easier to implement for security administrators."
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
