Finally, Microsoft Will Separate Vista Users from the DesktopBy Andrew Garcia | Print
Tech Analysis: Vista's User Account Control feature will bring it up to snuff with other enterprise operating systems. eWEEK Labs' tests, however, show that the feature will require a fair amount of evaluation, forethought and fiddlingat leaAmid the hullabaloo about how intrusive Vista's User Account Control feature will be to the average user, Microsoft has been quietly ramping up the support infrastructure needed to help companies adopt it. eWEEK Labs' work with UAC shows that more work lies ahead, however.
With Vista's UAC, Microsoft has finally gotten serious about securing the Windows operating system by limiting a user's rights during day-to-day computer usage. UAC also finally brings the Windows operating system up to speed with just about every other major operating system available today.
UAC enables the concept of LUA (Least User Privilege), where users run with limited privileges for the bulk of their interaction with the desktop. User rights are elevated only when necessary to perform certain administrative tasks. By limiting the user's normal permissions, there is less attack surface on the operating system and less chance for the user to inadvertentlyhow should we put thisscrew things up.
Organizations that have already implemented LUA with current Windows versions will likely have the easiest transition to Vista and UAC, as the hard work of getting users accustomed to limited rights and making applications work correctly with those limited rights has already been done. (And we expect that these organizations will quickly remove the annoying credential request for standard users, replacing it with a stock denial message.)
However, organizations unfamiliar with the LUA concept are likely to disable the UAC feature in Vista altogetherat least for the short termas they begin the arduous task of evaluating their software stable for security compliance with the new operating system. (Vista is expected to be released by the end of 2006.)
Whether administrators are familiar with LUA or not, they will need tools to configure Vista across the enterprise and to evaluate their applications' Vista-proclivity. With Group Policy and the Standard User Analyzer, Microsoft aims to do just that.
In Vista, Group Policy includes nine new policy settings that control the behavior of UAC, and these settings can be applied either in the local GPO (Group Policy Object) or in a Windows Server 2003 domain-based GPO. These settings control whether domain-based and built-in local administrators run by default with the Standard User token or with the Administrator privilege token. In the former case, the settings determine if admins can simply approve privilege escalation or if they must provide their credentials to run a protected task. Other settings dictate whether standard users have the option to enter administrator credentials or if they are simply denied access.
As long as IT managers are administering GPOs from a Vista-based machine, each of these policy objects can be found at Computer Configuration/Windows Settings/Security Settings/Security Options. Because Vista uses new XML-based ADMX templates with Group Policy, legacy Windows machines cannot edit or take advantage of these new policy settings.
Next Page: Virtualization.
Administrators also can enable virtualization via Group Policy as a catchall for applications that need elevated permissions to write files or registry settings to protected parts of the file system, like the Program Files directory or the HKLM registry hive. Virtualization fools the operating system by instead writing these files or keys to a walled garden in the user's directory.
Microsoft views virtualization as a stopgap measure, with good cause. Virtualization does not solve compatibility problems for applications that may require other kinds of elevated permissions that can't be met by faking out the file system. So, while Microsoft ramps up its Vista logo program to teach application developers how to conform to Vista's security parameters going forward, it has been creating tools to help administrators and coders get ready for UAC.
This summer, Microsoft released SUA (Standard User Analyzer), a handy GUI that works with the company's Application Verifier to help developers and administrators understand exactly where legacy applications will run afoul of UAC.
For instance, during tests, when we used SUA to evaluate an application that we knew required some administrative privilegesSysInternals' FileMonSUA alerted us to a few files temporarily copied to a protected disk location, as well as a pair of required administrator privileges that FileMon needs to run (SeDebug Privilege and the SeLoadDriverPrivilege).
Since virtualization is not an option here, and handing out administrative credentials to all application users defeats the value of UAC in the enterprise, administrators must look elsewhere for a solution.
Administrators can deal with offending applications one by one via SUA's Compatibility tab, by clicking on the Run As Program as Administrator button. However, this solution can be unwieldy across a large number of desktops and is not guaranteed to work, as the executable may be blocked from that capability.
Earlier this year, we reviewed a pair of solutions that offer a more elegant approach to policy-based privilege escalation for applications and processes. Both Desktop Standard's PMAS (PolicyMaker Application Security) and Winternals' Software Protection Manager allow administrators to selectively elevate a process's or application's security privileges according to user, group or host computer. In this way, administrators can allow standard users to run poorly coded applications that require various elevated privileges or attempt to write files or registry settings to restricted areas of the file system via policy without having the user present administrative credentials.
We prefer the PMAS solution because of its tight integration with Group Policy, although we felt Protection Manager had slightly superior rights delegation, filtering and process identification capabilities. But Protection Manager's agent architecture proved sluggish and unwieldy in some circumstances, while PMAS snapped right into Group Policy.
Interestingly, Microsoft purchased both companies within the last few months, although PMAS was not included in the Desktop Standard acquisition. Instead, PMAS is now sold and maintained by BeyondTrust, previously a spinoff subsidiary of Desktop Standard, while Microsoft is the proud owner of a series of Group Policy-based configuration and security settings to add to its burgeoning arsenal for the forthcoming Windows Longhorn Server.
Microsoft should be able to meld these technologies into Group Policy to form a powerful solution to help administrators unlock legacy applications in a scalable, organized fashion while it awaits Vista-compliant code from ISVs.
Unfortunately, it is likely too late to see this functionality in the Windows Longhorn Server release time frame. We would hope to see such capability at the top of the list of new features for subsequent Longhorn Server service packs, however.
Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.
Check out eWEEK.com's for Microsoft and Windows news, views and analysis.