SHARE
Facebook X Pinterest WhatsApp

Taking Least Privilege to the Max

Symantec is arguing that Windows Vista’s User Access Control features are too intrusive, and perhaps they have a point. There’s no reason to assume Microsoft got things perfect. Windows has a rich history of third parties adding value and making it better. One of my favorite improvements on user access control in all current versions […]

Written By
thumbnail Larry Seltzer
Larry Seltzer
Jan 14, 2007
Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Symantec is arguing that Windows Vista’s User Access Control features are too intrusive, and perhaps they have a point. There’s no reason to assume Microsoft got things perfect. Windows has a rich history of third parties adding value and making it better.

One of my favorite improvements on user access control in all current versions of Windows is BeyontTrust Privilege Manager, a program that is still remarkably alone in providing certain powerful security features for Windows.

User access control is all about setting the privileges for users when accessing certain resources. The heart of the problem being discussed by Symantec is that when you set a general level for a user, and presumably the philosophy these days is that you set the user to have a limited set of rights, you are inevitably going to misestimate what they need for particular tasks.

eWEEK Labs says that Internet Explorer security is enhanced by Vista capabilities. Click here to read more.

The main benefit of this is to limit the damage that bugs and exploits in the application can do on a system. When you read vulnerability disclosures you often see a line about the attacker only having the same privileges as the user of the application, and this is an important restriction.

Vista’s LUA deals with this by asking the user for more privileged credentials when a task is run that requires them. Nothing shocking here; Mac OSX has done this for years and been praised for it.

There are two approaches to application privileges: building up and dumbing down. Privilege Manager and Vista support both, in different ways. With building up, described above, you start out with an unprivileged user and grant them the privileges they need, and only what they need, on an on-demand basis.

With dumbing down, you start out with a privileged user, like an administrator, and decrease rights when running potentially dangerous applications like Internet Explorer.

Windows Vista users use the building up approach as a general matter, which is why they see the privilege checks Symantec is talking about.

They also use the dumbing down approach in a couple of ways. When logged in as Administrator, Vista tries to dumb down automatically and reminds the user if an app is using privileged operations. Also IE7 itself, even when run by an Administrator, runs in a specially-crippled configuration. (You might say IE is on probation for life, and with its record the sentence is deserved.)

Some time ago I heard a rumor that Microsoft was going to include functionality like this in Windows Longhorn, but it appears that was wrong. I’ve asked the Longhorn team point blank and they say they haven’t heard of it, and neither has BeyondTrust.

The only strange thing about this is why Microsoft won’t do it; it’s been many years since they introduced the basic functionality, and yet they leave it in there inaccessible to users.

In fact, the situation is even stranger than that. BeyondTrust used to be DesktopStandard and PrivilegeManager used to be PolicyMaker Application Security, which eWEEK Labs reviewed rather favorably last year. Then a lot happened: Microsoft bought DesktopStandard lock, stock and barrel, except for PolicyMaker Application Security. Some of the principals took that application, which they said was their fastest growing product, and became BeyondTrust.

A few months before that, Microsoft bought tools vendor Winternals, apparently more to get the principals of that company (the famous Mark Russinovich and Bryce Cogswell) than their products, many of which Microsoft discontinued.

One of the discontinued products was Winternals Software Protection Manager, about which eWEEK Labs also had some nice things to say. In fact, Microsoft even now endorses BeyondTrust Privilege manager as a migration path for Winternals Software Protection Manager customers.

So not only has Microsoft not provided a product in this space, they seem determined not to do so. I’m at a loss to explain this. I can see them not wanting to proceed using the Winternals product, which had some architectural problems, not least of which was that it wasn’t based on Group Policy, but they let the DesktopStandard product slip through their fingers too.

Before Microsoft got the LUA religion it was commonly used as a stick to beat the company with, since OSX did it so well. UNIX was better in so many ways and many Windows users lazily run as Administrator. Now that Vista takes LUA so seriously you’ll see the same reflexive Microsoft bashers complaining about all the privilege checks.

I think consistency is in order here: Microsoft should be extending LUA using the underlying features they built in to Windows to do the job. At least someone is doing it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

Recommended for you...

Scale Computing Makes Strategic Updates to HyperCore Solution
Jordan Smith
Sep 17, 2025
Druva Launches Metadata Graphing & New Agentic AI Solutions
Jordan Smith
Sep 17, 2025
SonicWall’s Michael Crean on State of Managed Security
Victoria Durgin
Sep 17, 2025
Gigamon Unveils Agentic AI App to Boost IT Productivity
Luis Millares
Sep 16, 2025
Channel Insider Logo

Channel Insider combines news and technology recommendations to keep channel partners, value-added resellers, IT solution providers, MSPs, and SaaS providers informed on the changing IT landscape. These resources provide product comparisons, in-depth analysis of vendors, and interviews with subject matter experts to provide vendors with critical information for their operations.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.