Symantec is arguing that Windows Vista’s User Access Control features are too intrusive, and perhaps they have a point. There’s no reason to assume Microsoft got things perfect. Windows has a rich history of third parties adding value and making it better.
One of my favorite improvements on user access control in all current versions of Windows is BeyontTrust Privilege Manager, a program that is still remarkably alone in providing certain powerful security features for Windows.
User access control is all about setting the privileges for users when accessing certain resources. The heart of the problem being discussed by Symantec is that when you set a general level for a user, and presumably the philosophy these days is that you set the user to have a limited set of rights, you are inevitably going to misestimate what they need for particular tasks.
The main benefit of this is to limit the damage that bugs and exploits in the application can do on a system. When you read vulnerability disclosures you often see a line about the attacker only having the same privileges as the user of the application, and this is an important restriction.
Vista’s LUA deals with this by asking the user for more privileged credentials when a task is run that requires them. Nothing shocking here; Mac OSX has done this for years and been praised for it.
There are two approaches to application privileges: building up and dumbing down. Privilege Manager and Vista support both, in different ways. With building up, described above, you start out with an unprivileged user and grant them the privileges they need, and only what they need, on an on-demand basis.
With dumbing down, you start out with a privileged user, like an administrator, and decrease rights when running potentially dangerous applications like Internet Explorer.
Windows Vista users use the building up approach as a general matter, which is why they see the privilege checks Symantec is talking about.
They also use the dumbing down approach in a couple of ways. When logged in as Administrator, Vista tries to dumb down automatically and reminds the user if an app is using privileged operations. Also IE7 itself, even when run by an Administrator, runs in a specially-crippled configuration. (You might say IE is on probation for life, and with its record the sentence is deserved.)
Some time ago I heard a rumor that Microsoft was going to include functionality like this in Windows Longhorn, but it appears that was wrong. I’ve asked the Longhorn team point blank and they say they haven’t heard of it, and neither has BeyondTrust.
The only strange thing about this is why Microsoft won’t do it; it’s been many years since they introduced the basic functionality, and yet they leave it in there inaccessible to users.
In fact, the situation is even stranger than that. BeyondTrust used to be DesktopStandard and PrivilegeManager used to be PolicyMaker Application Security, which eWEEK Labs reviewed rather favorably last year. Then a lot happened: Microsoft bought DesktopStandard lock, stock and barrel, except for PolicyMaker Application Security. Some of the principals took that application, which they said was their fastest growing product, and became BeyondTrust.
A few months before that, Microsoft bought tools vendor Winternals, apparently more to get the principals of that company (the famous Mark Russinovich and Bryce Cogswell) than their products, many of which Microsoft discontinued.
One of the discontinued products was Winternals Software Protection Manager, about which eWEEK Labs also had some nice things to say. In fact, Microsoft even now endorses BeyondTrust Privilege manager as a migration path for Winternals Software Protection Manager customers.
So not only has Microsoft not provided a product in this space, they seem determined not to do so. I’m at a loss to explain this. I can see them not wanting to proceed using the Winternals product, which had some architectural problems, not least of which was that it wasn’t based on Group Policy, but they let the DesktopStandard product slip through their fingers too.
Before Microsoft got the LUA religion it was commonly used as a stick to beat the company with, since OSX did it so well. UNIX was better in so many ways and many Windows users lazily run as Administrator. Now that Vista takes LUA so seriously you’ll see the same reflexive Microsoft bashers complaining about all the privilege checks.
I think consistency is in order here: Microsoft should be extending LUA using the underlying features they built in to Windows to do the job. At least someone is doing it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.