Fewer permissions are key to Longhorn security
- 07 April, 2005 12:18
Software engineers who attend Microsoft's annual Windows Hardware Engineering Conference later this month could get their first taste of a new Windows user permissions model that could change the way thousands of programs are developed and run. But as the company prepares for the final Longhorn development push, questions remain about its plans for a new user privileges model called Least-Privilege User Account, or LUA.
Microsoft claims that LUA will make life tougher for hackers and virus writers by limiting access to administrator permissions on Windows systems. But the company has been mum in recent months about its plans for implementing LUA in Longhorn, and it is considering incentives to encourage adoption of LUA (pronounced "Loo-ah") by skeptical ISVs (independent software vendors), including a new logo program for LUA compliance, according to interviews with ISVs and industry experts. Least permissions is a principle of computer security that recommends giving software applications and their users no more privileges on an operating system than are absolutely necessary.
Widely accepted within the software development community, least permissions had often been overlooked in recent years, as operating system and application software companies worked to make it easier to use software, vice-president of Internet security at Gartner, John Pescatore, said Microsoft said it would encourage the use of least permissions in Longhorn by making it easier for users to do common tasks without administrator privileges. For example, the company may modify Windows so reduced permissions users can alter display and power management settings on their machine and use virtual private network (VPN) technology more easily. Other changes will allow developers to create per user installations of applications, with user-specific settings saved in the "my programs" folder, rather than a globally accessible program files directory that requires administrative permissions to change, according to documents and presentations on Microsoft's Web page.
Microsoft also proposed application manifests, which allow developers to define the permissions an application needs to operate properly and can be signed by ISVs to ensure their integrity. Deployment manifests, signed by IT departments, will allow network administrators to dictate how much trust an application should have on the network, according to the documents.
The changes are intended to revive an important security concept that has been a low priority among many Windows users and application developers.
"I don't think the notion of application runtime permissions are either well understood or well handled," said Jason Rimmer, chief architect at Vertex Inc., a tax technology and services provider based in Berwyn, Pennsylvania. "Coming from Unix, you're used to asking 'Does this run under root or not?' But Windows operators have never had to consider that. LUA will force that choice on people," he said.
For example, Windows programs commonly save user-specific files to critical areas of the operating system, such as the program files directory or protected parts of the Windows registry, which stores configuration information and is off-limits to regular users, wrote co-founder of Pluralsight, Keith Brown, in an MSDN document on LUA from April 2004.
Application developers who log onto their development machines as administrators when they write code create programs that assume that level of privilege, but have trouble when run by a user with reduced permissions, according to Brown, who estimated that 90 per cent of Windows software couldn't be installed without administrator access to Windows, and that 70 percent wouldn't run properly unless the user is an administrator. (See: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp.)
Network administrators enforce strict user privileges on networks and restrict access to servers and other resources, but individual Windows users often log on to their Windows system as a local administrator because of the difficulty running even common programs with just user permissions. Authors of viruses, worms, bots and spyware take advantage of those elevated privileges to install malicious programs and change the configuration of Windows to keep their creations from being detected, shut down or removed, experts say.
A strictly enforced LUA model could make it harder for worms and viruses to take over Windows systems. But Microsoft may have a tough time changing user and developer behavior, even with new features that support the LUA regime in Longhorn, experts warn.
"The (LUA) framework we're talking about has been there for 10 years," president of Terabyte Computers, Brian Bergin, said."
The fact is that vendors go the lazy route and continue to dump program settings in (the program files directory). Software vendors, including Microsoft, have to stop writing lazy code."
To encourage adoption of LUA features and principles, Microsoft had worked closely with Macrovision to develop application installation and setup programs for use with Longhorn that incorporated LUA concepts, product manager for the InstallShield product at Macrovision, Bob Corrigan, said. Installations are a pain point for LUA in Windows, because they require files to be written to different areas of the Windows file system and configuration changes in the Windows registry that often are inaccessible to ordinary user accounts.
"The advent of LUA will compel ISVs and corporations to take a close look at what applications do at the point they are [installed]," Corrigan said.
Macrovision hopes to simplify some of the complexity of LUA in its applications. For example, future versions of InstallShield will allow ISVs to build application installation and setup programs that segregate user and administrator functions, so that users don't have to have administrative access to install some software and administrative-level permissions aren't accidentally extended to non-administrators, he said.
That was a change from current Windows installation routines, which typically mashed together common and administrative components during installation without any clear distinction between the two, Corrigan said.
Microsoft was also weighing a logo program, akin to the Windows logo program, that would grant special status to applications that complied with LUA principles, he said.
"If there are some qualifications for being LUA compliant, a logo compliancy program could enforce them at a critical point: the creation of an installation for delivery," Corrigan said.
Microsoft declined to comment, but a source confirmed that the company was working on a logo program similar to what Corrigan described. Microsoft declined repeated invitations to discuss LUA's role in upcoming Longhorn releases, but said it was considering LUA for future releases as part of an overall vision for multilayered security known as "defense in depth", according to an e-mail statement attributed to Amy Roberts, director of the Security Business and Technology Unit at Microsoft.
Behind the scenes, Microsoft had given ISVs a broad outline of its LUA plans, but few specifics, Rimmer said.
"The architectural concept [of least permissions] has been around for a while, so I'm looking for rich information from [Microsoft]. ... I'm looking to get more assistance with the actual security constraints are to each [privilege] level - such as 'Users can add other users or install software or get performance information'," he said.
The dearth of information in recent months has led to speculation that some core components of LUA are being reconsidered as the Longhorn development team gears up to create an alpha version of the product.
"If I had to guess, there's less chatter because this is lobbying time. ... [Microsoft] is taking feedback from major customers and trying to figure out how to turn that into a component that's in the product," said Russ Cooper, senior scientist at Cybertrust and editor of the NTBugtraq discussion list.
Some aspects of LUA might also be tied to the next-generation Windows File System, which Microsoft has said that it would not ship with the first version of Longhorn at the end of 2006, Pescatore said.
Regardless, LUA will be a major change for many application developers, and Microsoft needs to begin laying the groundwork for the change, experts agree.
"They have to nail it down now and give ISVs a year and a half," Pescatore said. "If you look at [Windows XP] SP2 and the firewall being enabled by default, they tried to do that a year in advance, and heard a lot of squawking from ISVs who said they broke applications."
The company should also expect that ISVs would have to be convinced that complying with LUA as part of a logo program or not is a priority that is worth the extra development effort, Rimmer said.
"LUA is a change that doesn't equal value to ISVs, so you're going to get pushback," he said.
Still, Rimmer is giving Microsoft the benefit of the doubt, even though there are still question marks around the company's specific plans.
"Microsoft employs very smart people and this is an architectural foundation that already exists. They're going to take it and enhance it for their platform, like they did with the introduction of active directory," Rimmer said, referring to Microsoft's implementation of Lightweight Directory Access Protocol (LDAP).
The company also has an opportunity to brand LUA with its own user-friendly features and interfaces, which would be a vast improvement over platforms like Sun Microsystems's Trusted Solaris and Unix, Gartner's Pescatore said.
"They are so complex, nobody can use them," he said. "They require every user to be a security expert. But if you look at what Microsoft is good at, it's not inventing ways to do security, but ways to make security easier to implement for security administrators."