Windows Vista and Principle of Least Privilege
The IT community has had many issues with Microsoft's current practice of installing Windows with only an Administrator account, which has full access to the computer. As viruses, malware, worms, and attackers grow by leaps and bounds, measures must be taken to reduce a Windows computer's exposure to these attacks. The measures Microsoft is taking are not 100% clear, but the overall message has stayed the same: Microsoft will have some form of least privilege for users in Vista; it is just not clear how far they will go with it.
Defining Principle of Least Privilege
The definition of the Principle of Least Privilege is fairly simple and easy to comprehend: users are given only the privileges absolutely necessary to perform a given task, whether that is configuring their computer, browsing the Internet, running a financial application, or sending e-mail. You might also have heard the term Least Permission, which is very similar to the Principle of Least Privilege.
Current Attempts to Implement Principle of Least Privilege
Administrators struggle every day to control what users can access. The principle of least privilege spans beyond the user's computer and into the network itself. For example, administrators spend countless hours making sure that access control lists on network resources are configured properly. These access control lists allow only the configured users access to the resource they are attached to. Every network resource (file, folder, printer, etc.) has an access control list on a Windows network.
An additional attempt to control what users have access to is locking down server access. This is typically done through access control lists and user rights. User rights control what a user can do on the server. Examples of user rights include logging on locally, accessing the computer over the network, backing up files and folders, and logging on through a Terminal Services session.
These attempts at locking down network resources and servers are very successful. However, these configurations have no bearing on whether the user is logged in to their local computer as a typical user (a least privilege user) or as an administrator. Therefore, the main weakness in implementing the Principle of Least Privilege is at the user's computer.
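The two checks an administrator actually runs when auditing this gap are (a) whether a resource's access control list grants write rights to broad groups and (b) whether the session on the local computer is administrative. The following PowerShell script is an added example written for this article, not code from the article or from Microsoft; it assumes PowerShell 5.1 or later on Windows, and the folder path `C:\Shares\Finance` is a hypothetical placeholder.

```powershell
# Added example (not from the article): audit a folder's ACL for broad write access
# and report whether the current session carries administrative privilege.
# Assumptions: Windows with PowerShell 5.1 or later; $Path is a hypothetical folder.
param(
    [string]$Path = 'C:\Shares\Finance'   # hypothetical share folder
)

# Principals that, when granted write rights, defeat least privilege on a resource.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal alter content rather than merely read it.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Test-IsAdministrator {
    # True when the token of the current process is a member of the local
    # Administrators group, i.e. the user is not running with least privilege.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BroadWriteAces {
    # Returns each Allow entry on $Path that gives a broad principal write rights.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Path not found: $Path" }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0
        $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        if ($grantsWrite -and $isBroad) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

"Current session is administrative: $(Test-IsAdministrator)"
$findings = @(Get-BroadWriteAces -Path $Path)
if ($findings.Count -eq 0) {
    "No broad write access found on $Path"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as the account being assessed: a result of `True` from `Test-IsAdministrator` on a workstation is exactly the condition the paragraph above identifies as the weak point, regardless of how well the server-side ACLs are tuned.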
Reasons and Pitfalls to Giving Administrative Privilege to Users
I don't know many administrators who want to give administrative access to their end users, even when the reason is to install and run a key application on the computer. Some reasons that users might need administrative access to their computer include:
installing printer drivers
changing the system time or time zone
installing security patches
running Windows tasks or administrative tasks
In each case the administrative privilege is genuinely needed for the task. There are still more reasons that users log on with administrative privileges. Although these reasons apply mainly to home users, many companies also fall prey to running as an administrator for the following reasons:
It is the default user that is installed, so it is used
It seems to work for everything that I need, so it is used
I did not know I could create another user account
There is currently no way to restrict a user from having administrative access to the entire computer once they have been given administrative access for one of these tasks. This means that a user with administrative access to the computer can also perform other tasks such as:
browsing the Internet as an administrator
installing other applications on their computer
changing key network settings
removing their computer from the domain
Application Development and Installation Concerns
If we focus strictly on the need for a user to be an administrator to run an application, the problem stems from the development of the application. In almost every case the developer is logged in as an administrator to develop and test the application's behavior. Few applications are developed to run under a least privilege concept or environment.
Another pitfall with most applications that require the user to be an administrator is that the application writes data to key system folders and Registry locations that require administrative access. These might include:
Research on applications requiring administrative access has resulted in staggering figures. The research indicated that an estimated 90 percent of Windows software can't be installed without administrator access to Windows. This is coupled with the figure that 70 percent of applications won't run unless the user has administrative privileges.
Microsoft's Solution to Principle of Least Privilege
Microsoft is taking measures to fix almost every one of these problems to ensure that there is a least privilege user in Windows Vista. When Vista was still codenamed Longhorn, Microsoft referred to a new user privilege model called Least-Privilege User Account (LUA). The idea of the LUA account was that it would not have administrative privileges to the computer, reducing the effect that viruses and attackers would have if the account were compromised.
For a while, Microsoft also pushed independent software vendors to consider supporting the LUA account. This included a special logo program for LUA compliance.
The name LUA was a poorly chosen one, since it was impossible for Microsoft to implement the concept of a Least Privilege User Account with the technology they were talking about providing in Longhorn. Microsoft discussed technologies like the Run As command, which does not use the concept of least privilege at all: the user runs an application as a different user that has administrative privilege. Thus, they can abuse the service and even log on as the user that has the elevated privileges.
Once Microsoft changed the name of Longhorn to Vista, they also changed the name of their least privilege model. The new name is User Account Protection (UAP). The concepts of UAP are not that different from those of LUA, but there are some differences. Some of the key concepts that Microsoft is trying to implement with UAP include the following tasks, which will not require administrative access:
Laptop users will be able to set a WEP key to attach to a home wireless network
Users will be able to install printer drivers
Users will be able to download and install updates
VPN and dial-up connections can be created and established
Running most applications
One of the features that Vista is promising is handling application installations that do require administrative privileges. The goal is to have Vista prompt the user for administrative credentials only for the applications that need them. This is due to those applications' need to store files and settings in the system folders and Registry keys discussed earlier. If the user does not have administrative credentials, Vista will provide Registry and file virtualization. This virtualization will be per computer and will store the application's information in per-user locations that the user has privileges to access.
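The practical side of this paragraph is twofold: an application written for a least privilege user should keep its data in per-user locations in the first place, and an administrator will want to find the legacy programs that still write to machine-wide locations and are being silently redirected. The script below is an added example written for this article, not code from the article or from Microsoft. It assumes PowerShell 5.1 or later; the application name `ContosoLedger` is hypothetical. The redirection targets it inspects (`%LOCALAPPDATA%\VirtualStore` for files and `HKCU\Software\Classes\VirtualStore` for the Registry) are those used by the released Windows Vista and later versions, which the article, written before release, does not name. PowerShell itself declares a requested execution level in its manifest and is therefore never virtualized, so the write probes reflect the user's real permissions.

```powershell
# Added example (not from the article). Part 1 probes whether the current user can
# write to per-user versus machine-wide locations; part 2 lists what Vista's file and
# Registry virtualization has already redirected for legacy applications.
# Assumptions: Windows with PowerShell 5.1 or later; 'ContosoLedger' is hypothetical.

$AppName = 'ContosoLedger'   # hypothetical application name

# Per-user locations: writable without elevation, no virtualization needed.
$UserDataDir = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) $AppName
$UserRegKey  = "HKCU:\Software\$AppName"

# Machine-wide locations that a least privilege user cannot write to.
$MachineDataDir = Join-Path ([Environment]::GetFolderPath('ProgramFiles')) $AppName
$MachineRegKey  = "HKLM:\SOFTWARE\$AppName"

function Test-CanWrite {
    # Returns $true if the current user can create a file or Registry value at
    # $Target. Containers and probe entries created here are removed again.
    param([string]$Target)
    $created = $false
    try {
        if ($Target -like 'HK*:*') {
            if (-not (Test-Path $Target)) {
                New-Item -Path $Target -Force -ErrorAction Stop | Out-Null
                $created = $true
            }
            New-ItemProperty -Path $Target -Name 'ProbeValue' -Value 1 -Force -ErrorAction Stop | Out-Null
            Remove-ItemProperty -Path $Target -Name 'ProbeValue' -ErrorAction Stop
            if ($created) { Remove-Item -Path $Target -Recurse -ErrorAction Stop }
        } else {
            if (-not (Test-Path $Target)) {
                New-Item -ItemType Directory -Path $Target -Force -ErrorAction Stop | Out-Null
                $created = $true
            }
            $probe = Join-Path $Target ([IO.Path]::GetRandomFileName())
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -Path $probe -ErrorAction Stop
            if ($created) { Remove-Item -Path $Target -Recurse -ErrorAction Stop }
        }
        return $true
    } catch {
        # Access denied (or any other failure) means the location is not usable
        # by this user without elevation.
        return $false
    }
}

function Get-VirtualizedWrites {
    # Lists files and Registry keys that Vista has redirected on behalf of legacy
    # applications; each entry points at a program that still assumes admin rights.
    $fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
    $regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
    $results = @()
    if (Test-Path $fileStore) {
        $results += Get-ChildItem -Path $fileStore -Recurse -File |
            ForEach-Object { [pscustomobject]@{ Kind = 'File'; Location = $_.FullName } }
    }
    if (Test-Path $regStore) {
        $results += Get-ChildItem -Path $regStore |
            ForEach-Object { [pscustomobject]@{ Kind = 'Registry'; Location = $_.Name } }
    }
    return $results
}

# Part 1: the per-user locations should report True for an ordinary user and the
# machine-wide ones False.
foreach ($target in $UserDataDir, $UserRegKey, $MachineDataDir, $MachineRegKey) {
    '{0,-60} writable: {1}' -f $target, (Test-CanWrite -Target $target)
}

# Part 2: anything listed here belongs to an application that is not yet
# least-privilege clean and is surviving only because of virtualization.
Get-VirtualizedWrites | Format-Table -AutoSize
```

Run part 1 as the unprivileged user, not from an elevated prompt; elevated, every location reports writable and the comparison tells you nothing. Part 2 is the quickest inventory of which applications a vendor still needs to fix before the virtualization crutch is removed.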
Microsoft is also attempting to tackle the application issues head on. They have reportedly been working with vendors of application installation software to include LUA/UAP technologies. Some of the work revolves around a segregated setup that divides user and administrator functions. This does raise potential issues with getting the software installed at all, but those issues were not brought up in my research.
Microsoft does already have a technology to install applications for users who are logged in with least privilege access: Group Policy software installation, which can install applications without an administrator being logged in to the computer. If this is coupled with other technologies like PolicyMaker Application Security, the issues of installing and running applications as a least privilege user are solved.
The need for users to be logged in with least privilege access is paramount to the future security and stability of all networks. There are too many vulnerabilities and risks associated with having users logged in as administrators. With companies like Microsoft pushing the implementation of least privilege in their operating systems, the possibility of seeing a least privilege model in Vista is very real. It does not appear that Microsoft will go all the way in implementing a complete least privilege solution, but with some third party solutions for controlling applications, we will be very close. For now, we will just need to keep our eyes on what Microsoft does with Vista.