Date: Tue, 1 Feb 2005 10:02:38 -0800
From: Jenni Merrifield @microsoft.com
Subject: RE: LUA false advertising
To: "Rick Graves" <gravesricharde@yahoo.com>,
"LUA Q&A (customer feedback alias)" <lua-qa@microsoft.com>
 
 
Rick, thanks for writing.

  Perhaps I should clarify the statement, "least privilege is not in
active use on most Microsoft Windows-based systems".  This statement
applies mostly to home or other "unmanaged" systems, where the person
who is responsible for maintaining the computer is also the person who
is using it.  Windows XP does allow the creation of an account that
runs with least privileges but, unfortunately, the system was not really
designed with widespread LUA use in mind.  It can be done, depending on
the software the user wants to use, and the amount of time and effort
he or she is willing to put into discovering and using various
workarounds, but it is not exactly "simple" or "straightforward".

  For example, it is true that you can enhance the security of the
system by doing what you have suggested - using two different accounts,
one LUA and one ADMIN - and other LUA best practices and tools are
available, many of which (including your suggestion) can be found on
Aaron Margosis' "Non-Admin WebLog" (http://blogs.msdn.com/aaron_margosis).  
However, none of these options are seen as simple by many users.  

  Apps also contribute to the problem - most apps shouldn't need admin
privileges, but all too often developers include something that
requires privilege, sometimes without even realizing it.  Users buy
computers to run applications and will generally do whatever it takes
to get the apps they buy to run.  Setting up separate accounts and
switching between them is annoying enough - trying to keep track of
which apps must be run with which account is more than most users are
willing (or should be expected) to do.

  In the end, everything always works when running as admin, so the
path of least resistance is to have one account that runs as ADMIN and
then you never need to remember what tools or accounts need to be used at
which times and for which applications.  Solving this problem is not a
trivial task, but it is one that we hope will be seamless and
transparent for the vast majority of these same users when Longhorn
ships.

  I hope I have addressed what appears to be your major concern
regarding the article.  In short, while we certainly do believe that
Longhorn will make running as LUA a far better experience for typical
users on unmanaged systems than it is with WinXP today, we are not
suggesting that the principle of Least Privilege is unavailable to
current users or that it can only be used by purchasing Longhorn once
released.  Rather, the very opposite is true -- we *want* users to
start securing their systems by setting their accounts to run as LUA
right NOW, not later (This was even the focus of the second to last
section of my article, "Secure Your Systems with LUA" --
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx#EBAA)

  Yours,
Jenni A. M. Merrifield

--
Jenni A. M. Merrifield
User Experience PM - Windows Security Access Control
Designing to Requirements and Walking on Water are EASY. . .
. . . So long as Both are Frozen.
----------
Are you a creative and innovative Product Designer?
Are you excited by challenging and critical design work?
Are you often frustrated by having to explain security dialogs to family and friends?
Windows Security Access Control has the perfect opportunity for you!
http://www.microsoft.com/careers/search/details.aspx?JobID=8804b9c6-c912-45b3-8615-84876ad02286
--

 

> -----Original Message-----
> From: Rick Graves [mailto:gravesricharde@yahoo.com]
> Sent: Wednesday, January 26, 2005 2:49 PM
> To: LUA Q&A (customer feedback alias)
> Subject: LUA false advertising
>
> Hello LUA Q/A,
>
> The Microsoft party line is that there is an "important
> security principle" out there, but one must wait and
> then pay for Longhorn before one can use it.
>
> begin quote
>
> Today, due to awkward complications that arise when it
> is employed, least privilege is not in active use on
> most Microsoft Windows-based systems. However, with
> the release of the next Windows operating system,
> codenamed "Longhorn" almost every user will be able to
> make regular, daily use of this important security
> principle.
>
> end quote
>
> http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx
>
> If this were being put out to the general public,
> instead of to the TechNet crowd, I would call it false
> advertising.  One can make use of the "important
> security principle" without waiting, and without
> having to pay for a new product -- I have been doing
> so since shortly after the release of Win XP in 2002.
> No one has to wait, and no one who has Win XP has to
> pay.  
>
> Making "regular, daily use of this important security
> principle" is easier than Microsoft makes it out to
> be.  Just set up and use a "Limited" account for the
> two most high risk activities, surfing the web and
> doing email.  (IE and all tested varieties of Outlook
> work fine from a "Limited" account.  Outlook may
> require some set up steps, but Microsoft is good at
> doing those.)  
>
> One can access all legacy applications from an
> administrator account.  Microsoft knew that this was
> a complete solution to the "backward compatibility
> issue" before it released Win XP, as is from the last
> paragraph on the Limited Account dialog, a picture of
> which I have put here:
>
> http://www.advanced-app.com.hk/MiscJunk/LimitedAccounts.jpg
>
> To accept this easy solution, one must accept that one
> person can have two or more accounts.  I have observed
> that Microsoft people sometimes get stuck because they
> assume (incorrectly) that one person can have one and
> only one account.  This is simply not so -- any
> computer owner can have both a "Limited" account and
> an administrator account.
>
> Of course it is good to make using LUA easier.  But I
> believe Microsoft should not imply that the easier
> (but more expensive) option is the only option.
>
> I commend Microsoft for beginning to promote the
> concept of LUA.  However, if Microsoft publicly ties
> making use of the concept to paying for the Longhorn
> product, I will cry "Foul!" at the top of my lungs.  
>
> Rick Graves