Date: Wed, 23 Feb 2005 13:52:20 -0800 (PST)
From: "Rick Graves" <gravesricharde@yahoo.com>
Subject: RE: LUA false advertising
To: Jenni Merrifield @microsoft.com
 
 
Jenni,

Thanks for the response.  Sorry for taking so long to
get back to you -- my normal schedule has been
disrupted by two out-of-town trips.  

With respect to "Limited" user accounts, ("LUA"), you
acknowledge the following:

> Windows XP does allow the creation of
> an account that runs with least privileges ....

On that we agree.  I get picky with the rest of the
sentence,

> ... but, unfortunately, the system was not
> really designed with widespread LUA use in mind.

I can agree with the rest ONLY if "the system" refers
to all application software (MS Office, MS Visual
FoxPro, etc., along with software products from other
vendors), in addition to Windows XP itself.  From my
perspective, there is no problem with Windows XP
itself, but lots of "awkward complications" are
injected into the equation by APPLICATIONS that are
not 100% "least privilege" compatible.  

I got the "awkward complications" phrase from your
Microsoft TechNet article, "Using a Least-Privileged
User Account" that prompted me to write, here:

http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx#EBAA

With respect to the world of "awkward complications",
in my experience most can be worked around, and most
workarounds are easy, but with one catch: the
computer user must accept having more than one account
-- that is, it is OK for one person to have both an
administrator account and a "regular user" account (to
use the Linux term for the latter, rather than the
Microsoft term, "Limited").  (I will address the catch
further down.)  

I tackled the workarounds for the "awkward
complications" when I first started using Win XP in
2002, and as a result, using Win XP while applying
"the principle of least privilege" has been easy for
me ever since.  Except when I am installing or
removing software (rarely), I spend all my time in a
"Limited" (regular user) account, and go into an
administrator account no more often than once per week
-- to download virus definitions and to download and
apply security patches from Microsoft.  Obviously, the
software that I normally use on Windows does not
include one of the few packages for which some
"awkward complication" workaround is impossible.  

I am also of the opinion that the experience of most
Win XP users would be similar to mine, if it were not for
what I consider to be a Microsoft misinformation
campaign concerning applying "the principle of least
privilege" in Windows XP.  I know of three elements to
Microsoft's misinformation campaign: 1) Push the idea
that a person can have one and only one account, hence
everyone wants to be an administrator, 2) Apply the
pejorative label "Limited" to the regular user
account, hence no one wants to be "Limited", and 3)
Make sure there is no recommendation to use "the
principle of least privilege" anywhere the owner of an
"unmanaged system" can find it.  

Microsoft launched a "Designed for Windows XP" program
BEFORE releasing Windows XP.  Microsoft could have
included testing software for LUA compatibility if it
had wanted to.  Microsoft had this idea in mind before
releasing Windows XP, as is clear from the last two
sentences on the "Limited" user account dialog, of
which I put a picture here:

http://www.advanced-app.com.hk/MiscJunk/LimitedAccounts.jpg

"For best results, choose programs bearing the
Designed for Windows XP logo, ...."  Microsoft had the
idea, but abandoned that aspect of the program, and
forgot to update this screen to reflect its change of
plan.  

From my perspective, Microsoft's logic for suppressing
the use of "least privilege" boils down to this: no
one should take advantage of the protection because it
is not convenient for everyone.  From this
perspective, Microsoft's position is so absurd that I
personally must believe that Microsoft's stated
position is not the "real reason", rather just the
best excuse Microsoft can make under the circumstances
to deflect attention from the "real reason".  

Do Microsoft people really think that a person can
have ONE AND ONLY ONE account?  (I know one who did
before I pointed out the two account option.)  See the
user account set up screen from a Win XP install that
I performed recently with a version that includes SP2
(but the XP versions before are exactly the same in
this respect):

smaller image file
http://www.advanced-app.com.hk/MiscJunk/WinXPsetup05.jpg

bigger image file
http://www.advanced-app.com.hk/MiscJunk/WinXPsetup05big.jpg

begin quote

Who will use this computer?

Type the name of each person who will use this
computer.  Windows will create a separate user account
for each person so you can personalize the way you
want Windows to organize and display information,
protect your files and computer settings, and
customize the desktop.

Your name:

2nd User:

{etc.}

These names will appear on the Welcome screen in
alphabetical order. When you start Windows, simply
click your name on the Welcome screen to begin.  If you
want to set passwords and limit permissions for each
user, or add more user accounts after you finish
setting up Windows, just click Control Panel on the
Start menu, then click on User Accounts.

end quote

Are you aware that the rest of the computer universe
is under the belief that a person can have more than
one account?  As far as I know, the notion of "one
person, one account" is entirely a Microsoft
phenomenon.  

I do not expect you to divulge Microsoft's "real
reasons" as a result of my emails.  So the more
productive result of this exchange would be to focus
on actions moving forward.  

Quoting from your email, "In short, while we certainly
do believe that Longhorn will make running as LUA a
far better experience for typical users on unmanaged
systems than it is with WinXP today, ...."  That is
good.  As long as the Longhorn hype makes this clear,
you will have no problem from me.  In contrast, I
would have a problem with your TechNet publication:
"However, with the release of the next Windows
operating system, codenamed 'Longhorn,' almost every
user will be able to make regular, daily use of this
important security principle."  To my reading of the
article, it lacks the emphasis of the sentence from
your email, and is misleading as a result.  

If the Microsoft hype leads those who have been
brainwashed with "one user, one account" (i.e.,
Microsoft's "unmanaged systems" customer base) to
believe that one must purchase Longhorn to take
advantage of the "principle of least privilege", there
are Attorneys General in 50 States and a Federal
Trade Commission in Washington DC to whom I will
express my views.  

Rick


--- Jenni Merrifield <jennim@microsoft.com> wrote:

> Rick, thanks for writing.
>
>   Perhaps I should clarify the statement, "least
> privilege is not in
> active use on most Microsoft Windows-based systems".
>  This statement
> applies mostly to home or other "unmanaged" systems,
> where the person
> who is responsible for maintaining the computer is
> also the person who
> is using it.  Windows XP does allow the creation of
> an account that runs
> with least privileges but, unfortunately, the system
> was not really
> designed with widespread LUA use in mind.  It can be
> done, depending on
> the software the user wants to use, and the amount
> of time and effort he
> or she is willing to put into discovering and using
> various workarounds,
> but it is not exactly "simple" or "straightforward".
>
>   For example, it is true that you can enhance the
> security of the
> system by doing what you have suggested - using two
> different accounts,
> one LUA and one ADMIN - and other LUA best practices
> and tools are
> available, many of which (including your suggestion)
> can be found on
> Aaron Margosis' "Non-Admin WebLog"
> (http://blogs.msdn.com/aaron_margosis).  However,
> none of these options
> are seen as simple by many users.  
>
>   Apps also contribute to the problem - most apps
> shouldn't need admin
> privileges, but all too often developers include
> something that requires
> privilege, sometimes without even realizing it.
> Users buy computers to
> run applications and will generally do whatever it
> takes to get the
> apps they buy to run.  Setting up separate accounts
> and switching
> between them is annoying enough - trying to keep
> track of which apps
> must be run with which account is more than most
> users are willing (or
> should be expected) to do.
>
>   In the end, everything always works when running
> as admin, so the path
> of least resistance is to have one account that runs
> as ADMIN and then
> you never need to remember what tools or accounts
> need to be used at
> which times and for which applications.  Solving
> this problem is not a
> trivial task, but it is one that we hope will be
> seamless and
> transparent for the vast majority of these same
> users when Longhorn
> ships.
>
>   I hope I have addressed what appears to be your
> major concern
> regarding the article.  In short, while we certainly
> do believe that
> Longhorn will make running as LUA a far better
> experience for typical
> users on unmanaged systems than it is with WinXP
> today, we are not
> suggesting that the principle of Least Privilege is
> unavailable to
> current users or that it can only be used by purchasing
> Longhorn once
> released.  Rather, the very opposite is true -- we
> *want* users to start
> securing their systems by setting their accounts to
> run as LUA right
> NOW, not later (This was even the focus of the
> second to last section of
> my article, "Secure Your Systems with LUA" --
>
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx
> #EBAA)
>
>   Yours,
> Jenni A. M. Merrifield
>
> --
> Jenni A. M. Merrifield
> User Experience PM - Windows Security Access Control
> Designing to Requirements and Walking on Water are
> EASY. . .
> . . . So long as Both are Frozen.
> ----------
> Are you a creative and innovative Product Designer?
> Are you excited by challenging and critical design
> work?
> Are you often frustrated by having to explain
> security dialogs to family
> and friends?
> Windows Security Access Control has the perfect
> opportunity for you!
>
> http://www.microsoft.com/careers/search/details.aspx?JobID=8804b9c6-c912-45b3-8615-84876ad02286
> --
>
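The two-account arrangement Rick describes (a daily-use "Limited" account plus a separate administrator account) is easy to get subtly wrong, for example when setup silently makes every account an administrator. The following script is an added example, not part of either e-mail and not a Microsoft tool: it reports whether the current session holds administrator rights and which local accounts are members of the local Administrators group, so a user can confirm that the account they work in every day is really the regular-user one. It assumes PowerShell on a Windows machine and uses the WinNT ADSI provider, which exists on XP-era and later systems.

```powershell
# Added example (not from the e-mail thread): audit the two-account LUA setup.
# Assumes PowerShell on Windows; the WinNT ADSI provider enumerates local
# accounts and the local Administrators group without any extra modules.

function Test-CurrentUserIsAdmin {
    # True when the token of this session carries the Administrators role.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Names of every direct member of the local Administrators group.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-LocalAccountReport {
    # One row per local user account, flagged if it is an administrator.
    $admins   = @(Get-LocalAdminMembers)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object {
            $name = [string]$_.Name
            New-Object PSObject -Property @{
                Account = $name
                IsAdmin = [bool]($admins -contains $name)
            }
        }
}

# The account used for everyday work should show IsAdmin = False, and this
# check should report False when run from that account.
"Current session has administrator rights: $(Test-CurrentUserIsAdmin)"
Get-LocalAccountReport | Format-Table Account, IsAdmin -AutoSize
```

Run it once from the daily-use account and once from the administrator account; the first run should report no administrator rights, and only the intended administrator account(s) should be flagged.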