To: Ed Skoudis and Lenny Zeltser
From: Rick Graves
cc: Roger Grimes, Jenni Merrifield @microsoft.com, PC Magazine, Stephen Northcutt
Re: least privilege and Windows XP
Date: 13 March 2005
Hello Ed and Lenny,
I am reading your recent book, "Malware: Fighting Malicious
Code". I am writing because you give good advice concerning least
privilege, but I think you should adopt some additional explanation if
you want the advice to be understandable to most Windows XP users, such
as those using stand-alone systems.
In addition to introducing "the principle of least privilege" on page
59, your book says this:
begin quote
Never, ever, ever surf the Web or read
e-mail while logged in as a root
user on UNIX or any user in the Administrator's group on Windows.
You're asking for trouble if you surf or read e-mail in this way,
because all malware inside your browser or mail reader will run with
superuser privileges.
end quote
I agree 100% that the advice is good. The problem is the advice
is expressed using words that Microsoft did not teach to rank and file
Win XP users. As a result, I believe the words in the book would
NOT result in most Win XP users understanding the advice or
knowing how to apply it.
In PC Magazine's web version, from November of 2004, there is an
example of an explanation that would be easy for a Windows XP user to
understand and follow, here:
The article does a good job of explaining how to set up and use a
"Limited" account -- the (non-standard) Win XP term for an account
without administrator/superuser/root privileges. However, note
that the article does not mention the term "least privilege".
The passage from your book above would be incomprehensible to most Win
XP users in part because they already "know" that each person can have
one and ONLY ONE account (more on this later). Since they "know"
that a person can only have one account, your advice to "Never, ever,
ever surf the Web or read e-mail while logged in as ... any user in the
Administrator's group on Windows" does not compute! Also, the
term "Administrator's group on Windows" is a Windows server concept
that most users of stand-alone Win XP systems have never seen.
I have been using Win XP since it was released in 2002, and for
almost the whole time I have been applying the principle of least privilege
without knowing the term. I ran across the term "least privilege"
for the first time in January of this year, when Roger Grimes brought
the following Microsoft TechNet article, "Using a Least-Privileged User
Account", to my attention:
Here is a quotation from the article:
"Today, due to awkward complications that arise when it is employed,
least privilege is not in active use on most Microsoft Windows–based
systems."
This statement says that 1) least privilege is not in active use on
MOST Microsoft Windows–based systems, and 2) this is BECAUSE of
"awkward complications". (Here, "due to" means there is a cause and
effect relation.) The TechNet article mentions one reason
why this state of affairs came into being:
"One reason for so many Windows users running with an administrator
account is that 'Administrator' is the default type for new accounts on
Windows XP, Windows 2000, and Windows Server 2003."
Obviously, this is not the result of a freak accident. Rather,
Microsoft made a deliberate choice that least privilege should not be
used on most Microsoft Windows–based systems, Microsoft took steps to
implement that choice, and the steps succeeded in bringing about the
end result that Microsoft wanted -- least privilege is in fact NOT used
on most Microsoft Windows–based systems today. As a shorthand, I
refer to Microsoft's choice, steps and end result as "sweeping least
privilege under the rug" in Win XP.
Here are some of the other steps not mentioned in the article that I
have identified:
1. Push the idea that a person can have one and only one account
(more on this below), hence everyone wants to be an administrator,
2. Apply the pejorative label "Limited" to the regular user account,
hence no one wants to be "Limited",
3. Make sure there is no recommendation to apply the principle of
least privilege anywhere rank and file Win XP users are likely to find
it, and
4. Adopt non-standard terminology for the least-privilege-compatible
features in Win XP (such as "Limited" account), so that third-party
advice, such as that presented in your book, is incomprehensible to
rank and file Win XP users.
The last two, 3 and 4, are related but different. Item 3 is about
withholding the recommendation to take advantage of the protection
afforded by least privilege. Item 4 is about adopting
non-standard terminology to describe features that relate to least
privilege. Item 4 helps implement item 3 by tending to render
third-party recommendations to use least privilege incomprehensible.
I have referred to the numbered steps above as a "misinformation
campaign" in an email to Jenni Merrifield, the author of the TechNet
article. A friend who is a computer professional advised me that
the "misinformation campaign" term is inflammatory. In these
circumstances, as a shorthand label for the four steps, would you
think the term is fair or unfair?
Before it launched Win XP, Microsoft had the idea of using multiple
accounts in Win XP. For programs that do not work in a "Limited"
account, Microsoft knew that running such programs under an
administrator account would effectively work around the problem -- this
solution is set forth on the last paragraph on this screen from Win XP:
The text for this screen shows a plan that programs bearing the
"Designed for Windows XP" logo would work properly under a "Limited"
account, but legacy applications might need to be run under an
administrator account. "For best results, choose programs
bearing the Designed for Windows XP logo ...." Microsoft
abandoned the plan but forgot to change the wording on this
dialog.
Following the "awkward complications" sentence, the TechNet article's
next sentence reads as follows:
"However, with the release of the next Windows operating system,
codenamed 'Longhorn' almost every user will be able to make regular,
daily use of this important security principle."
But today, every Windows XP user can already make regular, daily use of
the principle of least privilege -- there is no need to wait, and there
is nothing more to buy. (The PC Magazine article from November
2004 explains how.)
To the vast majority of Windows XP users,
who do NOT know that their current operating system already has least
privilege capabilities, the quoted sentence would obviously cause them
to understand that least privilege is a new feature in Longhorn -- for
which they will have to pay to upgrade. The TechNet article is
not advertising, and there can be no false advertising without
advertising. However, if Microsoft were to make a similar claim
in connection with the Longhorn advertising campaign that will surely
come, I believe the claim would be illegal false advertising.
That sentence could only be OK if the sentences immediately
following explained that least privilege capabilities are already
available in Win XP. (In the TechNet article, the sentences
immediately following do NOT explain this.)
According to Microsoft, rank and file Win XP users should not use the
principle of least privilege until after they buy Longhorn. Note
that the intended audience of the TechNet article is NOT the rank and
file. Rather, for now, Microsoft is introducing the principle of
least privilege only to the consultant crowd and other disciples of the
word from Microsoft. (Microsoft does suggest in the article that
the TechNet crowd can try least privilege for now, but does not
recommend spreading the word on least privilege to the rank and file.)
Another quotation that illustrates the effectiveness of Microsoft's
efforts to sweep least privilege under the rug:
"Unfortunately, almost all Windows users today continue to use an
administrator account for their daily tasks."
To understand the status of least privilege in the Windows world today,
I think the article merits careful reading. Also bear in mind
that for the message in the passage from your book to be implemented by Win
XP users, you must explain the content clearly and with enough emphasis
to get least privilege out from under the rug and into the open.
The message from popular personal computer press has been consistent
with Microsoft's choice to sweep least privilege under the rug.
Here is an example -- until November 2004, this is what PC Magazine had
to say about "Limited" accounts (again, using the non-standard Win XP
term "Limited" for reduced privilege accounts):
"The standard recommendation for home users of Windows XP is to give
Administrator accounts to adult users and Limited accounts to children."
Note that the prior line in PC Magazine from May 2003 was based on "one
person, one account" thinking -- adults get administrator accounts,
children get "Limited" accounts. But the whole point of that
particular article was that since many games do not work under "Limited"
accounts, you have to upgrade the kids to administrator accounts as well!
Every computer user gets one administrator account!!!
Although the more recent, November 2004, PC Magazine article does a
good job of explaining how to apply the principle of least privilege
(without using the term), the bottom line recommendation is that it is
not worth the bother! This is the last paragraph:
begin quote
The bottom line is that the
limited-user option, while attractive from
a security perspective, creates difficulties for users. The impediments
to running Windows smoothly from it are significant unless the machine
configuration rarely changes. Until Microsoft and application
developers address the problem, users are left to choose between
security and smooth function, and that's not a choice anyone should
have to make.
end quote
To me, the contrast between your recommendation and that of PC Magazine
is striking. Given the same least privilege option, you and PC
Magazine end up at different extremes. How could this be?
One obvious difference -- Microsoft advertising revenue (PC Magazine)
and lack thereof (the two of you). This was driven home to me
when I read the TechNet article for the first time, in January, and
this sentence in particular:
"However, with the release of the next Windows operating system,
codenamed 'Longhorn' almost every user will be able to make regular,
daily use of this important security principle."
After I read the TechNet article in January, the November 2004 PC
Magazine article made perfect sense by adding a new sentence to the
last paragraph quoted above, on the end: "Wait and buy
Longhorn." I urge you to try it yourself -- re-read the last
paragraph from the PC Magazine article, quoted just above, and add to
the end, "Wait and buy Longhorn."
It seems to me that PC Magazine adopted a bottom line recommendation to
save the market for Longhorn, and this explains why PC Magazine's
bottom line is the opposite of yours. The wording of the TechNet
sentence and where PC Magazine came out on least privilege suggest to
me that in the upcoming Longhorn advertising campaign, Microsoft plans
to tout least privilege as a new feature in Longhorn that computer
users will want to get and for which computer users will want to pay.
I have informed Microsoft that if the upcoming advertising campaign
gives the impression to Win XP users that least privilege is a new
feature in Longhorn, I would object to the States' Attorneys General
and to the FTC in Washington, DC. The exchange of emails is here:
One person, one account
Before any Win XP user can be receptive to your recommendation to use
least privilege, the Win XP user must unlearn what they already know:
that each person can have one and only one account.
Win XP users who install their own operating system get their first
dose of "one person, one account" from the setup screens. Here is
the text from the screen that sets up accounts:
begin quote
Who will use this computer?
Type the name of each person who will use this computer. Windows
will create a separate user account for each person so you can
personalize the way you want Windows to organize and display
information, protect your files and computer settings, and customize
the desktop.
Your name:
2nd User:
{etc.}
These names will appear on the Welcome screen in alphabetical order.
When you start Windows, simply click your name on the Welcome screen to
begin. If you want to set passwords and limit permissions for
each user, or add more user accounts after you finish setting up
Windows, just click Control Panel on the Start menu, then click on User
Accounts.
end quote
Here is a big photo of the screen:
I did a Win XP install in January and took pictures of all the screens
in the process. In case you think that Microsoft must have put in
a recommendation to use least privilege somewhere, all the screen shots
are here:
These are smaller versions, more suitable for downloading. I have
the originals which are bigger, and the link to the original account
set up screen is above.
The other "smoking gun" example of one person, one account is the PC
Magazine article from May, 2003.
Quoting again from the TechNet article,
begin quote
The Security Principle of Least Privilege
If low-privileged processes are compromised, they will do a lot less
damage to a system than high-privileged processes are capable of doing.
Consequently, using a non-administrator account instead of an
administrator account while completing daily tasks offers the user
added protection against infection from a host of malware, external or
internal security attacks, accidental or intentional modifications to
system setup and configurations, and accidental or intentional access
to confidential programs or documents.
end quote
As you know, all of the above benefits are available in Win XP today --
there is no need to wait, and there is nothing more to buy.
It is however true that there are
many applications that do not work properly or at all under a "Limited"
account. However, Microsoft's Internet Explorer and all versions
of Outlook that I have tested DO work properly under a "Limited"
account. One way to work around the problems is to use a
"Limited" account for surfing and for email, and to use the
administrator account for everything else. This step applies the
least privilege protection where it is most needed.
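A user following the split described above needs a way to see which local accounts are administrators and whether the session they are sitting in is one. The PowerShell below is an added example, not code from this letter, the book or Microsoft's article; it assumes a stand-alone Windows machine with local accounts and PowerShell 2.0 or later, and the function names are my own.

```powershell
# Added example (not part of the original letter or of the book/article it
# discusses). Assumes a stand-alone Windows machine with local accounts and
# PowerShell 2.0 or later; account names are whatever the machine has.

# Is the current session running with Administrators-group rights?
# A "Limited" account (the Win XP name for a non-administrator) returns $false.
function Test-AdministratorSession {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# List every local user account and whether it belongs to the local
# Administrators group, using the WinNT ADSI provider (present on XP).
function Get-LocalAccountPrivilege {
    $computer = $env:COMPUTERNAME
    $group    = [ADSI]"WinNT://$computer/Administrators,group"
    $adminNames = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $machine = [ADSI]"WinNT://$computer"
    foreach ($child in $machine.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne 'user') { continue }
        $name = $child.psbase.Name
        New-Object PSObject -Property @{
            Account         = $name
            IsAdministrator = [bool]($adminNames -contains $name)
        }
    }
}

# Report which accounts exist, which are privileged, and what this session is.
function Show-LeastPrivilegeStatus {
    $accounts = @(Get-LocalAccountPrivilege)
    $accounts | Format-Table Account, IsAdministrator -AutoSize
    $limited = @($accounts | Where-Object { -not $_.IsAdministrator })
    if ($limited.Count -eq 0) {
        Write-Output 'No Limited (non-administrator) account exists: every login on this machine is an administrator.'
    }
    if (Test-AdministratorSession) {
        Write-Output 'This session is an administrator. Surf and read e-mail from a Limited account instead.'
    } else {
        Write-Output 'This session is a Limited account: the right place for browsing and e-mail.'
    }
}

Show-LeastPrivilegeStatus

# To start one administrator-only program from the Limited account without
# logging out, XP's built-in runas command does what the letter describes
# (running that program under an administrator account), e.g.:
#   runas /user:Administrator "C:\Program Files\SomeApp\app.exe"
# The path is a placeholder; the account name is whichever local
# administrator account the machine has.
```

The script only reads account information and the current token, so it runs from the Limited account as well as from the administrator account; run it from both and the last line of output should differ.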
I put out exactly this recommendation in a shotgun "to whom it may
concern" email in September, with the subject "more bulletproof Win
XP", the text of which I have put here:
The editor in chief of PC Magazine, Michael Miller, gets big credit in
my book for being sharp enough to pick up on this, leading to the
November article from which I quoted above.
Using Win XP in this way both works around many (maybe all) of the
"awkward complications" and is fully consistent with the recommendation
in the passage from your book.
I mentioned above that I have informed Microsoft that if the upcoming
advertising campaign gives the impression to Win XP users that least
privilege is a new feature in Longhorn, I would object to the States'
Attorneys General and to the FTC in Washington, DC. One element
of the circumstances is that the majority of Microsoft's Win XP user
base are not likely to get the message that a computer owner can have
both an administrator account and a least privilege account. In
my last email to Microsoft, I used the term "one person, one account
brainwashed" to refer to persons who are not receptive to using least
privilege today because they "know" that a person can have one and only
one account. The friend who is a computer professional also
advised me that "one person, one account brainwashed" is
inflammatory. On one level, I agree with him. However, the
purpose of the communication is to put Microsoft on actual notice of what
I would be sharing with the States' Attorneys General and FTC in the
event that Microsoft's communications tend to mislead current Win XP
users. This would come about only if the upcoming Longhorn
advertising campaign gives the impression to Win XP users that least
privilege is a new feature in Longhorn. The subjective
understanding is key here, as most Win XP users do not have full
knowledge because Microsoft chose to misinform them about the least
privilege features in Win XP.
So if you want most Windows XP users to understand your recommendation
on least privilege, I suggest you should consider some additional
explanation.
I hope this is helpful.
Regards,
Rick Graves