I'm Back! Upcoming Posts...

It's been way too long, but I'm going to force myself to find the time to get more "least-privilege" information posted here. Most of my posts until now have been about ways for those of us who administer our own machines to run Windows as a non-admin, invoking administrator privileges only when truly needed. That's one of the "least-privilege" challenges of Windows today. There is another (possibly bigger) challenge: what about users who should always run as non-admin? The 10,000 "information workers" in your enterprise, the children on your home computers -- you do not want to give them the administrator password (directly or indirectly), or have them making security decisions about when administrator privileges should be used. Yet they need to run programs with "LUA bugs" -- programs that don't work unless they run with administrator privileges. How can those users run as non-admin?

Too often, this second challenge is addressed by simply having the users/children run as administrators, by unsafely opening up access control to large portions of the file system and registry, or by "encrypting" an admin password into a special program that runs another program with admin privileges.

In upcoming posts, I'll write on topics such as:

  • What exactly is a "LUA bug"? (And what isn't a LUA bug?)
  • A systematic approach for working around LUA bugs that avoids unnecessary exposure
  • How to identify LUA bugs using Regmon and Filemon
  • "LUA BugLight" (a new tool for identifying LUA bugs -- still in development!)

It's good to be back!

Comments

  • Anonymous
    February 03, 2006
    The comment has been removed
  • Anonymous
    February 04, 2006
    Hi Aaron, great to hear from you. I'm looking forward to reading more about LUA in Windows Vista and the new Tools. => cool

    Regards
    Philipp Kohn
    http://blog.kohnonline.de
  • Anonymous
    February 22, 2006
    Hi Aaron,

    In Vista you run as "Admin" but UAP prompts you for elevation.

    In XP you run as a "User" and you use Run as etc to elevate.

    Is the Admin User in Vista equivalent to a Normal User in XP?
  • Anonymous
    February 22, 2006
    Toby Broom - it's not quite equivalent.  It's a little tiny bit like User + MakeMeAdmin, but not really.  Good info about Vista/UAC at these links:

    http://blogs.msdn.com/uac/archive/2006/02/22/537129.aspx

    http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx
  • Anonymous
    March 07, 2006
    Hi Aaron, is there any use to the User account in Vista?  If you're running as user with the option to elevate then is there any difference?

    If I set a password for admin account on Vista to say stop my kids elevating with ease, how does this work with the network access cf WinXP?
  • Anonymous
    March 07, 2006
    Toby Broom - Check out the links I posted last time.  There are basically three types of accounts in Vista:

    * the built-in Administrator account, which always runs with full admin privileges;

    * the "protected admin" account (I think that's still what it's called), which runs everything with normal User privileges except as needed - and prompts you with a secure UI before it allows a program to run with elevated permissions - this is kind of like MakeMeAdmin but much better UX and far more secure;

    * the "standard user" account, which always runs with normal privileges.  When something needs to run with elevated privileges, it prompts you with a secure UI to enter credentials for an admin account (built-in admin or a "protected admin").  You can't elevate unless you have the password (or other credentials) for an admin account.

    I'm not sure what you mean regarding "the network access of WinXP"...
  • Anonymous
    March 08, 2006
    >I'm not sure what you mean regarding "the network access of WinXP"...

    I believe he meant that in WinXP if the account does not have a password then it will not have remote access permission.  If you need to have a password on these admin accounts in order to use the new elevation features of Vista then does that also mean that they will be vulnerable to remote attacks?
  • Anonymous
    March 08, 2006
    Mike Drechsler - As with Windows XP, you don't need to have a password for these accounts - and as with XP, the default policy is that local accounts with blank password can be used only for console logon - no remote access.  This is an excellent option if you can trust everyone who has physical access to the computer.  Elevation of a "protected admin" account doesn't require a password - you can be prompted for simple consent via a secure UI.  If you have a password, vulnerability to remote attacks will be mitigated by the on-by-default firewall (as with XP SP2).
  • Anonymous
    April 08, 2006
    The comment has been removed
  • Anonymous
    May 10, 2006
    I need to run IIS as a non-admin on a server...preferably Power User.  Do you know if this is possible?  It would be a great help if you could lead me in the right direction.
  • Anonymous
    May 10, 2006
    Mike:  inetinfo.exe runs as LocalSystem, but web apps run as Network Service by default, which is far less privileged than "Power Users".  You can also easily configure multiple app pools running under different low-privileged service accounts to run web apps in.

    And please note that Power Users is not non-admin -- Power Users is "admin-lite", can easily elevate to Admin/System, and is considered deprecated.
  • Anonymous
    May 10, 2006
    Chelle - sorry for not replying sooner.  If you're not on a domain controller, right-click on My Computer, choose Manage - it should be under Computer Management System Tools.  Another way to get there is to run lusrmgr.msc from the Run dialog or a command prompt.
  • Anonymous
    May 26, 2006
    I see that Microsoft has released its Standard User Analyzer that “helps developers and IT professionals...
  • Anonymous
    June 01, 2006
    Hi Aaron,

    This is a great blog and a great cause. Unfortunately with XP it may be a lost cause as it seems most of the major consumer antivirus applications do not update under limited users (I have had no problems with any other applications I use). I can not get people (I can't even be bothered myself) logging into an administrator account, getting the updates, then logging out again every single day. The best I can do is set local policy to run Internet facing applications as normal users.

    With Vista, not only will antivirus have to work in normal user mode, but I am not sure I will even be running antivirus on the actual client PC (gateways, proxies, etc instead). We will see.

    Andrew
  • Anonymous
    June 02, 2006
    The comment has been removed
  • Anonymous
    June 02, 2006
    Andrew, I was just going to reply to your comment, but I turned it into a blog post:
    http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx
  • Anonymous
    March 17, 2008
    Hi Aaron, When I log on as Power User on my system, Default Web Site does not appear in the IIS Manager. I want to use VS 2005 in a non admin account which is a Power User to develop ASP.net web projects. But Visual Studio is also throwing access denied error. Please suggest what to do to avoid this error. Thanks Nitin Arora

    [Aaron Margosis]  Is this on XP or Vista? "Power Users" is not non-admin.  Power Users are Admins who have not made themselves admins yet.