Windows Vista's Least-privilege User Account (LUA)
By: Arie Slob

Much has been written about Windows' inability to run "limited" user accounts (as opposed to the "Administrator" account, or as it is known in some other operating systems, the "root" account), specifically on the "consumer" operating systems.
Windows 95, 98 and Me all run with full "Administrator" privileges, and even Windows XP runs as "Administrator" out of the box (the account created during setup is an administrator). At the time Windows 9x was introduced this might have looked like a good idea, but the example set by UNIX/Linux at the time was a good one: users run with only limited privileges and need to elevate that privilege for certain (higher risk) administrative functions.
We all know that "least privilege" is an important principle of security. The massive spread of Windows viruses & worms can be attributed in large part to the unlimited access these have on most systems. Once executed, their code runs with the same privilege as the user, and that has meant running under "Administrator" privileges most of the time.
The principle of "least privilege" is based on the notion that if a low-privileged process is compromised, it will do a lot less damage to a system than a high-privileged process would be capable of doing.
Windows XP tried to address this, albeit unsuccessfully. If you try to run Windows XP as a "limited" user, you will run into a number of problems, including (but not limited to):
- Hardly any software will install. If you try to install software, it will usually fail with a cryptic error message (most Microsoft software included).
- Several system functions won't be available (or will present you with an "Access Denied" error), including changing the Date/Time (see figure) and configuring Power Options.
- You'll be unable to install printer drivers.
- You can't install security patches.
- You'll be unable to share folders on your machine - the "Share" tab is missing from the folders properties sheet.
- Lots of Windows Administrative tasks won't run.
The single largest problem is probably third-party software that will refuse to install and run unless the user is running as administrator. This is because the software tries to read/write (data) files in the \Program Files\ folder, and/or writes registry entries to HKEY_LOCAL_MACHINE, both of which only an administrator can modify. In most cases the program has no real need for either: per-user data and settings belong in the user's profile (the Application Data folder and HKEY_CURRENT_USER), which a limited user can write. But programmers are lazy by nature: they run as Administrator, so their software gets designed and tested only as Administrator. According to studies, 90 percent of today's software will not install under anything other than the "Administrator" account, and at least 70 percent of software won't run properly unless the user running it has "Administrator" rights.
So the end effect is that most users are still "forced" to run with Administrative privileges in order to get their work done.
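The following script is an added example, not code from the original article. Run from a limited user account, it probes the two machine-wide locations the article blames for most failures (the Program Files folder for data files and HKLM\SOFTWARE for settings) by trying to create and delete a uniquely named item in each, and compares them with the per-user locations a LUA-friendly program should use instead. It assumes Windows PowerShell 3.0 or later; the application name "ExampleApp" is a placeholder.

```powershell
# Added example (not from the original article): check whether the current
# account can write where admin-assuming programs write, and show the
# per-user alternative. "ExampleApp" below is a placeholder name.

function Test-IsElevated {
    # IsInRole checks the effective token, so this is $false both for a
    # limited user and for an administrator whose token is not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWriteDirectory {
    param([string]$Path)
    # Create and delete a uniquely named probe file; any failure means the
    # folder is not writable for this token.
    $probe = Join-Path -Path $Path -ChildPath ("lua-probe-" + [guid]::NewGuid().ToString('N'))
    try {
        $null = New-Item -Path $probe -ItemType File -ErrorAction Stop
        Remove-Item -Path $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Test-CanWriteRegistryKey {
    param([string]$Key)
    # Same idea for the registry: create and delete a probe subkey.
    $probe = "$Key\lua-probe-" + [guid]::NewGuid().ToString('N')
    try {
        $null = New-Item -Path $probe -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-LuaReadinessReport {
    # Machine-wide location an admin-assuming program uses, next to the
    # per-user location that works for a limited user.
    $checks = @(
        [pscustomobject]@{ What = 'Data files'; MachineWide = $env:ProgramFiles; PerUser = $env:LOCALAPPDATA; Registry = $false },
        [pscustomobject]@{ What = 'Settings';   MachineWide = 'HKLM:\SOFTWARE';  PerUser = 'HKCU:\Software';  Registry = $true }
    )
    foreach ($c in $checks) {
        if ($c.Registry) {
            $machine = Test-CanWriteRegistryKey $c.MachineWide
            $user    = Test-CanWriteRegistryKey $c.PerUser
        } else {
            $machine = Test-CanWriteDirectory $c.MachineWide
            $user    = Test-CanWriteDirectory $c.PerUser
        }
        [pscustomobject]@{
            What            = $c.What
            MachineWide     = $c.MachineWide
            MachineWritable = $machine
            PerUser         = $c.PerUser
            PerUserWritable = $user
        }
    }
}

function Get-PerUserDataDir {
    # A LUA-friendly program keeps its writable state under the user's
    # profile, so it behaves the same with or without administrator rights.
    param([string]$AppName = 'ExampleApp')   # placeholder application name
    $dir = Join-Path -Path $env:LOCALAPPDATA -ChildPath $AppName
    if (-not (Test-Path -Path $dir)) {
        $null = New-Item -Path $dir -ItemType Directory
    }
    return $dir
}

"Elevated: $(Test-IsElevated)"
Get-LuaReadinessReport | Format-Table -AutoSize
"Per-user data directory: $(Get-PerUserDataDir)"
```

For a limited user the report shows the two machine-wide rows as not writable and the two per-user rows as writable; the same script run from an elevated administrator token shows all four as writable, which is exactly why software developed that way never notices the problem. One caveat: Vista's file and registry virtualization silently redirects such writes into the user's profile for legacy 32-bit programs that carry no manifest, so an old application may appear to succeed where this probe (run from the manifested powershell.exe) fails.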
But we all know that browsing the Internet or reading your email as an administrator is dangerous these days. Malware (be it worms, viruses, spyware or other) loves having administrative privileges on your computer (so it can do everything you can do... think about that for a minute).