Thread: Security in Longhorn: Focus on Least Privilege

  1. #1 AO French Antique News Whore (Join Date: Aug 2001, Posts: 2,126)

    I found this information today and I would like to share it with AO. The short paper discusses the major problem of Windows, which is that most users run under the administrator account, and how Microsoft is trying to fix that for Longhorn. I highly suggest it for anyone, especially application developers.

    Link : http://msdn.microsoft.com/library/de...eastprivlh.asp
    -Simon "SDK"

  2. #2 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    They should have done this years ago. They had the chance to do it when they introduced win2k but didn't.

    But why, you might ask, should users want to run as non-administrators, especially home users? Well, if it were actually easy to do, the home user would reap loads of benefits. Malware (a virus, worm, or other malicious code) loves having administrative privileges. Surfing the Web or reading e-mail as an administrator is just plain dangerous these days. What about your kids? Wouldn't it be nice to allow them to install and play games on your home computer knowing that they won't accidentally break something, install spyware, or remove the content rating limitations you've imposed? Think about it this way: running as an administrator effectively turns off most of the security protections provided by Windows. Home and corporate users alike shouldn't be turning off these protections, especially when connected to the Internet, which has become a rather dangerous neighborhood.

    Getting users and the programs they run to live happily in a least-privilege environment is going to significantly increase the security of the Windows platform.
    I agree with most of this but not the install part. Nobody should be allowed to install anything without admin privileges. But after you've installed it, you should be able to run it on a non-privileged account without any problems.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3 AO French Antique News Whore (Join Date: Aug 2001, Posts: 2,126)
    Nobody should be allowed to install anything without admin privileges.
    You are wrong. If you are using a business computer, you shouldn't be able to install anything without admin privileges, but for home users it's too complicated to switch from the admin account to a regular account. That's why most home users (including me) keep logging in and staying logged into their admin account. And when they catch malware, the malware can do anything because they are administrators. That's why Microsoft is trying to change it in Longhorn with this paper.
    -Simon "SDK"

  4. #4
    hey but we also know that with WinFX in Longhorn it will be almost impossible (well, difficult) for anyone to write a virus, if not a trojan horse, maybe installing will not be as dangerous as it seems in the paper.

    just a thought, I am no security expert
    LOL

  5. #5
    Originally posted here by yourdeadin
    hey but we also know that with WinFX in Longhorn it will be almost impossible (well, difficult) for anyone to write a virus, if not a trojan horse, maybe installing will not be as dangerous as it seems in the paper.

    just a thought, I am no security expert
    LOL
    to meet shipping dates, Bill Gates as recently as 2-3 weeks ago stated that WinFS and the new desktop schema would be dropped, and re-introduced, perhaps via an upgrade, so that Longhorn can make its shipping date of mid to late 2006?!

    i believe the prob could be a "run-as" solution away?! but then again, 2 things come to mind,
    1: no matter how intuitive they make Longhorn, artificial intelligence is no match for natural stupidity.
    2: i think they should rather go after user education, like when you buy your box, well mine anyway, after my installation, it goes to microsoft.com. how about adding a learning video as to using the run-as command?! nothing can be made fool-proof though, or will there be privacy issues?!
    HO$H Pagamisa. Pro Amour Ludi....

  6. #6

    but mine has WinFS

    hey, I've an evaluation version of Longhorn and it has WinFS, don't know about the full version!!

  7. #7
    yourdeadin, you have a pirated version, not an evaluation version, as the only versions released were given to MS beta testers and PDC testers. Now then, because I am a beta tester for Microsoft Longhorn, I'm going to have to ask you to either delete your copy or face being reported for admitting that you have an unauthorized version.

    There, now with legalities out of the way.

    how about adding a learning video as to using the run-as command?! nothing can be made fool-proof though, or will there be privacy issues?!
    Kind of like the greeting and semi-tutorial that everyone shuts down on XP's first start?

    To meet shipping dates, Bill Gates as recently as 2-3 weeks ago stated that WinFS and the new desktop schema would be dropped, and re-introduced, perhaps via an upgrade, so that Longhorn can make its shipping date of mid to late 2006?!
    This is almost correct, except Bill Gates is no longer in charge of Microsoft, and thus instead devotes his business time to code streamlining, thinktanking, and code ideas rather than business decisions. However, they have agreed to hold back WinFS for two primary reasons:

    1. They want Longhorn out in 2006, not 20010
    2. After careful research they've decided that, due to the AI-like nature of WinFS, it will require a great demand of resources. They want to wait until computing power is at such a level that running WinFS will be no different from, say, explorer.exe running at 20 megs of RAM today. So, they are waiting for technology to catch up on coding ideas so WinFS itself won't be a hassle or resource worry by the time proper technology comes out.

    1: no matter how intuitive they make Longhorn, artificial intelligence is no match for natural stupidity.
    You would be surprised, but I do agree. However, there are simply instances in which AI or safe measures completely thwart a user's stupidity. For example, logging in as a normal guest user in Linux and trying to run rm -rf /root, you will get the "YOU ARE AN IDIOT AND DON'T HAVE PERMISSIONS" warning. The very act of them being in guest denied them the ability to hurt themselves. Of course, they could just su root, but like using the "Run As" privilege manager in XP... they had better already know what they are doing beforehand. So yes, I agree with you again.

    I agree with most of this but not the install part. Nobody should be allowed to install anything without admin privileges.
    I agree and disagree. Think about it this way: Dad buys a family computer. He uses administrator to install the firewall, update, maintain OS cleanliness, and so forth. However, little Johnny just bought Big Bird's Count the Eggs game and wants to play it. Now, Johnny's father is at work, and he can't rush over to log his kid onto administrator for a game, and his mother doesn't know the first thing about this "computer stuff".

    So what do you do?

    You place privileges (default) per thought process (or system application). Is it a game installation? Let it be installed by anyone. Is it a system tool? Let it be installed by only the admin. See what I'm getting at? There are certain things that should require admin privileges and other things that frankly... I don't give a damn about. Longhorn is attempting to fix this by tagging certain files/programs/processes with "intentions" and thus restricting their activity based upon their effect on the OS, effect on the user settings, effect on the internet, and resource usage (amongst other low-level kernel checks that were never mentioned to us in specifics).

    I'm not saying it's foolproof, but it is a HUGE step in the right direction.

  8. #8 Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)
    I see your point. I've looked at this from an enterprise view.

    You place privileges (default) per thought process (or system application). Is it a game installation? Let it be installed by anyone. Is it a system tool? Let it be installed by only the admin. See what I'm getting at?
    Yes. But this would mean either write access to "Program Files" or the creation of a different install place for setups like this. IMO giving 'normal' users write access to "Program Files" would be a big no-no.

    Or do you want to give the setup the privs? Like the "blessed" applications a PA has? This is starting to sound a lot like SUID applications on *nix. We all know these can be a security hazard.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9 nihil, Senior Member (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,188)
    Well,

    From an enterprise viewpoint I would say that no-one without admin privileges should be allowed to install software. Hey, isn't support difficult enough as it is?... why do we have "reference machines", why do we test upgrades and new software before rolling out?

    I take a very "big picture" view of security... security of the assets, prevention of fraud, business continuity. These are so dependent on IT these days that we cannot afford to ignore them... we should be thinking "corporate security" and IT's role within that.

    Now, this is a concept that has developed alongside WinNT... sort of like a "needs to do" basis. All MS are really saying is "think outside the box... design your stuff so that "needs to do" can do, but without giving them authority that they don't need, thereby compromising overall security".

    I see all that as just a continuation and refinement of a route they have been going along for some time with their "professional" OSes.

    Now comes the problem, and I will retire into one of my favourite topics: computer history

    When MS took a decision to split their offerings between home and business, we had WinNT and Win95. The "home" product progressed through Win98/98SE/ME

    So there is a whole generation or more of users out there who are used to starting the computer with admin rights, and they don't even know it.

    This is where it will be difficult, as there is a massive knowledge gap between them and people who work in IT or have a good understanding as a commercial user. They will just want to set longhorn so they can do what they were used to doing. "I paid for it and this is how I want it to work" mentality.

    Well, those are my initial impressions

  10. #10 Senior Member (Join Date: Jul 2003, Posts: 813)
    I suppose Windows will use something along the lines of a suid-type permission system, something that works quite well in *nix systems. I would think installers should also have digital certificates and whatnot [maybe built-in md5sum checkers that will allow the user to check the digest quickly] and Windows should be able to automatically give needed permissions accordingly with this security system.

    But on the whole I think [and I might be reiterating many opinions] that Windows always tried to remain idiot-accessible, in order to increase their market. So I believe it's hard to imagine a dramatic increase in the level of security options the users will have to make. And the defaults always tend to not be sufficient [because people first explore default configurations of systems before going into trickier exploits]

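Two points raised above, the per-user install location from #8 and the installer digest check from #10, sketched as an added Python example; it is not code from the thread or from the MSDN paper. The installer bytes, the published digest and the Windows paths are constructed, and current_user_is_admin is a best-effort helper. It refuses MD5, the algorithm #10 mentions, because MD5 collisions are practical, and uses SHA-256 instead.

```python
import ctypes
import hashlib
import hmac
import os
import sys
from pathlib import PureWindowsPath

# Constructed stand-in for an installer and the digest its vendor would publish beside it.
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-bytes-for-this-example"


def publish_digest(data: bytes, algorithm: str = "sha256") -> str:
    """What a vendor would print on the download page: the hex digest of the file."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_matches(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the file's digest with the published one.
    MD5 and SHA-1 are refused: collisions are practical, so a match proves little."""
    if algorithm.lower() in ("md5", "sha1"):
        raise ValueError(f"{algorithm} is not collision resistant; use sha256 or stronger")
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.lower())


def current_user_is_admin() -> bool:
    """Best-effort check of the caller's own privilege (hypothetical helper)."""
    if sys.platform == "win32":
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def choose_install_root(is_admin: bool, home: str, program_files: str) -> str:
    """Non-admin installs land under the user's own profile, so the setup never
    needs elevated rights (the SUID-like hazard #8 warns about); only an admin
    writes to Program Files."""
    if is_admin:
        return str(PureWindowsPath(program_files))
    return str(PureWindowsPath(home) / "AppData" / "Local" / "Programs")


def plan_install(data: bytes, expected_hex: str, is_admin: bool,
                 home: str = r"C:\Users\alice",
                 program_files: str = r"C:\Program Files"):
    """Return the directory to install into, or None if the digest does not match."""
    if not digest_matches(data, expected_hex):
        return None  # refuse to run an installer whose digest disagrees with the published one
    return choose_install_root(is_admin, home, program_files)
```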