Why Limited User Account computing?

Many readers criticized last week’s column as a pro-Internet Explorer, anti-everything-else screed. I guess they ignored the key theme of the article, which was to say that it’s difficult to code a truly secure browser, no matter who the vendor is. Google released a security and performance fix this week, and hackers continue to find more issues.

Hey, Dr. Bernstein, do you want to prove your alpha-male security software programming skills and seal your place in history? Make us a decently usable Internet browser. You’ve delivered ultra-secure DNS and e-mail server programs, but today’s biggest threats are client-side.

In the midst of all the Chrome arguing, several readers wrote to ask me about the fact that Chrome installs without needing elevation or an administrator security context. This is because Chrome doesn’t modify the normal system-protected areas of the operating system. Instead it installs under the user’s profile. Some readers see this as a potential security issue, as non-admin users are able to install software programs. Others are just glad they didn’t have to answer a Vista UAC prompt for once.

What are the benefits of a Limited User Account (LUA)? An LUA is essentially any security account or context without elevated permissions and privileges beyond that of a normal end-user. Linux, Unix, and BSD have long allowed LUA users to re-configure their session and install software without being logged on as root. Microsoft Windows has been pushing the same idea for at least 10 years, since the release of Windows NT 3.5, but not really strongly until the last five years or so. And it really took Vista, and its highly debated User Account Control (UAC) mechanism to force more vendors into LUA models.

The biggest security benefit of LUA is that software installing and running in a LUA context has a harder time modifying or corrupting the underlying OS’s kernel and system files. Essentially, once a program (or malware) has modified the system files, it isn’t really the vendor’s product anymore. Hence, why you see blue screen crashes in Windows environments (99 percent of which are caused by third-party drivers, third-party modification, or malware).

From a security perspective, most malware, especially the popular client-side malware that exploits a system, only gets the logged on user’s security context. If that user is logged on as Administrator, it’s game over. If that user is an LUA user, then what the malware can do is limited. Perhaps 90 percent (or more) of all of today’s malware will not function correctly, or at all, if the logged-on user is not an Administrator.

LUA means malware is less likely to be accidentally installed by the end-user and end up compromising their whole computer. Without administrative credentials to use to modify the underlying operating system, malware will have a harder time doing certain tasks, such as keystroke intercepting, rootkits, infecting other sessions, installing itself as a service, etc. And anti-malware programs, installed in an elevated mode and hooked into the operating system can more easily find LUA-malware, because it has a harder time hiding (most stealth or hiding mechanisms require OS modification). That’s good for everyone.

But in Windows, LUA users cannot normally install even legitimate software. This isn’t always true, but is true of most programs because they write to system areas (e.g. System32, Windows, Program Files, Services etc.). LUA-enabled applications have always existed and are growing in popularity. They work, without elevated permissions, because they only modify user areas and the currently logged-on user’s session.

Google’s Chrome is an example of this, and Microsoft Windows Vista’s UAC is forcing more vendors to do this, so their users will not be bugged with unnecessary prompts. Microsoft, itself, is writing and re-writing existing applications to install and work in LUA mode. Internet Explorer 8 contains the ability to install per-user (and per-site) ActiveX controls. The Microsoft Office team is working on re-writing its core product to install and function in LUA mode. Windows 7, Microsoft’s next Windows release, will have even more mechanisms to allow, control, and manage LUA applications and settings. Many Web-based applications and cloud services don’t install anything important on the host system. So LUA installs and applications are here to stay and, if anything, growing. You need to be prepared.

What’s the downside then? First, your LUA end-users will be able to install more and more (potentially unapproved) software, including malware, without requiring administrator credentials. Ack, we’re right back where we started before the whole LUA push began! (Not exactly, because we still get the benefits listed above.)

Second, malware almost doesn’t care whether it infects just your user session or the whole system, especially if you’re the only end-user on the system. LUA-based malware can do nearly everything system modifying malware can do to the end-user (e.g. steal passwords, steal their identity, etc.). The way the software accomplishes the bad stuff is different, but what it ultimately does is the same.

And that is the rub — only time will tell. Will LUA efforts significantly minimize the occurence of malware over the long run? Will administrators have a harder time controlling what software, legitimate or not, is and isn’t installed? My guess is no to the first question and yes to the second. And if that is the case, what was all the effort for? If this future becomes true, isn’t it the exact opposite of what security is supposed to do? Shouldn’t we focus our efforts on solutions that do the exact opposite?

I can’t blame vendors. LUA does make it harder for malware to do certain things, and any defense-in-depth block that we can put in the way of malware and malicious hackers, I’m open to investigating. It’s like the dilemma facing antivirus scanners. Antivirus scanners are struggling to be accurate against today’s ever-evolving malware, but try living without it.

The key is to recognize that LUA software will probably become the norm over the next few years, especially with cloud services growing. And if that is true, you’ll need to proactively predict the changes needed to maintain control over your managed systems. The worse thing to do is to act like it was unexpected and let the latest evolution of malware infect all your systems in a second, taking us back yet another big giant step to yesteryear.