Is the forthcoming User Account Protection in Windows Vista a good idea?

by Michael "Mullins CCNA, MCP" | Nov 10, 2005 8:37:00 PM

Tags: Microsoft Windows Vista (Longhorn), Printers, Operating systems, Michael Mullins CCNA, MCP, Microsoft Windows, Least User Access, Microsoft Corp., administrative access, User Account Protection, Microsoft Windows Vista, Security Solutions Newsletter

Takeaway: From the time Microsoft first released Windows NT, system administrators have wrestled with managing user privileges and rights. Heeding users' cries, Microsoft will include the new User Account Protection (UAP) in Windows Vista to help resolve some common issues. Mike Mullins takes a look at UAP and offers his take on how it will change things.

From the time Microsoft first released Windows NT, system administrators have wrestled with managing user privileges and rights. The standard for user access in every business network should be the least privileged user account—or, in Microsoft-speak, Least User Access (LUA). LUA means administrators should only grant users those rights and privileges that are necessary for them to log in to their computers and complete their work.

However, while access to files and folders on local and shared drives has become easier to control, it's always been a daunting task in regard to the complexity of user rights. In addition, there's the concern of the lack of granularity with these rights when it comes to local access to users' workstation operating systems. As the first step in tackling this problem, Microsoft is renaming LUA to User Account Protection (UAP) in Windows Vista, the next version of the OS.

While the LUA model offers tremendous advantages for networks that have stringent security requirements, this model doesn't fit well within most of corporate America or the home network. LUA restricted users from performing common tasks, and Microsoft's solution was to create a service known as Run As. (Why didn't Redmond just call it su and admit the UNIX crowd had it right?)

The Run As service furnished users with broad access by giving them knowledge of an account with elevated access to their systems. Users require access to accomplish certain tasks and functions, and they shouldn't need administrative access for routine use.

UAP approaches the issue differently. It enables the user to perform common functions, but it protects the user and the operating system from malicious operations.

Access and mobility are the future, and Microsoft has finally realized that fact. Most networks have realized the benefit of implementing laptops to increase the mobility of their users, and this complicates the issue for the system administrator or home user.

Microsoft has heeded the cries to fix this problem, and the upcoming release of Windows Vista, scheduled for release in 2005,  will resolve some of the more common issues. The following common user tasks will no longer require administrative access to perform:

• Downloading and installing Microsoft updates
• Creating and establishing VPN and dial-up connections
• Installing printer drivers
• Setting a Wired Equivalent Privacy (WEP) key to attach to a wireless network

Most of these tasks focus on mobile clients that may spend months away from their domain. However, these changes also solve one of the most common user problems reported to the help desk—not being able to print to the new printer.

The last issue that Vista will address is applications. Should a user require administrative access to install and run applications? Microsoft doesn't think so.

Instead, it's implemented a voluntary compliance program where application developers can test and certify their applications—including Microsoft applications. Users will be able to install and operate certified applications without requiring system administrator intervention. Microsoft sees this as a step forward in user access.

Final thoughts

I'm glad that Microsoft has finally come around to addressing some of the most common issues that shouldn't require administrative access. On the other hand, I'm not convinced it's a good idea to grant users on a corporate network the ability to install any application they choose.

Group policy works well for deploying and updating business applications for users logged in under the least privilege model. In my opinion, Microsoft has gone too far by allowing users to install and run their own applications. While this feature is sure to become a key selling point in the home computer market, it has no place in the corporate network.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Print/View all Posts Comments on this article

Worryingalan.graham@...  | 11/11/05

Newsflash: Vista won't be out til 2006. kvhollis@...  | 11/11/05

Maybe 2006...mike@...  | 11/11/05

Configurable?Tony K  | 11/11/05

could bealan.graham@...  | 11/14/05

Windows Updateslibertyaikido  | 11/11/05

WSUS GPOSteve-Oh  | 11/11/05

Too many user rightspizza7  | 11/11/05

I can't see this as a good thing!halibut  | 11/14/05

LUA and the performance of Anti-Spyware/ Registry Toolszczc2311@...  | 11/11/05

certified apps for certifiable users?jdgeek  | 11/15/05

I don't see this as a problem.joe.  | 11/21/05

What about legacy apps?spareher  | 11/21/05

Back in Time  | 11/21/05

User rights and installation.nzamparello@...  | 11/28/05

virii love Avg Joe as adminDWRandolph  | 12/03/05

Missing the point?4u3u  | 12/03/05

thanks for the "elevated" linkDWRandolph  | 12/03/05