From the time Microsoft first released Windows NT, system
administrators have wrestled with managing user privileges and rights. The
standard for user access in every business network should be the least
privileged user account—or, in Microsoft-speak, Least User Access (LUA). LUA
means administrators should only grant users those rights and privileges that
are necessary for them to log in to their computers and complete their work.

However, while access to files and folders on local and
shared drives has become easier to control, it’s always been a daunting task in
regard to the complexity of user rights. In addition, there’s the concern of
the lack of granularity with these rights when it comes to local access to
users’ workstation operating systems. As the first step in tackling this
problem, Microsoft is renaming LUA to User
Account Protection
(UAP) in Windows Vista, the next version of the OS.

While the LUA model offers tremendous advantages for networks
that have stringent security requirements, this model doesn’t fit well within
most of corporate America or the home network. LUA restricted users from
performing common tasks, and Microsoft’s solution was to create a service known
as Run As. (Why didn’t Redmond just call it su
and admit the UNIX crowd had it right?)

The Run As service furnished users with broad access by
giving them knowledge of an account with elevated access to their systems.
Users require access to accomplish certain tasks and functions, and they shouldn’t
need administrative access for routine use.

UAP approaches the issue differently. It enables the user to
perform common functions, but it protects the user and the operating system
from malicious operations.

Access and mobility are the future, and Microsoft has finally
realized that fact. Most networks have realized the benefit of implementing laptops
to increase the mobility of their users, and this complicates the issue for the
system administrator or home user.

Microsoft has heeded the cries to fix this problem, and the
upcoming release of Windows Vista, scheduled for release in 2005,  will resolve some of the more common issues. The
following common user tasks will no longer require administrative access to

  • Downloading
    and installing Microsoft updates
  • Creating
    and establishing VPN and dial-up connections
  • Installing
    printer drivers
  • Setting
    a Wired Equivalent Privacy (WEP) key to attach to a wireless network

Most of these tasks focus on mobile clients that may spend
months away from their domain. However, these changes also solve one of the
most common user problems reported to the help desk—not being able to print to
the new printer.

The last issue that Vista will address is applications.
Should a user require administrative access to install and run applications?
Microsoft doesn’t think so.

Instead, it’s implemented a voluntary compliance program
where application developers can test and certify their applications—including
Microsoft applications. Users will be able to install and operate certified
applications without requiring system administrator intervention. Microsoft
sees this as a step forward in user access.

Final thoughts

I’m glad that Microsoft has finally come around to
addressing some of the most common issues that shouldn’t require administrative
access. On the other hand, I’m not convinced it’s a good idea to grant users on
a corporate network the ability to install any application they choose.

Group policy works well for deploying and updating business
applications for users logged in under the least privilege model. In my
opinion, Microsoft has gone too far by allowing users to install and run their
own applications. While this feature is sure to become a key selling point in
the home computer market, it has no place in the corporate network.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.

Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter
, delivered each Friday,
and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security