Is the forthcoming User Account Protection in Windows Vista a good idea?

From the time Microsoft first released Windows NT, system administrators have wrestled with managing user privileges and rights. Heeding users' cries, Microsoft will include the new User Account Protection (UAP) in Windows Vista to help resolve some common issues. Mike Mullins takes a look at UAP and offers his take on how it will change things.

From the time Microsoft first released Windows NT, system
administrators have wrestled with managing user privileges and rights. The
standard for user access in every business network should be the least
privileged user account—or, in Microsoft-speak, Least User Access (LUA). LUA
means administrators should only grant users those rights and privileges that
are necessary for them to log in to their computers and complete their work.

However, while access to files and folders on local and
shared drives has become easier to control, it’s always been a daunting task in
regard to the complexity of user rights. In addition, there’s the concern of
the lack of granularity with these rights when it comes to local access to
users’ workstation operating systems. As the first step in tackling this
problem, Microsoft is renaming LUA to User
Account Protection (UAP) in Windows Vista, the next version of the OS.

While the LUA model offers tremendous advantages for networks
that have stringent security requirements, this model doesn’t fit well within
most of corporate America or the home network. LUA restricted users from
performing common tasks, and Microsoft’s solution was to create a service known
as Run As. (Why didn’t Redmond just call it su
and admit the UNIX crowd had it right?)

The Run As service furnished users with broad access by
giving them knowledge of an account with elevated access to their systems.
Users require access to accomplish certain tasks and functions, and they shouldn’t
need administrative access for routine use.

UAP approaches the issue differently. It enables the user to
perform common functions, but it protects the user and the operating system
from malicious operations.

Access and mobility are the future, and Microsoft has finally
realized that fact. Most networks have realized the benefit of implementing laptops
to increase the mobility of their users, and this complicates the issue for the
system administrator or home user.

Microsoft has heeded the cries to fix this problem, and the
upcoming release of Windows Vista, scheduled for release in 2005, will resolve some of the more common issues. The
following common user tasks will no longer require administrative access to
perform:

Downloading
and installing Microsoft updates
Creating
and establishing VPN and dial-up connections
Installing
printer drivers
Setting
a Wired Equivalent Privacy (WEP) key to attach to a wireless network

Most of these tasks focus on mobile clients that may spend
months away from their domain. However, these changes also solve one of the
most common user problems reported to the help desk—not being able to print to
the new printer.

The last issue that Vista will address is applications.
Should a user require administrative access to install and run applications?
Microsoft doesn’t think so.

Instead, it’s implemented a voluntary compliance program
where application developers can test and certify their applications—including
Microsoft applications. Users will be able to install and operate certified
applications without requiring system administrator intervention. Microsoft
sees this as a step forward in user access.

Final thoughts

I’m glad that Microsoft has finally come around to
addressing some of the most common issues that shouldn’t require administrative
access. On the other hand, I’m not convinced it’s a good idea to grant users on
a corporate network the ability to install any application they choose.

Group policy works well for deploying and updating business
applications for users logged in under the least privilege model. In my
opinion, Microsoft has gone too far by allowing users to install and run their
own applications. While this feature is sure to become a key selling point in
the home computer market, it has no place in the corporate network.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.

Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE Finding a back-end developer with programming and technical expertise as well as superior collaboration and communication skills will require a comprehensive recruitment strategy. This Hiring Kit from TechRepublic Premium provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job. From the hiring kit: TYPICAL ...

PURPOSE Application engineers need to have technical expertise in programming, design, business and the software and hardware required to run the application. This Hiring Kit from TechRepublic Premium provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job. From the hiring kit: DETERMINING FACTORS, DESIRABLE ...

Is the forthcoming User Account Protection in Windows Vista a good idea?