
Developing Well-Behaved Software For Windows Vista and Windows 7

Never create code that takes everything for granted.
By V. Subhash

From the beginning, Unix and GNU/Linux operating systems have had an inherently robust security model. An application or daemon may require superuser privileges to start or stop. However, that does not mean the process has superuser privileges over the entire system. The process may have privileges for only those resources it was built to work with.

As a result, 'nix programs are naturally well-behaved applications. At design time itself, programmers know that their applications will have limited privileges. So, their applications are built in a way that they never take things for granted.

In the Windows world, the situation is different. When you install Windows XP, the default account that is created is an administrator account. If you create a new account, the default option is for a computer administrator. As a result, most Windows XP user accounts, including those of software developers, are administrator accounts.

Question: Why do XP applications fail in Vista? Answer: Most accounts in Windows XP are Administrator accounts. In Vista, even administrator accounts run applications under reduced privileges.

Administrator accounts have access to the entire system. An application started by a user with an administrator account runs with administrator privileges. So, any application started by an administrator user theoretically has access to the entire system.

The implications are enormous. If an application becomes compromised, malicious code riding on that process can destroy or take over the entire system, as it then has administrator privileges or can be escalated to an administrator profile. This is the preferred mode of attack for most malware, as an administrator has fewer restrictions than a Power User or a Guest.

Realizing this, Microsoft adopted a tougher security model in Windows Vista. This security model has similarities with the Security Enhanced Linux model, developed by the National Security Agency (NSA) of the U.S. government. The main implication of this model is that an application is given only as many privileges as it needs to accomplish its job. This ensures that the ill-effects of a compromised application will be limited to the application's demilitarized zone.

In Windows Vista, applications run under reduced privileges even if they are launched by a user with an administrator account. When an application requires higher privileges, User Account Control (UAC) kicks in and asks the user for permission to grant elevated privileges. Only if the user permits it is the application escalated to a higher profile.

But UAC came in for a lot of criticism from two sections: from people who ran legacy applications that unwisely assumed they had full privileges, and from people who never realized or accepted the fact that UAC was really a necessity and a blessing.

The creators of UAC knew that the security measure would be annoying. In fact, they thought this annoyance would force users to dump misbehaving applications and also force developers to create applications that could run under minimum privileges.

But Windows users and software developers have been spoiled for so long that such a change of attitude was not going to come overnight. And it would be long before the entire pantheon of popular Windows applications was rewritten to run under minimum privileges.

However, UAC in Windows Vista and Windows 7 is here to stay. Even assuming they were not there, it would not be right for software developers to write applications that took things for granted. Software publishers should also not ask users to disable UAC or its functionality, as a workaround. UAC is not a flaw. Developers should ensure their code will run with the least privileges.

On my system, I use a utility called Drop My Rights (an unsupported Microsoft utility) to run Internet Explorer and other Internet-enabled applications. You can use the tool to see if your application can run properly under minimum privileges. You can use Microsoft's Process Explorer to check the security privileges of an application. If your application passes this test in Windows XP, then it will probably run in Windows Vista and Windows 7 without a hitch. In Windows Server 2003 and Windows Server 2008, there are similar restrictions but things are a bit more complex and outside the scope of this article.

Process Explorer showing security privileges for Internet Explorer instances launched with and without Drop My Rights.
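
As an added illustration of code that does not take privileges for granted (it is not part of the original article), the C# program below reports whether its token is elevated and treats a refused write to a machine-wide folder as an expected outcome rather than a crash. The application name `DemoApp` and the file name `settings.ini` are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example, not from the original article.
// "DemoApp" and "settings.ini" are hypothetical names.
static class LeastPrivilegeDemo
{
    // Returns false under UAC's reduced token, even when the logged-in
    // account is a member of the Administrators group.
    static bool IsElevated()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Attempts the write and reports the outcome instead of assuming access.
    static bool TrySave(string dir, string text)
    {
        try
        {
            Directory.CreateDirectory(dir);
            File.WriteAllText(Path.Combine(dir, "settings.ini"), text);
            return true;
        }
        catch (UnauthorizedAccessException) { return false; } // access denied
        catch (IOException) { return false; }                 // other I/O failure
    }

    static void Main()
    {
        Console.WriteLine("Elevated token: " + IsElevated());

        // Machine-wide location that legacy applications often wrote to;
        // a standard or non-elevated user normally cannot write here.
        string machineWide = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles), "DemoApp");
        // Per-user location that needs no administrator rights.
        string perUser = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "DemoApp");

        if (TrySave(machineWide, "theme=light"))
            Console.WriteLine("Saved under Program Files (process has write access there).");
        else if (TrySave(perUser, "theme=light"))
            Console.WriteLine("Program Files refused the write; saved per-user at " + perUser);
        else
            Console.WriteLine("Could not save settings in either location.");
    }
}
```

Running it once from a normal session and once from an elevated one shows the difference between the two tokens; an application designed for least privilege would skip the machine-wide attempt and use the per-user path from the start.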
---o0O0o---

Suggested Reading:

Although you may not go for logo certification, you may still find the certification requirements documents listed above very useful. This article deals with just one aspect of Windows Vista/7 application development. There are several other requirements you will need to meet.

© 2002-2013 Gnostice Information Technologies Private Limited. All rights reserved.