Developing Well-Behaved Software For Windows Vista and Windows 7

Never create code that takes everything for granted.
By V. Subhash

From the beginning, Unix and GNU/Linux operating systems have had an inherently robust security model. An application or daemon may require superuser privileges to start or stop. However, that does not mean the process runs with superuser privileges over the entire system; it may hold privileges only for those resources it was built to work with.

As a result, *nix programs are naturally well-behaved applications. At design time, programmers already know that their applications will have limited privileges, so they build them in a way that never takes things for granted.

In the Windows world, the situation is different. When you install Windows XP, the default account that is created is an administrator account. If you create a new account, the default option is for a computer administrator. As a result, most Windows XP user accounts, including those of software developers, are administrator accounts.

Question: Why do XP applications fail in Vista? Answer: Most accounts in Windows XP are Administrator accounts. In Vista, even administrator accounts run applications under reduced privileges.

Administrator accounts have access to the entire system. An application started by a user with an administrator account runs with administrator privileges. So, any application started by an administrator user theoretically has access to the entire system.

The implications are enormous. If an application becomes compromised, malicious code riding on that process can destroy or take over the entire system, as it then has administrator privileges or can be escalated to an administrator profile. This is the preferred mode of attack for most malware, as an administrator has fewer restrictions than a Power User or a Guest.

Realizing this, Microsoft adopted a tougher security model in Windows Vista. This security model has similarities with the Security-Enhanced Linux model, developed by the National Security Agency (NSA) of the U.S. government. The main implication of this model is that an application is given only as many privileges as it needs to accomplish its job. This ensures that the ill effects of a compromised application will be limited to the application's demilitarized zone.

In Windows Vista, applications run under reduced privileges even if they are launched by a user with an administrator account. When an application requires higher privileges, User Account Control (UAC) kicks in and asks the user for permission to grant elevated privileges. Only if the user permits it is the application elevated to a higher profile.

But UAC came in for a lot of criticism from two sections: from people who ran legacy applications that unwisely assumed they had full privileges, and from people who never realized or accepted the fact that UAC was really a necessity and a blessing.

The creators of UAC knew that the security measure would be annoying. In fact, they thought this annoyance would force users to dump misbehaving applications and also force developers to create applications that could run under minimum privileges.

But Windows users and software developers had been spoiled for so long that such a change of attitude was not going to come overnight. And it would be a long time before the entire pantheon of popular Windows applications was rewritten to run under minimum privileges.

However, UAC in Windows Vista and Windows 7 is here to stay. Even if it were not there, it would not be right for software developers to write applications that take things for granted. Software publishers should also not ask users to disable UAC or its functionality as a workaround. UAC is not a flaw. Developers should ensure their code will run with the least privileges.

On my system, I use a utility called Drop My Rights (an unsupported Microsoft utility) to run Internet Explorer and other Internet-enabled applications. You can use the tool to see if your application can run properly under minimum privileges. You can use Microsoft's Process Explorer to check the security privileges of an application. If your application passes this test in Windows XP, then it will probably run in Windows Vista and Windows 7 without a hitch. In Windows Server 2003 and Windows Server 2008, there are similar restrictions, but things are a bit more complex and outside the scope of this article.

Process Explorer showing security privileges for Internet Explorer instances launched with and without Drop My Rights.
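The check that Drop My Rights and Process Explorer let you do by hand can also be built into the application itself. The PowerShell script below is an added example, not code from the article or from Gnostice; it assumes Windows PowerShell 5.1 or later on Windows Vista/7 or newer and an application name of "ExampleApp" (a placeholder). It shows the two habits the article asks for: find out, rather than assume, whether the process is running with administrator rights, and write application data to a per-user location that a standard-user token can reach, surviving an access-denied error when a protected location is tried.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1+.
# "ExampleApp" is a placeholder application name.

# 1. Ask the token whether this process actually has administrator rights.
#    Under UAC an administrator's normal token is filtered, so this returns
#    $false until the process is elevated ("Run as administrator").
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Choose a data directory that is writable without elevation.
#    %LOCALAPPDATA% belongs to the user; %ProgramFiles% does not.
function Get-AppDataDirectory {
    param([Parameter(Mandatory)][string]$AppName)
    $dir = Join-Path $env:LOCALAPPDATA $AppName   # C:\Users\<name>\AppData\Local\<AppName>
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    return $dir
}

# 3. Probe a directory for write access and report the outcome instead of
#    crashing. A non-elevated write into Program Files fails with
#    UnauthorizedAccessException; a well-behaved program handles that.
function Test-CanWrite {
    param([Parameter(Mandatory)][string]$Directory)
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        # PowerShell wraps .NET exceptions; report the innermost one.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        Write-Verbose ("{0}: {1}" -f $ex.GetType().Name, $ex.Message)
        return $false
    }
}

# Report what this process really has, rather than what it might assume.
Write-Host ("Running elevated: {0}" -f (Test-IsElevated))
$candidates = @(
    $env:ProgramFiles,
    $env:ProgramData,
    (Get-AppDataDirectory -AppName 'ExampleApp')
)
foreach ($candidate in $candidates) {
    Write-Host ("{0,-60} writable: {1}" -f $candidate, (Test-CanWrite -Directory $candidate))
}
```

Run it from an ordinary PowerShell prompt and Program Files reports as not writable while the per-user folder reports as writable; run the same script "as administrator" and Program Files becomes writable. That difference is exactly what an application must not depend on: it should pick the per-user location by design and treat a denied write elsewhere as an expected condition, not a fatal error.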
---o0O0o---

Suggested Reading:

Although you may not go for logo certification, you may still find the certification requirements documents listed above very useful. This article deals with just one aspect of Windows Vista/7 application development. There are several other requirements you will need to meet.

---o0O0o---
