Microsoft’s Controversial UAC Spawns Alternatives

April 1, 2007 — Microsoft says that Windows Vista is the most secure version of Windows yet. That claim may have some teeth: The company has built in a bevy of new technologies to harden Windows. One of them, the Windows Vista UAC (User Account Control), is sparking debate about just how sharp those teeth are.

Past versions of Windows gave users administrative-level rights by default, but Windows Vista’s UAC requires users to run with a standard-level user access token. When an application, component or process requires elevated privileges, Windows notifies the user that administrative authorization is necessary; the user must then supply appropriate credentials or stop what they are doing.

Microsoft designed UAC as a failsafe to limit the damage malicious software can cause to a system, and it is uniform across every Windows Vista version. But does UAC make sense in a business environment?
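Added example, not from the article or from any vendor it names: a PowerShell check that classifies the access token the current process runs under, which is exactly what UAC changes. It assumes Windows Vista or later and uses the documented GetTokenInformation(TokenElevationType) call together with the EnableLUA and ConsentPromptBehaviorAdmin policy values.

```powershell
# Added example: report whether this process holds the filtered
# standard-user token UAC hands to administrators, an elevated token,
# or a plain token (standard user, or UAC switched off).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class UacToken {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);
    // TokenElevationType is information class 18;
    // values: 1 = Default, 2 = Full, 3 = Limited
    public static int ElevationType(IntPtr token) {
        int value, needed;
        if (!GetTokenInformation(token, 18, out value, 4, out needed))
            throw new System.ComponentModel.Win32Exception();
        return value;
    }
}
'@

function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $typeName = switch ([UacToken]::ElevationType($identity.Token)) {
        1 { 'Default' }   # no linked token: standard user, or UAC disabled
        2 { 'Full' }      # elevated administrator token
        3 { 'Limited' }   # filtered token UAC gives a logged-on administrator
    }
    # UAC policy values live under this key on Vista and later
    $policy = Get-ItemProperty -Path `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        User          = $identity.Name
        ElevationType = $typeName
        # True only when the Administrators group is enabled in the token
        IsElevated    = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
        UacEnabled    = [bool]$policy.EnableLUA
        AdminPrompt   = $policy.ConsentPromptBehaviorAdmin
    }
}

Get-UacTokenState
```

An application that checks for a Limited token this way can request elevation or degrade gracefully instead of failing on the first privileged operation.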

THE PRIVILEGED MANY
Although Microsoft added restricted-access accounts in 1997’s Windows NT, some internal and shrink-wrapped enterprise applications still require elevated privileges to run correctly on Windows, because they were engineered under the assumption that all users had administrator access to the desktop. If an application does not have the privileges it requires for a task, it can stop dead in its tracks.

As it stands today, some IT administrators must hand over local control of the desktop to all users—including limited users—to make applications work. Users with higher privileges can modify system settings and install noncompliant applications, and they are more vulnerable to malware.

ENTERPRISE READY?
John Moyer, president of BeyondTrust, believes that UAC is unacceptable for the enterprise because it is not policy-based, allows the user too much trust, and runs afoul of least-privilege computing. “Essentially UAC has failed to meet the needs of the enterprise—even restricted users would need administrative credentials. From where we sit, it is a very good solution for the home users. They own the machine and can make those decisions.”

BeyondTrust CTO Marco Peretti chimed in, arguing that it does not make sense for UAC to be the same on all versions of Windows Vista. “Microsoft had to make a choice, and they chose to protect home users over corporate customers,” said Peretti.

A Microsoft spokesperson said that none of the security features in Windows Vista is intended as a “silver bullet” solution to computer security. The spokesperson suggested that Microsoft’s “defense in depth” approach makes Windows Vista more difficult to attack, and more secure, than prior versions of Windows.

Although Microsoft has the technology to keep users in restrictive groups while creating exceptions for applications that require more privileges, it is not yet integrated with Windows. Microsoft acquired two competing providers of business-oriented, policy-based privilege escalation software in 2006: Desktop Standard and Winternals.

Desktop Standard’s PolicyMaker Application Security and Winternals Software Protection Manager permitted administrators to elevate a specific application’s or process’s security token according to the user type, group or computer. Microsoft has not shipped any of the products it acquired, either individually or as part of Windows.

Desktop Standard’s founders walked away from the acquisition with their PolicyMaker Application Security software and became BeyondTrust. Microsoft transformed Desktop Standard’s GPOVault Enterprise software into Microsoft Advanced Group Policy Management and has included it in the Desktop Optimization Pack for Software Assurance.

Michael Cherry, an analyst with research firm Directions on Microsoft, noted in an e-mail that as a general rule of thumb, “Microsoft only brings forward products from an acquisition that match its product plans.”

A COTTAGE INDUSTRY
BeyondTrust’s PolicyMaker is an extension to group policy that implements exemptions for applications requiring administrative-level privileges, while keeping users in the same restricted security context. It is managed through the Microsoft Management Console.

There are rule types for applications and ActiveX controls, and network shares for deploying licensed packages. It is centrally managed and transparent to the user, supporting Windows 2000, Windows XP and Windows Vista, on both 32- and 64-bit systems.

BeyondTrust isn’t the only vendor bringing policy-based least-privilege management solutions to the table. Xeriton is selling software targeting the masses: home users and small and midsized businesses that have standardized on Windows 2000 or Windows XP and have not yet adopted Windows Vista.

Xeriton’s WindowsZones modifies the security tokens of processes, stripping them of privileges they would normally inherit from the user account. Application profiles may also be modified without running the applications.

This approach avoids application compatibility issues that may arise out of Windows Vista’s use of limited user accounts. It is also necessary because of the way that Microsoft implemented the user account system in Windows XP, said Allen Nieman, vice president of business development at Xeriton.

“Microsoft wants people to go to Vista to get UAC; they don’t want to publish a similar User Account Control application. They don’t want to put new technology in an old operating system,” said Nieman.


Share this link: http://www.sdtimes.com/link/30400