Tuesday, March 29, 2005

LUA development

I have been trying for about a year to follow the advice to develop without admin privileges. Keith Brown (see his blog at pluralsight) has been pushing this for several years, and more recently Microsoft has gotten on board. They have some of their people blogging on it and they have produced some tools to help with it. Until MS fixes VS so that one can use it with LUA privilege there seem to be two main approaches. One is to run as non-admin for most use, and launch VS and other needed processes under an admin account. That is what I do.
The other approach is to run with admin rights and reduce privileges to browse the web.
Keith's chapter "How to develop code as a non-admin" discusses the issues and techniques, though I have found that even using his tips I still need to run VS as an admin.

Aaron Margosis (Microsoft) has an excellent blog on this topic. And he has produced several utilities to help run with LUA. PrivToolBar shows effective privileges. MakeMeAdmin will elevate privileges of the current user, though that leads to issues of object ownership (see his blog).
Michael Howard (a Microsoft security guru) has a utility (DropMyRights) to go the other way - that is reduce privileges for your logon while running 'Internet-facing' apps such as Web Browsers or Mail Readers.
There was also a blog or forum starting up on the topic - It is listed below.

References to Articles and Blogs

Full-blown Articles:

Blogs and specific postings:

More links to specific weblog postings (cribbed from others above)

[added July 05]

Michael Howard blogged about his article here.
And a comment on limitations with SSL are discussed here.


Blogger Allan Wolff said...

Aaron Margosis is giving a talk on this at Tech-Ed in June. At his blog he says this is a hot topic.

12:25 PM  
Blogger Allan Wolff said...

I am posting this comment on Aaron's blog:

Congratulations on the interest in your presentation. I am a bit surprised at the popularity numbers you quoted in your post. I'm sorry I can't be there for the many sessions you mentioned on running LUA but I look forward to tuning in to the webcast of your session EARLY wednesday morning. It may be pretty hard on West Coasters who want to tune in, but no problem for me in the Midwest.

I have been trying to follow the gospel on developing as NonAdmin, which Keith Brown has been preaching for several years, and have been serious about it for the past year. Though I still have problems doing some Visual Studio work as Non-Admin your blog and your utilities (MakeMeAdmin and PrivBar especially) have been an essential resource, which I mention on my blog.

There are a few things which I never did get to work (your fix for granting privileges to install printers) and some odd behaviors (the way web-links launch unpredictably under the admin process or user process once you have one IE/Explorer process running in a RunAs Admin window) but it certainly is feasible to run LUA for most activity. In fact, I am promoting it too, by giving a couple of user group talks here in Chicago.

I have discovered one little tweak that I find very helpful for distinguishing Explorer and IE Windows running as Admin from other accounts. Besides Privbar and setting the toolbar backgrounds differently, I set up a custom sounds scheme for the Admin ID. I created a special DISTINCTIVE drumroll sound clip which I assign to the 'Start Navigation' event under Windows Explorer. Then whenever I click on a new object in an Explorer/or IE window running under the Admin ID I am alerted by the distintive sound which reminds my of the dangers where I am. This is particularly noticable for me since I normally run as user with no UI sounds.

6:30 PM  
Blogger Allan Wolff said...

Some more links to relevant articles:

Robert Scoble mentions running NonAdmin last year when discussing layers of Defense in Depth...

Which I found at...

7:04 AM  
Blogger Allan Wolff said...

Someone asked about the batch file I use to launch IE from a command window running under a different user. You only need one line in the batch file which is START "" "%ProgramFiles%\Internet Explorer\IExplore.exe"
The one trick is that it is essential to have the first empty argument which would the title of a command window if simply launching a new instance of the command processor.

12:50 PM  

Post a Comment

<< Home