Least Privilege
Developing software with least privilege in Windows is a major PIA. Hell, running Windows as a user with least privilege is a PIA. I've been working a lot on this problem, and will post my discoveries, frustrations, and solutions in this category.
It has been a great summer that I’ve mostly stayed home, but it’s time to hit the road. Next week I’ll be visiting three INETA user groups to talk about security. At the Inland Empire .NET User’s Group in southern California and Little Rock .NET User Group in Arkansas I’ll be talking about SQL Server 2005 security from a developer’s perspective. At the Dallas .NET User Group in Texas I’ll be talking about least privilege development and showing off Aaron Margosis’ LUA Buglight and other tools. In Dallas, Ron Jacobs from Microsoft’s Patterns & Practices Group will be speaking as well during an extended meeting.
If you’re in any of these areas those evenings, come join us! Details are on the groups’ Web sites.
I see that Microsoft has released its Standard User Analyzer that “helps developers and IT professionals diagnose issues that would prevent a program from running properly as a standard user.”
First impression: Binary-level information about the resources an app accesses that a non-admin user wouldn’t have access to. Simple interface, lots of information, scanty documentation.
I’ve just played with it a bit, but it’s amazing just how many violations it finds. Be aware, however, that it uses Microsoft’s Application Verifier, so you’ll need to download and install that as well.
Looks interesting, but it’s not the very cool LUA BugLight that Aaron Margosis has been working on.
I’ll post more after I play with the tool more.
Executive Summary: Despite hours of trying, I have had no success installing SQL Server 2005 SP1. Herein lies my sordid tale, and my conclusion that I’ll work on this no longer. Perhaps this post can save someone time trying all the things I did.
I have been trying off and on for about three weeks to install SP1 for SQL Server 2005. I think I wisely decided not to install it when it came out, because that was a couple of days before I headed to DevConnections in Nice, France earlier this month to do five SQL Server 2005 sessions. It’s never good to change configurations so soon before standing in front of people to show them stuff. I downloaded it though, and after I finished my last session I fired up the installation program.
Alas, it was not to install. For the record, I have attempted to install it on an IBM Thinkpad T40 laptop running the Developer’s Edition of SQL Server 2005, lots of memory, running as mere user. The default instance is SQL Server 2000 and I’m updating a named instance of SQL Server 2005.
I will say that I really like the design of the installation package. It makes the options easy, provides plenty of status information (maybe even a bit too much), and lets you know the outcome. But with all that, I still don’t have it installed after many hours of trying and many attempts.
The first indication of a problem is when it tries to update Database Services. This dialog popped up:

The first couple of times this happened I went and shut down all the services and hit Try Again. That ended up making no difference, so all the subsequent times I just hit Continue, willing to do a reboot as a small cost of getting this thing installed.
Setup then continued on its merry way. A few moments later, though, I was greeted by this unhappy dialog:

Clicking the link did little to enlighten me:

Clicking the View link just lists a gajillion log files. I helpfully click Send Error Report so that Microsoft can share my pain, and installation continues:

Eventually, what can be installed is, and I get the Installation Complete dialog that betrays the fact that installation is very incomplete:

Sadness. I Googled the error message shown at the bottom of the dialog, “Unable to install Windows Installer MSP file,” which leads me to a KB article, “BUG: Error message when you try to install SQL Server 2005 Service Pack 1: "Unable to install Windows Installer MSP file." Yowsa! Microsoft knows about this and has a fix!
Alas. Despite carefully following the directions—heeding, of course, the mandatory, dire warnings about messing with the registry—this does not change the outcome one whit.
So at this point I have updated all but the Database Services and have thrown hours of time that might otherwise have been billable down the rabbit hole, never to be seen again. I will make no further attempt until Microsoft re-releases this service pack. I’m not going to touch a server with SP1 until I’m a lot more confident in the package.
Security Note: I realize that the world isn’t yet attuned to running as a least privileged user, and I also realize that this is server software which has special security needs. So I tried it with RunAs, MakeMeAdmin, and finally—gasp!—logged in using a real Administrator account. The installation wouldn’t run with RunAs, and otherwise there was no difference in the outcome for any of the options. So this isn’t a least privileged user account issue.
Cool! One of the annoyances of running with lesser privileges is not being able to RunAs MSI packages. Michael Willers provides a solution using a registry hack (via Dana Epp’s Ramblings at the Sanctuary).
Next time I’m an admin I’ll give it a whirl.
I leave for Las Vegas on Sunday morning and arrive in time to attend some pre-conference sessions on Monday at DevConnections.
Here’s what I’m most looking forward to in Las Vegas:
- Geeking out on all the new stuff in the 2005 versions of products. Monday at the show is the official launch, and it’s always great to be part of the party!
- Keynotes by Bjarne Stroustrup and Charles Petzold (and others). I’ve never seen Bjarne speak but as the main person who created C++ it’s got to be interesting. And Charles is always interesting. (By the way, I’m well into his book Code: The Hidden Language of Computer Hardware and Software, which I’ll read more of on the plane. Very, very interesting!)
- Seeing friends from all over the world.
- Sessions by some incredibly bright people who know the technology: Ken Getz, Rocky Lhotka, Dino Esposito, Markus Egger, Billy Hollis, Julie Lerman, Michele Leroux Bustamante, Paul Litwin, Kim Tripp, Dan Appleman, Carl Franklin, Christian Weyer, Itzik Ben-Gan, Gert Drapers, Kate Gregory, and Herb Sutter are just a FEW of them. Wow! The schedule has multiple sessions I want to attend in every time slot!
- It’s been years since I wrote C++ code (I went from C++ to Clipper to VB to VB.NET and C# in my development career), but I’ll be spending time at the C++ Connections conference sessions because there are so many great ones!
- Meeting new people from all over who are doing interesting things with technology. (BTW, if you’re going and are from Alaska, be sure to say hi to me!)
- Great food. The Mandalay Bay is a HUGE resort with everything you could want from Vegas. No wonder I always gain weight at these conferences.
- November in the desert. I hate leaving Alaska during the winter (we’re well into training for skijoring and mushing) but what can I say? The desert in fall and winter is magical!
- A Roasting Bjarne Stroustrup event on Wednesday night. I’ve no idea what this is all about, but it sounds fun!
How can you stand not being there???
Okay, that’s enough exclamation points for one post. In and among all the other stuff going on, I’ll be doing five sessions. In SQL Connections:
- Using the XML Data Type
- Data Encryption in SQL Server 2000
- Security in the CLR World Inside SQL Server
And in Visual Studio Connections:
- Making the Most of Visual Studio 2005’s Security Tools
- Building Applications, Next Generation: MSBuild
I recently finished up a five-part series of articles for Informit.com called Living the Least Privilege Lifestyle. It covers a lot of the tips and tricks I’ve learned as both a developer and a user about how to survive as a member of just the Windows Users group rather than Administrators.
Take a look and let me know what you think! Did I forget anything?
Update: Changed the link to list all five articles, although they appear in reverse order.
I’m just back from SQL PASS, and my next conference trip will be to Lost Wages, Nevada for DevConnections. It is again at the Mandalay Bay Resort on the Strip. I fully expect to spend exactly zero dollars and time on gambling, particularly when the conference chairs have again done an incredible job of assembling content. I’m particularly excited about the addition of C++ Connections, and getting to hear Bjarne Stroustrup’s keynote. All of the conferences have some incredible speakers.
Once again the Visual Studio and SQL Server conference chairs screwed up and picked some of my sessions. Will they never learn???
I’ll be presenting these:
Making the Most of VS 2005's Security Tools
Visual Studio 2005 has a large set of new and old tools that can help make applications more secure and robust. This session will explore how to build secure applications using various tools and techniques for both managed code and native code. Developers can use technologies such as PreFast, FxCop, Integrated Bug Tracking, /GS switch, SafeCRT libraries, AppVerifier, and various Code Access Security tools to analyze source code and diagnose deeply hidden security vulnerabilities. These security enhancements will help make writing secure applications easier than ever before. Your everyday development environment will have the tools you need to build secure applications and, more importantly, verify that they are secure.
Building Applications, Next Generation: MSBuild
How do you build your applications? Hit Rebuild Solution in VS.NET and run with it? Create your own command-line batch files? Use NAnt? Do you use something else fragile, inflexible, and un-integrated with your development environment? Microsoft feels your pain! Coming soon to an OS near you is MSBuild, a tool closely integrated with VS.NET solution files that let you build multiple, flexible build descriptions that are automatically synced up with solution files. Best of all, it exposes every step of the build process that once was hidden deep within VS.NET — you can edit any part of it. By modifying the build process, you can incorporate unit testing, complete database rebuilds and import sample data, develop multiple build scenarios, run utilities like FxCop on the project, and almost anything you want to do every time you build your project. You also have the power to royally screw up your builds beyond recognition! By the end of this session, you'll know whether MSBuild is right for your project and how to put it to best use.
Data Encryption in SQL Server 2000
Sure, SQL Server 2005 has the hot new features, including support for native data encryption on the server. But what if you need in-depth defense in SQL Server 2000? You can implement encryption for data stored in SQL Server 2000 using any of several techniques. The trick is to manage your encryption keys securely and avoid creating a performance nightmare on the server. Learn a few of the more useful encryption techniques to provide this important last line of defense to your critical data stored in SQL Server 2000.
Security in the CLR World Inside SQL Server
One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) in any environment is code access security (CAS). CAS provides a code-based —rather than user-based — authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005's own, greatly enhanced security features? By default your .NET code is reasonably secure, but it’s all too easy for the two security schemes to butt heads and cause you grief. During this session, we'll briefly look at the concept behind CAS, then explore how to make it work for you instead of against you as you take advantage of these advanced programming features in SQL Server.
Using the XML Data Type
With XML as a native data type in SQL Server 2005, you now have two query engines and syntaxes: SQL and the new XQuery. Creating queries that mix the two engines can be daunting — and hazardous to your performance. In this session, explore the XML data type and XML-specific T-SQL functions you can use with it, how to mix and match the syntaxes effectively, and how to build common queries that extract and modify data at a minimum of two levels: relational data and embedded XML.
Paul Litwin, chair of ASP.NET Connections, has started a blog to talk about planning a conference like DevConnections. Interesting stuff…I don’t envy him his job!
Bill McCarthy poses an interesting question about software updates and limited users. The gist is, where do you put program files so that you can update them on a machine used by mere users, without exposing them to additional risk. Using a service seems to be the best option, but it sure seems like way too much complexity to throw at it.
I posted a comment, but don’t think that we’re considering all the options. I’ll have to think about this more.
I’ve been writing a series of articles about living the Least Privilege lifestyle for Informit.com, and the first has finally appeared on the site. The series of (probably) five articles will include most everything that I’ve learned over the last couple of years of doing least privilege, both as a user and a developer.
Give a look and let me know what you think, either here or, if you are willing to log onto informit.com, there.
For a good laugh, check out The Devil's Infosec Dictionary. Ain’t it just the truth!
Some of the definitions hit a bit too close to home, though. Sigh.
via Bruce Schneier
Sheesh. Once again Microsoft is determined to inconvenience legitimate users without giving hackers a pause with their now-mandatory Windows Genuine Advantage program. I was just trying to download the new SyncToy Power Tool for Windows XP and had to go through the rigmarole of validating that I have a legitimate copy of Windows. Isn’t once enough?
So, what Microsoft is saying is that to download anything but non-critical security patches I have to do this validation every single time? The ActiveX control method of validation doesn’t seem to work for me, presumably because I’m running as a non-admin user or because I have IE reasonably locked down. So I have to download and run the 400K tool every time I do a download, then copy and paste the code into the Web page??? Or will this be another example of something that Microsoft tells me I have to loosen my security to enable?
Bah!
At long last, Microsoft Baseline Security Analyzer 2.0 has been released. No idea yet how much better it is, but feel free to post comments about your experiences with it.
I suspect this will once again be a highly recommended tool for helping to keep machines secure.
Ah, the list is finally up of the new Visual Developer - Security MVPs. I'm in some pretty awesome company (when something like this happens, I always feel like a mistake has been made, but I'll not notify Microsoft ;-):
Keith Brown (of course!)
Nicole Calinoiu
Robert Hurlbut (who I just had the honor of meeting at DevTeach in Montreal)
Anil John
Oleg Mihalik
Valery Pryamikov
Raffaele Rialdi
Kader Yildirim
These are the current MVPs who have moved to the new Visual Developer - Security category. Still waiting on the list of brand new MVPs...
Wow! Microsoft has created a new category for MVPs called Visual Developer - Security. I don’t have a precise definition of the category yet, but it is focused on writing secure code using the Visual Studio family of tools.
And I’m pleased to say that I’m one of the inaugural MVPs! I’ve been an MVP for a while, so this is just a change of "core competency" for me. I was originally selected as an ASP.NET and VB.NET MVP but since then I’ve spent as much time with C# and WinForms, as well as SQL Server, with a particular interest in security. So this new category is a good fit for me.
I don’t yet know who my fellow MVPs are in this category, but apparently it is a mix of existing and new MVPs. The announcement should come tomorrow.
I leave tonight for Burlington, Vermont en route to Montreal for DevTeach. Julie Lerman has already detailed my itinerary on her blog, so I won't repeat the details here, other than I plan to hang out back in Burlington for one day and do a long day hike on a section of Vermont's Long Trail. Then back to the grind. It'll be nice to hang out with Julie and Rich, as well as their delightful, slobbery Newfoundlands, Tasha and Daisy.
DevTeach, now in its third year, is one of my favorite conferences. Jean-Rene Roy and his wife and staff do a great job of putting it together and keeping it focused and intimate, a fun experience in the geekiest way. Last year Jean-Rene even got a standing ovation at the closing session. How often do you see that at a conference???
This year I'm doing four sessions, covering a variety of current and upcoming technologies:
Security Through Least Privilege
Least Privilege is one of the first principles of developing secure applications. But what does it mean? How do you do it? Why is it so critical? This session will explore how to develop apps that give the absolute minimum permissions to every user and login and still meet application and user requirements, as well as explore—gasp!—why developing without admin privileges on your development machine leads to much stronger and more secure apps. Code access security is a great feature of the Common Language Runtime, but requires that you live the unprivileged lifestyle yourself. Least privilege isn't easy to use or implement, but in this day and age it is the only way you and your users can have reasonable confidence in the security of an application. Come learn how to live the partially trusted life.
Store .NET App Data Securely
In the age of Code Access Security and partially trusted applications, where can you store application data? All applications need to save configuration and runtime data somewhere, but common solutions like the registry, databases, and disk files are fraught with security issues. This session explores various options for storage where you may not need special permissions. For example, .NET's isolated storage provides a secure, protected place to store data without the security issues of writing to a disk outside of your Web application and subdirectories. During this session we'll explore how to put these storage options to use in .NET applications while avoiding potential sources of security holes.
Visual Studio 2005's New Security Tools
Visual Studio 2005 includes new security tools that will provide static security defect detection, prevention, and mitigation features for both unmanaged and managed code. More than ever before, your everyday development environment will have the tools you need to build secure applications and, more importantly, verify that they are secure. There are still no guarantees that your apps will be bullet-proof, but at least you can rest easy that they are reasonably free of the most widely exploited security holes. Come learn about these tools and start helping your users rest better at night.
Using the XML Data Type
With XML as a native data type in SQL Server 2005, you are now faced with two query engines and syntaxes, good old SQL and the new kid, XQuery. It can be daunting to create queries that mix the two engines, and it can be hazardous to your performance. This session will explore the XML data type and the XML-specific T-SQL functions you can use with it, how to mix and match the syntaxes effectively, and how to build common queries that extract and modify data at a minimum of two levels: relational data and embedded XML.
Between that, the fun events, cool conference sessions from some amazing speakers, and getting to see my dear Aunt Marg, it'll be a great few days! If you're in the area, come on by. And there are a couple of user group sessions on Monday night.
I wrote an article for MSDN that provides an overview of the new security features in SQL Server 2005, aimed at developers: Keep Bad Guys at Bay with the Advanced Security Features in SQL Server 2005.
Feel free to rate it, if you like it! ;-)
One of the worst security features in .NET 1.0 and 1.1--although thankfully a rather obscure one--was the -s switch on caspol that let you turn off CAS on that machine. What a horrible setting to make available.
When I had heard that 2.0 was going to remove the switch, I was quite happy. Alas, it was not to be: Shawn says that it's still there. But the news is not all bad...you can switch it off, but only as long as the command prompt is open where you turned it off. And it sounds like it's a good, decent implementation.
The argument Shawn puts forward is that it is a useful debugging feature. Fair enough. But I shudder to think what happens when a mere user discovers the switch. Of course, if s/he isn't running as a member of the Administrators group, it's a moot problem. Hmm, and I guess caspol is part of the Framework SDK.
Okay, I feel better.
But please! Practice safe computing and never use -s!!!
Today I stumbled across one of the very specific reasons why developing code as a member of the local or domain Administrators group is a bad idea.
If you follow Microsoft's recommendations for SQL Server authorization, you use Windows integrated security for your apps that access SQL Server. That means that when you run code against the database, you, as a member of the Administrators group, are automatically a member of the dbo role in any database. So your code is executing with complete control over the database you're accessing.
Fine for development, but just imagine the bugs you're building into your code! A non-admin user running your code is likely to have far fewer permissions in the database, and your code breaks because of all the objects the user doesn't have permissions for. Even if you catch the exceptions so that the app dies gracefully, your app is going to be unusable to that user without a LOT of rework.
Just say no to developing code as a member of the Administrators group!
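A way to make this bug visible on the development box before a real user hits it, as an added T-SQL example that is not part of the original post: check whether you are really testing as dbo, then run the application's queries under a database user that holds only the permissions the app is supposed to need. The database name SampleDb, the table dbo.Orders and its Status column, the role app_reader and the loginless user app_tester are all assumed names chosen for this example; CREATE USER ... WITHOUT LOGIN and EXECUTE AS are SQL Server 2005 features.

```sql
-- Added example (not from the original post): a least-privilege smoke test in T-SQL.
-- Assumptions: database SampleDb with a table dbo.Orders that has a Status column;
-- app_reader and app_tester are hypothetical names created here.
USE SampleDb;
GO

-- 1. Where am I right now? A Windows admin connecting with integrated security normally
--    lands in the sysadmin server role and is therefore dbo in every database.
SELECT SUSER_SNAME()                AS login_name,
       USER_NAME()                  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 means nothing you run will ever be denied
       IS_MEMBER('db_owner')        AS is_db_owner;
GO

-- 2. Model the real end user: a database role holding only what the app needs.
CREATE ROLE app_reader;
GRANT SELECT ON dbo.Orders TO app_reader;      -- deliberately no INSERT/UPDATE/DELETE
CREATE USER app_tester WITHOUT LOGIN;          -- no Windows or SQL login required for a test identity
EXEC sp_addrolemember 'app_reader', 'app_tester';
GO

-- 3. Run the application's statements as that user instead of as dbo.
EXECUTE AS USER = 'app_tester';
SELECT USER_NAME() AS now_running_as;          -- app_tester

-- Allowed: the role has SELECT on the table.
SELECT TOP (5) * FROM dbo.Orders;

-- Ask before acting: 0 here tells you in development what the user will hit in production.
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE') AS can_update;

-- Denied: raises error 229 ("The UPDATE permission was denied on the object 'Orders' ...")
-- for app_tester, but would succeed without a murmur for a developer who is dbo.
BEGIN TRY
    UPDATE dbo.Orders SET Status = Status WHERE 1 = 0;   -- touches no rows even if permitted
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

REVERT;   -- back to your own (admin) security context
GO
```

Run the whole script from your normal admin session: step 1 tells you whether your tests have been meaningless so far, and step 3 is what a test harness or integration script should wrap around every data-access call so that missing grants show up as a failed test rather than as an unhandled exception on a user's machine.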
I'm in the process of evaluating what seems to be a cool product, PortSight Secure Access Enterprise Edition, version 2.2. This is the product description from their Web site:
Secure your WinForms, WebForms and Web Services and integrate them with Active Directory. PortSight Secure Access for .NET allows you to manage users and their access to WinForms and WebForms applications, Web Services and Web content. It features user roles, permissions, audit trail, delegation and import from Active Directory. It’s delivered with an easy-to-use Web Interface and re-usable ASP.NET and WinForms controls that make it easy to integrate security into your application.
So it is designed to enhance the security of custom apps by making it easier to integrate with security infrastructure. Cool!
What's not cool is that the app itself doesn't run unless you have admin privileges. In particular, its Catalog Manager, the tool used to manage security repositories in SQL Server, fails in various operations when running as a mere user. Once it is installed, registering the product using Help | Register Product fails with a worthless error message because it writes to the application directory in c:\Program Files, a security breach. Creating a new catalog seems to succeed, as indicated by the "installation has been completed successfully" message shown in the image below. But the same dialog indicates that there was an error registering the catalog, with no explanation of the problem. Since the new catalog is not registered, it is unusable.

I suspect that I've just scratched the surface of such problems, but it doesn't matter. I'll never find them.
Uninstalled.
The .NET framework team has a survey up, asking for developers to give them information about how and whether they use Code Access Security to build partially trusted applications. You can find the link on the .NET Framework Developer Center site. Click on the Let Us Know What You Think link there to start.
If you want to see improvements in how all this works, give them some feedback!