Least User Access or Least-privileged User Access (LUA)

Previously known as Separation of Credentials

System Administrators (SAs) should practice the principle of least privilege when granting administrative privileges to computers. Starting with Windows Vista and Server 2008, Microsoft introduced a feature called User Account Control (UAC). When enabled, UAC requires a user to confirm actions and provide elevated credentials when they try to perform administrative tasks such as installing software. UAC makes it easy to accomplish an administrative task without logging on to the console of a system using an administrative credential. Even on soon-to-be legacy operating systems, such as Windows XP and Server 2003, you can use run-as to run elevated tasks while logged in to the console with a standard user account.

Some programs do not function when run under a standard user account. Typically this is due to a restricted ACL on the program's installation files or registry keys. Identifying the trouble spot and adjusting the ACL can fix this problem without having to grant a non-system-administrator user an elevated privilege account.

This page provides information about setting up and using LUA accounts in the USGS domain, including how to troubleshoot and fix programs that do not run well under a LUA account.



Using Run-as to Elevate Privileges

In Microsoft Windows, you can run programs as a different user than the currently logged on user. The Secondary Logon service must be running for this to work.

Use the context menu

Right-click on the application or shortcut and choose Run as administrator. If the option is not listed in the context menu, try holding the Shift key when you right-click to see additional options.
[Screenshot: Right-click on shortcut]

Provide the appropriate credentials and click Yes to allow the application to run.

Use the command line

The Runas command can be run from the command line, as well. The basic syntax of the command is runas /smartcard /user:<domain>\<username> program. Other options can be viewed by typing runas /? at the command prompt. Note that when you are prompted for a password, no text or other symbols will appear while typing it.

The following example will prompt for a smart card PIN and then open a new command prompt window using elevated credentials:

runas /smartcard /user:gs\dventet-ou cmd

[Screenshot: Command Prompt]

Enter your smart card PIN. It will not be displayed:

[Screenshot: Enter PIN]

Press Enter and you will see the message below as it attempts to run as the alternate credentials:

[Screenshot: Attempting to start]

The new window will indicate in the title bar that it is running under the smart card credential. This is a little misleading because it does not specify the actual privileged account that we entered. An easy way to confirm which credentials it is running as is to type whoami at the prompt and press Enter. You should see your privileged account listed. Not all programs will have a visible indicator like this, although Windows Task Manager can be used to view running processes along with the account each one is running as.

In the case of the command prompt windows, you can also set the default properties of the window to be different when run under the elevated account. This makes it easier to differentiate between a regular and elevated command prompt.
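The whoami check above can be scripted so that an administrative script refuses to run when it was launched from a plain user prompt instead of the runas window. The following PowerShell function is an added example, not part of the original page; it reads the mandatory integrity label from whoami /groups (the same pseudo-group Task Manager reports) and checks whether the process token actually carries the Administrators group in an elevated state.

```powershell
# Added example (not from the original page): report which account the current
# console is running as, whether its token is an elevated administrator token, and
# the integrity level that whoami /groups and Task Manager show for it.
function Get-RunAsContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # True only when the token carries Administrators in an enabled state; the
    # filtered token UAC gives a non-elevated admin logon returns False here.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists the integrity label as "Mandatory Label\<level> Mandatory Level";
    # CSV output avoids depending on the column spacing of the default table.
    $label = whoami /groups /fo csv |
        ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } |
        Select-Object -First 1

    $level = 'unknown'
    if ($label) { $level = $label.'Group Name' -replace '^Mandatory Label\\', '' }

    [pscustomobject]@{
        User           = $identity.Name
        IsElevated     = $isElevated
        IntegrityLevel = $level
    }
}

# Usage: run this in a normal prompt and in one started with runas and compare.
$ctx = Get-RunAsContext
$ctx

# Stop early instead of letting an administrative script half-succeed as a
# standard user and leave a confusing trail of access-denied errors.
if (-not $ctx.IsElevated) {
    Write-Warning "Running as $($ctx.User) without an elevated token; start this from runas or 'Run as administrator'."
}
```

A standard LUA session shows IsElevated False and a Medium integrity level; the runas window opened with the privileged account shows that account's name, IsElevated True and High.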

Modify a shortcut

A shortcut to a program can be modified to always ask for admin credentials when launched.

Right-click on the program shortcut and choose Properties.

In the Properties window, click Advanced….
[Screenshot: Shortcut properties]

Check the Run as administrator checkbox and click OK and then OK again.
[Screenshot: Run as administrator checkbox checked]

Now you will be prompted for credentials each time you launch the modified shortcut.

Create a new shortcut

Right-click the desktop or whichever directory you want to create the shortcut in. Select New->Shortcut from the context menu.
[Screenshot: New shortcut]

Type or browse to the location of the runas command. Add the /smartcard /user and the program portion of the runas command. Click Next. This example will prompt for credentials to open the Java control panel:

C:\windows\system32\runas /smartcard /user:gs\dventet-ou "C:\Program Files (x86)\Java\jre1.8.0_45\bin\javacpl.exe"
[Screenshot: runas command for the Java control panel]

Type a name for the shortcut and click Finish.
[Screenshot: Shortcut name]

You will be prompted for your PIN each time you launch the shortcut.
[Screenshot: Credentials prompt]
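The "Create a new shortcut" steps above can also be done with a script, which is useful when the same runas shortcut has to be handed to several people. This PowerShell script is an added example and not from the original page; it reuses the page's own account (gs\dventet-ou) and javacpl.exe path as defaults, and first checks that the Secondary Logon service (service name seclogon) mentioned earlier is running, since runas will not work without it. The shortcut file name is an assumption.

```powershell
# Added example (not from the original page): create the runas shortcut for the
# Java control panel described in the "Create a new shortcut" steps.
param(
    [string]$AdminAccount = 'gs\dventet-ou',                                         # page's example account
    [string]$Program      = 'C:\Program Files (x86)\Java\jre1.8.0_45\bin\javacpl.exe', # page's example program
    [string]$ShortcutPath = "$env:USERPROFILE\Desktop\Java Control Panel (elevated).lnk" # assumed name
)

# runas depends on the Secondary Logon service; fail clearly if it is not running.
$seclogon = Get-Service -Name seclogon -ErrorAction Stop
if ($seclogon.Status -ne 'Running') {
    throw "Secondary Logon (seclogon) is $($seclogon.Status); start it before using runas."
}

if (-not (Test-Path -LiteralPath $Program)) {
    throw "Program not found: $Program"
}

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($ShortcutPath)
$lnk.TargetPath       = Join-Path $env:SystemRoot 'System32\runas.exe'
# The program path contains spaces, so it must be quoted for runas exactly as on the page.
$lnk.Arguments        = "/smartcard /user:$AdminAccount `"$Program`""
$lnk.WorkingDirectory = Split-Path -Parent $Program
$lnk.IconLocation     = "$Program,0"
$lnk.Save()

Write-Host "Created $ShortcutPath -> runas $($lnk.Arguments)"
```

Double-clicking the resulting shortcut produces the same PIN prompt as the manually created one; because the credential is supplied by runas at launch time, the shortcut itself stores no secret and can be copied to other machines that have the same program path.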


Third-party Tools to Help Avoid Granting Elevated Access
Sysinternals Process Monitor

Utility from Sysinternals that can be used to track down possible access issues, among other things.

More information: http://technet.microsoft.com/en-us/sysinternals/bb896645

LUA Buglight

LUA Buglight is a GUI application that helps to identify why an application fails to run for a LUA account. This can help an administrator make adjustments so that the end user can run the application without requiring elevated credentials.

A “LUA bug” refers to an application that works properly when run with elevated privileges, but fails to work under a LUA (Limited User Account or Least User Access) user credential – when there is no technical or business reason for requiring elevated privileges. Usually, these bugs are due to the program attempting to make changes to a file under %Program Files% or directly to a key under HKLM in the registry. LUA Buglight is a utility that quickly identifies these bugs, allowing administrators to deploy fixes without having to grant users unnecessary elevated credentials.

Download LUA Buglight 2.2 (supports Win7/Win8 and corresponding server platforms) here: http://blogs.msdn.com/b/aaron_margosis/archive/2012/11/28/lua-buglight-2-2-with-support-for-windows-8.aspx

Problems of Privilege: Find and Fix LUA Bugs: http://technet.microsoft.com/en-us/magazine/cc160944.aspx

Using LUA Buglight:

  • Log on with an Administrative account and launch LUA Buglight. It must be started as a NON-Elevated Administrator account. LUA Buglight will request to be elevated when logging begins.
  • If desired, click on Tools – Advanced Options to modify the default log location or enable/disable file and registry virtualization (Vista and higher).
  • Use the Start and Stop buttons to start and stop logging. Start will launch the program – test any particular functions as needed. Stop Logging to launch the Reporter (it can also be opened under the Tools menu). View the File System and Registry tabs to view file and registry issues that were identified by LUA Buglight.
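Once LUA Buglight (or Process Monitor) has shown which folder or registry key a program tries to write to, the fix suggested earlier on this page is to adjust the ACL on just that location rather than giving the user an administrative account. The following PowerShell function is an added example, not part of the original page or of LUA Buglight; the paths and the group name in the usage lines are constructed placeholders to be replaced with what the Reporter showed.

```powershell
# Added example (not from the original page or LUA Buglight): grant a group write
# access on one folder or registry key reported as a LUA bug, leaving the rest of
# %ProgramFiles% and HKLM read-only for standard users.
function Grant-LuaWriteAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder (C:\...) or registry key (HKLM:\...) reported by LUA Buglight
        [Parameter(Mandatory)] [string]$Path,
        # Group to receive write access; a dedicated AD group is preferable to BUILTIN\Users
        [Parameter(Mandatory)] [string]$Identity
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $acl = Get-Acl -LiteralPath $Path

    if ((Get-Item -LiteralPath $Path).PSProvider.Name -eq 'Registry') {
        # SetValue + CreateSubKey + read rights, inherited by subkeys only
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $Identity, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow'
    } else {
        # Modify rather than FullControl, so users cannot change the permissions themselves;
        # inherited by files and subfolders below the reported folder
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    }

    if ($PSCmdlet.ShouldProcess($Path, "Grant '$Identity' write access")) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Constructed example locations; replace them with what LUA Buglight reported.
# Run from an elevated prompt; drop -WhatIf to apply the change.
Grant-LuaWriteAccess -Path 'C:\Program Files (x86)\ExampleApp\data' -Identity 'BUILTIN\Users' -WhatIf
Grant-LuaWriteAccess -Path 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp' -Identity 'BUILTIN\Users' -WhatIf
```

Keep the scope as narrow as Buglight's report allows: grant access on the data subfolder or the vendor's own subkey, never on the program's executable directory or on HKLM\SOFTWARE itself, and re-run Buglight afterwards to confirm the program now works under the LUA account.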

Third-party Tools to Use with Elevated Access Accounts
PrivBar

Toolbar for Internet Explorer and Windows Explorer that displays the integrity level or privilege level of the current page or window.

More information: http://blogs.msdn.com/b/aaron_margosis/archive/2011/09/01/privbar-update.aspx


Setting up a Privileged Account Strategy in Active Directory

Domain accounts can be created for those users who have a need for an account with elevated privileges.

Certified Organizational Unit Administrator (COUA) and Domain Admin (DA) accounts will be created after authorization has been received and routed through the USGS Service Desk.

See Setting up a Privileged Account Strategy in Active Directory for more information.


Settings for Common USGS Applications

This section is In Progress. To submit something to be added to this section, email GS Help Windows.


Sites for Further Reading/Information

LUA, LUA, LUA http://www.wintellect.com/blogs/jrobbins/lua-lua-lua

Using a Least-Privileged User Account http://technet.microsoft.com/en-us/library/cc700846.aspx

Least-Privilege Technology Still Swimming Upstream, But Making Progress (July, 2009) http://www.darkreading.com/end-user/least-privilege-technology-still-swimmin/218401443

User Account Control http://technet.microsoft.com/en-us/library/cc731416(v=ws.10).aspx

Computer World article “Removing admin rights stymies 92% of Microsoft’s bugs” February 3, 2009

Least Privileges for macOS

The "Make Me Admin" process for macOS Jamf-enrolled machines permits users who have a documented business need for administrative access to their macOS device to obtain it for 15 minutes at a time. For more information, see the Make Me Admin for macOS page.
