Wednesday, May 24, 2006

"Microsoft Standard User Analyzer"

Microsoft Standard User Analyzer

"Overview
The Standard User Analyzer helps developers and IT professionals diagnose issues that would prevent a program from running properly without administrator privileges. On Windows Vista, even administrators run most programs with standard user privileges by default, so it is important to ensure that your application does not have administrator access as a dependency.

Using the Standard User Analyzer to test your application can identify the following administrator dependencies and return the results in a graphical interface:

• File access
• Registry access
• INI files
• Token issues
• Security privileges
• Name space issues
• Other issues

This tool also complements the Application Compatibility Toolkit (ACT) 5.0. ACT 5.0 will include a User Account Control agent that you can deploy to user desktops to identify applications that require administer privileges. The Standard User Analyzer is designed to be run on the developer or tester’s workstation to test and troubleshoot a specific application. Issues identified with the Standard User Analyzer can also be entered into you ACT 5.0 database so you can track the application compatibility across your environment."


Interesting and something that could be useful as our industry (Windows software development) moves toward least privilege (which is not moving fast enough as I find myself having to unscrew too many things my wife, son and daughter do to their PC’s because of their admin priv’s... okay, also sometimes I do to my machines because of my admin priv’s... ;)

As a developer I know it would help to see exactly what in my apps that need to be tweaked to allow them to be run by "Standard Users".

I’d really like to see something like this baked into VS. Like the "Debug this application with the selected permission set" option you can turn on for ClickOnce sandbox testing/debugging. Something where I could set the user account the app will run under when I run it from the IDE. And of course still be able to have the debug user experience we now have...

Of course I could just remove my account from the local admin group and run/code/debug least privilege..
Na, I need what hair and brain cells I have left... ;)

Still this utility sounds like a nice step forward.

7 comments:

  1. Really, you should be developing as a standard user. Our team has been doing this for months now. There are a couple of small issues (relating to windows services and installation testing), but other than those it has been a painless process. We're using VS2005, and we have the same set of rights as any other desktop user in our organisation. Doing this has stopped us needing a tool like this, as we can't write the bad stuff to start off with.

    ReplyDelete
  2. I agree and I think you're right, that would be a much easier and cleaner. And it's great to hear from someone who does code like that...

    But there are some enterprise and third party apps that I need to run that require me to be in the Local Admin group. Some are even so ugly that Run As isn't an option...

    I'd like to yell, "stop the admin madness," but if a man yells in a forest but no one listens, does he make a sound (or only hurt his throat)?

    I'm just not in a position where I can do anything about my Environment, but I CAN control the app's I build and deploy... So at least I can try to "do the right thing". Hence my interest in this...

    Again, thanks for the comment... It gives me some hope for the future.

    ReplyDelete
  3. No worries. It really does take a bit to get your head around it initially, but once you do its so easy.

    We have the same issue here, with regard to third party apps. We need to link two different applications (one a web interface and the other a VB6 app). In the end, we put the VB6 app on a citrix server and locked it down as hard as we could, while giving the users enough privileges to run it. If it was on the same box, that would present a big headache.

    Fortunately, the whole business here is very security oriented, from the CEO down to the office administrator, and we simply wouldn't use an application that couldn't run in our environment. A luxury at this point in time, but hopefully soon a very standard mindset.

    I find it frightening how many dev shops still work as admin when they don't need to. A lot of them are too lazy to think about what's involved. They don't realise they can just switch of admin and see what breaks. They might be very surprised.

    The fact that all Microsoft devs run as admin is simply stunning. Admitedly, those working in the OS division might have a requirement for it, but without knowing how they work it's a tough call to make.

    Vista should solve your problem in the long run, as you can sandbox those apps.

    Keep up the good work with the blog. :)

    ReplyDelete
  4. Downloaded it and used it to analyze one of my apps. It produces a ton of stuff that I don't know what to do with. FOr example, it says I have errors because I'm trying to get or create registry entries when I never did anything with the registry in my code. There's other cryptic messages like:

    "CreateFileMappingA: Section 'MSCTF.MarshalInterface.FileMap.EPC..BBOCDB' has no namespace" or

    "Section: (\BaseNamedObjects\_nlsplus_charinfo_1_0_3627_11_nlp) access 0x20004 granted to 'O:BAD:(A;;CCLC;;;WD)'"

    What the heck and I supposed to do with that? There's tons of similarly cryptic stuff. Basically it listed about 350 errors and warnings and I don't have a clue where to go in my code to fix any of them.

    ReplyDelete
  5. I know what you mean...

    I ran it too for one of my apps, got results somewhat like yours, and now I'm trying to figure out what the heck it means (and how to use it).

    The output wasn't what I was expecting, that's for sure.

    ReplyDelete
  6. If you figure it out, post a follow up. As of now I just don't know how to deal with what it tells me so I'm not planning on using it.

    ReplyDelete

NOTE: Anonymous Commenting has been turned off for a while... The comment spammers are just killing me...

ALL comments are moderated. I will review every comment before it will appear on the blog.

Your comment WILL NOT APPEAR UNTIL I approve it. This may take some hours...

I reserve, and will use, the right to not approve ANY comment for ANY reason. I will not usually, but if it's off topic, spam (or even close to spam-like), inflammatory, mean, etc, etc, well... then...

Please see my comment policy for more information if you are interested.

Thanks,
Greg

PS. I am proactively moderating comments. Your comment WILL NOT APPEAR UNTIL I approve it. This may take some hours...