Sunday, July 31, 2005

LUA LUA, oh baby - you've got to grow

As I mentioned, I've been playing with the OS formerly known as Longhorn. One of the key deliverables this time around is that it is now supposed to be actually possible to run as a "User" or in LUA (Least-privileged User Access or Limited User Account depending on who you talk to) mode. With LUA, apparently we won't all laugh when MS publishes a security bulletin claiming that if we were running as a limited user, we would not be vulnerable to a certain issue. Today we all do laugh as next to nobody actually runs as a LUA user (outside of kiosks and the like) because nothing works correctly.

So, as part of the testing I tried to change the Time Zone. Nope, NADA, not gonna do it. Since the TIME can be security critical, but the Time Zone itself CANNOT (on NTFS, file time stamps are stored as GMT and the display in Explorer adds offsets for the current time zone; also, Kerberos uses GMT and ignores time zone offsets), it should be something that a LUA user can change. After all, when they travel from the US to Kazakhstan their appointments in Outlook should show in local time - not 12 hours off from local time. So changing the Time Zone is a fairly critical operation for people who globe-trot.

Lest you ask - I did go through the policy settings and found that although there is a setting to allow either just Administrators or Administrators and Power Users to change the system time - there is nothing about the time zone and lowly LUA folks.

Come on MS - let's not screw this up yet again. We really do WANT to run as LUA users. Let us do it this time.
