Applying the Principle of LUA on Windows XP

Microsoft have released a white paper on “Applying the Principle of Least Privilege to User Accounts on Windows XP” which I assisted in reviewing.

Running Windows, or any OS for that matter, with only the level of access required is a Defense in Depth strategy, which means taking a layered approach. However, it’s not easy as an IT Administrator or Developer to run in LUA mode and still get your job or tasks done; this paper will assist in running Windows in LUA mode.

In addition, and as mentioned before, I highly recommend Aaron Margosis’ excellent blog on running with LUA; if you can’t find a solution to something regarding LUA, the answer or reason will be over at Aaron’s blog.

View the Whitepaper or download a Word version now!!

More patching & ISO Image from MS

More patching from the usual Microsoft monthly patch updates. All are critical, so get patching again!! Details of the January Bulletin also incorporate the WMF update; more info here.

Microsoft has also made available an ISO image of this month’s updates for Windows Update only, which means the Office, Exchange and other updates are not included. Still, this is a handy download and I’ve found it useful already. Details and download from here.

You are running with LUA (Non-Admin).. right?

In my previous post about “More on the WMF vulnerability” and what you can do, I assumed everyone is running with a LUA (Least-Privileged User Account), aka an account without Admin rights that is a member of the Users group only (or Domain Users only).

I should have stated it as Point 1: Run with a LUA account!!

So just in case you are still running an admin account to do your email and surf the web, now might be a very good time to change this BAD habit!!

For more info see Aaron Margosis’ excellent blog… it’s the best resource around on running LUA with Windows.
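A quick way to verify the point above on your own logon: the PowerShell script below (an added example, not from the original post or from Aaron’s blog) reads the current token and reports whether it carries Administrators or Power Users membership. It assumes a local or domain logon on a Windows box with PowerShell installed; the group list it checks is my own choice of what makes an account more than a plain member of Users.

```powershell
# Added example: is the current logon a Least-Privileged User Account?
# Reads the group SIDs in the current access token and flags membership in
# groups that grant more than the built-in "Users" rights.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Well-known local group SIDs that mean "not LUA" (same on every machine).
$privilegedSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}
# Domain group names to flag; their SIDs vary per domain, so match on name.
$privilegedNames = @('Domain Admins', 'Enterprise Admins')

$hits = @()
foreach ($sid in $identity.Groups) {
    if ($privilegedSids.ContainsKey($sid.Value)) {
        $hits += $privilegedSids[$sid.Value]
        continue
    }
    # Translate the SID to DOMAIN\Name; groups that cannot be resolved are skipped.
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        foreach ($p in $privilegedNames) {
            if ($name -like "*\$p") { $hits += $name }
        }
    } catch { }
}

# WindowsBuiltInRole.Administrator is the same check the OS uses for admin rights.
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host "Logged on as : $($identity.Name)"
Write-Host "Admin rights : $isAdmin"
if ($hits.Count -eq 0) {
    Write-Host 'OK: this account is LUA (no Administrators/Power Users membership).'
} else {
    Write-Host ('WARNING: member of ' + ($hits -join ', ') + ' - this is not a LUA account.')
}
```

Run it in the session you use for email and the web; if it prints a warning, that is the account to demote to Users.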

Running with LUAP is a must!

Running your Windows machine, or any machine for that matter, should always be carried out with a LUAP (Limited User Access Privilege), i.e. a NON-ADMIN account!!

The problem is most people don’t, and this is predominantly because Windows, from a factory install CD, logs on as Administrator by default.

Is it a pain to run with a non-admin account? Well, not really; there are a few tricks and tweaks that you can make. Perhaps if you are using a machine for games only, then you might have an argument.

Take a look at this blog from Aaron Margosis of Microsoft.