The Truth About User Privileges
Denying your users full system privileges is in style
November 8, 2006
Has the time finally come for the least-privilege user -- you know, setting your Windows client machines to run without system administrator rights?
Leaving admin power on a user's desktop can invite trouble, especially with today's more targeted attacks. That trouble can take the form of malware gaining a foothold on the machine, or of users installing applications they shouldn't, security experts say.
Minimizing user rights on a machine is not a new concept, but it may become more of a standard practice with Microsoft's soon-to-be-released Windows Vista and its User Account Control (UAC) feature, which lets "nonprivileged" users perform mundane tasks that once required admin privileges. (Windows XP, for instance, requires a user to have administrative rights to connect to an ad-hoc wireless network.)
Today, some Windows applications just won't run properly on a desktop without administrative rights. "It's a dirty little secret people sweep under the rug because they're not able to do much about the problem. A lot of applications and pieces of environments won't work if users aren't given admin rights," says Steve Kleynhans, vice president for Gartner's client platforms group. "If you can get applications to function with lower rights, in a lot of cases it hampers the user experience."
Many enterprises already configure their desktops with minimal user rights rather than the whole enchilada of admin rights. Thomas Ptacek, a researcher with Matasano Security, says that these days enterprises more often than not are configuring their desktops for least privilege. "There is a definite trend towards least privilege in enterprises," he says. "Least privilege contains threats -- a zero-day exploit in your mail reader is less viscerally terrifying if it only gets you a normal user account."
Mark Loveless, security architect for Vernier Networks, says user privilege problems stem more from the applications themselves. "Most don't take advantage of the security features there in Windows. Not everything has to run with full system privileges all the time," Loveless says. "Part of the problem is application developers don't think they can code it where it doesn't require full system privileges."
Vista could help change all that. Aside from its user account control feature, apps will run better on the OS if they don't demand administrative privileges, experts say. "Microsoft is pushing a model where your code runs better if it doesn't demand administrative privileges," says Dan Kaminsky, director of penetration testing for IOActive. "If you want your stuff to work better, it [must] operate in this sandbox."
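Whether a desktop is really running at least privilege, and whether the current process is elevated under UAC, are two different questions, and the audit below separates them. It is an added example, not code from the article or from any of the vendors quoted; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 or later (where the Microsoft.PowerShell.LocalAccounts module that provides Get-LocalGroupMember ships in the box) and that it is run from the user's ordinary, non-elevated session.

```powershell
# Added example (not from the Dark Reading article): audit a Windows desktop
# for least privilege and show UAC's split-token behaviour.
# Assumptions: Windows 10+ with Windows PowerShell 5.1 or PowerShell 7;
# run from the everyday user's *non-elevated* session.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity

# 1. Is THIS process token elevated?
#    Under UAC, a member of Administrators normally runs with a filtered token,
#    so IsInRole() returns $false until the user clicks through a UAC prompt.
#    This is the check an installer or script should make before assuming it
#    can write to HKLM or Program Files.
$tokenElevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Is the ACCOUNT a member of BUILTIN\Administrators at all (directly or via
#    a nested domain group)?  The token's group list still carries the
#    Administrators SID (S-1-5-32-544) in a filtered token, merely flagged
#    "use for deny only", so this tells us about membership regardless of
#    elevation.  A least-privilege desktop means this is $false for the
#    everyday logon account.
$adminsSid     = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$memberOfAdmins = [bool]($identity.Groups | Where-Object { $_ -eq $adminsSid })

# 3. Inventory: who else holds local admin on this machine?  Direct members
#    only; nested domain groups show up as the group, not their members.
#    Get-LocalGroupMember can throw on orphaned SIDs, hence the error handling.
try {
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                   Select-Object -ExpandProperty Name
} catch {
    $localAdmins = @("(enumeration failed: $($_.Exception.Message))")
}

# 4. Integrity level of the current token, straight from whoami, which makes
#    the split token visible: Medium for a filtered token, High once elevated.
$integrity = (whoami /groups /fo csv | ConvertFrom-Csv |
              Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

[pscustomobject]@{
    User            = $identity.Name
    TokenElevated   = $tokenElevated
    MemberOfAdmins  = $memberOfAdmins
    IntegrityLabel  = $integrity
    LeastPrivilege  = (-not $memberOfAdmins)
    LocalAdmins     = ($localAdmins -join ', ')
}
```

Run from an ordinary session on a least-privilege desktop you should see TokenElevated and MemberOfAdmins both false and a Medium integrity label; an admin user who has not elevated shows TokenElevated false but MemberOfAdmins true, which is exactly the UAC case the article describes, where the account has the rights but the running code does not get them until it asks. The LocalAdmins column is the inventory to review when deciding which accounts to demote.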
But Matasano's Ptacek says in the end, the least-privilege user setting doesn't matter. In addition to the scarcity of apps being written for it, least privilege doesn't necessarily stop malware. "Normal users have to be able to open new network connections to make benign applications work," he says. "A reliable exploit in a 'non-privileged' network service is still a mass-casualty threat."
And it's the Web app that guards payroll data, for instance, not the user's Windows admin account, he says. "Matasano writes advisories to vendors after finding flaws that let 'guest' users rewrite databases or add and delete new users," he says. "Who cares about [Windows desktop] system privileges?"
— Kelly Jackson Higgins, Senior Editor, Dark Reading