Steve Lamb's Blog

Security Matters

There's a great White Paper detailing how to run Windows XP with the least privilege

Browse here to view the paper titled "Applying the Principle of Least Privilege to User Accounts on Windows XP". It gives a good explanation of how to reduce the amount of time both you and your users need to be logged on with administrative privileges. It's pretty well accepted that running as admin is a bad idea from a security perspective: any code you run, deliberately or accidentally, runs with the same privileges as you do, and that is the route malicious software most often takes to take over a machine.

Think about Browser Helper Objects (BHOs) for a moment. These are COM components, ActiveX-style extensions, that Internet Explorer loads at start-up to provide additional browsing features and interface richness. IF YOU'RE running with admin privileges a BHO can be silently installed on your system, and there are plenty of malicious BHOs out there. Installing one means registering it under HKEY_LOCAL_MACHINE, which a regular user can't write to, so if you visit a site that tries to install a BHO (malicious or safe) the install fails when you're running as a regular user.
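As an added example (not code from the original post), the script below audits the BHOs registered on a machine and checks the two things that matter for the argument above: whether the current account is a member of Administrators, and whether it could write the HKLM key a BHO has to be registered under. It assumes Windows PowerShell 2.0 or later with its Registry provider (available for XP SP3); the registry paths are the standard BHO and COM registration locations and are not specific to any product.

```powershell
# Added example, not from the original post. Lists the Browser Helper Objects
# Internet Explorer will load and shows why a restricted user cannot add one.
# Assumes Windows PowerShell 2.0+ (try/catch) and the Registry provider.

$BhoKeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Test-IsAdministrator {
    # True when the current token carries the local Administrators group.
    # On XP this is the whole story; Vista's UAC splits the token further.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledBho {
    # Each subkey under the BHO key is the CLSID of an extension IE loads at
    # start-up; resolve it to the COM friendly name and the DLL path.
    $root = "HKLM:\$BhoKeyPath"
    if (-not (Test-Path $root)) { return }
    foreach ($sub in Get-ChildItem $root) {
        $clsid  = $sub.PSChildName
        $comKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name   = '<unregistered CLSID>'
        $dll    = '<no InprocServer32>'
        if (Test-Path $comKey) {
            $name = (Get-ItemProperty $comKey).'(default)'
            if (Test-Path "$comKey\InprocServer32") {
                $dll = (Get-ItemProperty "$comKey\InprocServer32").'(default)'
            }
        }
        # One line per BHO. A DLL living outside Program Files or System32,
        # or a CLSID with no COM registration at all, deserves a second look.
        "{0}`t{1}`t{2}" -f $clsid, $name, $dll
    }
}

function Test-CanInstallBho {
    # Registering a BHO means creating a new subkey under HKLM. Opening the
    # key for write access throws a SecurityException for an account that
    # lacks that right, which is exactly what protects a non-admin user.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BhoKeyPath, $true)
        if ($key -eq $null) { return $false }   # key absent: nothing to write into
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

"Running as Administrator : $(Test-IsAdministrator)"
"Can register a new BHO   : $(Test-CanInstallBho)"
"Installed BHOs (CLSID, name, DLL):"
Get-InstalledBho
```

Run it once from your everyday account and once from a console started with `runas /user:Administrator cmd`: the first two lines should flip from False to True, which is the difference between a drive-by BHO install failing and succeeding. The BHO list is the same either way, since reading HKLM needs no special rights.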

Running with less privilege will get much easier with Windows Vista, but in the meantime it's important to learn how to adopt the principle of least privilege on Windows XP.

Work with your in-house developers to encourage them to develop with least privilege too; code that is written and tested under a restricted account is far more likely to run correctly under one.

Comments
  • Encouraging developers to drop the "administrators" membership is tricky, though. Even leaving aside the ego issues (which I still maintain could be avoided by renaming the account / group to "janitors"), VS.NET 2003, which is still in use at most places, requires the SeDebugPrivilege in order to debug processes - despite the fact that it isn't actually required. VS.NET 2005 gets around this, and if you're developing a user application, you should do as much of your development as a restricted user as possible. That way you don't end up with a listing on http://www.threatcode.com. Testing the administrator out of an application (i.e. running tests to see if the application fails to work properly from a restricted user's account) is no substitute for never having developed it in there in the first place.

  • Alun> I love the idea of renaming the Admin user/group to "Janitors"! Thanks for your comments

  • Steve: Thanks for the link - I'm all in favour of LUA. Alun: I use VS.NET 2003, and I'm not in the local admins group (or at least not with my primary logon account). I am in the "Debugger Users" and "VS Developers" groups, and that does the trick. Arguably that's not a huge improvement, but at least it's a step in the right direction. However, if you use VB6 then you have to be a local admin - I haven't found any way around that. Even logging in as a basic user and doing "Run As..." to just run that app with elevated privileges doesn't work, which is annoying.
