Many of us are concerned about the ever increasing threat to information security and business continuity posed by malicious software. The more I study malicious software the more I believe that as an industry we need to focus our efforts upon preventing malware getting onto our systems in the first place. One of the most effective ways to reduce the risk of malware compromising your systems is to sign onto computer systems using accounts that have the minimum amount of privilege. Least User Access (LUA) is a widely used term to describe the use of least privilege.
Emerging services such as Microsoft’s OneCare offering can be used to take care of security updates and anti-virus / malware.
I will write a more detailed posted in the next few days explaining how to adopt the principle of least privilege. The article will provide practical advice that you can apply to existing systems be they Windows XP, a Microsoft Server platform or LINUX **this post has been edited as I accidentally typed LINIX**.
Windows Vista defaults to using least privilege (via "User Account Control") through the operating system including the services and applications. Even if you login using an account with administrative privileges Windows Vista will prompt you to approve the use of privilege as it’s required. Internet Explorer 7 defaults to running in “protected mode” on Windows Vista meaning that it is unable to write data outside the “Temporary Internet Files” of the user’s profile. The behaviour of “protected mode” means that malicious software is unable to reconfigure the system and therefore the risk of compromise even from unknown vulnerabilities is much reduced.
Dealing with Malware through proactive measures such as adopting the principle of least privilege is a classic case where changing your process can enable you to continue enjoying the benefits of technology without suffering the pain of security compromise and down time.
Aaron Margosis continues to provide excellent advice with regard to the importance of using least privilege
Not meaning to sound questioning!!! But is 'LINIX' meant to be 'Linux', I'm lost as I have no clue what LINIX is and nor does Wikipedia!!!
IMHO I believe home users will get fed up UAC & LUA being implemented in some configurations, many people still can't figure out programs are typically under the Start menu and that a mouse has two or more buttons for a reason (unless one's a dirty little Mac user)... I'm already dreading the calls 'Matt, it's asking for credentials? I have no clue what an admin account is I thought I was.' And so they whack out their faithful 20 year old Amstrad. What even more people fail to accept is that 4, 5 years old or more technology is not new!! I digress. Basically it's great for setups at work where everything can be implemented through the standard image the office configures and implements the rest through MMC/AD etc. but what about where people do their online banking and ordering... home I reckon they'll switch it off as they'll consider it a nuisance as soon as a plugin is required for a site (I myself have some really obscure ones yet on really popular sites). This is getting really verbose and whiney so I'll shutup now!!
Matt> Thanks for pointing out my Typo.
I've written a new post to discuss your comments - please feel free to respond to the new post
April 17, 2006 Good Morning: Happy Monday! Quite a few things popped up on Friday and over the weekend, mostly focusing on Windows vs. Linux and vulnerabilities. Amazingly enough, that is still news almost every day. I continue to advise folks to