Steve Lamb's Blog

Security Matters

Why should your users use least privilege on their corporate computers?



If a business allows its users to install whatever software they choose and/or make configuration changes, it runs an increased risk of the machine being compromised. Wherever possible, I recommend that businesses refrain from giving end users administrative rights over the machines they use. That prevents users from installing software that affects the system as a whole, or from making configuration changes that affect every user of the machine.


Regular user accounts CAN still customise items that affect only the current user, such as the desktop background, and in principle most day-to-day activities should be possible without an Administrator-level account.
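The first step in applying this advice is knowing who actually holds local admin rights today. The following PowerShell script is an added example written for this page, not code from Steve Lamb's post. It lists the members of the local Administrators group on one or more workstations and flags any account not on an approved list; with -Remove it also takes unapproved members out. It uses the WinNT ADSI provider so it works against XP and Vista as well as later versions. The computer names and the approved list are placeholders you would replace with your own.

```powershell
# Added example (editor's, not from the original post): audit, and optionally enforce,
# local Administrators group membership. Assumes the caller can read (and, for -Remove,
# modify) group membership on the target machines. Names below are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Approved     = @('Administrator', 'Domain Admins', 'Workstation Admins'),
    [switch]$Remove         # actually remove unapproved members; default is report only
)

function Get-LocalAdminMembers {
    param([string]$Computer, [string[]]$ApprovedNames)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read Name and ADsPath via late-bound reflection.
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for a domain account or WinNT://COMPUTER/name for a local one.
        $source = (($path -replace '^WinNT://', '') -split '/')[0]
        New-Object PSObject -Property @{
            Computer = $Computer
            Source   = $source
            Name     = $name
            ADsPath  = $path
            Approved = [bool]($ApprovedNames -contains $name)
        }
    }
}

foreach ($c in $ComputerName) {
    foreach ($member in Get-LocalAdminMembers -Computer $c -ApprovedNames $Approved) {
        if ($member.Approved) { continue }
        if ($Remove) {
            # IADsGroup.Remove takes the member's ADsPath; this needs admin rights on $c.
            $group = [ADSI]"WinNT://$c/Administrators,group"
            $group.Remove($member.ADsPath)
            Write-Host "$($c): removed $($member.Source)\$($member.Name) from Administrators"
        } else {
            Write-Warning "$($c): $($member.Source)\$($member.Name) is in Administrators but not approved"
        }
    }
}
```

Run it in report mode first across a sample of machines; the usual surprise is the number of ordinary user accounts that were added to Administrators "temporarily" to get one application working and never removed. Those are exactly the accounts the rest of this post is about.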


By installing a piece of software, the user is implicitly trusting both the author and the distributor of that software: that there are no backdoors or security vulnerabilities in the code itself, and that the copy they received is the one the author actually shipped. There are many cases of malicious software "piggybacking" onto perfectly legitimate code because the distribution point (often a website) was compromised. To ensure effective security it's critical to install software only from sources you have reason to trust and, where the publisher signs their releases, to verify that signature before installing.
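A concrete form of that check, as an added example (editor's code, not from the original post): before a downloaded package is handed to an admin account for installation, require a valid Authenticode signature whose certificate subject matches the expected publisher, and optionally an exact SHA-256 match against a hash obtained out of band (for example from the vendor's own page over HTTPS). A valid signature by itself only proves someone signed the file, so the publisher name is pinned rather than just the signature status. The path, publisher name and hash in the usage lines are placeholders. Get-AuthenticodeSignature has been available since PowerShell 1.0; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (editor's, not from the original post): gate installation on a pinned
# publisher signature plus an out-of-band hash. All concrete values are placeholders.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedPublisher,
        [string]$ExpectedSha256
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered after signing, or signed with an untrusted/revoked certificate.
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    # 'Signed' is not enough: anyone can obtain a code-signing certificate. Pin the subject CN.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch ('(^|, )CN=' + [regex]::Escape($ExpectedPublisher) + '(,|$)')) {
        Write-Warning "$Path : signed by '$subject', expected CN=$ExpectedPublisher"
        return $false
    }
    if ($ExpectedSha256) {
        # Catches a swapped binary even if it carries a valid signature from the same publisher.
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive, so hex case does not matter
            Write-Warning "$Path : SHA-256 $actual does not match the expected value"
            return $false
        }
    }
    return $true
}

# Usage: the check runs under the standard user account; only a package that passes is
# handed to the admin account (or an elevated prompt) for installation.
$pkg = 'C:\Downloads\setup.exe'                       # placeholder path
$hash = '<SHA-256 published by the vendor, obtained out of band>'  # placeholder
if (Test-TrustedInstaller -Path $pkg -ExpectedPublisher 'Example Vendor Ltd' -ExpectedSha256 $hash) {
    Write-Host "$pkg passed the checks; install it from the admin account."
} else {
    Write-Host "$pkg failed the checks; do not install it."
}
```

The caveat: this verifies that the file is what the named publisher shipped, not that the publisher's code is free of vulnerabilities. It addresses the "compromised distribution point" case in the paragraph above, not the "trust the author" one.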


If the user is allowed (because they have administrative rights over their machine) to make configuration changes, they could accidentally disable security features such as the firewall, rendering those features ineffective. The same applies to any malware that runs under that account: it inherits the user's administrative rights and can turn the same protections off deliberately.


Some applications don't work properly when run without admin rights, and while ideally such code should be replaced, in the real world that's often not feasible in the near term. Vista makes life easier, but you certainly CAN run XP without admin rights AND be productive: I did so for a couple of years. In such situations I advise giving each user TWO accounts, one with admin rights and one without, and encouraging them to use the non-admin account as much as possible to reduce their attack surface. EXPLAIN TO THEM that their machine is less likely to "break" through malware or accidental misconfiguration while they are using that account.
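The two-account approach only works in practice if users can reach the admin account for a single task without logging out. The following PowerShell is an added example (editor's code, not from the original post) showing the two pieces: a check for whether the current session already holds administrative rights, and a helper that runs one named tool under the admin account. On Vista and later, Start-Process with the RunAs verb goes through the UAC prompt; on XP, which has no UAC, runas.exe (Secondary Logon) prompts for the admin account's password. The account name CORP\alice-admin and the Computer Management example are placeholders.

```powershell
# Added example (editor's, not from the original post): stay a standard user, elevate one
# tool at a time. 'CORP\alice-admin' is a placeholder for the user's second, admin account.

function Test-IsAdmin {
    # On Vista+ with UAC, an admin user's normal token is filtered, so this returns $false
    # for a non-elevated session even when the account is in Administrators.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-AsAdmin {
    param(
        [Parameter(Mandatory=$true)][string]$FilePath,
        [string]$Arguments    = '',
        [string]$AdminAccount = 'CORP\alice-admin'   # placeholder
    )
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Vista/7 and later: UAC prompt for this one process; the desktop stays standard-user.
        $params = @{ FilePath = $FilePath; Verb = 'RunAs' }
        if ($Arguments) { $params['ArgumentList'] = $Arguments }
        Start-Process @params
    } else {
        # XP: no UAC, so use Secondary Logon (runas) with the separate admin account.
        $cmd = if ($Arguments) { "$FilePath $Arguments" } else { $FilePath }
        runas.exe "/user:$AdminAccount" $cmd
    }
}

if (Test-IsAdmin) {
    Write-Warning 'This session already has admin rights; keep it to the one task and close it afterwards.'
} else {
    Write-Host 'Running as a standard user. Elevating only Computer Management:'
    Invoke-AsAdmin -FilePath 'mmc.exe' -Arguments 'compmgmt.msc'
}
```

The point of the helper is scope: only the one process runs with admin rights, so a browser or mail client left open in the same session is still limited to the standard user's privileges.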

Comments
  • We have laptops that are used for "students" to take tests on.

    We try very hard to never allow users to have local admin on their computers; however, this causes us no end of grief when they need to sit exams.

    We have software from a certain exam board (who shall remain nameless). You would think that a company who designs testing software for use in a classroom environment would have software that did not require admin rights, as the implications of letting students loose on machines with full access are fairly obvious.

    To top everything off this vendor does not provide a proper install routine so we have to use a VBscript to run the correct exe files in order & then create shortcuts etc...

    In order to get it running without admin rights we examined the folders the program accesses and then permissioned them with CACLS for "everyone - full" as part of our homebrew VBScript installer.

    Our current issue with them is that the program randomly creates folders on the root of the C drive depending on what test is being run. When we explained this behaviour to the lead developer he couldn't tell us why it did this?!!

    Anyway, I guess what I'm saying is I wish more software companies gave a damn about trying to "do the right thing" with their programs. Sometimes I wonder if our company is the only one out there having such issues with software vendors, because they all still just run everything as admin.

    Ben.
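The workaround Ben describes (find the folders the application writes to, then open up their permissions) is the standard way of making a badly behaved application run under a standard account. The PowerShell below is an added example written for this page, not Ben's VBScript and not code from the original post. It grants the built-in Users group Modify on a list of application folders using Get-Acl/Set-Acl, which works on XP and later. The folder list is a placeholder. It uses the well-known SID S-1-5-32-545 for BUILTIN\Users so it does not depend on the display name of the group.

```powershell
# Added example (editor's, not from the original post or the commenter): give standard
# users write access to exactly the folders an application needs, and nothing more.
# The folder paths are placeholders for whatever your own application actually touches.

$AppFolders = @(
    'C:\Program Files\ExamApp\Data',   # placeholder
    'C:\ExamApp'                       # placeholder
)

function Grant-UsersModify {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        # Create the folder up front so the application never needs to do it as admin.
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl  = Get-Acl -Path $Path
    $sid  = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-545'   # BUILTIN\Users
    $rule = New-Object Security.AccessControl.FileSystemAccessRule(
        $sid,
        [Security.AccessControl.FileSystemRights]::Modify,
        [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [Security.AccessControl.PropagationFlags]::None,
        [Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Granted BUILTIN\Users Modify on $Path"
}

foreach ($folder in $AppFolders) { Grant-UsersModify -Path $folder }
```

Two practitioner notes. First, Modify for Users is a narrower grant than Full Control for Everyone: it keeps permission changes and ownership with administrators, and it does not include accounts outside the Users group. Second, to build the folder list in the first place, running the application as a standard user under Sysinternals Process Monitor with a filter of Result is ACCESS DENIED shows every path it fails to write to.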

  • P.S. why do comments take sooo long to appear? Are they on manual verify?

  • That's all well and good until some silly app decides that it "has" to have admin rights to install AND run. A lot of dev tools have this, and some come from the likes of Microsoft, so it's all well and good saying such things, but HOW exactly can you do this AND have a usable system without having to log in and out constantly for different apps with their associated requirements for admin rights?

  • Bibble> Yes, comments are on "manual verify" to deal with comment spam and the occasional expletive. I've posted your comment within half a business day; I'm surprised you think that's a long time.

    Please do keep contributing, as your comments are interesting.

  • Hi Steve,

    Sorry, I wasn't meaning to complain about the comment speed; I was just checking, as I keep thinking that I didn't actually press the "submit" button or some such.

    I posted my initial comment within 10 minutes of the main post and it only showed up this morning (Monday 21st). I know that's over the weekend; does that mean there is something else going on so they don't show?

    Ben.

  • Ben> Thanks for checking. You should have received a message (online) letting you know that comments are moderated, hence there will be a delay. Perhaps it whizzed off screen before you noticed it.

  • Steve

    I'm sorry, but surely it's not that simple. Forcing users to use standard/limited accounts rather than admin accounts does not prevent them from installing software. There is a large proportion of software out there, especially the downloadable type (which from a security perspective we're most worried about), that can install without any admin rights being required.

  • Darren> It's always writing something in a few words and getting the point across. I agree that standard users can install software by default; the thing is that they can't change the config of the machine as a whole OR install software that affects other users.

    I worry most about browser helper objects being installed by users. I'd love to hear more about your concerns - please either comment or email me using mailto://stephlam@microsoft.com

  • Steve

    My concerns are around people really understanding what a limited user account can and can't do, and I do know that some people point blank believe that you just can't install any software. While they cannot make system-wide changes, they can certainly install software, and while it may be software that other users cannot access, it certainly can affect them. I've found numerous machines over the years that have ground to a halt because limited users were still able to install everything including games, gambling utilities plus who knows what else along the way.

    I would be interested to hear your thoughts/worries on BHOs (which is probably a different blog entry) and why they rate as a high concern to yourself compared to any other piece of spyware/malware etc. that you can catch/download on the Internet.
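The exchange between Darren and Steve above comes down to one distinction: a standard user cannot write to HKEY_LOCAL_MACHINE or Program Files, but can write to their own profile and to HKEY_CURRENT_USER, including the per-user COM registration under HKCU\Software\Classes. A Browser Helper Object registered there is exactly the kind of per-user install Steve says he worries about. The PowerShell below is an added example (editor's code, not from the original post or either commenter) that enumerates the BHO registration keys used by Internet Explorer and scanned by tools such as Sysinternals Autoruns, at both machine and user scope, resolves each CLSID to the DLL that implements it, and reports whether that DLL is signed. No sample data is embedded; it reads the registry of the machine it runs on.

```powershell
# Added example (editor's, not from the original post): list registered Browser Helper
# Objects at machine and per-user scope and resolve each to its DLL. The key paths are the
# standard IE/COM registration points; a standard user can write to the HKCU ones.

function Get-RegisteredBHO {
    $hives = @(
        @{ Scope = 'Machine'; Root = 'HKLM:'; Classes = 'HKLM:\Software\Classes\CLSID' },
        @{ Scope = 'User';    Root = 'HKCU:'; Classes = 'HKCU:\Software\Classes\CLSID' }
    )
    foreach ($h in $hives) {
        $bhoKey = Join-Path $h.Root 'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem $bhoKey) {
            $clsid = $sub.PSChildName
            $dll = $null; $desc = $null
            # A per-user BHO can register its COM class under HKCU\Software\Classes, so look
            # in the same hive first and fall back to the machine-wide class registration.
            foreach ($classes in @($h.Classes, 'HKLM:\Software\Classes\CLSID')) {
                $srv = Join-Path $classes "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll  = (Get-ItemProperty $srv).'(default)'
                    $desc = (Get-ItemProperty (Join-Path $classes $clsid)).'(default)'
                    break
                }
            }
            $signed = 'n/a'
            if ($dll) {
                $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $dllPath) { $signed = (Get-AuthenticodeSignature $dllPath).Status }
            }
            New-Object PSObject -Property @{
                Scope       = $h.Scope
                CLSID       = $clsid
                Description = $desc
                Dll         = $dll
                Signed      = $signed
            }
        }
    }
}

Get-RegisteredBHO | Sort-Object Scope, Description |
    Format-Table Scope, Description, Dll, Signed -AutoSize
```

Anything at User scope with a DLL under the user's profile and a signature status other than Valid is worth a closer look: that is the profile-level install a standard account can perform without ever touching the machine-wide configuration that removing admin rights protects.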
