Re: Minimizing User Rights Can Increase Security

[InfoSec News <alerts () infosecnews org>]

Forwarded from: PaulBlair (at) westhillscollege.com

> http://www.eweek.com/c/a/Security/Minimizing-User-Rights-Can-Increase-Security/
>
> By Brian Prince
> eWEEK.com
> 2008-02-05



> In its defense, Microsoft has built the User Account Control feature 
> into Windows Vista, allowing IT administrators to elevate their 
> privilege for specific tasks and application functions while still 
> running most applications, components and processes with a limited 
> privilege.

For IT administrators like me, Vista and UAC in it's default 
configuration actually makes it harder to run our desktops securely and 
carry out administrative tasks related to a Windows domain. This is 
because while UAC is activated, you cannot launch programs as other 
users - you can only click "allow". This present a problem when you 
launch a domain related administration tool and you need to launch it 
using your domain administrator account.  The solution to the problem 
was to do as we had done previously with Windows 2000 and XP - that is 
run our desktops as regular users. When you are a non-administrative 
user, The UAC prompt allows you to specify any user you want.


> Other companies such as Symark Software and BeyondTrust also look to 
> address the issue of least privilege with their software.
>
> A least-privilege approach, some argue, ensures that users always 
> logon with limited account privileges, and can be used to restrict the 
> useof administrative credentials to certain individuals and for 
> certaintasks, such as installing programs. Malware sometimes is 
> written to exploit elevated privileges and thus spread more rapidly, 
> offering businesses another reason to restrict privileges. However, 
> doing so can affect business productivity, which makes some businesses 
> weary.

May I suggest the website, nonadmin.editme.com. There are some great 
information on running Windows as a limited user and for the budget 
challenged, a ton of free tools in the "Useful Tools" section, some of 
which emulate "sudo" found in UNIX-type OSs.


> "The loss of local administration rights [to] many companies seems a 
> very burdensome prospect, because their internal software programming 
> realm doesn't even think about operating their installations orrunning 
> their processes under a minimal elevation of rights," said Spherion 
> Senior Technical Architect Gilroy Freeth, who helped remove 
> administrative rights on some 3,500 client machines for the National 
> Nuclear Security Administration's site in Nevada.

It is a burdensom task, but well worth it. When we yanked admin rights 
from all of our employees several years ago, aside from the near 100% 
reduction in "adware" infections, we noticed a near 100% drop in other 
mysterious Windows breakdowns. When users don't have local admin rights, 
Windows becomes much more reliable than the hardware it is installed on.


-Paul

Paul Blair
Information Technology Services
West Hills Community College


"Understanding the scope of the problem is the first step on the path to
true panic.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn