Taking Least Privilege to the Max

Opinion: If you really want to control privileges of users thoroughly, there is a way.

Symantec is arguing that Windows Vistas User Access Control features are too intrusive, and perhaps they have a point. Theres no reason to assume Microsoft got things perfect. Windows has a rich history of third parties adding value and making it better.

One of my favorite improvements on user access control in all current versions of Windows is BeyontTrust Privilege Manager, a program that is still remarkably alone in providing certain powerful security features for Windows.

User access control is all about setting the privileges for users when accessing certain resources. The heart of the problem being discussed by Symantec is that when you set a general level for a user, and presumably the philosophy these days is that you set the user to have a limited set of rights, you are inevitably going to misestimate what they need for particular tasks.

/zimages/5/28571.gifeWEEK Labs says that Internet Explorer security is enhanced by Vista capabilities. Click here to read more.

The main benefit of this is to limit the damage that bugs and exploits in the application can do on a system. When you read vulnerability disclosures you often see a line about the attacker only having the same privileges as the user of the application, and this is an important restriction.

Vistas LUA deals with this by asking the user for more privileged credentials when a task is run that requires them. Nothing shocking here; Mac OSX has done this for years and been praised for it.

There are two approaches to application privileges: building up and dumbing down. Privilege Manager and Vista support both, in different ways. With building up, described above, you start out with an unprivileged user and grant them the privileges they need, and only what they need, on an on-demand basis.

With dumbing down, you start out with a privileged user, like an administrator, and decrease rights when running potentially dangerous applications like Internet Explorer.

Windows Vista users use the building up approach as a general matter, which is why they see the privilege checks Symantec is talking about.

They also use the dumbing down approach in a couple of ways. When logged in as Administrator, Vista tries to dumb down automatically and reminds the user if an app is using privileged operations. Also IE7 itself, even when run by an Administrator, runs in a specially-crippled configuration. (You might say IE is on probation for life, and with its record the sentence is deserved.)

Next page: LUA & Windows history.