Ending the Blame Game

Opinion: Applying limited permissions to protect systems may work better than simply blaming the user for security breaches.

Its not engraved in stone or gracing the edifice of any corporate headquarters, but the following adage is well-established in the IT departments of corporations, universities and government agencies around the world: "When in doubt, blame the user."

Its an amazingly versatile tool. Did a virus slip past your desktop anti-virus product? Blame the user! Did a Web site download a Trojan horse to your network—which has, in turn, compromised a bunch of your critical servers? You guessed it—blame that darned user.

Theres some merit to this approach. IT managers and CISOs (chief information security officers) tell me about users who open suspicious e-mail attachments despite repeated warnings not to.

Users also like to click on Web links in e-mail and instant messages that lead them to sites doing "drive-by downloads," which exploit browser vulnerabilities to install rootkits and other malicious programs.

/zimages/2/28571.gifClick here to read another argument for "least privilege" computing.

But after youre done blaming your users, what then? The ever-growing lists of "gotta have" security ware—gateway and desktop anti-virus, network and desktop firewalls, network intrusion prevention and host intrusion prevention, IM security—wont protect you from users determined to be the weakest link.

A better, simpler and more elegant solution might be to limit users permissions on their own computers, locking down browser features that make it easy to pull down executable content from the Internet and preventing them from installing unauthorized programs.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The concept of reduced or limited privileges is well-established but was pushed aside with the advent of Windows, which has made it difficult to run programs as a user with "least privileges."

Thats changing. Vista, the next version of Windows, will feature UAP (User Account Protection), a Microsoft attempt at limited user accounts. UAP will limit a users right to perform certain high-risk tasks, such as launching a program or making changes to the Windows registry.

UAP will make it easier to stifle click-happy users, but, as weve seen before, with other "save me from myself" technologies, that doesnt mean it will get adopted. The plain truth is, its easier to slip into insecurity—extending administrative permissions to one user or set of users to solve a short-term problem—than stand in the way of productivity.

Developers and IT managers have a lot of work to do before least-permission policies can be enabled in an enterprise. And persuading upper management to stick with the model in the face of some short-term exigency will be even tougher. The payoff will be worth it, though: no more blaming the user.

Paul F. Roberts can be reached at paul_roberts@ziffdavis.com.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.