Its not engraved in stone or gracing the edifice of any corporate headquarters, but the following adage is well-established in the IT departments of corporations, universities and government agencies around the world: “When in doubt, blame the user.”
Its an amazingly versatile tool. Did a virus slip past your desktop anti-virus product? Blame the user! Did a Web site download a Trojan horse to your network—which has, in turn, compromised a bunch of your critical servers? You guessed it—blame that darned user.
Theres some merit to this approach. IT managers and CISOs (chief information security officers) tell me about users who open suspicious e-mail attachments despite repeated warnings not to.
Users also like to click on Web links in e-mail and instant messages that lead them to sites doing “drive-by downloads,” which exploit browser vulnerabilities to install rootkits and other malicious programs.
But after youre done blaming your users, what then? The ever-growing lists of “gotta have” security ware—gateway and desktop anti-virus, network and desktop firewalls, network intrusion prevention and host intrusion prevention, IM security—wont protect you from users determined to be the weakest link.
A better, simpler and more elegant solution might be to limit users permissions on their own computers, locking down browser features that make it easy to pull down executable content from the Internet and preventing them from installing unauthorized programs.
The concept of reduced or limited privileges is well-established but was pushed aside with the advent of Windows, which has made it difficult to run programs as a user with “least privileges.”
Thats changing. Vista, the next version of Windows, will feature UAP (User Account Protection), a Microsoft attempt at limited user accounts. UAP will limit a users right to perform certain high-risk tasks, such as launching a program or making changes to the Windows registry.
UAP will make it easier to stifle click-happy users, but, as weve seen before, with other “save me from myself” technologies, that doesnt mean it will get adopted. The plain truth is, its easier to slip into insecurity—extending administrative permissions to one user or set of users to solve a short-term problem—than stand in the way of productivity.
Developers and IT managers have a lot of work to do before least-permission policies can be enabled in an enterprise. And persuading upper management to stick with the model in the face of some short-term exigency will be even tougher. The payoff will be worth it, though: no more blaming the user.
Paul F. Roberts can be reached at firstname.lastname@example.org.