Least Privilege Can Be the Best

Opinion: Forcing administrator privileges to be set as the default for all accounts leaves users exposed to malware.

Want fewer security hassles? Demote yourself!

Want to do something right now that can help protect you from malware? Then stop being an administrator. No, I am not suggesting a career change, though I suppose that would have much the same effect. Rather, I hope you'll consider using your desktop's administrator account only when absolutely necessary and creating a user account for general computing.

Why am I making this suggestion? Because too many people do all their computing as administrators—even those whose user name is something besides "Administrator."

This opens their machines to all the malware the Internet has to offer. Reducing your privileges can stop malware that requires administrator privileges to create its mayhem, making this perhaps the easiest way to improve system security.

Advocates call this "least privilege" computing because everyone operates with as few privileges as are necessary to get their work done. In his blog, Microsoft's Aaron Margosis says this decreases a user's exposure to Internet threats.

As to why this is important, Margosis slides into some metaphors I hadn't thought of:

"Well, if you were a surgeon, would you always want to hold an unsheathed scalpel in your hand? Or would you prefer to keep it in a safe place until you actually need it? Does that metaphor work? How about running with sharp scissors?"

In his blog, Margosis explains specifically how malware can exploit administrative rights to harm your machine and discusses why developers shouldn't do programming as administrators. He also takes his Microsoft colleagues to task for not always setting the best example.


All this sounds pretty good so far, but we've learned that behind every silver lining lies a big dark cloud, which in this case is the "gotcha" of least-privilege computing: Some apps don't run unless they have admin rights. If you change your user properties from administrator to "standard," some of your applications might stop working. Become a "restricted user" and even more software may break.

My friend, Susan Bradley, discovered this when she tried to secure her own desktop at the accounting firm where she works. She grabbed some screen shots of apps that failed.

(If you want to try this, open the User Accounts control panel in Windows XP and create a new account with reduced privileges. I don't actually recommend changing your current account, which you will still want to use at least occasionally.)

Why does least-privilege computing break applications? Because of programmers who write everyday applications that require admin rights. Why do they do this? Because using admin rights made it easier to write certain programs. It also didn't use to be a big deal. This type of development, however, encouraged all user accounts to be set up with admin privileges by default, opening the door for some of the malicious code we're fighting today.

(It should be mentioned that Mac OS X and other Unix-based operating systems assume users run in a restricted mode and thus avoid these sorts of problems.)


I am aware of no "complete" list of apps that break when a non-administrator tries to run them. But I can point you to a couple of sites that encourage programmers to write better code and that include some examples of programs that don't work.

Keith Brown has gone so far as to create a "Hall of Shame" of applications that require admin mode to run. Susan Bradley has a site, Threatcode.com, which also lists applications and provides links to resources.

With 20/20 hindsight, it's now easy to criticize developers for overstepping the bounds of good programming practice. Some vendors are offering fixes that allow their apps to run in a reduced privilege environment. Users can also use an admin log-on when they run specific programs and a standard or restricted log-on the rest of the time.
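For readers who want to check where they stand before experimenting, here is an added PowerShell script (not part of the column, and not Microsoft's or Margosis's code) that reports whether your everyday account is really an administrator, lists who is in the local Administrators group, and, when given the assumed parameter `-CreateStandardUser`, creates the kind of reduced-privilege account described above for general computing. It uses the ADSI WinNT provider so it does not depend on newer cmdlets; creating the account still has to be done from an admin session.

```powershell
# Added example: least-privilege self-check and standard-user creation.
# Group names are resolved from well-known SIDs so the script also works
# where "Administrators" and "Users" are localized.
param(
    [string]$CreateStandardUser   # assumed parameter: name of the account to create
)

function Get-BuiltinGroupName([Security.Principal.WellKnownSidType]$sidType) {
    $sid = New-Object Security.Principal.SecurityIdentifier($sidType, $null)
    return $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]
}

# 1. Is this session an administrator? Checked by group membership, not by user
#    name: an account called "bob" can still be a member of Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("{0} has administrator rights in this session: {1}" -f $identity.Name, $isAdmin)

# 2. Who else is in the local Administrators group?
$adminsName = Get-BuiltinGroupName ([Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)
$admins     = [ADSI]("WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $adminsName)
$members    = @($admins.psbase.Invoke('Members') | ForEach-Object {
                  $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
Write-Output ("Members of {0} on {1}:" -f $adminsName, $env:COMPUTERNAME)
$members | ForEach-Object { Write-Output "  $_" }

# 3. Optionally create an account that belongs to Users only, for everyday work.
if ($CreateStandardUser) {
    if (-not $isAdmin) { throw "Creating an account requires an administrator session." }
    $secure = Read-Host -Prompt "Password for $CreateStandardUser" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    $computer = [ADSI]("WinNT://{0}" -f $env:COMPUTERNAME)
    $user     = $computer.Create('User', $CreateStandardUser)
    $user.SetPassword($plain)
    $user.SetInfo()

    $usersName = Get-BuiltinGroupName ([Security.Principal.WellKnownSidType]::BuiltinUsersSid)
    $users     = [ADSI]("WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $usersName)
    $users.Add($user.Path)   # membership in Users only; never added to Administrators
    Write-Output ("Created {0} as a member of {1} only." -f $CreateStandardUser, $usersName)
}
```

Once the standard account exists, log on with it for daily work and use `runas /user:<admin account> <program>` for the few programs that genuinely need admin rights.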

I hope you will experiment with this, as I have been. Reducing privileges may be the easiest thing we can do to protect systems from the malware invasion.
