I usually don't do New Year's resolutions because I think they are absurd. This year, however, I am going to make a concerted effort to take a more active role in security beyond giving talks on the topic. I am going to eat my own dog food and… say it, come on, you can do it, get it out… apply the principle of least privilege to my daily computing, both at work and at home </exhale>.
The principle of least privilege is a security philosophy applied to software and systems to ensure that only the rights or actions necessary for a given user are available: no more and no less.
In the Windows world, there are really only two extremes: users and administrators. It is quite common, especially in my line of work, to work as an administrator. Working as an administrator is the antithesis of least privilege, because as an admin I have rights and permissions to all objects by default. This is undesirable for a number of reasons:
1. As a developer, working as an administrator hides the deployment-time realities that inevitably exist on client sites and target servers. It is very unlikely that users and applications are running as administrators (at least they shouldn't be), so developing software as an administrator is really setting oneself up for future problems.
2. Any malicious software or scripts that run on a machine while you are logged in as an administrator also run as an administrator, with unlimited privileges. One need only look to the world-famous viruses that wreaked havoc on systems everywhere, costing businesses millions. Do I LOVE YOU and MELISSA ring a bell?
So, having made this oath, I have removed my domain account at work from the local Administrators group, effectively making it a regular user account. I then created a separate, "highly privileged" account with the word "admin" appended to my regular user name. Since I spend the better part of my days in Visual Studio, I also added my regular user account to the VS Debuggers and VS Developers local groups, for reasons that are too involved to go over here.
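An added PowerShell script (my own example, not from the original post) that checks whether the current session holds an administrator token, lists who is in the local Administrators group, and, only with -Apply, carries out the move described above. The Visual Studio group names and the use of the WinNT ADSI provider are assumptions; the script refuses to strip the last administrator, so the separate admin account has to exist first.

```powershell
# Added example, not part of the original post. Reports whether this session
# runs with administrator rights, who is in the local Administrators group, and
# whether the named account still is. Only with -Apply does it remove the account
# from Administrators and add it to the developer groups instead.
param(
    [string]$User        = $env:USERNAME,                         # plain user name, no domain
    [string[]]$DevGroups = @('Debugger Users', 'VS Developers'),  # assumed names; vary by VS version
    [switch]$Apply                                                # default is report-only
)

$computer = $env:COMPUTERNAME

# 1. Is this process actually running with an administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Session: {0}  administrator token: {1}" -f $identity.Name, $isAdmin)

# Domain accounts live under WinNT://DOMAIN/user, local ones under the computer name.
$domain = $identity.Name.Split('\')[0]

# 2. Enumerate the local Administrators group via the WinNT ADSI provider,
#    which also lists domain accounts that were added to the local group.
$admins  = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
Write-Host "Local Administrators: $($members -join ', ')"

# 3. Flag, and optionally fix, the regular account still being an administrator.
if ($members -contains $User) {
    Write-Warning "$User is still a member of Administrators"
    if ($Apply) {
        if ($members.Count -le 1) {
            throw "Refusing to remove the only administrator; create the admin account first"
        }
        $admins.psbase.Invoke('Remove', "WinNT://$domain/$User,user")
        Write-Host "Removed $User from Administrators (takes effect at next logon)"
    }
}

# 4. Grant the Visual Studio groups instead of blanket admin rights.
foreach ($g in $DevGroups) {
    $path = "WinNT://$computer/$g,group"
    if (-not [ADSI]::Exists($path)) { Write-Warning "Group '$g' not found"; continue }
    if ($Apply) {
        try { ([ADSI]$path).psbase.Invoke('Add', "WinNT://$domain/$User,user") }
        catch { Write-Host "$User is already in '$g'" }   # Add throws if already a member
    }
}
```

Run it once without -Apply to see the current state, then again as the separate admin account with -Apply; the regular account's new token only takes effect after logging off and on again.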
Starting today, I will log in with my regular user account and post back with my findings, problems and workarounds. If working under least privilege proves tenable, perhaps I can entice you folks in the community to follow suit.
Here's to a safe and secure new year!
Windows Vista, the newest Windows release, applies the principle of least privilege out of the box through a feature called User Account Control (UAC). UAC prompts users to explicitly opt in to actions before they happen, so that malicious code can't harm the system without the user's consent. Sure, this is a bit patronizing (picture grandma clicking "Yes"), but it is a step in the right direction. And that is only one part of UAC. UAC also enforces the principle of least privilege by running the current user as a regular user. If the user interacts with objects that require elevated privileges, Vista prompts for the credentials of a highly privileged account. This is the automated, functional equivalent of Run As in Windows 2000 and Windows XP.
One day, when I get an extra, say, 8 hours to play, I can’t wait to get the latest release bits installed. Until then, I’ll keep hammering on with Windows XP and Windows Server 2003.