Chapter 5

Running with Least Privilege

There exists in the field of security the notion of always performing tasks with the least set of privileges required to perform those tasks. To cut a piece of plastic pipe, you could use a hacksaw or a chainsaw. Both will do the job, but the chainsaw is overkill. If you get things wrong, the chainsaw is probably going to destroy the pipe. The hacksaw will do the job perfectly well. The same applies to executable processes: they should run with no more privilege than is required to perform the task.

Any serious software flaw, such as a buffer overrun, that can lead to security issues will do less damage if the compromised software is running with few privileges. Problems occur when users accidentally or unintentionally execute malicious code (for example, Trojans in e-mail attachments or code injected through a buffer overrun) that runs with the user's elevated capabilities. For example, the process created when a Trojan is launched inherits all the capabilities of the caller. In addition, if the user is a member of the local Administrators group, the executed code can potentially have full system privileges and object access. The potential for damage is immense.

All too often, I review products that execute in the security context of an administrator account or, worse, as a service running as SYSTEM (the local system account). With a little thought and correct design, the product would not require such a privileged account. This chapter describes the reasons why development teams think they need to run their code under such privileged accounts and, more important, how to determine what privileges are required to execute code correctly and securely.
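Before deciding what privileges a product actually needs, it helps to see what it is running with today. The following PowerShell script is an added example, not code from the book: it reports the account and group membership of the current process token, lists every privilege in that token, and inventories services configured to start as LocalSystem. The function names are ours; the .NET WindowsIdentity and WindowsPrincipal types, the whoami /priv command and the Win32_Service CIM class are standard Windows components. It assumes a Windows host running PowerShell 5.1 or later.

```powershell
# Added example (not from the book): inventory the privilege a process and the
# host's services actually run with, as the first step toward running with less.
# Assumes Windows with PowerShell 5.1 or later. Function names are ours.

function Get-TokenSummary {
    # Who is this process running as, and is the Administrators group active in its token?
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /priv lists every privilege held by the token, enabled or disabled.
    # Powerful privileges such as SeDebugPrivilege or SeTcbPrivilege in an
    # ordinary application's token are a sign it is running as too strong an account.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv |
                  Select-Object 'Privilege Name', State

    [pscustomobject]@{
        Account    = $identity.Name
        IsSystem   = $identity.IsSystem   # $true only when running as LocalSystem
        IsAdmin    = $isAdmin             # $false in a non-elevated session under UAC
        Privileges = $privileges
    }
}

function Get-SystemServices {
    # Services whose logon account is LocalSystem. Each is a candidate for the
    # question the chapter asks: could this run as a less privileged account?
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, PathName, State
}

# Usage
$summary = Get-TokenSummary
$summary | Format-List Account, IsSystem, IsAdmin
$summary.Privileges | Format-Table -AutoSize
Get-SystemServices | Format-Table -AutoSize
```

Run the script once as the account your product normally uses and compare the privilege list against what the code actually does with them; most of the entries will turn out to be unused, which is exactly the gap between the account a team chose and the account the code requires.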

Viruses, Trojans, and Worms In a Nutshell

A Trojan, or Trojan horse, is a computer program containing an unexpected or hidden function; the extra function is typically damaging. A virus is a program that copies itself and its malicious payload to users. A worm is a computer program that invades computers on a network, typically replicating automatically to prevent deletion, and interferes with the host computer's operation. Collectively, such malicious code is often referred to as malware.

Before I discuss some of the technical aspects of least privilege, let's look at what happens in the real world when you force your users to run your application as administrators or, worse, SYSTEM!



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
Pages: 153
