The Case for Least Privilege


Several years ago, when Microsoft launched its "Protect Your PC" marketing campaign, it promulgated three requirements as paramount to security:

  • Fully patched system

  • Firewall installed and running

  • Up-to-date antivirus

There were a few rebels, including the two authors, who claimed that not only was one item missing, it was more important than at least one of the three on that list: not running as an administrator. The reason Microsoft left that particular one out, though, was very clear: you can't have more than three top-three most important security features. And Windows XP, which was the current client operating system at the time, did virtually nothing to help people run as a non-admin. The reason for this was simple: the number of software developers, both at Microsoft and outside, that ran as non-admins was, well, if not zero, then certainly in the single digits. The number of software developers outside Microsoft that ran as non-admins was lower still. The number of program managers at Microsoft that ran as non-admins was around two. In fact, and perhaps even more appalling, the number of marketing folks involved in the Protect Your PC campaign that ran their day-to-day workstation as non-admins was also hovering around zero!

The fact was that almost nobody who had responsibility for the OS, or for any app running on it, ran as a non-admin! The result was very predictable: it was virtually impossible for end users to run as a non-admin unless they were either quite savvy or had a significant support structure to do the things they couldn't do themselves. To make things even worse, the public did not demand, on any broad scale, applications that ran with least privilege. We all kept buying applications that would only run if we were admins. This did not give Microsoft or Independent Software Vendors (ISVs) much of an economic incentive to develop better applications.

There were some lone voices in the wild. Our good friend Aaron Margosis was pontificating on his blog (http://www.blogs.msdn.com/aaron_margosis/default.aspx) about how to run as a non-admin. So was Michael Howard (http://www.blogs.msdn.com/michael_howard/). A few brave souls, Keith Brown (http://www.pluralsite.com/wiki/default.aspx/Keith/HallOfShame.html) and Susan Bradley (http://www.threatcode.com/), started trying to shame developers into fixing their products by listing software that did not work properly as a non-admin.

So, what's the fuss about? Why is least privilege such a big deal? Well, simply put, because of the power that admins wield.
Windows Vista Security. Securing Vista Against Malicious Attacks
ISBN: 470101555
EAN: N/A
Year: 2004
Pages: 163