What is Least Privilege Security?

Least Privilege Security is the practice of assigning users and programs the minimum permissions required to complete a given task. For example, if your daily duties include checking e-mail, surfing the Internet, and running a human resources application, then your user account should not be granted administrator privileges on your desktop. None of these tasks warrant anything more than standard user privileges. A standard user does not have any administrative access to the local system, and as such is not able to change critical settings that might affect system stability, security, or other users on the same machine. While this is a simplification, as it's likely that less privileges are required to run these applications than those granted to a standard user, it becomes impractical to study the privileges required for each and every operation that a user might carry out. Today, Least Privilege Security is most often referred to when discussing the protection of systems, rather than information in computer systems. As we enter an age when regulatory compliance and protection of information becomes more prevalent, it's interesting to note that Least Privilege Security is just as much about protecting information as it is about protecting the system—both go hand in hand. Programs generally run with the same set of privileges that are granted to the user. So, if you accidently launch a piece of malware from the Internet while you are logged in with administrator privileges, the malware has the ability to make the same changes and access the same information as your high-privileged administrator account.

Note

Most current malware relies on users having administrative privileges to install. If more users run with non-admin accounts, the situation is likely to change. Least Privilege Security should be further secured with the use of antivirus software and other protection technologies, such as Software Restriction Policy and AppLocker.

Limiting the damage from accidental errors with Least Privilege Security

Considering the threat landscape has changed beyond recognition in recent years, users will often counter least privilege accounts, insisting that I'll be careful or I know what I'm doing. When users undertake risky activities such as browsing the Internet (computer expert or not), it's impossible to be sure that malevolent software won't be accidently launched through malicious code embedded in web pages, which is intended to launch silently without the user's knowledge, or exploit an unpatched vulnerability in the operating system. While antivirus software can provide a certain degree of protection, many exploits cannot be detected by even the best antivirus programs. A defense-in-depth strategy that includes both antivirus and Least Privilege Security, among other measures, is far more effective than any one protection mechanism alone. Users often have blind faith in antivirus, software believing it will protect them from all evil. Browsing the Internet is just one example of a risky activity. Malware can find its way into systems through removable media, CDs, and e-mail, and then propagate throughout a network, causing untold amounts of damage and lost productivity.

Reducing system access to the minimum with Least Privilege Security

A word processor is unlikely to need privileged access to a system. If we limit the level of privilege that an application has to a system, so users can perform only the tasks required to complete the job, then maintaining systems becomes much easier. Privileges can be assigned to user accounts through the built-in administrators and users groups in Windows NT, providing system administrators with an easy way to restrict privileges for the majority of users. While this doesn't necessarily achieve true Least Privilege Security—for example, why would a word processing application need to change a system's power scheme—it is a reasonable trade-off between security, manageability, and usability in most production environments.