Network Security Through the Principle of Least Privilege
By Stephen Bucaro
In network security, the term "privilege" refers to a user's ability to access certain data and
resources, and their ability to make configuration changes to a computer or the network.
The "principle of least privilege" means giving a user only those privileges which are required
to do their work.
Some administrators, being very busy and tired of being pestered by users, will simply grant
full administrator privileges to many users. In fact, it's very common for administrators
to give laptop users full administrative privileges on their computers. This allows the users to
install hardware or software on their laptops.
When a user's account allows them to install software, it also allows them to inadvertently
install malware. And that malware receives the same administrative rights as the user.
Although there may be valid reasons to give users administrative rights to their computers,
this significantly increases the risk of the computer being compromised, and these risks can
affect many areas of an organization's operations.
It's important for system administrators to understand the logon process. When a user logs
on to a computer, the operating system authenticates the user's credentials and starts an
instance of the Windows desktop. This desktop runs in the user's security context, with
the logged-on user's access rights and permissions. Any viruses or spyware on the computer
also receive that user's security context, access rights and permissions.
If a user logs on and authenticates as a member of the local Administrators group, any program
that the user starts will run with full administrator rights to that computer. Administrative
rights allow the user to carry out the following actions:
• Install, run, and uninstall programs.
• Install and uninstall device drivers.
• Install, start, and stop services.
• Install, start, and stop processes.
• Create, modify, and delete registry settings.
• Replace operating system files.
• Configure firewall settings.
• Control event log entries.
• Access the Security Accounts Manager (SAM).
Since a user with administrative rights can make these system-wide changes, so can any
program that such a user runs, including malicious software. For the majority
of computer users, these rights are unnecessary and significantly increase the risk to the computer.
If a user logs on and authenticates as a standard user, they can access only a reduced set
of resources and can make changes only in particular areas. Standard user rights allow the
user to carry out only the following tasks:
• Run programs.
• View the status of device drivers.
• View the status of services.
• View running processes.
• Create, modify, and delete registry settings only within HKEY_CURRENT_USER, and read registry settings in HKEY_LOCAL_MACHINE.
• Read most operating system files.
• View firewall settings.
• View system and application log entries only.
Users can still carry out tasks that are required for them to do their jobs, such as attach to
a wireless network, install signed Plug and Play drivers, and change desktop settings.
During installation, Windows 7 creates a default administrator account named Administrator.
This account has no password and is disabled by default. The installation then
requests a user name and password, which it uses to create the first account, which joins the
Administrators group. This account is equivalent to the original built-in Administrator account,
except that when it is used to perform administrative-level functions, User Account Control
(UAC) prompts for confirmation. From this account you can create and manage all other user accounts.
It is recommended, even if there is only one user of the computer, that you create a second,
standard user account for daily use. This standard user account will not allow malware that
finds its way onto the system to receive administrator rights, thus creating a higher level of security.
If you should require administrative privileges for managing the system, you can always log on
with the first account.
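The checks and the standard-account setup described above, as an added PowerShell example that is not part of the original article; it assumes the ADSI WinNT provider (present on Windows 7 and later), an elevated prompt for the account-creation step, and uses 'DailyUse' as a placeholder account name.

```powershell
# Added example (not from the article): audit a computer against the article's
# advice and, on request, create a standard account for daily use.
# ADSI WinNT is used so the script also runs on Windows 7 / PowerShell 2.0.
param(
    [switch]$CreateStandardUser,
    [string]$NewUserName = 'DailyUse'   # placeholder name, choose your own
)

function Test-IsElevated {
    # True only when this process token carries full Administrators rights.
    # Under UAC, an administrator's non-elevated desktop reports False, which
    # is the "reduced security context" the article describes.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Every account that logs on with full administrator rights to this computer.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-BuiltinAdminDisabled {
    # UserFlags bit 0x2 is ADS_UF_ACCOUNTDISABLE; Windows 7 sets it by default.
    $admin = [ADSI]'WinNT://./Administrator,user'
    return (($admin.UserFlags.Value -band 0x2) -ne 0)
}

"Current session elevated (admin token): $(Test-IsElevated)"
"Built-in Administrator disabled:        $(Test-BuiltinAdminDisabled)"
"Members of the local Administrators group:"
Get-LocalAdminMembers | ForEach-Object { "  $_" }

if ($CreateStandardUser) {
    if (-not (Test-IsElevated)) { throw 'Re-run from an elevated prompt to create accounts.' }
    $secure = Read-Host -Prompt "Password for $NewUserName" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $user = ([ADSI]'WinNT://.').Create('User', $NewUserName)
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
        $user.SetInfo()
        $user.Description = 'Standard account for daily use'
        $user.SetInfo()
        # Membership in Users (and not Administrators) is what makes it a standard account.
        ([ADSI]'WinNT://./Users,group').Add("WinNT://$env:COMPUTERNAME/$NewUserName,user")
        "Created standard user $NewUserName"
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the plaintext copy
    }
}
```

Run it without switches from the daily-use account to confirm the session is not elevated and to see who holds administrator rights; run it elevated with `-CreateStandardUser` once to create the daily-use account.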