What's your approach to making sure that your users and administrators are working with only the minimum of privileges they need to perform their tasks? I've read and heard about many solutions, but most seem fairly cumbersome and rely on users and administrators to remember and take the trouble to use them. The first three Security Pro VIP articles listed below present techniques that you can try to limit users' and administrators' privileges the majority of the time, yet give them increased access when they need it.
Microsoft has tried to address the least-privilege problem, most recently with Windows Vista's User Account Control (UAC) feature, but UAC is far from a complete solution. Standard users are prevented from performing tasks that they sometimes legitimately need to do, such as installing applications and ActiveX controls, unless they can supply an administrator account name and password at the UAC credential prompt. Whether you leave the UAC prompts on or turn them off, unless your users are already accustomed to strict software-installation limits, expect an increase in Help desk calls from new Vista users who run into the new restrictions. The last two articles below cover Vista's UAC.
If none of these solutions seems adequate for your situation, perhaps a third-party product will do the trick. BeyondTrust recently released Privilege Manager 3.5, which aims to enforce least privilege on recent Windows versions. The Privilege Manager administrator uses Group Policy to set security policies for users and groups, deciding who can install which applications and perform which tasks. On Windows Server 2003, Windows XP, and Windows 2000, and on Vista when UAC is either off or on but set not to prompt, Privilege Manager then elevates approved applications, running them in the user's security context with the added privileges, and denies unapproved applications. On Vista with UAC set to prompt, approved applications are handled the same way, but for unapproved applications the user sees the standard UAC prompt and either supplies administrator credentials to obtain admin privileges or, lacking them, is prevented from installing the application.
Scott McCarley, director of marketing for BeyondTrust, told me, "We're the only way to provide administrators with a way to configure an environment where the end users can run applications without administrator privileges or administrator passwords. .... Microsoft is stating that the most secure way to run Vista is with UAC on and using BeyondTrust Privilege Manager to elevate the application. They suggest running UAC in no prompt mode to get the benefits of Internet Explorer Protected mode, but then you use Privilege Manager to elevate the specified applications. The user will never see any prompting, and the administrator will have full control over what privileges applications run with."
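The discussion above distinguishes three UAC states: off, on but not prompting, and on and prompting. The PowerShell script below is an added example, not code from the column or from BeyondTrust; it reads the documented registry values behind the UAC entries in Group Policy's Security Options and reports which state a machine is in, for administrators and for standard users separately, and whether the current session is already elevated. The function names Get-UacState and Test-Elevated are my own; the registry key, value names and Group Policy setting names are the ones Windows uses.

```powershell
# Added example (not from the column or from BeyondTrust). Reads the registry
# values behind the UAC settings in Group Policy's Security Options and maps
# them to the three UAC states discussed in the text. Function names are mine.

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # "User Account Control: Run all administrators in Admin Approval Mode".
    # 0 turns UAC off entirely; integrity levels, and with them Internet
    # Explorer Protected Mode, are then unavailable. A missing value reads as 0.
    $enableLua = [int]$p.EnableLUA

    # "User Account Control: Behavior of the elevation prompt for administrators
    # in Admin Approval Mode". 0 = elevate without prompting; any other value
    # shows a consent or credential prompt (the exact codes differ between Vista
    # and later Windows versions, but 0 means "no prompt" on all of them).
    $adminPrompt = [int]$p.ConsentPromptBehaviorAdmin

    # "User Account Control: Behavior of the elevation prompt for standard users".
    # 0 = elevation requests are denied automatically; any other value prompts
    # for an administrator's credentials, the prompt the column describes.
    $userPrompt = [int]$p.ConsentPromptBehaviorUser

    if ($enableLua -eq 0) {
        $adminState = 'UAC off: administrators always run with full privileges'
    } elseif ($adminPrompt -eq 0) {
        $adminState = 'UAC on, no prompt: administrators elevate silently'
    } else {
        $adminState = 'UAC on, prompting: administrators see a UAC prompt'
    }

    if ($enableLua -eq 0) {
        $userState = 'UAC off: no credential prompt; admin-only tasks simply fail for standard users'
    } elseif ($userPrompt -eq 0) {
        $userState = 'standard users: elevation requests denied automatically'
    } else {
        $userState = 'standard users: prompted for administrator credentials'
    }

    # Build a plain object (works on PowerShell 1.0 as shipped for Vista).
    $result = New-Object PSObject
    $result | Add-Member NoteProperty EnableLUA $enableLua
    $result | Add-Member NoteProperty ConsentPromptBehaviorAdmin $adminPrompt
    $result | Add-Member NoteProperty ConsentPromptBehaviorUser $userPrompt
    $result | Add-Member NoteProperty AdministratorState $adminState
    $result | Add-Member NoteProperty StandardUserState $userState
    return $result
}

function Test-Elevated {
    # Under UAC an administrator's normal token carries the Administrators group
    # as deny-only, so IsInRole returns $false until the process is elevated.
    # For a standard user it is $false regardless, which is the answer you want:
    # "is this process running with administrator privileges right now?"
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacState | Format-List
"This PowerShell session is elevated: $(Test-Elevated)"
```

Two points worth checking against the output. ConsentPromptBehaviorAdmin governs only members of Administrators running in Admin Approval Mode; a standard user who launches an unapproved installer is governed by ConsentPromptBehaviorUser, which is the credential prompt the column describes. And the "no prompt" configuration McCarley refers to is EnableLUA left at 1 with ConsentPromptBehaviorAdmin set to 0: UAC and its integrity levels stay active, so Internet Explorer Protected Mode keeps working, which is not the case when EnableLUA is 0.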
Pricing for Privilege Manager 3.5 starts at $30 per seat. For more information about the software, go to the BeyondTrust Web site.
For government departments or businesses that need to demonstrate that they're enforcing a least-privilege policy, Privilege Manager could be an answer. Businesses with less stringent requirements might find some new ideas and help for implementing them in the articles below. What solution do you use to enforce least privileges? Go to the Security Pro VIP forum and share what works for your company.
Security Pro VIP Least-Privilege Articles
to Be Least (October 2005)
Solutions such as Fast User Switching and RunAs can help you honor least privilege.
Guest Accounts to Fight Malware (December 2005)
Run vulnerable apps such as email and browsers under limited-permission accounts.
Concepts: Get the Most from Least Privilege (September 2005)
Determine which privileges various roles require, create groups to manage those roles, then apply the concept to groups, services, and administrators.
Vista's Take on Least Privilege (October 2006)
A look at Vista's UAC.
Malicious Software with Windows Vista (January 11, 2007)
A brief description of User Interface Privilege Isolation (UIPI), the UAC mechanism that stops lower-integrity processes from sending window messages to higher-integrity ones, and of the fact that the built-in Administrator account is disabled and hidden by default in Vista.