Using a Least-Privileged User Account - 01 Apr 2005

Anyone who has been a victim of viruses, worms, and other malicious software (malware) will appreciate the security principle of "least privilege." If all processes ran with the smallest set of privileges needed to perform the user's tasks, it would be more difficult for malicious and annoying software to infect a machine and propagate to other machines. Today, due to awkward complications that arise when it is employed, least privilege is not in active use on most Microsoft Windows-based systems. However, with the release of the next Windows operating system, codenamed "Longhorn," almost every user will be able to make regular, daily use of this important security principle.

The Security Principle of Least Privilege
If low-privileged processes are compromised, they will do a lot less damage to a system than high-privileged processes are capable of doing. Consequently, using a non-administrator account instead of an administrator account while completing daily tasks offers the user added protection against infection from a host of malware, external or internal security attacks, accidental or intentional modifications to system setup and configurations, and accidental or intentional access to confidential programs or documents.

Given the obvious security benefits, there is a huge desire, both in home and corporate environments, to run Windows using non-administrator accounts. Unfortunately, almost all Windows users today continue to use an administrator account for their daily tasks. A host of nefarious users and applications rely on being able to use the victim's administrator privileges for such dirty work as destroying or stealing data, reconfiguring another application, or installing a key logger that sends each of the unsuspecting user's keystrokes off to some unknown location on the other side of the Internet.

Issues When Running with LUA
Why, you might ask, do so many users run with an administrator account if running with a least-privileged user account (LUA) is such a well-understood and highly desirable state of affairs?

One reason for so many Windows users running with an administrator account is that "Administrator" is the default type for new accounts on Windows XP, Windows 2000, and Windows Server 2003. Unfortunately, this is only the tip of the iceberg: many applications and even some common Windows-based tasks also expect users to have administrator privileges. As a result, these applications and tasks will fail to operate correctly when launched by a LUA user.

However, the LUA iceberg is drifting into warmer climes as developers spend time and effort to make the LUA experience vastly better for LUA users in the "Longhorn" release of Windows. The goal of these LUA improvements is to mitigate the risks caused when everyone runs as administrator. Almost everyone will be able to run as LUA and still complete their regular daily work, all without encountering undue hardship, necessitating special workarounds, or requiring patches for most applications built for earlier versions of the operating system.

Secure Your Systems with LUA
In the meantime, however, we encourage you to secure your own systems by setting all daily-use user accounts to run with least privileges. Setting up an account to use least privileges is not difficult, nor does it take long to become familiar with the few workarounds required to keep things up and running smoothly.

For best practices, tips, and tricks to run Windows successfully as a non-administrator, I highly recommend Aaron Margosis' "Non-Admin Blog." I have personally been running as LUA at work and at home for almost six months and, with the help of the tips and tricks in Margosis' blog, have rarely encountered an insurmountable difficulty.

In the rare situation where you absolutely must run as an administrator on a machine that you use for email and Web browsing, I also recommend Michael Howard's article on MSDN, "Browsing the Web and Reading E-mail Safely as an Administrator." Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.
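The two practices recommended above, setting daily-use accounts to least privilege and dropping administrative privileges when reaching the Internet from an administrator account, as an added PowerShell example that is not part of the original article, of Margosis' blog, or of Howard's article. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), an elevated session for the group change, and uses the placeholder account name 'DailyUser' and a browser path chosen for illustration.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1+
# and an elevated session for steps 2 and 3. 'DailyUser' is a placeholder.

# 1. Is the current session running with administrator privileges?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user: $($identity.Name)  Administrator: $isAdmin"

# 2. Which local principals are still members of the Administrators group?
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Move a daily-use account out of Administrators and into Users, so its
#    processes run with a least-privileged token by default.
$account = 'DailyUser'   # placeholder account name
if (Get-LocalGroupMember -Group 'Administrators' -Member $account -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $account
}
if (-not (Get-LocalGroupMember -Group 'Users' -Member $account -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $account
}

# 4. When an administrator account must be used for browsing, start the browser
#    from a token reduced to the built-in "Basic User" trust level (0x20000),
#    the same idea as dropping unnecessary privileges before touching the Internet.
#    The browser path is illustrative; substitute the tool you actually use.
runas /trustlevel:0x20000 "$env:ProgramFiles\Internet Explorer\iexplore.exe"
```

Run `runas /showtrustlevels` to confirm which trust levels the machine offers; the restricted token produced by step 4 removes the Administrators group membership and administrative privileges from the launched process only, leaving the rest of the logon session unchanged, so it is a stopgap rather than a substitute for step 3.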
