- Perspective: Solutions for the Least-Privilege Dilemma
- Keep My Data Safe!
- Coming this Month
- August 2007 Articles in Print-Friendly Format
- Share Your Security Tips and Get $100
Solutions for the
What's your approach to making sure that your users and administrators are working with only the minimum of privileges they need to perform their tasks? I've read and heard about many solutions, but most seem fairly cumbersome and rely on users and administrators to remember and take the trouble to use them. The first three Security Pro VIP articles listed below present techniques that you can try to limit users' and administrators' privileges the majority of the time, yet give them increased access when they need it.
Microsoft has tried to address the least-privilege problem, most recently with Windows Vista's User Account Control (UAC) feature, but this solution is far from perfect. Standard users are prohibited from performing tasks that they sometimes need to do, such as installing applications and ActiveX controls, unless they can provide the administrator account name and password. Whether you have the UAC prompts turned on or off, unless your users are already accustomed to strict software-installation limitations, you're likely to receive increased Help desk calls from new Vista users encountering the new prohibitions. The last two articles below cover Vista UAC.
If none of these solutions seems adequate for your situation, perhaps a third-party product will do the trick. BeyondTrust recently released Privilege Manager 3.5, which aims to enforce least privileges for recent Windows versions. The Privilege Manager administrator uses Group Policy to set security policies for users and groups, deciding who can install which applications and perform what tasks. Then, for Windows Server 2003, Windows XP, and Windows 2000 users, and for Vista users in environments in which UAC is either off or on but set to not prompt, Privilege Manager elevates the privileges of approved applications and runs them in the user's security context or denies unapproved applications. For Vista with UAC set to prompt, Privilege Manager acts the same way as for earlier Windows versions for approved applications, but for unapproved applications, users see the UAC prompt and either supply admin credentials and obtain admin privileges or, if they can't supply the credentials, are prevented from installing the application.
Scott McCarley, director of marketing for BeyondTrust, told me, "We're the only way to provide administrators with a way to configure an environment where the end users can run applications without administrator privileges or administrator passwords. .... Microsoft is stating that the most secure way to run Vista is with UAC on and using BeyondTrust Privilege Manager to elevate the application. They suggest running UAC in no prompt mode to get the benefits of Internet Explorer Protected mode, but then you use Privilege Manager to elevate the specified applications. The user will never see any prompting, and the administrator will have full control over what privileges applications run with."
Pricing for Privilege Manager 3.5 starts at $30 per seat. For more information about the software, go to the BeyondTrust Web site.
For government departments or businesses that need to demonstrate that they're enforcing a least-privilege policy, Privilege Manager could be an answer. Businesses with less stringent requirements might find some new ideas and help for implementing them in the articles below. What solution do you use to enforce least privileges? Go to the Security Pro VIP forum and share what works for your company.
Security Pro VIP Least-Privilege Articles
to Be Least (October 2005)
Solutions such as Fast User Switching and RunAs can help you honor least privilege.
Guest Accounts to Fight Malware (December 2005)
Run vulnerable apps such as email and browsers under limited-permission accounts.
Concepts: Get the Most from Least Privilege (September 2005)
Determine which privileges various roles require, create groups to manage those roles, then apply the concept to groups, services, and administrators.
Vista's Take on Least Privilege (October 2006)
A look at Vista's UAC.
Malicious Software with Windows Vista (January 11, 2007)
A brief description of the UAC property User Interface Privilege Isolation (UIPI) and the fact that the built-in Administrator account is hidden and disabled by default in Vista.
—Renee Munshi, Security Pro VIP Editor
Keep My Data Safe!
That was the message delivered by a group of 406 US residents over the age of 18 who responded to an online survey designed to gauge how a data breach affects consumers' views of a company. Ninety-five percent said there's no excuse for a company to expose a customer’s confidential information. Ninety-four percent said that companies should use technology to prevent data from being stolen, and the same percentage said that businesses should pay for any associated costs if data is stolen. Respondents also overwhelmingly said that they had less trust and respect for companies that had experienced data breaches.
Although a large majority of the respondents expressed strong feelings in general about the obligation of businesses to keep customer data safe, smaller numbers appeared to feel an immediate and personal threat. Eighty percent of respondents believed that their preferred stores do protect their personal information. Forty-two percent said they've lost trust in some stores because they'd heard these businesses had lost customers’ credit card numbers or other private information, but only 27 percent said they don’t shop online because they're afraid of having personal or credit card information stolen, and only 21 percent have stopped going to a particular store because the chain had customer confidential records stolen. Perhaps people still feel fairly secure because only a relatively small number, 30 percent, know someone who has been notified by a company that his or her information has been stolen or exposed.
The survey was conducted by Infosurv for Tablus, a maker of content loss prevention products. You can register to get a copy of the survey results at the Tablus Web site.
Coming this Month
Eventing 6.0" by Jan De Clercq
Event Viewer's improved interface, use of XML, and new event-forwarding feature make it easier to proactively manage events.
This article is now live on the Web.
IPsec to Isolate a Domain" by Russell Smith
You can prevent an infected machine from contaminating your network by creating a barrier to isolate your domain. Check out how to create a simple IPsec policy and use Group Policy to push it out.
Coming September 13.
Security for Exchange 2007" by John Howie
Forefront for Exchange is designed to overcome the limitations of any one email server antivirus product by running up to five antivirus engines simultaneously. See how to set up and manage Forefront on Exchange 2007 servers that host mailboxes.
Coming September 20.
Randy Franklin Smith answers your Windows security questions.
Coming September 27.
August 2007 Articles in Print-Friendly Format
If you're someone who prefers your newsletters in printed form, check out this .pdf file. It contains all the security articles posted on the Security Pro VIP Web site in August. Print and enjoy!
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.