Monday, April 04, 2005

Security Principle: Least Privilege

One of the most important concepts in the IT security world is that of least privilege. When you create a user account and give it access permissions, you should give that account only the privileges it requires to perform its function. Following this principle will save you an incredible amount of time and hassle when administering a network and maintaining the security of your system(s).

With 5 years of Linux administration and 10 years of administering Windows machines, it is increasingly apparent to me that the biggest cause of security breaches is excessive user privilege. I see many shops where the administrators are running as administrator or root on the machines that they use for email, web browsing, and other non-administrative tasks. I also see an MS Windows environment where it is incredibly difficult for a user to get normal day-to-day tasks done without running as administrator -- but it is possible. When administering a network of 30 users on Windows XP/2K machines for 1.5 years, I had no virus or worm outbreaks and no loss of data. I did experience one incident of spyware, when a user played a joke on another user by installing a screen saver. On every network I administered where the users were able to access the administrator account(s), there were always virus and worm outbreaks, costing me hours of work to recover the systems.

I have heard from some system administrators, and even security professionals, that it is not possible to force users to not run with administrator privileges. This is not a correct statement or thought process. If you take the time to learn how to administer your systems properly, it will save you time in the long run. Unix and Linux have the 'su' command, which allows you to temporarily become an administrator to perform administrative functions. MS Windows has the 'runas' command, which works fairly well to do the same. You should NEVER have to log in to your system as the administrator user account. It is very difficult with MS Windows to maintain this security policy, but it is doable. One of the best ways to get used to this practice is to do it at home, where I'll bet most people do not! I can honestly say that I do not log in to my machines as root unless I am performing administrative tasks, and then I log out as soon as I am done.
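A quick way to check how far a system is from this principle is to list every account that can act as root, either directly (UID 0) or through membership in an administrative group. The script below is an added example, not from the original post; it assumes standard colon-separated passwd and group files, an assumed list of administrative group names, and uses constructed sample files rather than the live system.

```shell
#!/bin/sh
# Least-privilege audit: which accounts can obtain administrator rights?
# PRIV_GROUPS is an assumed list of admin groups; adjust it to your distribution.
PRIV_GROUPS="root wheel sudo admin"

# Print every account whose UID is 0, i.e. a second root, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print the members of the privileged groups listed in PRIV_GROUPS, deduplicated.
admin_group_members() {
    awk -F: -v groups="$PRIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print members[i]
        }' "$1" | sort -u
}

# Combined report: every account that is root or can become root via a group.
# $1 = passwd file, $2 = group file.
privileged_accounts() {
    { uid0_accounts "$1"; admin_group_members "$2"; } | sort -u
}

# Guard for interactive use: returns 0 (true) when the shell is running as root,
# so a login script can refuse to start day-to-day work with full privilege.
interactive_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Constructed sample files (not a real system): "toor" is a hidden second root,
# "alice" is in wheel, "bob" has no administrative rights.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_GROUP="$SAMPLE_DIR/group"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:alice,bob
EOF

echo "Accounts with administrator privilege:"
privileged_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Run it against /etc/passwd and /etc/group on a real machine; every name that is not a dedicated administrator is a candidate for the 'su' or 'runas' workflow described above.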

The following link from Microsoft gives a good overview of tools and methods that help you run with least privilege: article.
