The Truth about User Privileges - Tech Learning

The Truth about User Privileges

Has the time come to set your Windows clients to run without system administrator rights?
Publish date:

Courtesy of Dark Reading Leaving admin power on a user's desktop can invite trouble, especially with today's more targeted attacks. That trouble can come in the form of malware that gets on the machine, as well as trouble with users loading apps they shouldn't, security experts say. Minimizing user rights on a machine is not a new concept, but it may become more of a standard practice with Microsoft's soon-to-be released Windows Vista user account protection, which lets "nonprivileged" users operate mundane tasks that once required admin privileges. (Windows XP, for instance, requires a user to have administrative rights to connect to an ad-hoc wireless network.) Today, some Windows applications just won't run properly on a desktop without administrative rights. "It's a dirty little secret people sweep under the rug because they're not able to do much about the problem. A lot of applications and pieces of environments won't work if users aren't given admin rights," says Steve Kleynhans, vice president for Gartner's client platforms group. "If you can get applications to function with lower rights, in a lot of cases it hampers the user experience." Many enterprises already configure their desktops with minimal user rights rather than the whole enchilada of admin rights. Thomas Ptacek, a researcher with Matasano Security, says these days, enterprises more often than not are setting their desktops at least privilege. "There is a definite trend towards least privilege in enterprises," he says. "Least privilege contains threats -- a zero-day exploit in your mail reader is less viscerally terrifying if it only gets you a normal user account." Mark Loveless, security architect for Vernier Networks, says user privilege problems stem more from the applications themselves. "Most don't take advantage of the security features there in Windows. Not everything has to run with full system privileges all the time," Loveless says. "Part of the problem is application developers don't think they can code it where it doesn't require full system privileges." Vista could help change all that. Aside from its user account control feature, apps will run better on the OS if they don't demand administrative privileges, experts say. "Microsoft is pushing a model where your code runs better if it doesn't demand administrative privileges," says Dan Kaminsky, director of penetration testing for IOActive. "If you want your stuff to work better, it [must] operate in this sandbox." But Matasano's Ptacek says in the end, the least-privilege user setting doesn't matter. In addition to the scarcity of apps being written for it, least privilege doesn't necessarily stop malware. "Normal users have to be able to open new network connections to make benign applications work," he says. "A reliable exploit in a 'non-privileged' network service is still a mass-casualty threat." And it's the Web app that guards payroll data, for instance, not the user's Windows admin account, he says. "Matasano writes advisories to vendors after finding flaws that let 'guest' users rewrite databases or add and delete new users," he says. "Who cares about [Windows desktop] system privileges?"



Limiting user hard drive space

Question: How do I limit the size of the user's drive? The IT Guy says: You can configure user accounts in Windows or Macintosh computer environments to permit file saving only on network user folders. When you specify the details for those user accounts, you can limit the amount of server hard drive space

Image placeholder title

The Cloud

When it comes to running a district’s online operations, the general consensus of this working group was not answering the questions “if?” or “why?” go with a cloud-based strategy but “when?” and “how best?”

Image placeholder title

The Cloud

When it comes to running a district’s online operations, the general consensus of this working group was not answering the questions “if?” or “why?” go with a cloud-based strategy but “when?” and “how best?”

Users changing IP addresses

Question: Can a user change his or her IP address location? The IT Guy says: Technically speaking, it is possible to change the IP address that your computer is using, yes. However, the Internet Service Provider’s router must be configured to accept your IP settings, and that is not something a casual user can

Talking to Students About Cyber-Ethics

Sharing software may seem like an easy way for school administrators to economize when budgets are tight. But making unauthorized copies of a copyrighted software program or downloading it for free from the Internet is often illegal and it can place computer data and systems at risk. It also sends a message that it's

User Profiles and Data Security

Question: How do we manage user profiles and secure data? The IT Guy says: User profiles are generally best managed at the server level. By having students login either with a generic user id or individual user ids, the server can trigger custom scripts to map drives and assign rights. My article "A Beginner's