Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:59 AM
Connect Directly

The Truth About User Privileges

Denying your users full system privileges is in style

Has the time finally come for the least-privilege user -- you know, setting your Windows client machines to run without system administrator rights?

Leaving admin power on a user's desktop can invite trouble, especially with today's more targeted attacks. That trouble can come in the form of malware that gets on the machine, as well as trouble with users loading apps they shouldn't, security experts say.

Minimizing user rights on a machine is not a new concept, but it may become more of a standard practice with Microsoft's soon-to-be released Windows Vista user account protection, which lets "nonprivileged" users operate mundane tasks that once required admin privileges. (Windows XP, for instance, requires a user to have administrative rights to connect to an ad-hoc wireless network.)

Today, some Windows applications just won't run properly on a desktop without administrative rights. "It's a dirty little secret people sweep under the rug because they're not able to do much about the problem. A lot of applications and pieces of environments won't work if users aren't given admin rights," says Steve Kleynhans, vice president for Gartner's client platforms group. "If you can get applications to function with lower rights, in a lot of cases it hampers the user experience."

Many enterprises already configure their desktops with minimal user rights rather than the whole enchilada of admin rights. Thomas Ptacek, a researcher with Matasano Security, says these days, enterprises more often than not are setting their desktops at least privilege. "There is a definite trend towards least privilege in enterprises," he says. "Least privilege contains threats -- a zero-day exploit in your mail reader is less viscerally terrifying if it only gets you a normal user account."

Mark Loveless, security architect for Vernier Networks, says user privilege problems stem more from the applications themselves. "Most don't take advantage of the security features there in Windows. Not everything has to run with full system privileges all the time," Loveless says. "Part of the problem is application developers don't think they can code it where it doesn't require full system privileges."

Vista could help change all that. Aside from its user account control feature, apps will run better on the OS if they don't demand administrative privileges, experts say. "Microsoft is pushing a model where your code runs better if it doesn't demand administrative privileges," says Dan Kaminsky, director of penetration testing for IOActive. "If you want your stuff to work better, it [must] operate in this sandbox."

But Matasano's Ptacek says in the end, the least-privilege user setting doesn't matter. In addition to the scarcity of apps being written for it, least privilege doesn't necessarily stop malware. "Normal users have to be able to open new network connections to make benign applications work," he says. "A reliable exploit in a 'non-privileged' network service is still a mass-casualty threat."

And it's the Web app that guards payroll data, for instance, not the user's Windows admin account, he says. "Matasano writes advisories to vendors after finding flaws that let 'guest' users rewrite databases or add and delete new users," he says. "Who cares about [Windows desktop] system privileges?"

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Vernier Networks Inc.
  • Gartner Inc.
  • Matasano Security LLC Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Stop Defending Everything
    Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
    Small Business Security: 5 Tips on How and Where to Start
    Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
    Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
    Jai Vijayan, Contributing Writer,  2/13/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-02-17
    Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
    PUBLISHED: 2020-02-17
    Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
    PUBLISHED: 2020-02-17
    ELTEX NTP-RG-1402G 1v10 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.
    PUBLISHED: 2020-02-17
    ELTEX NTP-RG-1402G 1v10 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected.
    PUBLISHED: 2020-02-17
    Symmetricom SyncServer S100, S200 1.30, S250 1.25, S300 2.65.0, and S350 2.80.1 devices allow stored XSS via the newUserName parameter on the "User Creation, Deletion and Password Maintenance" screen (when creating a new user).