
The Truth About User Privileges

Denying your users full system privileges is in style

Has the time finally come for the least-privilege user -- you know, setting your Windows client machines to run without system administrator rights?

Leaving admin power on a user's desktop can invite trouble, especially with today's more targeted attacks. That trouble can come in the form of malware that gets on the machine, or of users loading apps they shouldn't, security experts say.

Minimizing user rights on a machine is not a new concept, but it may become more of a standard practice with Microsoft's soon-to-be-released Windows Vista user account protection, which lets "nonprivileged" users perform mundane tasks that once required admin privileges. (Windows XP, for instance, requires a user to have administrative rights to connect to an ad-hoc wireless network.)

Today, some Windows applications just won't run properly on a desktop without administrative rights. "It's a dirty little secret people sweep under the rug because they're not able to do much about the problem. A lot of applications and pieces of environments won't work if users aren't given admin rights," says Steve Kleynhans, vice president for Gartner's client platforms group. "If you can get applications to function with lower rights, in a lot of cases it hampers the user experience."

Many enterprises already configure their desktops with minimal user rights rather than the whole enchilada of admin rights. Thomas Ptacek, a researcher with Matasano Security, says these days, enterprises more often than not are setting their desktops at least privilege. "There is a definite trend towards least privilege in enterprises," he says. "Least privilege contains threats -- a zero-day exploit in your mail reader is less viscerally terrifying if it only gets you a normal user account."

Mark Loveless, security architect for Vernier Networks, says user privilege problems stem more from the applications themselves. "Most don't take advantage of the security features there in Windows. Not everything has to run with full system privileges all the time," Loveless says. "Part of the problem is application developers don't think they can code it where it doesn't require full system privileges."

Vista could help change all that. Aside from its user account control feature, apps will run better on the OS if they don't demand administrative privileges, experts say. "Microsoft is pushing a model where your code runs better if it doesn't demand administrative privileges," says Dan Kaminsky, director of penetration testing for IOActive. "If you want your stuff to work better, it [must] operate in this sandbox."

But Matasano's Ptacek says in the end, the least-privilege user setting doesn't matter. In addition to the scarcity of apps being written for it, least privilege doesn't necessarily stop malware. "Normal users have to be able to open new network connections to make benign applications work," he says. "A reliable exploit in a 'non-privileged' network service is still a mass-casualty threat."

And it's the Web app that guards payroll data, for instance, not the user's Windows admin account, he says. "Matasano writes advisories to vendors after finding flaws that let 'guest' users rewrite databases or add and delete new users," he says. "Who cares about [Windows desktop] system privileges?"

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Vernier Networks Inc.
  • Gartner Inc.
  • Matasano Security LLC

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
