Using least privilege concepts, Microsoft has tightened the security of system services. To reduce the attack surface, Vista's system services run with a minimum set of privileges. The Service Control (sc) command-line tool lets system administrators query and change the privileges assigned to services. Microsoft has attempted to improve UAC in Windows 7 by making it quieter and more configurable.
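As an added example (this is not code from the book), the following PowerShell session uses the sc.exe verbs the paragraph refers to on a Vista or later machine to review and then reduce the privilege set of one service. The service name ExampleSvc and the privilege list are placeholders to adapt to the service being reviewed.

```powershell
# Added example (not from the book): audit and tighten the privilege set of a
# Windows service with sc.exe (supported on Vista and later).
# 'ExampleSvc' and the privilege list below are placeholders for illustration.
$service = 'ExampleSvc'

# 1. Query the privileges the Service Control Manager will leave in the
#    service's process token when it starts.
sc.exe qprivs $service

# 2. Show the account the service runs as. The privileges come from that
#    account's token and are then filtered down to the list from step 1.
sc.exe qc $service

# 3. Restrict the service to the minimum it actually needs. Entries are
#    separated by '/'. SeChangeNotifyPrivilege (bypass traverse checking) is
#    the one nearly every process needs; add others only when the service
#    demonstrably fails without them.
sc.exe privs $service SeChangeNotifyPrivilege/SeCreateGlobalPrivilege

# 4. Give the service its own SID so file and registry ACLs can grant access
#    to this service alone rather than to every process running as the same
#    built-in account (LOCAL SERVICE / NETWORK SERVICE).
sc.exe sidtype $service unrestricted

# 5. Confirm the change, then restart so a fresh token is built.
sc.exe qprivs $service
Restart-Service -Name $service
```

If the service misbehaves after step 3, the Windows event log records which operation failed; add back only the single privilege that operation requires rather than reverting to the full set.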
While there is no doubt that UAC is more configurable in Windows 7, it is for you to decide whether or not it is improved. Windows 7 provides users with a less annoying experience, but with the prospect that their systems could be silently compromised.
When designing UAC for Windows 7, Microsoft endeavored to strike the right balance between usability and security. Windows 7 gives users more control over UAC behavior, and the new features can also be configured in Group Policy. It includes a license to run a virtualized instance of Windows XP and a new version of Virtual PC, which can integrate applications running inside a virtual machine with the Windows 7 desktop—blurring the line between installed and virtualized programs.
Least Privilege Security in Unix-based operating systems

In Unix-based operating systems it is common to log in with a restricted set of privileges for everyday use, and to switch to a different user account with administrative privileges when required. Traditionally, Unix offered an all-or-nothing approach to privilege assignment: accounts either had administrator or standard user privileges.
This model has been supplemented in modern distributions with the ability to assign privileges in a more granular fashion.
Discretionary Access Control (DAC) is where system administrators assign access to a set of objects, such as a directory of files, and allow the user to change the security properties of those files. The user becomes the owner of the directory and can modify the security properties of all files within that directory.
Mandatory Access Control (MAC) helps prevent the flow of sensitive information from a high-privileged account to a lower one. Role-Based Access Control (RBAC), which focuses on users' roles rather than on objects and resources as DAC does, is a more natural way for system administrators to control access to data across an organization.
DAC enforces basic least privilege concepts to protect operating system files and registry keys using groups, which are collections of users, whereas RBAC roles are collections of permissions. As servers are usually considered crucial to an organization, operators are often granted limited privileges to perform a restricted set of duties. A common example of this is management of backups in remote offices. Employees responsible for backup may have limited IT knowledge, but they need to change tapes and log on to the server to check for running backup jobs.
It's preferable not to assign unqualified personnel administrative privileges on a server, as doing so creates an additional significant risk. In the same way that a firewall is supplied with all inbound ports blocked, requiring an administrator to specifically open individual ports before Internet traffic can traverse one of the firewall's network interfaces into the corporate intranet, modern operating systems elevate privilege only when necessary.
A firewall with all ports closed by default, where the factory configuration prevents network traffic flowing from an untrusted to a trusted network, is also simple to configure. Issuing a command to open one or two ports is easier than trying to shut off hundreds of ports in order to leave just a few open.
Least Privilege Security is often applied to servers as a matter of course, but the idea of desktop security is regularly limited to the concept of antivirus software and possibly a personal firewall. The benefits that least privilege brings to servers also apply to desktops. Though considered a security principle, the biggest benefit of Least Privilege Security is that it aids change and configuration management.
Every time you log in to a computer with administrative privileges, there's the potential that the system's configuration may undergo unsanctioned changes, knowingly or otherwise. Least privilege helps to maintain the intended configuration of a system while still giving the flexibility to change it where corporate policy permits, which lets system administrators manage who can change what.
Least Privilege Security enables system administrators to maintain better standardized environments and reduce support costs. If the helpdesk can be reasonably certain of a system's configuration, it's much easier to support that system. If users are allowed to change important configuration settings without a good reason, the help desk faces a much tougher job, increasing the time required to resolve problems and thus driving up costs.
Least Privilege Security also prevents users from circumventing controls implemented by system administrators. If a user has administrative privileges, with the right knowledge, it's possible to circumvent Group Policy.
Ultimately, if a user has administrative privileges, there's likely a way to break into a system even if other controls are in force. Good change and configuration management provides stability. How often are support staff faced with queries such as "it was working OK yesterday"? Computers don't stop working without a reason; something must have changed. If system administrators can prevent unwanted change, these types of queries can be reduced. Wouldn't it be nice to know that every time a user switches on their system, they can be sure that it will work as expected?
If users are prevented from making unintentional changes to critical system components on the desktop, the risk of malicious or unsanctioned software finding its way onto corporate systems is significantly reduced. The likelihood of users being infected with drive-by internet attacks, rootkits, or worms is minimized as users need to specifically give permission for such software to run.
A large number of today's malicious programs require administrative privileges to install. Therefore, a standard user is far less likely to infect a machine accidentally.
Even if a standard user account becomes infected with a virus, the damage it can do is considerably less than if they had been granted administrative privileges. You may be thinking that there are ways around some of the protections that Least Privilege Security provides, and you would be right. However, it must be understood that Least Privilege Security should be used as one layer of a comprehensive defense-in-depth strategy, and that other technologies such as Software Restriction Policies, Windows Firewall, and antivirus software, should be deployed to provide complete protection.
Many organizations are subject to regulatory compliance, and all such regulations require that users are given only the privileges required to complete their work. Even if your business is not subject to regulation, it should be considered best practice to implement Least Privilege Security, to boost customer trust. Sensitive data is easily stolen from users if layered protection is not in place. If keylogging software is silently installed on a user's machine, then the program may be able to transmit captured data to its author without the user's knowledge.
A comprehensive defense-in-depth security strategy would be almost certain to prevent such an attack. Least Privilege Security can also help organizations to manage software licensing. While it doesn't necessarily remove the need to audit programs installed across an enterprise, enforcing a standard image using least privilege reduces the chances that your business will fall out of compliance through unauthorized or unlicensed applications being installed on desktops.
Least Privilege Security shouldn't be viewed as a panacea for all security-related problems. It's perfectly possible that malware could install itself by exploiting an unpatched security vulnerability, which might have otherwise required administrative privileges to install.
Freely available software on the Internet is often packaged in portable or a per-user form, which usually indicates that it can be installed without administrative privileges. Consequently, Least Privilege Security alone cannot prevent all unauthorized software appearing on your network, and should be used in conjunction with Software Restriction Policy.
Least Privilege Security does a good job of protecting critical system components and configuration, but a virus could still infect a fully patched system.
The damage would likely be limited to an individual user's profile, leaving the underlying system untouched. This damage limitation mechanism, provided by Least Privilege Security, makes any virus outbreak on your network less serious and easier to clean up. The biggest reason to avoid least privilege on the desktop is that striking a balance between usability and security is much harder on a desktop than on a server.
However, technologies do exist to help implement least privilege successfully on the desktop. The single biggest roadblock in running as a standard user is application compatibility. Windows developers have become used to logging in to their machines with administrative privileges. This inevitably results in software that requires administrative privileges to work correctly. One of Microsoft's goals with User Account Control is to try to change this practice, and force programmers into developing software as a standard user.
Application compatibility problems with Least Privilege Security range from programs failing to launch, to not retaining user settings. Error messages appearing at inopportune moments, inconveniencing users, and making it appear that the application wasn't designed to run on the system where it's installed are a result of bad practice on the part of developers. Earlier versions of Intuit's QuickBooks software for small businesses were probably the most well-known Least Privilege Security compatibility offenders.
Until recently, it was a requirement for users of QuickBooks to be a member of the administrators, or pre-Vista power users group, forcing many businesses to risk the integrity of their systems by allowing users to run with administrative privileges. Fortunately today, most commonly used off-the-shelf enterprise applications will run with least privilege user accounts.
For legacy applications and other programs that are still incompatible with Least Privilege Security, there are many technologies that can be used to solve compatibility problems, such as virtualization techniques and compatibility shims, which will be covered in the second half of this book.
Security is always a trade-off against usability, and least privilege is no exception. Implementing Least Privilege Security prior to Windows Vista involved a lot of work, and most system administrators simply didn't have the time, resources, or management backing to make it work in such a way that it would be accepted by end users. That's not to say that it's impossible to implement Least Privilege Security in Windows XP, but it does require time and testing on your part.
There are many common settings that users can't change as a standard user in Windows XP. User Account Control has addressed most of these issues in Vista and Windows 7. Let's take a look at the issue of changing a system's time zone, date, or time. As a standard user in Windows XP, you cannot change any of these settings.
Changing the date and time is protected because Kerberos, the standard network authentication protocol in Windows domains, relies on date and time synchronization for successful authentication with a domain controller. If a system's date and time doesn't fall within close range of the domain controller's, the user will not be able to log in.
Hackers can also manipulate the date and time to cover their tracks, which provides another reason to restrict access to these settings. For non-domain computers, Windows synchronizes the time and date with an Internet time server, so standard users don't require access to modify time and date settings.
Time zone is another matter, as it simply changes the way the time is displayed to users; a time zone different from the server's does not affect their ability to log in. Prior to Windows Vista, standard users were not able to change the time zone, causing much frustration for notebook users. It may not seem such a big deal to most system administrators, but users who travel a lot are not likely to accept that they can't change the time zone on their notebook, and will deem it a problem with their system.
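The split described above is visible in the logon token: SeSystemtimePrivilege guards the date and time, while SeTimeZonePrivilege, introduced in Vista, guards only the time zone and is granted to standard users. As an added example (not code from the book), the following PowerShell function reads the privilege list with whoami and reports both. It assumes whoami.exe is present, which it is on Vista and Windows 7 but not on a default Windows XP installation; on XP the time zone privilege does not exist, so it will be reported as not held.

```powershell
# Added example (not from the book): report whether the current logon token
# holds the two time-related privileges, to show why a Vista/Windows 7 standard
# user can change the time zone but not the clock.
function Get-TimePrivilegeState {
    # 'whoami /priv /fo csv' emits the columns "Privilege Name","Description","State".
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $wanted = 'SeSystemtimePrivilege', 'SeTimeZonePrivilege'

    foreach ($name in $wanted) {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
        # A privilege absent from the token cannot be enabled at all, which is
        # the real restriction; one listed as 'Disabled' is merely switched off
        # until a process that needs it enables it.
        [pscustomobject]@{
            Privilege = $name
            InToken   = [bool]$row
            State     = if ($row) { $row.State } else { 'Not held' }
        }
    }
}

Get-TimePrivilegeState | Format-Table -AutoSize
```

Run it once in a standard-user session and once in an elevated one: the standard user should show SeTimeZonePrivilege present and SeSystemtimePrivilege not held, which is exactly the behaviour the time zone and date/time control panels enforce.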
The time zone is just one example of a problem you will encounter when implementing Least Privilege Security in Windows XP. As you can see, removing administrative privileges in Windows XP is likely to create problems very quickly if the change is not carefully planned. Though Least Privilege Security makes it harder for users to break their systems, it also makes it more difficult for users to fix problems or make necessary changes without involving the help desk.
This may not be a problem for desktops that are located in an office with easy access to IT support, but for remote workers without administrative privileges, should a serious problem occur, there could be a long wait before a solution is implemented.
Help desks often rely on remote workers to change important system settings to fix serious problems. This is something of a catch-22 situation: if a user doesn't have administrative privileges, those important settings can't be modified and the system will work reliably, but should something need to be changed, the user has to call the help desk.
It's commonplace for system administrators to rely on remote workers, who rarely visit the office, to install operating system updates and third-party software patches, which requires administrative privileges. Issues also arise when users want to install hardware. If a suitable driver isn't already available on the system, a standard user cannot add a new device driver. Many smaller businesses don't require users to adhere to a list of supported hardware, further exacerbating the problem.
There are certain categories of employees, such as engineers and sales representatives, who may need to install or update software on a regular basis. Even in a large organization, it may not be possible to deliver all such software automatically from a central distribution point. Help desks are not used to supporting Least Privilege Security as it's not the standard configuration in older versions of Windows. Along with many Windows professionals, first-level support and help desks often have little understanding of the Windows security model.
To support Least Privilege Security, system administrators and help desks need to have a good understanding of basic security principles such as the Windows security model, User Account Control, and how to solve common problems related to Least Privilege Security.
So, before implementing Least Privilege Security in your enterprise, you need to consider training costs for support staff. While my own experience shows that in most cases implementing Least Privilege Security on the desktop is more than worth the effort, I'm not expecting you to take my word for it that least privilege is going to make a big difference to your organization's bottom line.
Fortunately, there is independent evidence pointing to the fact that Least Privilege Security does make a difference. Measuring the productivity of an information worker is much harder than for a traditional blue-collar worker. System performance and reliability play only a small part in what constitutes user productivity, with usability, familiarity, and transactional efficiency also playing a role.
While there is plenty of anecdotal evidence supporting the benefits of Least Privilege Security, getting hard figures is difficult. The best way to persuade management to adopt a desktop least privilege project in your organization is to conduct your own trials with a small but varied group of users, and compare variables such as the quantity of help desk tickets raised, user satisfaction, and productivity comparisons before and after least privilege is trialed. Running these tests will also give you some insight into the technical problems that will be specific to your organization.
You should also set an example and run as a standard user, elevating to an administrative account only when necessary, to demonstrate to the users and management that least privilege is a feasible solution for everyone. Without least privilege on the desktop, it's impossible to truly reap the benefits of a centrally managed infrastructure.
Small businesses without a managed infrastructure benefit from improvements in Vista and User Account Control. While not all of Vista's security features can be emulated in XP, larger organizations can configure XP to run accounts as a standard user, and reap the benefits of Least Privilege Security. A study carried out by eWEEK before the release of Windows Vista showed that organizations that deployed least privilege for users on Windows and XP experienced a significant decrease in the number of successful security exploits.
Changes in Vista make it more difficult to compromise the operating system and Internet Explorer. This isn't without its downside, as attention has moved to exploiting third-party software. Research by BeyondTrust, a company that produces software to help enterprises eliminate administrative privileges, shows that running as a standard user mitigates 92 percent of known security vulnerabilities on Windows systems. You should now have a full understanding of the principle of Least Privilege Security and its implementation in Windows, from the early days of no real security in consumer editions of the operating system to today's push towards Least Privilege Security in Windows 7.
Before proceeding to the next chapter, we have:
- understood how system privileges are used to control the aspects of an operating system's configuration that users can change;
- familiarized ourselves with the principle of Least Privilege Security, and how it is implemented in different versions of Microsoft Windows;
- become aware of the technical advantages and disadvantages that Least Privilege Security brings to desktop computing.
In the next chapter, we will move on temporarily from the technical aspects of implementing Least Privilege Security on the desktop, to talk about the cultural and political challenges, which for many can be harder to overcome.

About the author: Russell Smith is an independent IT consultant who specializes in management and security of Microsoft-based IT systems. Russell also has extensive experience as an IT trainer.

About this book: Least Privilege Security is the practice of assigning users and programs the minimum permissions required to complete a given task. Publisher: Packt. Publication date: July.

Chapter 1: Looking at the benefits of implementing Least Privilege Security on the desktop

What is privilege?

Built-in groups:
- Guests: members have the same access as members of the Users group by default, except that the Guest account is further restricted.
- Network Configuration Operators: members have some administrative privileges to manage the configuration of networking features.
- Power Users: included for backwards compatibility, but deprecated and has no administrative privileges.
- Remote Desktop Users: members are granted the right to log on remotely.
- Users: members are prevented from making accidental or intentional system-wide changes and can run most applications.

Note: While members of the Administrators group in Windows aren't completely unrestricted, it is possible for them to override operating system protections and make any desired changes.
Note: The built-in Administrator account is disabled out of the box in Vista and Windows 7, and UAC prompts are not triggered for this account by default.
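The UAC configurability discussed at the start of this excerpt, the advice to work as a standard user and elevate only when needed, and the note above about the built-in Administrator are all driven by a handful of policy values under the Policies\System registry key. As an added example (not code from the book), the following PowerShell script reads those values, explains what each prompt level means, flags the settings a least-privilege review would question, and tells you whether the current session is already elevated. The value names are the documented UAC policy values; the one-line descriptions beside each level are a summary written for this example.

```powershell
# Added example (not from the book): audit how UAC is configured on this
# machine and whether the current session holds an elevated token.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    $p = Get-ItemProperty -Path $uacKey

    # Meaning of ConsentPromptBehaviorAdmin (the slider exposed in Windows 7).
    $adminLevels = @{
        0 = 'Elevate without prompting: admins never see UAC'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
    }
    # Meaning of ConsentPromptBehaviorUser (what a standard user sees).
    $userLevels = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials (default)'
    }

    # A value that was never written means "operating system default", so
    # substitute the default rather than reporting a blank.
    $enableLua   = if ($null -ne $p.EnableLUA) { $p.EnableLUA } else { 1 }
    $adminMode   = if ($null -ne $p.ConsentPromptBehaviorAdmin) { $p.ConsentPromptBehaviorAdmin } else { 5 }
    $userMode    = if ($null -ne $p.ConsentPromptBehaviorUser)  { $p.ConsentPromptBehaviorUser }  else { 3 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop) { $p.PromptOnSecureDesktop } else { 1 }
    # FilterAdministratorToken: 0 (default) = the built-in Administrator gets a
    # full token and is never prompted; 1 = Admin Approval Mode applies to it too.
    $filterAdmin = if ($null -ne $p.FilterAdministratorToken) { $p.FilterAdministratorToken } else { 0 }

    [pscustomobject]@{
        UacEnabled                 = ($enableLua -eq 1)
        AdminPromptLevel           = $adminMode
        AdminPromptMeaning         = $adminLevels[[int]$adminMode]
        UserPromptLevel            = $userMode
        UserPromptMeaning          = $userLevels[[int]$userMode]
        SecureDesktop              = ($secureDesk -eq 1)
        BuiltInAdminInApprovalMode = ($filterAdmin -eq 1)
        # Findings a least-privilege reviewer would want to discuss.
        Findings = @(
            if ($enableLua -ne 1)   { 'UAC disabled: every admin logon runs with a full token' }
            if ($adminMode -eq 0)   { 'Silent elevation: admins are never prompted' }
            if ($secureDesk -ne 1)  { 'Prompts not on the secure desktop: other software can overlay them' }
            if ($filterAdmin -ne 1) { 'Built-in Administrator is exempt from UAC if that account is enabled' }
        )
    }
}

function Test-Elevated {
    # True when the current token's Administrators membership is enabled,
    # i.e. an elevated session (or an admin logon with UAC switched off).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacPolicy | Format-List
if (Test-Elevated) {
    'This session is elevated; prefer a standard-user shell for day-to-day work.'
} else {
    'Running as a standard user. Elevate only for the task that needs it, for example:'
    '  Start-Process powershell.exe -Verb RunAs'
}
```

Reading the policy values needs no special rights, so the script can run from the standard-user session it recommends; the Findings list is empty on a Windows 7 machine left at its defaults with the built-in Administrator still disabled, which is the state the note above describes.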
While there are benefits in implementing Least Privilege Security on the desktop, there are many technical challenges that you will face when restricting privileges.
This book contains detailed step-by-step instructions for implementing Least Privilege Security on the desktop for different versions of Windows and related management technologies. It will provide you with quick solutions for common technical challenges, Microsoft best practice advice, and techniques for managing Least Privilege on the desktop along with details on the impact of Least Privilege Security.
The book begins by showing you how to apply Least Privilege Security to different categories of users. You will then prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings.
You will identify problems with applications caused by Least Privilege Security using the Application Compatibility Toolkit. This book will help you configure User Account Control on multiple computers using Group Policy and support Least Privilege user accounts using reliable remote access.
Then, you will modify legacy applications for Least Privilege Security, achieving the best balance between compatibility and security by using Application Compatibility shims. The book will help you implement best practices for working with ActiveX Controls in a managed environment.
A practical handbook containing detailed step-by-step instructions for implementing Least Privilege Security on Windows systems. What you will learn from this book:
- Control and change system privileges.
- Benefit from implementing Least Privilege Security on the desktop, and overcome the most common technical and political problems and challenges when implementing it.
- Clearly explain and justify the benefits of Least Privilege Security for your organization.
- Apply Least Privilege Security to different categories of users and get buy-in from management.
- Analyze logon scripts for Least Privilege compatibility.
- Prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings.
- Mitigate the problems and limitations users may face when running with a Least Privilege Security account.
- Chapter 5, User Account Control: achieve a seamless user experience by using the different components and compatibility features of User Account Control.
- Connect to remote systems with administrative privileges using different techniques.
- Enable remote access using Group Policy and Windows Firewall.
- Chapter 7, Microsoft Windows Application Compatibility Infrastructure: modify incompatible applications on the fly and achieve the best balance between compatibility and security by using Application Compatibility shims.
- Create shims using Application Compatibility Toolkit 5.
- Repackage legacy setup programs in Windows Installer.
- Implement best practices for working with ActiveX Controls in a managed environment.
- Force an application to launch with standard user privileges even if the user is an administrator.
This practical handbook has solutions to the most common technical challenges, Microsoft best practice advice, and techniques for managing Least Privilege on the desktop.