With Marco Peretti, CTO, BeyondTrust.
Question: What is the principle of least privilege?
Peretti: The principle of least privilege was coined by the Department of Defense almost 30 years ago. It's been around for a while. It was introduced as a best practice to limit the damage by an innocent or malicious security breach. The principle states that a subject or user should be granted the least amount of access to accomplish their task. It's a general concept but maps pretty well to security. In the Windows environment, we have to map the set of operating system privileges to each given application. The problem is that in Windows there are many users who log in as administrators with full administrative privileges, thereby violating the principle. This is an issue because most malware requires administrative privileges to do damage. Recently, for instance, Microsoft issued a number of security patches. Many for Excel and Word are for vulnerabilities that enable exploitation by simply receiving the documents. The damage they can do to the station depends on the privileges held by users.
Question: It sounds like it would be hard to actually deploy a system based on this idea. What are some of the complexities?
Peretti: Up to now, we've a sketched a principle. The challenge is to apply the principle. What OSs allowed until XP and Vista was to simply let users run programs which required administrative user names and passwords. [Stopping that] brought in other problems. … The nature of Windows is that even a single application that required administrative privileges promoted the provisioning of administrative privileges for all applications including malware. The reason we developed the solution is that it was very difficult to implement a least privileged environment because so many applications require administrative privileges.
Question: So how did you proceed?
Peretti: What we did first of all is to turn all users into regular users from administrators. Then we planned privileges on a per-application basis. You have administrator-defined rules determining what privileges are required for a given application. Keep in mind this would not be for all applications, only applications that require special privileges to run. That approach is implemented by Vista. It's called user account control (UAC). When it detects an application requiring additional privileges for the user, it prompts them to say whether it should elevate or not. UAC is for home users, where the user is his own administrator. At the corporate level, the decision on what rights are given for a specific application is a matter of corporate policy, as opposed to the user making their own decision.
This 3 Questions originally appeared in a weekly report from IT Business Edge.
This was first published in January 2007