Forwarded from: PaulBlair (at) westhillscollege.com > http://www.eweek.com/c/a/Security/Minimizing-User-Rights-Can-Increase-Security/ > > By Brian Prince > eWEEK.com > 2008-02-05 > In its defense, Microsoft has built the User Account Control feature > into Windows Vista, allowing IT administrators to elevate their > privilege for specific tasks and application functions while still > running most applications, components and processes with a limited > privilege. For IT administrators like me, Vista and UAC in it's default configuration actually makes it harder to run our desktops securely and carry out administrative tasks related to a Windows domain. This is because while UAC is activated, you cannot launch programs as other users - you can only click "allow". This present a problem when you launch a domain related administration tool and you need to launch it using your domain administrator account. The solution to the problem was to do as we had done previously with Windows 2000 and XP - that is run our desktops as regular users. When you are a non-administrative user, The UAC prompt allows you to specify any user you want. > Other companies such as Symark Software and BeyondTrust also look to > address the issue of least privilege with their software. > > A least-privilege approach, some argue, ensures that users always > logon with limited account privileges, and can be used to restrict the > useof administrative credentials to certain individuals and for > certaintasks, such as installing programs. Malware sometimes is > written to exploit elevated privileges and thus spread more rapidly, > offering businesses another reason to restrict privileges. However, > doing so can affect business productivity, which makes some businesses > weary. May I suggest the website, nonadmin.editme.com. There are some great information on running Windows as a limited user and for the budget challenged, a ton of free tools in the "Useful Tools" section, some of which emulate "sudo" found in UNIX-type OSs. > "The loss of local administration rights [to] many companies seems a > very burdensome prospect, because their internal software programming > realm doesn't even think about operating their installations orrunning > their processes under a minimal elevation of rights," said Spherion > Senior Technical Architect Gilroy Freeth, who helped remove > administrative rights on some 3,500 client machines for the National > Nuclear Security Administration's site in Nevada. It is a burdensom task, but well worth it. When we yanked admin rights from all of our employees several years ago, aside from the near 100% reduction in "adware" infections, we noticed a near 100% drop in other mysterious Windows breakdowns. When users don't have local admin rights, Windows becomes much more reliable than the hardware it is installed on. -Paul Paul Blair Information Technology Services West Hills Community College "Understanding the scope of the problem is the first step on the path to true panic. ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Thu Feb 07 2008 - 02:42:09 PST