For as long as I’ve been a Windows engineer (and it’s a long time!), balancing the needs of the user with the needs of the security folks has always been a huge challenge. Users want access to everything, all the time—they want to be able to browse anywhere and install any software they find to get their job done. On the other side, the security folks want to protect an organization’s assets—be they customer information, intellectual property or the ability to sell a product.
These seemingly incongruous needs often come to a head on the Windows desktop, which is the main entry point for the user into an enterprise network. In this whitepaper, I’ll examine this age-old struggle and help you understand how you can find the right balance with something I call “Best Privilege.”
When Windows NT 3.5 came out in the mid-90s, I spent a lot of time trying to figure out how to make it manageable in an enterprise environment. This new platform represented a lot of challenges and opportunities for the typical user desktop. Coming from the bad old days of Windows 9x, where there really was no security model to speak of, NT represented a major advancement for the Windows platform in the granularity and flexibility of the security model. But with it came many challenges.
Most Windows applications were written to assume that the user had full control over their system. From the registry to the file system, the whole machine was an open playing field for an application to do what it wanted. Given that, most IT shops, when faced with the complexity of this new security model and under the gun to get applications up and running, opted to grant their users "administrator-equivalent" access over their desktops. The reality was that in the pre-Internet days of Windows NT, this "administrator-for-everyone" practice wasn't very risky. As the Internet became the dominant mechanism for communication, and the risk of attack from outside an organization's walls increased exponentially, the policy proved flawed. Amazingly, however, this practice of granting full rights over a system has continued, unabated, even to this day.
However, with the reality of what that means overwhelming most IT shops when malware strikes, this is rapidly coming to end. These days all the talk is about getting to “least privilege”—reducing what the user can do on their system to the absolute minimum set of tasks. But what does that mean and how exactly do you get there? Or, perhaps the better question is, how do you find the right mix of giving your users the control they need without giving away the keys to the bad guys? How do you get to “Best Privilege?”
You may be reading this and thinking, "Why is it so wrong to have my users run as local Administrator on their Windows desktops?" It's a fair question if you've been lucky enough to avoid having your users' machines compromised by viruses or malware. The problem with a user running as administrator is, simply put, that everything they run (every browser, every email client, every installer they double-click) inherits the same full rights over the Windows desktop that the user has.
One Thing to Note About the Power Users Group — On XP this group is not much less powerful than the local Administrators group. If you think you are doing better by putting your users in this group, don't rely on it: a Power User can do almost as much as a full administrator.
So you can imagine that if a user downloads some software they find on the Internet, it's a simple matter to run the installer and install it fully onto the system, and you have no idea what that software does or where it came from. Similarly, if the user opens one of those nasty emails that carries an attachment which spreads a worm, that worm executes on their machine as…that's right…an administrator. It has full access to do whatever it wants on that machine.
If the user was not an administrator, the unvetted software or worm may not have sufficient rights to install successfully, because limited users are prevented from writing to key areas of Windows, such as the C:\Windows\System32 folder, C:\Program Files and the HKEY_LOCAL_MACHINE registry hive. Many application installs simply fail when they can't write to these locations.
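A quick way to see this protection for yourself is to probe the locations just listed from the account you are evaluating. The script below is an added example for this whitepaper, not code from the original text; it assumes Windows PowerShell 5.1 or later, and the probe names it creates (and immediately deletes) are arbitrary. It reports whether the current token is in the local Administrators group, then tries to create and remove a throwaway item in System32, Program Files, HKLM\SOFTWARE and the user's own profile.

```powershell
# Added example (not from the whitepaper): probe the protected locations
# the text lists and report whether the current token can write to them.
# Assumes Windows PowerShell 5.1+ on Windows. Probe names are arbitrary
# and are removed again on success.

function Test-IsAdministrator {
    # True when the *current token* holds the Administrators SID.
    # On Vista and later an admin's non-elevated shell uses a filtered
    # token, so this returns False until the shell is run elevated.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $true if a probe item could be created and deleted under $Path,
    # $false if the provider refused (access denied), $null if $Path is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $probe = Join-Path $Path ('bestpriv-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        # Works for both the FileSystem and Registry providers: with no
        # -ItemType, New-Item makes an empty file or an empty key.
        $null = New-Item -Path $probe -ErrorAction Stop
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        return $true
    } catch {
        Write-Verbose ("{0}: {1}" -f $Path, $_.Exception.Message)
        return $false
    }
}

$targets = @(
    (Join-Path $env:SystemRoot 'System32'),   # C:\Windows\System32
    $env:ProgramFiles,                        # C:\Program Files
    'HKLM:\SOFTWARE',                         # HKEY_LOCAL_MACHINE hive
    $env:USERPROFILE                          # the user's own profile
)

"Running as administrator: $(Test-IsAdministrator)"
foreach ($t in $targets) {
    [pscustomobject]@{ Path = $t; CanWrite = Test-WriteAccess -Path $t }
}
```

Run it once from a limited user account and once from an Administrator: the limited user gets False for the first three locations and True only for the profile, which is exactly why an installer launched from that account fails. On Windows Vista and later, an administrator in a non-elevated shell also gets False for the protected paths because User Account Control hands that shell a filtered token; run the shell elevated to see the unrestricted result. Probing the XP Power Users group the same way illustrates the sidebar above: that group can write into Program Files and much of HKLM\SOFTWARE, so the protection it offers is thin.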