Sunday, July 31, 2005

Setting Up Least Privilege

In Win XP, accounts come in two flavors, Administrator and "Limited". You must have at least one administrator account to install/remove software, install/remove hardware drivers, install "Critical Updates" from Microsoft, and apply virus definition updates. To protect a Win XP computer against almost all malware and spyware, create a "Limited" account, and use that account to surf the web and access your email (the two activities with the greatest malware exposure). One can use the administrator account(s) for all other tasks (although for convenience, you may want to explore performing other tasks from within a "Limited" account, in addition to surfing and email). On one level, that is all there is to it.

The word "Limited" is in quotes because the label is unfortunate -- superficially, who wants to be "limited"? In Linux and Unix, the same kind of account has a more neutral label: "regular user". One can look at the "Limited" label this way: use of a "Limited" account will limit the damage malware and spyware can inflict on your computer.

Microsoft has recently decided to downplay the term "Limited" by referring to the least privilege account by its initials, "LUA", for Limited User Account, and pronouncing the initials as "loo-ah".

Before creating a "Limited" account for surfing and email, it would be best to have already chosen the names for your Administrator and "Limited" accounts. Ideally, you should choose names that make it easy to remember whether an account is Administrator or "Limited". I would personally recommend that you convert any account with a person's name to a "Limited" account, and set up one or more administrator accounts with functional names. Putting the name "Administrator" on an account would be OK (although I use "Grand Wizard" for the administrator accounts on the machines that I administer). In many situations, it is better to keep the question of who gets administrator access separate from the naming question, and to do this by making all accounts with any person's name equal and "Limited".

Also note that some information from Microsoft implies that each person can have one and only one account -- this is not so. Each person who uses a computer can have more than one; for example, one administrator account and one "Limited" account. To get the most out of least privilege, every user of a computer should surf the web and access their email from a "Limited" account, as malware and spyware that gets onto the computer through one account affects the whole computer, including everybody else who uses that computer.

Naming decisions here are not set in concrete -- you can always add more accounts later. You can rename existing accounts, but this makes for inelegant subdirectory names under "Documents and Settings" -- see the section below "Win XP User Files". I personally prefer to create a new account and delete the old account rather than rename. If you take this approach, be extra careful to copy all files and "favorites" settings from the old account to the new account before deleting the old account.

To create a new account, go to the Control Panel, select User Accounts, and click on "Create a new account". The screen will prompt you to give the account a name. The name does not need to be a person's name, but can be. (All the Win XP machines that I administer have a "Limited" account called "Surfer", for -- you guessed it -- surfing the web.) As stated above, it is better to decide on a naming plan that makes sense for you before launching into this.

There is an option here: you can either keep the new account as an Administrator or make it "Limited". The default choice is Administrator under Win XP. You can choose to make the new account a "Limited" account by clicking on that option. Later, you can come back to the User Accounts dialog (accessed through the Control Panel) and change the account type, from administrator to "Limited" or vice versa. In actual practice, it is sometimes necessary to do this.

People who already have two or more accounts on a Win XP system will know the initial screen that says, "To begin, click your user name". If your Win XP system has a single account only, Windows bypasses the initial screen. So after setting up a "Limited" account, you must choose an account each time you turn on your computer. Once you are in an account, you can tell which account you are in by clicking on the Start button -- the name of the account is at the top of the Start Menu.

I would also recommend protecting all administrator accounts with passwords. This will prevent some future, clever malware from getting administrator privileges even though you are using a least privilege account. Without password protection, malware would theoretically be able to access administrator privileges and install itself even though the person is using a least privilege account. On a shared computer, it would be OK for all users who get administrator access to know the single password for a single administrator account (that is the way it works in my office, but my office is small). Different arrangements would work in different settings, but leaving any administrator account without password protection is inviting trouble down the road.

One possible incentive system that could work in some homes and office settings would be to password protect all administrator accounts, while not password protecting some or all least privilege accounts. From the user's perspective, getting into a least privilege account is easy (no password required), while getting into an administrator account requires putting in a password. Hence the incentive for using a least privilege account.
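The three things the post does through the Control Panel -- creating a "Limited" account, checking which account you are signed in to, and making sure every administrator account has a password -- can be scripted on a modern Windows machine. The following is an added example, not code from the original post; it assumes Windows 10/11 with the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1 or later, which Win XP does not have) and must be run from an administrator session. The account name "Surfer" comes from the post; the function names and the description text are my own.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 with the
# Microsoft.PowerShell.LocalAccounts module; run from an elevated PowerShell.
# "Limited" on XP corresponds to membership in the local Users group only;
# "Administrator" corresponds to membership in the local Administrators group.

# Which account am I in, and is it an administrator or a least privilege one?
# (The post's equivalent is the name at the top of the XP Start Menu.)
function Get-CurrentAccountKind {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        Name = $id.Name
        Kind = if ($isAdmin) { 'Administrator' } else { 'Limited' }
    }
}

# Create a "Limited" account: a local user in the Users group and nowhere else.
function New-LimitedAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Description = 'Least privilege account for web and email'  # assumed text
    )
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        # -NoPassword follows the post's incentive scheme (no password on the
        # limited account); replace it with -Password (a SecureString) if you
        # prefer one.
        New-LocalUser -Name $Name -Description $Description -NoPassword | Out-Null
    }
    # New-LocalUser does not place the account in any group by itself, so add
    # it to Users explicitly; the account is never added to Administrators.
    $userMembers = Get-LocalGroupMember -Group 'Users' | ForEach-Object { $_.Name }
    if ($userMembers -notcontains "$env:COMPUTERNAME\$Name") {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    Get-LocalUser -Name $Name
}

# Audit: list every local account, classify it as Administrator or Limited,
# and flag enabled administrators that look like they have no password.
function Test-AdministratorPasswords {
    $adminNames = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    foreach ($u in Get-LocalUser) {
        $isAdmin = $adminNames -contains $u.Name
        # Two signals: PasswordRequired is the account's "password not required"
        # flag, and PasswordLastSet is empty when no password was ever set.
        # Neither proves a blank password on its own, so the finding says "may".
        $weak = $isAdmin -and $u.Enabled -and
                ((-not $u.PasswordRequired) -or ($null -eq $u.PasswordLastSet))
        [pscustomobject]@{
            Name             = $u.Name
            Enabled          = $u.Enabled
            Kind             = if ($isAdmin) { 'Administrator' } else { 'Limited' }
            PasswordRequired = $u.PasswordRequired
            PasswordLastSet  = $u.PasswordLastSet
            Finding          = if ($weak) { 'Administrator may have no password' } else { '' }
        }
    }
}

# Usage: check where you are, create the post's "Surfer" account, then audit.
Get-CurrentAccountKind
New-LimitedAccount -Name 'Surfer'
Test-AdministratorPasswords | Format-Table -AutoSize
```

The audit deliberately reports rather than fixes: if it flags an administrator account, set a password on it with `Set-LocalUser -Name <account> -Password (Read-Host -AsSecureString)` yourself, which is the same end state the post recommends for every administrator account.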


