Sunday, July 31, 2005

Using a Least-Privileged User Account

Win XP is fully least-privilege capable. There are only two rubs:
  • Microsoft does not support the use of least-privilege on Win XP; you are basically on your own, and
  • Deploying least privilege in Win XP may be more or less convenient, depending on the applications used on each computer.
With respect to the "convenience factor", many applications today are not least-privilege compatible. However, there are three items of good news:
  1. As far as we are aware, of the many applications out there that are NOT least-privilege compatible, none block the use of least privilege. Rather, they just make the use of least privilege protection less convenient for the end users of such applications. For everyone else, it is clear sailing.
  2. The highest-risk activities are surfing the web and opening email, and the applications most commonly used (Internet Explorer and Outlook/Outlook Express) are least-privilege compatible. (Firefox is also least-privilege compatible.) So today, every Win XP user can apply least-privilege protection where it is needed most. (Internet Explorer and Firefox are least-privilege compatible right out of the box, while Outlook might require some setup steps, namely moving the Outlook data files to a new directory -- see the section "Win XP User Files".)
  3. Trying least privilege is risk free and costs nothing. The worst-case scenario is that you go back to using the computer exactly as you are using it now, which for the vast majority of Windows XP users means without least-privilege protection.
The only bad news is that least privilege definitely requires some setup in the Control Panel, and may require moving files from one location to another. If you are not comfortable tackling such tasks on your own, it would be better to pass, or to get help if you really want least-privilege protection for your computer.


