Principle of Least Privilege
The principle of least privilege, simply put, requires that in a computing system every process, user, and program must be able to access only the information and resources that are necessary to its job duty. The principle of least privilege was first introduced in the mid-1970s. The book “Fault Tolerant Operating Systems” by Peter J. Denning is referred to as the original source of the principle of least privilege. The principle of least privilege is also known as the principle of minimal privilege, least privilege, and the principle of least authority.
When properly implemented, the principle of least privilege would limit data loss, viral infection, and adware and malware infestation. Lost data would be prevented because only trusted users would have access to confidential information. Malicious users and malicious applications would have a difficult time gaining access to confidential files. Most viruses, adware and malware require administrative access to install on a system. By running an account with lower privileges, many malicious applications cannot install themselves.
Although it seems like a simple task to limit user access to information and network resources, the principle of least privilege can be very difficult to implement. The difficulty comes when software is developed requiring administrative privileges. Software is sometimes developed this way because developers don’t take the time needed to create roles and user privileges for certain applications. In the short term it is easier to grant administrative access to all users, but in the long term this can expose the system to unwanted viruses, leading to severe network problems. Since this development style is relatively common, the principle of least privilege is difficult to implement and should be used along with other security measures.
On the positive side, as more is learned about the spread of computer viruses and malware, programmers and software companies are taking a step in the right direction to restrict access to system resources. A good example of this is Microsoft’s new operating system, Windows Vista. Vista now runs Internet Explorer 7 in a low privilege mode. This new mode is said to prevent malware from installing itself without warning. Windows Vista has been on the market for less than a month; time will tell how well this new mode will prevent the spread of malware and viruses. Even if this does not work for Internet Explorer 7, more companies need to follow suit and develop software that restricts access to only the resources it needs.
The principle of least privilege can be very difficult to implement and keep. My first job out of college was a System Administrator job for a small printing company. When I started, the company was on an NT4 domain with 30 Windows machines. The operating systems on these machines ranged from Windows 98 all the way through Windows XP. Most workstations on the network ran Windows NT 4.0, not the most secure in 2004. As if legacy operating systems were not enough of a security threat, all users on the network had administrator user account privileges.
Being new at network domain administration, I was not entirely sure where to begin. I began by researching and learning more about my new network and how things ran. Once I had figured out everyone’s job role and the basics of what they did daily, I started to draft a group policy. With the policy I was trying to remove all the administrative accounts from the network except one administrator account.
With the policy in place everything worked smoothly. The users were able to get into their email, use the internet and access accounting information, all the tasks they needed to accomplish. Only two people had access to the new administrator account. I had all 30 employees running as either domain users or power users. Then we acquired a small company and had to add their invoice system to our network. The invoice system was older and poorly programmed; it required all users that needed to access the system to run as local administrators. This caused problems with my group policy. Five employees in the customer service department needed access to this invoicing system. This meant I had to change my groups and increase the privileges of those five employees.
The network was running as normal with these individuals running as local administrators. That is, until one of my users, who was known for downloading screensavers, downloaded something they should not have. This small download caused a lot of damage to this computer. The download included a trojan horse. After discovering this compromised system, I removed it from the network so it could not harm other computers. I then backed up and re-imaged the machine, which took nearly three hours out of my day. Once the machine was back to normal, I scanned the network to make sure no further problems had occurred.
This instance showed me the power of least privilege and proper user training. Had this user been running as a domain user, the program with the trojan horse most likely would not have been installed. It would not have installed because the user would not have had the rights to install software. Had this been the case, I would not have had to spend so much of my day cleaning up something that could have easily been prevented.
Although implementing group policy with least privilege in mind can be very difficult, the benefits are clear. The time should be taken to properly plan out your group policy and limit user privilege and access to only that which is truly needed. Depending on the size of the organization and the complexity of the network, this could take as few as a handful of groups or several hundred groups. Administrators also need to be careful what software and services they install on the network; these products can also run with escalated privileges.
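The kind of review this experience calls for, as an added example that is not part of the original article: a Python script that audits an export of local group membership against a list of approved administrator exceptions, each scoped to the hosts where it is needed. The CSV data, host and account names, and the allowlist structure are all constructed for illustration.

```python
import csv
import io

# Constructed sample: one row per (workstation, account, local group).
MEMBERSHIP_CSV = """host,account,local_group
WS01,alice,Users
WS02,bob,Power Users
CS01,carol,Administrators
CS02,dave,Administrators
WS03,erin,Administrators
WS04,carol,Administrators
SRV01,netadmin,Administrators
"""

# Hypothetical policy: who may be a local administrator, on which hosts, and why.
# "*" means any host. Recording the reason lets each exception be retired later.
ADMIN_ALLOWLIST = {
    "netadmin": {"hosts": {"*"}, "reason": "designated administrator account"},
    "carol": {"hosts": {"CS01"}, "reason": "legacy invoice system"},
    "dave": {"hosts": {"CS02"}, "reason": "legacy invoice system"},
}

def audit(csv_text, allowlist):
    """Return (host, account, problem) for every unjustified admin membership."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["local_group"].strip().lower() != "administrators":
            continue
        host = row["host"].strip()
        account = row["account"].strip().lower()
        entry = allowlist.get(account)
        if entry is None:
            findings.append((host, account, "no approved exception"))
        elif "*" not in entry["hosts"] and host not in entry["hosts"]:
            # An exception granted for one machine must not spread to others.
            findings.append((host, account, "exception not valid on this host"))
    return findings

def exceptions_by_reason(allowlist):
    """Group standing exceptions by reason so each can be reviewed as a unit."""
    grouped = {}
    for account, entry in sorted(allowlist.items()):
        grouped.setdefault(entry["reason"], []).append(account)
    return grouped

if __name__ == "__main__":
    for finding in audit(MEMBERSHIP_CSV, ADMIN_ALLOWLIST):
        print("%s: %s is a local administrator (%s)" % finding)
```
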
The principle of least privilege is not the end-all solution when it comes to information security. Even with properly implemented group policy using least privilege, a network can be compromised. Least privilege should be used in combination with other security methods. Client anti-virus and firewalls along with least privilege can eliminate a significant number of attacks on client computers. As with any security product or principle, you need to layer your security to create a defense in depth approach to information security.