Patrick Talmadge

The Principle of Least privilege simply put requires that in a computing system every process, user, and program must be able to access only information and resources that are necessary to its job duty. The principle of least privilege was first introduced in the mid 1970’s. The book “Fault Tolerant Operating Systems” by Peter J. Denning is referred to as the original source of the principle of least privilege. The principle of least privilege is also known as: principle of minimal privilege, least privilege, and principle of least authority.

When properly implemented the principle of least privilege would limit data loss, viral infection, ad-ware and mal-ware infestation. Lost data would be prevented because only trusted users would have access to confidential information. Malicious users and malicious applications would have a difficult time gaining access to confidential files. Most virus, ad-ware and mal-ware require administrative access to install on a system. By running an account with lower privileges many malicious applications cannot install themselves.

Although it is seems like a simple task to limit user access to information and network resources, the principle of least privilege can be very difficult to implement. The difficulty comes when software is developed requiring administrative privileges. Software is sometimes developed this way because developers don’t take the time needed to create roles and user privileges for certain applications. In the short term it is easier to grant administrative access to all users but long term this can expose the system to unwanted viruses leading to severe network problems. Since this development style is relatively common, the principle of least privilege is difficult to implement and should be used along with other security measures.

On the positive side, as more is learned about the spread of computer viruses and mal-ware, programmers and software companies are taking a step in the right direction to restrict access to system resources. A good example of this is Microsoft’s new operating system Windows Vista. Vista now runs Internet Explorer 7 in a low privilege mode. This new mode is said to prevent mal-ware from installing itself without warning. Windows Vista has been on market for less than a month, time will tell how well this new mode will prevent the spread of mal-ware and viruses. Even if this does not work for Internet Explorer 7 more companies need to follow suit and develop software that restricts the access to only needed resources.

The principle of least privilege can be very difficult to implement and keep my first job out of college was a System Administrator job for a small printing company. When I started the company was on an NT4 domain with 30 Windows machines. The operating systems on these machines ranged from Windows 98 all the way through Windows XP. Most workstation on the network run Windows NT 4.0, not the some secure in 2004. As if legacy operating systems were not enough of a security threat all users on the network had administrator user account privileges.

Being new at network domain administration I was not entirely sure where to begin. I begin by researching and learning more about my new network and how things ran. Once I had figured out everyone’s job role and the basics of what they did daily I started to draft a group policy. The policy I was trying to remove all the administrative accounts from the network expect one administrator account.

With the policy in place everything worked smoothly. The users were able to get into their email, use the internet and access accounting information all the tasks they needed to accomplish. Only two people had access to the new administrator account. I had all 30 employees running at either domain users or power users. Then we acquired a small company and had to add their invoice system to our network. The invoice system was older and poorly programmed it required all users that needed to access the system to run as local administrators. This caused problems with my group policy. Five employees in the customer service department needed to access to this invoicing system. This meant I had to change my groups and increase the privileges of those five employees.The network was running as normal with these individuals running as local administrators. That is until one of my users, who was known for downloading screensavers, download something they should not have. This small download caused a lot of damage to this computer. The download included a trojan horse. After discovering this compromised system I remove it from the network so it could not harm other computers. I then backing up and re-imaging the machine which took nearly three hours out of my day. Once the machine was back to normal I scanned the network to make sure no further problems had occurred.

This instance showed me the power of least privilege and proper user training. Had this user been running as a domain user the program with the trojan horse most likely would not have been installed. It would not have installed because the user would not have had the rights to install software. Had this been the case I would not have had to spend so much of my day cleaning up something that could have easily been prevented.Although implementing group policy with least privilege in mind can be very difficult the benefit are clear. The time should be taken to properly plan out your group policy and limit user privilege and access to only that which is truly needed. Depending on the size of the organization and the complexity of the network this could take as few as a handful of groups or several hundred groups. Administrators also need to be careful what software and services they install on the network these products can also run with escalated privileges.

The principle of least privilege is not the end all solution when it comes to information security. Even with properly implemented group policy using least privilege a network can be comprised. Least privilege should be used in combination with other security methods. Client anti-virus and firewalls along with least privilege can eliminate a significant number of attacks to client computers. Like any security product or principle you need to layer your security to create a defense in depth approach to information security.

Computers, Security

These two comics are a very good example of how people do not pick very good passwords.

Thank you Dilbert.com

Computers, Security

I stummbled on this article from Peter Gutmann explaining the copy protection built into Windows Vista. The article states that Vista will down grade video and audio reproduction on protected media if Vista can not protect the media.

Vista also has built in tilt bits to help protect from hacked hardware. Vista checks its hardware regularly against these tilt bits to see if it is still valid. It sounds like Microsoft is a little paranoid about getting sued or being hacked. I am not sure any of this extra code will make Vista more secure from hackers and malware. In fact it might make it easier for hackers to mess with your system. Vista’s tilt bits might have opened a door for hackers to change a hardware configuration on your system which would cause Vista to do a “Reboot” in order to restore correct functionality.

Check out Peter Gutmann’s full article here.

Computers, General

It has finally been released the Apple iPhone will be out in June for Cingular. The phone looks very cool and looks like it has a great user interface. I will have to play with one before I plop down my $599. I like several of the features in the iPhone: multi touch screen, random access voice mail, full iPod, and the new internet browser.

I do have mixed feelings with Apple saying that they invented the multi touch display because several months ago I saw the video of Jeff Han at TED. Jeff Han is a research scientist for NYU’s Media Research Lab, and the inventor of an “interface-free” touch-driven computer screen. I hope that Jeff Han and NYU made a lot of money off Apple since they are saying they invented this technology.

Here is the video of Jeff Han demoing this UI at TED.

Here is the video of the iPhone.

You make your own judgments about this multi touch technology. Is Apple stealing this technology like it did with its Original Macintosh OS. I guess this is how the technology industry works everyone reverse engineers other products.

Computers, General

Bush Proposes Faith-BasedFirewalls for Government Computers

By Brian Briggs

Washington D.C.—President Bush announced that by 2008 all government computers should be protected from outside attacks by the faith-based firewall called Protection From Above (PFA) from Houston-based software developer Christisoft.

“For too long we have turned to proven software companies with expertise in computer security for protection, now our computers will be protected by the power of prayer at a much lower cost to taxpayers,” said Bush.

Estimates show the US government spent $1.2 billion dollars to secure their computer systems at various agencies, which many Republicans think is an indulgence the government can’t afford.

“With the faith-based firewall and other faith-based security software from Christisoft we could save billions over the next ten years. That’s money that can be returned to the most generous of taxpayers,” said the President.

Bush also cited doubts about the efficacy “of science-based computer security” though he didn’t use that word exactly.

The software requires no installation or maintenance fees, but only a onetime registration fee for unlimited computers.

Joel Osgood, founder of Christisoft, said, “With the one time registration fee, a company’s entire network of computers joins our network of computer security prayer specialists. The power of prayer can heal the soul and can also protect you from nasty denial of service attacks and viruses.”

Specialists in IT departments at various government agencies said they weren’t contacted by the White House for any feedback on the system and they believe the President’s decision would be “disastrous” for computer security.

Osgood refuted critics who said prayer can’t protect from cyberattacks by saying, “Computers are extremely complicated devices that mere humans couldn’t dream of understanding. It takes the power of God to do that.”

Any security breaches in the PFA software are countered by a double-prayer guarantee.

Osgood said Christisoft’s customer list includes a Fortune 500 company currently being delisted from the New York Stock Exchange.

Computers, Security

Socket 775
Process 65nm
Clock Speed 2.66Ghz
Front Side Bus 1066Mhz
L1 Cache 64KB + 64KB
L2 Cache 2 X 4MB

I don’t know about you but I can’t wait. I will not drop the $1,100 on the chip but when it gets down around the $600 range. I will really start thinking about it. I just can’t believe the times we are in. I remember my old 486 thinking that was the greatest thing. Now we have 4 very fast processors on one chip. Just Amazing…

Computers