Least Privilege Security for Windows 7, Vista and XP

By : Russell Smith
Overview of this book

Least Privilege Security is the practice of assigning users and programs the minimum permissions required to complete a given task. Implementing this principle in different versions of Microsoft Windows requires careful planning and a good understanding of Windows security. While there are benefits in implementing Least Privilege Security on the desktop, there are many technical challenges that you will face when restricting privileges.

This book contains detailed step-by-step instructions for implementing Least Privilege Security on the desktop for different versions of Windows and related management technologies. It will provide you with quick solutions for common technical challenges, Microsoft best practice advice, and techniques for managing Least Privilege on the desktop, along with details on the impact of Least Privilege Security.

The book begins by showing you how to apply Least Privilege Security to different categories of users. You will then prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings. You will identify problems with applications caused by Least Privilege Security using the Application Compatibility Toolkit. This book will help you configure User Account Control on multiple computers using Group Policy and support Least Privilege user accounts using reliable remote access. Then, you will modify legacy applications for Least Privilege Security, achieving the best balance between compatibility and security by using Application Compatibility shims. You will install per-machine ActiveX Controls using the ActiveX Installer Service (AxIS). The book will help you implement best practices for working with ActiveX Controls in a managed environment. Finally, you will deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run, and blacklist applications using SRP or AppLocker.

Chapter 1. An Overview of Least Privilege Security in Microsoft Windows

If you've ever been responsible for implementing IT system security in an organization, whether for servers or any other networked devices, you'll know what a tough job it can be. While upper management expects the IT department to keep the company's data safe from hackers and unauthorized access, users and middle management often have other ideas about what constitutes good security, preferring to circumvent security policy or have themselves exempted, without a valid business reason. Sometimes complaints about security are justified, due to poor design or execution.

Security is often bolted on to projects as an afterthought, rather than being an integral part of a design from the outset. Poorly implemented security makes you, the IT guy, unpopular. So, where security isn't an absolute necessity, it's regularly omitted for the sake of an easy life. To make matters worse, many IT professionals have a limited understanding of security, not knowing their ACLs (Access Control Lists) from their integrity levels, making it difficult for uninitiated staff to support a properly secured environment.

To minimize problems, personal firewalls are often disabled and users' rights are elevated. While such actions may be acceptable as part of the troubleshooting process, such configuration changes frequently remain permanent. If effectively managing security on servers and network devices causes enough problems with uncooperative coworkers who demand unrestricted access 24/7, then security on the desktop is not only likely to start a mutiny (if not well implemented), but it also comes with a unique set of technical challenges that are difficult to surmount, even for seasoned system administrators.

Least Privilege Security may sound like a complicated principle that only those with a degree in computer science can comprehend. But the reality is that anyone who has configured a basic firewall or router is likely to have encountered this most basic security principle, consciously or not, and that it has a natural place in desktop computing, just as in any other IT sphere.

In this chapter we will cover the following topics:

  • Exploring the principle of Least Privilege Security, and how it is implemented in different versions of Microsoft Windows.

  • Understanding how system privileges are used to control the aspects of an operating system's configuration that users can change.

  • Looking at the benefits of implementing Least Privilege Security on the desktop.

  • Examining how to overcome the most common technical and political problems and challenges while implementing Least Privilege Security.

What is privilege?

Each user who logs in to an NT-based version of Microsoft Windows does so with a set of system privileges. Privileges differ from permissions in that they give users the ability to perform an action, whereas permissions grant access to an object such as a file or registry key. Many privileges control access to various system functions, ranging from the ability to change the system time to restoring files and directories. Rather than assigning privileges to each user account individually, Windows provides a set of built-in groups with pre-assigned privileges. Users are then added to groups, in a form of role-based access control, as the following table describing the built-in groups in Windows 7 illustrates:

Group: Description

Administrators: Administrators have almost complete and unrestricted access to the computer domain.

Guests: Guests have the same access as members of the Users group by default, except that the Guest account is further restricted.

Network Configuration Operators: Members of this group have some administrative privileges to manage the configuration of networking features.

Power Users: Power Users is included for backwards compatibility, but has been deprecated and has no administrative privileges.

Remote Desktop Users: Members of this group are granted the right to log on remotely.

Users: Users are prevented from making accidental or intentional system-wide changes and can run most applications.

The two most frequently used built-in groups are Users and Administrators. If your user account is assigned to the Administrators group, you have a high level of privilege on the system and can perform almost any task that isn't specially protected by the operating system.

Note

While members of the Administrators group in Windows aren't completely unrestricted, it is possible for them to override operating system protections and make any desired changes.

In contrast, if your user account is assigned to the Users group, you can run installed programs and change settings that won't affect system stability, but you can't install software to the restricted Program Files directory, or modify protected areas of the registry or the Windows directory. The Power Users group was often used in Windows NT, 2000, and XP, but was essentially an administrator with slightly fewer privileges. Microsoft decided to deprecate this group in Windows Vista, preferring that system administrators assign users to either the Users or the Administrators group, as it was easy for power users to escalate to administrative privilege. You should, however, note that the Power Users group still exists in Vista and Windows 7 for compatibility reasons, but isn't assigned any privileges.
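As an added example (not from the book), the following PowerShell script makes the privilege/permission distinction and the group table above concrete: it lists the privileges held by the current account's token, shows the permissions the Users group holds on Program Files, and reports who is in the Administrators and Power Users groups. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Windows 10 and later; on Windows 7 substitute `net localgroup`) and an English-locale whoami; the list of high-impact privileges is this example's selection.

```powershell
# Added example, not from the book: audit the current account against Least Privilege.
# Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts and English whoami output.

# 1. Privileges: what the token lets this account DO, independent of any object.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Account: $($identity.Name)   Running with an elevated administrator token: $isAdmin"

# whoami /priv prints a table of privilege name, description and state; turn each row into an object.
$privs = whoami /priv | ForEach-Object {
    if ($_ -match '^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$') {
        [pscustomobject]@{ Privilege = $Matches[1]; Description = $Matches[2]; State = $Matches[3] }
    }
}
$privs | Format-Table -AutoSize

# Privileges that let a token act regardless of object permissions (selection is this example's).
# A standard user, or an administrator's UAC-filtered token, should not hold these.
$highImpact = 'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
              'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
$held = $privs | Where-Object { $highImpact -contains $_.Privilege }
if ($held) {
    Write-Warning "Token holds high-impact privileges: $($held.Privilege -join ', ')"
} else {
    Write-Host 'No high-impact privileges on this token.'
}

# 2. Permissions: what the ACL on an OBJECT allows. Users cannot write to Program Files because
#    the directory's ACL grants them only read and execute, not because of a missing privilege.
$acl = Get-Acl -Path $env:ProgramFiles
$acl.Access | Where-Object { $_.IdentityReference -like '*\Users' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Group membership: who holds administrative privilege on this machine through built-in groups.
#    Power Users should normally be empty, since the group carries no privileges on Vista and later.
foreach ($group in 'Administrators', 'Power Users') {
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
    Write-Host "`n$group ($($members.Count) members):"
    $members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}
```

Run it once as a standard user and once from an elevated prompt to see the same account presented with two different privilege sets, which is the behaviour UAC relies on.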

Note

The built-in administrator account is disabled out of the box in Vista and Windows 7, and UAC prompts are not triggered for this account by default. This behavior can be changed in Group Policy.