Book Image

Least Privilege Security for Windows 7, Vista and XP

By : Russell Smith
Book Image

Least Privilege Security for Windows 7, Vista and XP

By: Russell Smith

Overview of this book

Least Privilege Security is the practice of assigning users and programs the minimum permissions required to complete a given task. Implementing this principle in different versions of Microsoft Windows requires careful planning and a good understanding of Windows security. While there are benefits in implementing Least Privilege Security on the desktop, there are many technical challenges that you will face when restricting privileges.This book contains detailed step-by-step instructions for implementing Least Privilege Security on the desktop for different versions of Windows and related management technologies. It will provide you with quick solutions for common technical challenges, Microsoft best practice advice, and techniques for managing Least Privilege on the desktop along with details on the impact of Least Privilege Security.The book begins by showing you how to apply Least Privilege Security to different categories of users. You will then prepare a desktop image with Least Privilege Security enabled from the start and deploy the new image while preserving users' files and settings. You will identify problems with applications caused by Least Privilege Security using the Application Compatibility Toolkit. This book will help you configure User Account Control on multiple computers using Group Policy and support Least Privilege user accounts using reliable remote access. Then, you will modify legacy applications for Least Privilege Security, achieving the best balance between compatibility and security by using Application Compatibility shims. You will install per-machine ActiveX Controls using the ActiveX Installer Service (AxIS). The book will help you implement best practices for working with ActiveX Controls in a managed environment. Finally, you will deploy default Software Restriction Policy (SRP) or AppLocker rules to ensure only programs installed in protected locations can run and blacklist applications using SRP or AppLocker.
Table of Contents (19 chapters)
Least Privilege Security for Windows 7, Vista and XP
Credits
About the Author
About the Reviewers
Preface
12
Provisioning Applications on Secure Desktops with Remote Desktop Services

Least Privilege and your organization's bottom line


While my own experience shows that in most cases implementing Least Privilege Security on the desktop is more than worth the effort, I'm not expecting you to take my word for it that least privilege is going to make a big difference to your organization's bottom line. Fortunately, there is independent evidence pointing to the fact that Least Privilege Security does make a difference.

Determining the affect of Least Privilege Security on productivity

Measuring the productivity of an information worker is much harder than for a traditional blue-collar worker. System performance and reliability plays only a small part in what constitutes user productivity, with usability, familiarity, and transactional efficiency also playing a role. While there is plenty of anecdotal evidence supporting the benefits of Least Privilege Security, getting hard figures is difficult. The best way to persuade management to adopt a desktop least privilege project in your organization is to conduct your own trials with a small but varied group of users, and compare variables such as the quantity of help desk tickets raised, user satisfaction, and productivity comparisons before and after least privilege is trialed. Running these tests will also give you some insight into the technical problems that will be specific to your organization. You should also set an example and run as a standard user, elevating to an administrative account only when necessary, to demonstrate to the users and management that least privilege is a feasible solution for everyone.

Reducing total cost of ownership

Without least privilege on the desktop, it's impossible to truly reap the benefits of a centrally managed infrastructure. Research by IDC covering 141 enterprises with 1,000 to 20,000 users shows that central management can save up to $190 per PC a year. Small businesses without a managed infrastructure benefit from improvements in Vista and User Account Control. While not all of Vista's security features can be emulated in XP, larger organizations can configure XP to run accounts as a standard user, and reap the benefits of Least Privilege Security.

Improved security

A study carried out by eWEEK before the release of Windows Vista showed that organizations that deployed least privilege for users on Windows 2000 and XP experienced a significant decrease in the number of successful security exploits. Vista was developed using the Secure Development Lifecycle (SDL) and with new features, such as UAC and service hardening, it is more secure than Windows XP. Microsoft's Security Intelligence Report for July to December 2008 (SiRv6) shows that malware infected Vista SP1 roughly 60 percent less than XP SP3. Changes in Vista make it more difficult to compromise the operating system and Internet Explorer. SiRv6 shows that Microsoft software was targeted 35 percent less in Vista than XP. This isn't without its downside, as attention has moved to exploiting third-party software. Research by BeyondTrust, a company that produces software to help enterprises eliminate administrative privileges, shows that running as a standard user mitigates 92 percent of known security vulnerabilities on Windows systems.