The Principle of Least Privilege

Summary

CIT follows the best practice of securing campus systems by setting all daily use accounts to run with least privileges. The key is to use the elevated administrative privileges only when you need to install software or perform other tasks that require that level. This standard business practice helps to minimize the risk of damaging a system’s configuration or infecting the machine with malicious software like a virus or trojan horse.

Purpose

The Principle of Least Privilege means that the user logs on with an account that has the minimum privileges for everyday or routine activities, such as running web browsers or Microsoft Office or email programs.

The term “privilege” refers to the grouping of security settings that define the permissions a user has to complete specific tasks, either on their computer or on a network. Basically, administrative privileges allow you to change settings on the computer while also providing unrestricted access to create, delete and modify files or folders. They also allow you to make system-wide changes like creating or deleting accounts, altering security settings or amending someone’s account details, such as changing a password. The honest truth is that you don’t need administrator rights for simple day-to-day tasks like emailing, creating or editing documents or browsing the Internet.

The problem with the term “administrator” is that it implies a certain level of power, so that removing administrative rights seems to suggest a lack of trust. However, when looked at in the context of computers, the concept of Administrator should not be thought of in these terms. Instead, think of it as minimizing your exposure to viruses, spyware and all manner of electronic nasties on the Internet.

If you look at the current majority of threats to computers, they are from user interaction with the Web through tools like browsers and email clients. If you are logged on with administrative privileges, malicious software could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, etc. Some malware works only because the user browsing the Web is an administrator. When logged on with administrative privileges, the built-in protection against modifications is circumvented. Furthermore, a review of all vulnerabilities documented in last year's Microsoft Security Bulletins shows that removing admin rights can mitigate the effects of 92 percent of critical Microsoft vulnerabilities.

Policy

All campus computer users should avoid logging on for everyday use with an account that has administrative rights.

Ideally, the computer administrator account should only be used to:

  • Install, upgrade, repair, back up or restore the operating system and components
  • Install service packs (SPs) or programs that require administrative privileges
  • Configure critical operating system parameters
  • Take ownership of files that have become inaccessible
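The following PowerShell script is an added example, not part of the CIT policy page: it checks whether the current session is running elevated and lists any member of the local Administrators group that is not on an approved list, which is the check a support technician would run to confirm a daily-use account has been set up with least privilege. It assumes a Windows 10/11 or Windows Server machine with the Microsoft.PowerShell.LocalAccounts module, and the entries in $ApprovedAdmins are placeholders you would replace with your own.

```powershell
# Added example (not from the CIT policy page). Assumes Windows 10/11 or Server
# with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).

# Placeholder allow-list: accounts that are permitted to hold local admin rights.
# Local names appear as COMPUTERNAME\Name, domain names as DOMAIN\Name.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: built-in account
    'EXAMPLE\DesktopSupport'             # placeholder: support group that does installs
)

function Test-RunningElevated {
    # True when the current token carries the Administrators role, i.e. this
    # session is not a least-privilege session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    # Enumerate the local Administrators group (readable from a standard-user
    # session) and return every member that is not on the approved list. A
    # daily-use account showing up here violates the policy above.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

if (Test-RunningElevated) {
    Write-Warning 'This session is elevated; use it only for installs and system changes.'
} else {
    Write-Output 'This session is running with least privilege.'
}

$violations = Get-UnapprovedLocalAdmins -Approved $ApprovedAdmins
if ($violations) {
    Write-Output 'Administrators group members that are not on the approved list:'
    $violations | Format-Table -AutoSize
} else {
    Write-Output 'No unapproved members in the local Administrators group.'
}
```

Run it from the daily-use account; the first line should report least privilege, and any account listed in the table is a candidate for having its admin rights removed.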