Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


September 06, 2007

Solutions for the Least-Privilege Dilemma


A Web Exclusive from Windows IT Pro
Renee Munshi
Pro VIP Perspective
InstantDoc #96995
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join | See More Products / Software Articles Here | Reprints
Or sign up for our VIP Monthly Pass!

What's your approach to making sure that your users and administrators are working with only the minimum of privileges they need to perform their tasks? I've read and heard about many solutions, but most seem fairly cumbersome and rely on users and administrators to remember and take the trouble to use them. The first three Security Pro VIP articles listed below present techniques that you can try to limit users' and administrators' privileges the majority of the time, yet give them increased access when they need it.

Microsoft has tried to address the least-privilege problem, most recently with Windows Vista's User Account Control (UAC) feature, but this solution is far from perfect. Standard users are prohibited from performing tasks that they sometimes need to do, such as installing applications and ActiveX controls, unless they can provide the administrator account name and password. Whether you have the UAC prompts turned on or off, unless your users are already accustomed to strict software-installation limitations, you're likely to receive increased Help desk calls from new Vista users encountering the new prohibitions. The last two articles below cover Vista UAC.

If none of these solutions seems adequate for your situation, perhaps a third-party product will do the trick. BeyondTrust recently released Privilege Manager 3.5, which aims to enforce least privileges for recent Windows versions. The Privilege Manager administrator uses Group Policy to set security policies for users and groups, deciding who can install which applications and perform what tasks. Then, for Windows Server 2003, Windows XP, and Windows 2000 users, and for Vista users in environments in which UAC is either off or on but set to not prompt, Privilege Manager elevates the privileges of approved applications and runs them in the user's security context or denies unapproved applications. For Vista with UAC set to prompt, Privilege Manager acts the same way as for earlier Windows versions for approved applications, but for unapproved applications, users see the UAC prompt and either supply admin credentials and obtain admin privileges or, if they can't supply the credentials, are prevented from installing the application.

Scott McCarley, director of marketing for BeyondTrust, told me, "We're the only way to provide administrators with a way to configure an environment where the end users can run applications without administrator privileges or administrator passwords. .... Microsoft is stating that the most secure way to run Vista is with UAC on and using BeyondTrust Privilege Manager to elevate the application. They suggest running UAC in no prompt mode to get the benefits of Internet Explorer Protected mode, but then you use Privilege Manager to elevate the specified applications. The user will never see any prompting, and the administrator will have full control over what privileges applications run with."

Pricing for Privilege Manager 3.5 starts at $30 per seat. For more information about the software, go to the BeyondTrust Web site.

For government departments or businesses that need to demonstrate that they're enforcing a least-privilege policy, Privilege Manager could be an answer. Businesses with less stringent requirements might find some new ideas and help for implementing them in the articles below. What solution do you use to enforce least privileges? Go to the Security Pro VIP forum and share what works for your company.

Security Pro VIP Least-Privilege Articles

Learn to Be Least (October 2005)
Solutions such as Fast User Switching and RunAs can help you honor least privilege.

Use Guest Accounts to Fight Malware (December 2005)
Run vulnerable apps such as email and browsers under limited-permission accounts.

Core Concepts: Get the Most from Least Privilege (September 2005)
Determine which privileges various roles require, create groups to manage those roles, then apply the concept to groups, services, and administrators.

Windows Vista's Take on Least Privilege (October 2006)
A look at Vista's UAC.

Fighting Malicious Software with Windows Vista (January 11, 2007)
A brief description of the UAC property User Interface Privilege Isolation (UIPI) and the fact that the built-in Administrator account is hidden and disabled by default in Vista.

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

Q. How can I use the command line to obtain a list of all the applications installed on my computer?

...

Windows SBS, EBS 2008 Hit RC1, Home Server PP1 Ships

Find out how to download the RC1 versions of Windows SBS 2008 and EBS 2008, and discover what's new in the PP1 update to Windows Home Server. ...
Security Whitepapers Anti-Virus Is Dead: The Advent of the Graylist Approach to Computer Protection

Getting the Job Done: Comparing Approaches for Desktop Software Lockdown

Instant Messaging, VoIP, P2P, and games in the workplace: How to take back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.


ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Shortcut Guide to SQL Server Infrastructure Optimization
With right tools and techniques, you can have a top-performing SQL Server infrastructure without having to cram your data centers so that they're overflowing. Download this eBook to learn how.

WinConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

Become a fan of Windows IT Pro on Facebook!
Join us on Facebook and be a fan of Windows IT Pro!

Continuous Data Protection and Recovery for Exchange
Read this white paper to learn about Continuous Data Protection (CDP), Exchange 2007's local continuous replication and cluster continuous replication features.

Rev Up Your IT Know-How with Our Recharged Magazine!
The improved Windows IT Pro provides trusted IT content with an enhanced new look and functionality! Get comprehensive coverage of industry topics, expert advice, and real-world solutions—PLUS access to over 10,000 articles online. Order today!

Tips to Managing Messaging
Discover three fundamental mail and messaging management services - security, availability and control services - and how you can implement them in a Microsoft-centric mail and messaging environment.

Get It All with Windows IT Pro VIP
Stock your IT toolbox with every solution ever printed in Windows IT Pro and SQL Server Magazine plus bonus Web-exclusive content on hot topics. Subscribe to receive the VIP CD and a subscription to your choice of Windows IT Pro or SQL Server Magazine!



Solving PST Management Problems
In this white paper, read about the top PST issues and how to administer local/network PST files.

Bandwidth Monitoring Tool from SolarWinds
Identify largest bandwidth users in seconds. Get the free download now.

Transform Your Data Center at Brocade Conference 2008
Storage networking industry’s premier event at the MGM Grand, Las Vegas, September 22 - 24, 2008

Are You Litigation Ready?
Collecting and processing electronic data for e-discovery can be time-consuming and expose a business to significant legal risks. Get prepared with this free white paper

Order Your Fundamentals CD Today!
Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.

KVM over IP Solutions
Learn about a KVM over IP solution that is specifically designed to meet the needs of the distributed IT environment.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound
IT Library Technical Resources Directory Connected Home Windows Excavator SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing