Udostępnij za pośrednictwem


Using a Least-Privileged User Account

by Jenni Merrifield
User Experience Program Manager
Windows Security Access Control Team

On This Page

Introduction
The Security Principle of Least Privilege
Issues When Running with LUA
Secure Your Systems with LUA
Moving Forward

Introduction

Anyone who has been a victim of viruses, worms, and other malicious software (malware) will appreciate the security principle of “least privilege.” If all processes ran with the smallest set of privileges needed to perform the user's tasks, it would be more difficult for malicious and annoying software to infect a machine and propagate to other machines. Today, due to awkward complications that arise when it is employed, least privilege is not in active use on most Microsoft Windows–based systems. However, with the release of the next Windows operating system, codenamed “Longhorn,” almost every user will be able to make regular, daily use of this important security principle.

The Security Principle of Least Privilege

If low-privileged processes are compromised, they will do a lot less damage to a system than high-privileged processes are capable of doing. Consequently, using a non-administrator account instead of an administrator account while completing daily tasks offers the user added protection against infection from a host of malware, external or internal security attacks, accidental or intentional modifications to system setup and configurations, and accidental or intentional access to confidential programs or documents.

Given the obvious security benefits, there is a huge desire, both in home and corporate environments, to run Windows using non-administrator accounts. Unfortunately, almost all Windows users today continue to use an administrator account for their daily tasks. A host of nefarious users and applications rely on being able to use the victim's administrator privileges for such dirty work as destroying or stealing data, reconfiguring another application, or installing a key logger that sends each of the unsuspecting user's keystrokes off to some unknown location on the other side of the Internet.

Issues When Running with LUA

Why, you might ask, do so many users run with an administrator account if running with a least-privileged user account (LUA) is such a well-understood and highly desirable state of affairs?

One reason for so many Windows users running with an administrator account is that "Administrator" is the default type for new accounts on Windows XP, Windows 2000, and Windows Server 2003. Unfortunately, this is only the tip of the iceberg—many applications and even some common Windows-based tasks also expect users to have administrator privileges. As a result, these applications and tasks will fail to operate correctly when launched by a LUA user.

However, the LUA iceberg is drifting into warmer climes as developers spend time and effort to make the LUA experience vastly better for LUA users in the “Longhorn” release of Windows. The goal of these LUA improvements is to mitigate the risks caused when everyone runs as administrator. Almost everyone will be able to run as LUA and still complete their regular daily work, all without encountering undue hardship, necessitating special workarounds, or requiring patches for most applications built for earlier versions of the operating system.

Secure Your Systems with LUA

In the meantime, however, we encourage you to secure your own systems by setting all daily-use user accounts to run with least privileges. Setting up an account to use least privileges is not difficult, nor does it take long to become familiar with the few workarounds required to keep things up and running smoothly.

In the rare situation where you absolutely must run as an administrator on a machine that you use for e-mail and Web browsing, I also recommend Michael Howard's article on MSDN, "Browsing the Web and Reading E-mail Safely as an Administrator." Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.

Moving Forward

This article briefly discussed the security principle of least privilege and the benefits of using LUA for daily tasks, followed by a short list of reasons why most Windows users continue to use administrator accounts anyway. It wrapped up with a call to readers to take the plunge and add an extra layer of security to their existing systems by using LUA for daily tasks.

Future articles about LUA will focus on the experience in the “Longhorn” release of Windows and beyond. They will touch on topics like the following:

  • Improvements to the LUA experience.

  • How these improvements function.

  • Future plans for the LUA experience beyond the “Longhorn” release of Windows.