Dealing with the Least Privilege Security Principle
June 25, 2006
Q. One of the main security themes of Windows Vista, the next version of the Windows client OS, is better least privilege support. Least privilege is a fundamental security principle that states that you should give a user or process only the permissions it needs to do the job, nothing less and certainly nothing more. I know about the RunAs utility and the Fast User Switching (FUS) that can help with better honoring least privilege on Windows XP. Are there any other tools I can use with XP to better comply with this important security principle?
A: Michael Howard created a program called DropMyRights that you can use to launch a new process in the context of a non-administrator account with reduced privileges. It takes the user’s current security token, removes various privileges and SIDs from the token, then uses the token to start a new process. This tool is meant for scenarios in which the user must be logged on with a highly privileged account (for example as an administrator on a server) and needs to run an application that's potentially dangerous (e.g., Microsoft Internet Explorer--IE). In this scenario, to run IE in the context of a non-administrator account, you would type the following dropmyrights command at the command line:
DropMyRights iexplore.exe
DropMyRights supports three different non-administrator accounts: Normal user (which is the default), Constrained user, and Untrusted user. You specify which account you want to use by appending an N, C, or U to the DropMyRights command. The privileges DropMyRights gives to the Normal, Constrained, and Untrusted user accounts are described in detail at http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp. You can also download the DropMyRights executable from the same URL.
Another useful tool is the Privilege Bar, which Figure 1 shows. The Privilege Bar is a Windows Explorer and IE add-on toolbar that was developed by Aaron Margosis, a well-known Windows least privilege guru. It shows the privilege level of the current Windows or IE window. The circle on the Privilege Bar will be red if you're a member of the Administrators group, yellow if you're a Power User, and green otherwise. If you click the circle, the Privilege Bar will pop up a window that displays detailed group and privilege information of your current logon account (this information shows basically the content of your Windows access token).
Even though this tool doesn’t offer functionality to switch to the security context of a least privilege account, it's a great awareness tool that underlines the dangers of using highly-privileged accounts to surf the Web and browse local and network resources. You can download the Privilege Bar code from http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx.
About the Author
You May Also Like