Chapter 1. An Overview of Least Privilege Security in Microsoft Windows

If you've ever been responsible for implementing IT system security in an organization, whether for servers or any other networked devices, you'll know what a tough job it can be. While upper management expects the IT department to keep the company's data safe from hackers and unauthorized access, users and middle management often have other ideas about what constitutes good security, preferring to circumvent security policy or have themselves exempted, without a valid business reason. Sometimes complaints about security are justified, due to poor design or execution.

Security is often bolted on to projects as an afterthought, rather than being an integral part of a design from the outset. Poorly implemented security makes you, the IT guy, unpopular. So, where security isn't an absolute necessity, it's regularly omitted for the sake of an easy life. To make matters worse, many IT professionals have a limited understanding of security, not knowing their ACLs (Access Control Lists) from their integrity levels, making it difficult for uninitiated staff to support a properly secured environment.

To minimize problems, personal firewalls are often disabled and users' rights are elevated. While such actions may be acceptable as part of the troubleshooting process, such configuration changes frequently remain permanent. If effectively managing security on servers and network devices causes enough problems with uncooperative coworkers who demand unrestricted access 24/7, then security on the desktop is not only likely to start a mutiny (if not well implemented), but it also comes with a unique set of technical challenges that are difficult to surmount, even for seasoned system administrators.

Least Privilege Security may sound like a complicated principle that only those with a degree in computer science can comprehend. But the reality is that anyone who has configured a basic firewall or router is likely to have encountered this most basic security principle, consciously or not, and that it has a natural place in desktop computing, just as in any other IT sphere.

In this chapter we will cover the following topics:

• Exploring the principle of Least Privilege Security, and how it is implemented in different versions of Microsoft Windows.
• Understanding how system privileges are used to control the aspects of an operating system's configuration that users can change.
• Looking at the benefits of implementing Least Privilege Security on the desktop.
• Examining how to overcome the most common technical and political problems and challenges while implementing Least Privilege Security.