"Least privilege" is the No. 1 IT security mantra. It means, "Don't grant users permissions or privileges beyond the bare minimum they need to perform their assigned duties." Unfortunately, adhering to this mantra has always been easier said than done. Both Microsoft and third-party software vendors have attempted to ease the task, with some (but not complete) success.
For two decades in the Windows world, application developers were accustomed to users always being logged on as full-time administrators. Removing regular users from the built-in Administrators group proves to be among the most difficult tasks a security administrator can perform. Well, it's easy to do -- just remove the user from the Administrators group -- but the operational fallout has often forced well-meaning administrators to reverse course or to delay least-privilege implementations.
Microsoft upped the ante starting with Vista by implementing a least-privilege default process called User Account Control (UAC). When UAC is enabled and a user who belongs to one of 17 predefined elevated groups (such as Administrators, Domain Admins, or Enterprise Admins), or who has been assigned an elevated privilege (act as the operating system), logs on, Windows splits his or her single logon access token into two tokens: one standard and one elevated. By default, the elevated user runs with the standard token most of the time, such as when answering email and surfing the Web, and must be prompted to approve actions that require the elevated token. Although Microsoft (my full-time employer) would prefer that users never log on as elevated users while performing non-elevated tasks, UAC is seen as a necessary evil.
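As an added example (not from the article), this PowerShell function uses the built-in whoami tool to show which half of a split token the current session is running with; the function name and the state labels are my own, and English-language whoami output is assumed.

```powershell
# Classify the current logon token the way UAC splits it.
# `whoami /groups /fo csv` is a real invocation; Get-UacTokenState and the
# TokenState values below are names chosen for this example.
function Get-UacTokenState {
    $rows = whoami /groups /fo csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv

    # BUILTIN\Administrators is S-1-5-32-544. In the standard (filtered) half of a
    # split token, UAC keeps the SID but marks it "Group used for deny only", so the
    # group can deny access but never grant it.
    $admin = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # The integrity label tells the same story: High (S-1-16-12288) for the
    # elevated token, Medium (S-1-16-8192) for the filtered one.
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' }

    if (-not $admin) {
        $state = 'StandardUser'   # not an admin at all; there is no split token
    } elseif ($admin.Attributes -match 'deny only') {
        $state = 'FilteredAdmin'  # split-token admin running with the standard token
    } else {
        $state = 'Elevated'       # elevated token in use (after a UAC prompt), or
                                  # UAC is disabled and the token was never split
    }

    [pscustomobject]@{
        User           = (whoami)
        TokenState     = $state
        IntegrityLevel = $label.'Group Name'
        AdminAttribute = $admin.Attributes
    }
}

Get-UacTokenState
```

Running this from a normal PowerShell window and again from one started with "Run as administrator" shows the two halves of the same logon side by side; a daily-use session that reports Elevated is the condition a least-privilege review is looking for.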