Least Privilege Security for Windows 7, Vista and XP

Applying Least Privilege Security throughout the enterprise

While it would be great if it were possible to apply Least Privilege Security to all PCs in the enterprise, it's unlikely to be a realistic goal; there will always be employees who need to be excluded for solid business reasons. For example, consider an engineer who visits customer sites to repair telecom systems. The engineer's notebook is not only a tool for checking e-mail and writing customer reports, but is also used as part of their onsite toolkit. When faced with problems at a customer's site, it may be that engineers are required to install software that's not part of the IT department's approved list—for example, to connect a notebook to a telecom system or some other device.

Least Privilege Security doesn't accommodate such job roles easily. Though the engineer could run with Least Privilege Security most of the time, some tasks will require elevated rights. This may not be an issue if running Vista or Windows 7, as User Account Control accommodates such situations by allowing users to run with restricted privileges and elevate only when required. However, in Windows XP, the business will have to decide whether a particular group of users should run with Least Privilege Security or upgrade to Vista or Windows 7.

Deciding whom to exempt from running with a standard user account

In Windows Vista and later, users can reap the benefits of Least Privilege most of the time as a Protected Administrator. However, there are benefits in running as a standard user over a Protected Administrator, and you should aim to use standard user accounts whenever possible.

The following table summarizes the key differences in functionality when running with different types of user account in XP, Vista, and Windows 7. Use this table to help you decide what kind of user account to assign users in your organization.

What not to do

Don't ask users what access they need to their systems. The inevitable answer will be full access. Start by making a list of job roles in your organization that are likely to require administrator privileges to complete some business-related process. The list is likely to be quite small, for instance just engineers. All other employees should be able to run with a standard user account.

The main tasks that require administrator privileges are:

  • Installing per-machine software
  • Changing domain or workgroup membership
  • Installing device drivers
  • Changing Windows Firewall properties
  • Changing some network settings
  • Manually installing Windows or third-party updates
  • Changing power management settings (Windows XP only)

While the last point may seem relatively trivial, a bug in Windows XP sometimes resets power settings when a Windows update is applied. This can be frustrating for notebook users who don't have administrative privileges: when they find the notebook entering sleep mode on its own, or the lid behaving differently when closed, they cannot change these settings without calling the help desk.

Other tasks, such as burning data to a CD or changing the system time, have been omitted from the list: although under normal circumstances these activities do require administrative privileges (Windows XP only), there are workarounds that avoid granting such high privileges just to perform a single task.

If any of your users need to perform any of the listed tasks on a regular basis without intervention from IT, then you should consider allowing them to run with administrative privileges in Windows XP or as a Protected Administrator in Vista and Windows 7, and rely on other defense-in-depth security mechanisms to provide protection.