Reducing your local privileges to reduce vulnerability

I have long been a proponent of using the least privileges needed in order to accomplish a task. It's just the right thing to do. Doing this greatly reduces your attack surface because most malware needs certain privileges on the local system in order for it to work as designed. Take away those rights and the malware may download but it will just sit there causing no harm to the system or data.

You would think that simply creating yourself a local account with fewer privileges would take care of this. Unfortunately, many applications on the Windows platform were not developed with this in mind; many assume, and require, that you have Administrator privileges in order to run. You will quickly tire of trying to run certain apps using RunAs, since that approach doesn't share your lower-privileged user profile: whatever you do after you have initiated something using RunAs will be stored within that privileged account's profile, not the one you initially logged in as.

Fortunately, there are a number of tools to help you deal with this. These tools take one of two approaches:

A. Log in with lower privileges and use a utility to increase privileges when necessary or increase privileges for specific apps.

B. Log in with higher privileges and use a utility to decrease privileges when necessary or decrease privileges for specific apps.

It takes a little time to get one of these solutions working in a way that you can live with every day. Depending on the type of user you are, you may quickly tire of all the tweaking needed and simply give up. I have tested many of the "type A" tools including sudown, sudowin, and Makemeadmin. These tools try to mimic the sudo functionality provided by most UNIX and Linux systems. I have also tested many "type B" tools such as PSExec or Drop My Rights. What did I find? None of them are perfect. And some of them can be dangerous if you are not careful!

For now, on Windows XP systems, I have found that the most realistic thing to do is to log in with the least-privileges needed to do your work (that doesn't break the apps that you use) and reduce the privileges of the processes that access the Internet. For many that might mean continuing to log in locally with administrative privileges. But by running certain applications with reduced privileges, you are making your system less vulnerable to successful malware exploitation. After all of my testing, my opinion is that using something like PSExec or DropMyRights is a good choice.

For many IT folks I feel that the best solution (for now) on Windows XP is going with the type B approach - logging in with higher privileges and using a utility to decrease the privileges of Internet applications (such as Web Browsers, Twitter clients, etc.) and others that you know will work without Administrative privileges. Two that work similarly are PSExec and DropMyRights.
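To make the type B approach concrete, here is an added PowerShell example (not code from the original post, nor from Sysinternals or the DropMyRights author) that launches an Internet-facing application with reduced rights from an administrative logon using `psexec -l`, and first checks that the limited launch really strips the Administrators group before trusting it. It assumes `psexec.exe` is on your PATH, that `whoami.exe` is available (built into Windows since Vista; on XP it ships with the Support Tools), and that the browser path is the one you want to substitute.

```powershell
# Added example: run an Internet application with a restricted token from an
# admin logon (the "type B" approach), using Sysinternals psexec -l.
# Assumptions: psexec.exe on PATH, whoami.exe available, browser path below is yours.

function Test-IsAdminSession {
    # True when the current logon token holds the Administrators group
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LimitedLaunch {
    # Sanity check: run whoami inside a psexec -l process and confirm that
    # BUILTIN\Administrators is marked "Group used for deny only", which is
    # what a restricted token looks like. psexec writes its banner to stderr.
    $out = & psexec.exe -accepteula -l cmd.exe /c "whoami /groups" 2>$null
    return (($out -join "`n") -match 'Administrators.*deny only')
}

function Start-Limited {
    # Launch $Path with a limited-user token; -d returns without waiting.
    # The process keeps *your* user profile (same account, weaker token),
    # which is the advantage over RunAs described in the post.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Arguments = @()
    )
    if (-not (Test-Path -Path $Path)) { throw "Not found: $Path" }
    & psexec.exe -accepteula -l -d $Path @Arguments
}

# Placeholder target: substitute the browser or Twitter client you actually use
$browser = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

if (Test-IsAdminSession) {
    if (Test-LimitedLaunch) {
        Start-Limited -Path $browser
    } else {
        Write-Warning 'psexec -l did not yield a restricted token; not launching.'
    }
} else {
    # Already a non-admin logon: a plain start is just as good
    Start-Process -FilePath $browser
}

# Equivalent with DropMyRights (N = normal user, C = constrained, U = untrusted):
#   DropMyRights.exe "C:\Path\To\app.exe" N
```

The preflight check matters because a tool that silently fails to restrict the token leaves you believing the browser is sandboxed when it is still running as Administrator; `whoami /groups` showing Administrators as deny-only is the quickest way to confirm the launch did what you intended.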

For non-IT and home users, I suggest trying a type A solution to increase privileges when needed. Home users may find it especially challenging to get some games to work (for your kids, of course ;-) when using a less-privileged account. The vendors will tell you that you must have Administrative rights, but I have been successful in getting all such apps to run under a Power User account, given an understanding of the file system and registry permissions that the application is expecting. I'll tell you more about that in another blog update.

There are also some slick commercial tools available to address this issue; I will write up something on that soon. Whatever you choose, be sure to make a system backup before you start playing with any of these tools. You have backed up your system recently, haven't you?