The security principle of “least privilege” is well understood: Software should run with the smallest set of privileges needed to perform its tasks. Low-privileged processes can do a lot less damage when they are compromised (or just buggy) than processes running at high privilege levels. Windows has made great strides to run services with lower privilege than in the past. However, Windows users who are allowed to administer their own machines (including most Microsoft employees) usually run with Administrator privileges all the time. That is, the account with which they normally log on is a member of the local Administrators group (or worse, Domain Administrators). Everything they do, from reading email, browsing the internet, instant messaging, writing documents, and writing software, is performed with full (and unnecessary) administrative control over the entire computer. Email, web browsing, and instant messaging do not require administrative privileges, and are common avenues for malicious code to attack end users’ systems. To be more secure, users should log on with a Limited (or “Least-privileged”) User account (LUA), and use elevated privileges only for specific tasks that require them. Linux/Unix users have understood this for a long time, so this remains an area where Microsoft is perceived to lag in thought leadership. Unfortunately, Windows does not yet make running as non-admin as straightforward as it needs to be. Hopefully Longhorn will address these shortcomings. In the meantime, though, there are some neat workarounds that greatly mitigate the inconveniences.
In subsequent posts, my plan is first to try to convince you that running as non-admin is the right thing to do, to get you to want to run as a normal User instead of admin. Next, I’ll offer up a collection of valuable tips, tricks and tools to make living as a Limited User as easy as possible.
In the meantime, let me know what your pain points are. Have you tried running as User? What were the biggest problems?