Archived Information. Week Radio. Join us for a roundup of the top stories on Information. Week. com for the week of November 6, 2. We'll be talking with the Information.

Week. com editors and correspondents who brought you the top stories of the week to get the.

Applying the Principle of Least Privilege to User Accounts on Windows XPPublished: January 1. Please direct questions and comments about this guide to secwish@microsoft. To view comments or discussion of this guide, see http: //blogs. On This Page. Introduction. Risks Associated with Administrative Privileges.

Definition of the Principle of Least Privilege. Definition of the LUA Approach.

Download Our 25-Page Guide: How to Overcome Windows 10 Hurdles. After upgrading to Windows 10, many IT departments run into challenges with the new OS. Internet is defined as a connected group of computer networks allowing for electronic communication. The networks: Are comprised of educational, commercial and. InformationWeek.com: News, analysis and research for business technology professionals, plus peer-to-peer knowledge sharing. Engage with our community.

This definition of proxy server explains types of proxies and how they work and also discusses their implementation and security.

Benefits of the LUA Approach. Risk, Security, Usability, and Cost Tradeoffs. Implementing the LUA Approach. Future Developments. Summary. Resources. Acknowledgments. Introduction. Recent advances in networking technology such as permanent connectivity to the Internet have brought enormous opportunities to organizations of all sizes.

Unfortunately, a connection between a computer and any network, especially the Internet, increases the level of risk from malicious software and external attackers, and as old risks are managed, new ones are discovered or created. Sophos, an Internet security company, found that the number of malicious programs detected rose from 4. November of 1. 99. November of 2. 00.

In November of 2. Sophos discovered more than 1,9. Trojan horses, and spyware programs. Other antivirus vendors report similar increases in the numbers and types of malicious software. A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers.

When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e- mail clients, and instant messaging programs, also have administrative rights. Hp Scanjet 5590 Silent Install Command. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system.

Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e- mail message. Malicious software poses numerous threats to organizations, from intercepting a user's logon credentials with a keystroke logger to achieving complete control over a computer or an entire network by using a rootkit. Malicious software can cause Web sites to become inaccessible, destroy or corrupt data, and reformat hard disks. Effects can include additional costs such as to disinfect computers, restore files, re- enter or re- create lost data.

Virus attacks can also cause project teams to miss deadlines, leading to breach of contract or loss of customer confidence. Organizations that are subject to regulatory compliance can be prosecuted and fined. Note   For more information about rootkits, see the rootkit definition on Wikipedia at http: //en. Rootkit. The Least- Privileged User Account Approach. A defense- in- depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least- privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.

The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools. Important   It is difficult to find utilities and guidance on using limited user accounts, so this white paper refers to third- party tools and guidance from Web logs and other unofficial sources. Microsoft makes no warranty about the suitability of the tools or guidance for your environment. You should test any of these instructions or programs before you deploy them.

As with all security issues, there is no perfect answer, and this software and guidance is no exception. Audience. This white paper targets two audiences: Business decision makers who need to understand the concepts of the LUA approach and the organizational issues that the LUA approach generates. IT professionals who need to understand the options for implementing the LUA approach within their organization. Topics. This document discusses the issues and concerns that organizations may face when they apply the LUA approach to computers that run Microsoft. The discussion covers the following topics: Risks associated with administrative privileges. Definition of the principle of least privilege Definition of the LUA approach Benefits of the LUA approach Risk, security, usability, and cost tradeoffs. Get Primary Group Active Directory Cheat on this page. Implementing the LUA approach.

Future Developments. This paper also describes the high- level issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.

Note   This paper does not address issues with running system services with least- privileged accounts. For more information on this topic, see The Services and Service Accounts Security Planning Guide, at www. Risks Associated with Administrative Privileges. Many organizations routinely give users administrative privileges to their computers. This arrangement is particularly common with portable computers, and usually happens for the following reasons: To enable some programs to run properly. Some programs can only run when a user has administrative rights. Typically, this might occur if the program stores user data in registry or file system locations that a non- administrative account cannot access.

To permit the user to carry out administrative actions, such as changing the computer's time zone. To enable mobile users to install work- related hardware or software, such as print devices or DVD writers and associated programs. Although there may be other valid reasons to provide users with administrative rights, such an arrangement significantly increases the risk of computer compromise and of improper configuration. These risks can affect many areas of an organization's operations. Consider the situation in which a senior executive regularly visits client offices to give presentations from his portable computer. Because he is a senior executive, he insists on having local administrative rights on his computer. He is just about to deliver a key sales presentation to an important customer, when an offensive message appears on the screen of his portable computer, which then locks up.

When he hastily restarts the computer, the executive finds that the hard drive has been reformatted. Consequently, the sales presentation fails to impress the customer, and the order goes to a competitor. In this case, the offensive message and subsequent destruction of data resulted from malicious software that infected the computer when the executive browsed a compromised Web site. When he visited that Web site, the executive was logged on to his portable computer as a member of the local Administrators group.

The rights and privileges from this group membership enabled the malicious software to disable the antivirus software, install itself, manipulate the registry, and place files in the Windows system directory. The executive's computer was now compromised, and ready to carry out the malicious software's commands. Other scenarios that can exploit the greater privileges from administrative accounts include situations in which users click links in e- mail messages or play music CDs that include digital rights management software. The common factor is that users who have administrative rights are significantly more likely to compromise their computers than those who use limited user accounts.

Definition of the Principle of Least Privilege. The Department of Defense Trusted Computer System Evaluation Criteria, (DOD- 5.