
Feb 14
Threat Thursday: Least Privilege

Two weeks ago I posted Threat Thursday: The Enemy Within and discussed an incident where a disgruntled employee had deleted files from their employer's server with an estimated worth of $2.5 million. One of the more disturbing aspects of the story is that the employee appeared to have unrestricted access to the data, and it got me thinking about the security controls that should be in place to guard against this type of incident, and about the privileges that are essential to protecting your environment from internal as well as external threats.

I came across a very good article in InfoWorld's Security Adviser column, "Computer security: Why have least privilege?", by Roger A. Grimes. He wrote that computer security is analogous to securing a castle from attack:

"...suppose you have a castle with four entry points over the surrounding moat.  When you have that many entry points, you have to provide equal protection (from soldiers, hot tar, flaming arrows, and more) to all four of them; otherwise, the attacker will learn the weakest point and attack it first.  By reducing the number of entry points, the defensive force can spend less money overall and better protect what remains."

A key part of reducing the attack surface of a computer system is limiting the privileges that are granted to the users of that system. Mr. Grimes listed four reasons why least privilege should be an IT security best practice, and I've paraphrased them here:

  1. Can prevent 90 percent or more of today's malware.  Malware writers may easily code around least privilege when they need to, but it does significantly cut down on software that can cause harm today.
  2. Makes it harder for malware to modify key system components.  While malware may be able to still do harm -- much harm -- with user-mode programming alone, not being able to semi-permanently modify the operating system does provide protection you would not have otherwise.
  3. If end-users don't have administrative access to their machines, you can prevent them from installing unapproved software.  Since the vast majority of today's malware relies upon the end-user installing or clicking on something they shouldn't, as well as having admin or root access, not having it will prevent attacks.
  4. This allows defenders to concentrate their efforts on better protecting fewer ingress points.

While most of this may be common sense, it makes a nice list to present to management or the end-users the next time someone complains that their assigned privileges are too restrictive. If personnel can still do their work and only require occasional assistance from the help desk when installing approved hardware and software, I'm willing to keep least privilege. How do your users and, more importantly, management feel about least privilege? Do they chafe at these security controls?


1 Comments/Trackbacks




It is very useful and the postings are very interesting for more information you can check :
http://example.intc.com.tw

    ITechTips is a member of the Know More Media network of business related blogs.