Feb 03
Principle of Least Privilege – More than a Guideline
Eric Inch
I enjoy learning, using and helping others through technology. This is my fourth year with C/D/H after many years of consulting for numerous small and mid-sized companies. I enjoy challenging projects and continual improvement in all areas. Most recently, I have been working to help grow the unified communications and virtualization practices at C/D/H.
When I’m not working, I enjoy spending time with my family. My girls keep me extremely busy but are always the highlight of my day.
For a more in-depth bio and a list of my areas of expertise, please visit http://www.cdh.com.
Most technology professionals have probably heard a security expert use the phrase “principle of least privilege” while trying to reach agreement on the level of security within an organization. That has certainly been true for me on numerous occasions. I frequently find myself trying to strike the delicate balance between functionality and security. The networking and server side of the argument wants to use as many features as possible while making things as easy as possible for users, and often points to the perceived productivity gains the business will see by not restricting users.
The security side of the argument is to eliminate everything that is not necessary so that the environment adheres to the “principle of least privilege.” To summarize the premise quickly: least privilege is the practice of removing everything not needed to perform one’s work, assigning exactly the privileges required to carry out the required duties and nothing more. The practice of least privilege touches on all three pillars of information security, but it is especially important for companies looking to meet integrity objectives.
Eliminating unnecessary privileges can greatly increase the overall security of a network, and there are many practices that can be put in place to meet this principle. You can spend the necessary time to determine which files a user, or group of users, needs access to and configure the permissions on those files and directories accordingly. If users do not need the ability to modify certain data, do not let them. You should find comfort in the fact that you are protecting the integrity of your company’s data.
One practice that I see all too often is placing users into the local Administrators group on his or her workstation. Even worse is adding the entire Domain Users group to this highly privileged group, which makes every domain account an administrator of that machine. You are opening the door to users having the elevated rights needed to run malicious scripts and software, disable services, edit registry settings, or perform any other task that an Administrator level account can perform. Remove users from the local Administrators group. You can rarely justify users having this level of access to workstations. If an application needs to access certain areas, open specific permissions on the file system or registry for that application instead. There are, of course, exceptions to this, but almost always, due diligence in determining least privilege will show that local Administrator rights are not required.
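The audit and remediation just described, as an added PowerShell example that is not part of the original article: it compares the local Administrators group against an approved list, warns on (and with -Remediate removes) anything else, and then grants an application's user group Modify rights on the one folder it actually writes to rather than local admin. The domain name, group names and folder path are assumed placeholders, and the script must be run elevated.

```powershell
# Added example, not from the original article: audit the local Administrators
# group on a workstation against an approved list, warn on (and with -Remediate
# remove) anything else, then grant an application's user group rights on the one
# folder it needs instead of local admin. All names and paths are placeholders.
param(
    [string[]]$ApprovedMembers = @("$env:COMPUTERNAME\Administrator", "CONTOSO\Workstation Admins"),
    [string]$AppFolder     = "C:\ProgramData\ExampleApp",  # placeholder path
    [string]$AppUsersGroup = "CONTOSO\ExampleApp Users",   # placeholder group
    [switch]$Remediate
)

# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).
$members = Get-LocalGroupMember -Group "Administrators"

foreach ($m in $members) {
    $name = $m.Name
    # Adding Domain Users here makes every domain account an administrator of this machine,
    # so it is never approved even if someone puts it on the list.
    $isDomainUsers = $name -like "*\Domain Users"
    if (($ApprovedMembers -contains $name) -and -not $isDomainUsers) {
        Write-Output ("OK       {0} ({1})" -f $name, $m.ObjectClass)
        continue
    }
    Write-Warning ("Unexpected member of local Administrators: {0} ({1})" -f $name, $m.ObjectClass)
    if ($Remediate) {
        Remove-LocalGroupMember -Group "Administrators" -Member $name -ErrorAction Stop
        Write-Output "Removed  $name from local Administrators"
    }
}

# Least-privilege alternative for an application that "needs admin": give its users
# Modify on the single folder it writes to, inherited by the files and subfolders.
if ($Remediate -and (Test-Path -Path $AppFolder)) {
    $acl  = Get-Acl -Path $AppFolder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AppUsersGroup,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $AppFolder -AclObject $acl
    Write-Output "Granted Modify on $AppFolder to $AppUsersGroup"
}
```

Run it without -Remediate first to review the report; the same audit can be pushed to a fleet with Invoke-Command to find workstations where Domain Users or individual users have been added.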
You should also delegate access to the domain according to this principle. Too often companies add users to the Domain Admins group, which has far more privileges than most Network Administrators need. Depending on the role of the employee, you can look to lesser privileged built-in groups such as Server Operators, Backup Operators or DnsAdmins, while keeping in mind that several of these groups are still powerful and should be reviewed just as carefully. Before reaching for built-in groups at all, address access through the delegation of administration: Active Directory delegation of administration provides granular control over objects within the directory, so an administrator can be given rights over only the organizational units and attributes that his or her role requires.
Security is a growing concern for many companies and will continue to be as more and more corporate regulations are put in place. By following the “principle of least privilege” you are practicing due diligence in protecting your company’s most important asset, the data.