
How to run XP with the least privilege

January 28, 2006

Posted by peewitsol in Technical.


The paper titled “Applying the Principle of Least Privilege to User Accounts on Windows XP” gives a good explanation of how to reduce the amount of time both you and your users need to be logged in with administrative privileges. We at Peewitsol think it’s pretty well accepted that running as admin is generally a bad idea from a security perspective, as any code you run (either deliberately or accidentally) will also run with that privilege; this is often the route that malicious software uses to exploit machines.

Think about Browser Helper Objects (BHOs) for a moment. These are effectively ActiveX-style extensions that can be installed into Internet Explorer to provide additional browsing features and interface richness. If you’re running with admin privileges, BHOs can be silently installed on your system, and there are plenty of malicious BHOs out there. If you visit a site that has malicious (or safe) BHOs, they’ll fail to install if you’re running as a regular user.
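As an added example (not part of the original post or the referenced paper), the following read-only PowerShell script reports whether the current session holds administrative privileges and lists the BHOs registered machine-wide. It assumes PowerShell 2.0 or later and reads only the native registry view; the registry paths are the standard Windows locations rather than anything quoted in the post, and the function names are hypothetical.

```powershell
# Added example: read-only audit, it changes nothing on the system.

function Test-IsAdministrator {
    # True when the current token carries the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RegisteredBho {
    # Machine-wide BHO registrations: one subkey per CLSID. The key lives under
    # HKLM, which a regular user cannot write to (standard location, assumed here).
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoRoot)) { return }

    foreach ($entry in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid = $entry.PSChildName
        $name  = $null
        $dll   = $null

        # Resolve the CLSID to its COM class name and the DLL the browser loads.
        $class = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
        if ($class) {
            $name   = $class.GetValue('')
            $server = $class.OpenSubKey('InprocServer32')
            if ($server) {
                $dll = $server.GetValue('')
                $server.Close()
            }
        }

        New-Object PSObject -Property @{ Clsid = $clsid; Name = $name; Dll = $dll }
    }
}

if (Test-IsAdministrator) {
    Write-Warning 'This session has administrative privileges; any code it runs inherits them.'
} else {
    Write-Output 'This session is running as a regular user.'
}

Get-RegisteredBho | Select-Object Clsid, Name, Dll | Format-Table -AutoSize
```

An entry with an empty Name or Dll column points at a CLSID with no matching class registration, which is worth a closer look during a review.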

This approach of running with less privilege will get much easier with Windows Vista, but in the meantime it’s important to learn how to adopt the principle of least privilege for Windows XP.

Work with your business’s in-house developers to encourage them to develop with least privilege too, as that way the code they write is more likely to be able to operate with least privilege.

If you are a home user or an SME (Small to Medium Enterprise), it would be advisable for you to run your systems/computers this way too.


