Windows OS: XP, Vista, 7 For Goofy: Limited Account on Windows... Does the Automatic Updates Service Work?

Goofy

Moderator
Personal opinions count for nothing

please read the official Microsoft articles (unfortunately they are in English)

Applying the Principle of Least Privilege to User Accounts on Windows XP

Implementation Considerations

Implementing the LUA approach also creates technical, administrative, and political issues within the organization. These issues include:

Control over the computer
Installing hardware
Installing programs
Running programs
Updating the operating system
Configuring the operating system
Costs


Control Over the Computer
Possibly the most difficult political issue to cope with is that of control of the client computers. Many senior executives and business decision makers expect full control over their computers, and are unaware or dismissive of the risks from this configuration. People who hold executive positions are often intolerant of situations that frustrate them or messages that tell them what they cannot do. A typical response to any warning messages about restricted rights is to insist that the network administrator give them full administrative control.

To manage this situation, it is essential to have a suitably high-ranking and technically educated executive sponsor for the project. For many companies, this executive sponsor should be at least the Chief Information Officer (CIO) or equivalent, and willing to educate fellow management about the growing threat from malicious software and how such software can install from malicious or compromised Web sites. If education does not provide a forceful enough argument, highlight the issues of legal liability that could result from unintentional installation of malicious software on their computers, and explain how the tools in this paper can address any concerns.

User education is another important area to address. Most users will feel threatened by any attempt to remove control over what they see as "their" computer, and may take steps to disrupt implementation of the LUA approach. It is common to receive an increased number of complaints together with exaggeration of the issues that users now face because they no longer have administrative rights. As long as the organization has carried out a thorough testing program, these complaints are likely to be easily addressed.

Installing Hardware
Users with desktop computers in office environments should never require administrative rights. However, mobile computer users may legitimately need to install hardware such as printers and DVD writers to carry out their jobs when they are not connected to the organizational network.

The hardware installation issue for mobile users is one for which organizations need to consider a range of options, possibly including options that do not conform to the LUA approach. The tools that this paper describes in the next section can also assist with hardware management in this situation.

Installing Programs
Many programs require administrative privileges to install. This behavior helps inhibit unauthorized programs from installing, but may also prevent the installation of authorized programs and upgrades. Program installation may be particularly problematic when the user does not have a domain-joined computer or only occasionally connects to the organization's network. Resolving the issue of how to install authorized programs and security updates may require both changes in operational procedures and the use of tools such as application publishing in Active Directory®, the Elevated Rights Deployment Tool in Microsoft Systems Management Server (SMS) 2003 with Service Pack 1, or Remote Desktop.

Some Internet sites only work correctly with additional software and ActiveX controls that download to the client computer. Management tools such as the Internet Explorer Administration Kit and Group Policy can allow this behavior with sites where the business need is greater than the perceived risk of allowing software downloads from that location.

Running Programs
Some programs require administrative privileges to run. Typically, this restriction comes from coding errors or poor implementation of programming and security guidelines. For example, a program might install a mandatory product key in a location in the registry where a limited user account cannot read the key's value.

Note: Programs that follow Microsoft programming recommendations should not experience issues with security restrictions.

In many cases, it may be possible to address the issue by granting the Users group access to the restricted location that causes the application to fail. The Microsoft Windows Application Compatibility Toolkit (ACT) that this document describes in the next section can also address many of these incompatibility issues. Network administrators should not simply accept the argument that because one program only works with administrative permissions, everyone should be an administrator.

Updating the Operating System
The manual installation of operating system updates from the Microsoft Update Web site requires the operating system desktop to run with administrative rights, so, to use Microsoft Update, the user must log on with administrative credentials. However, the Automatic Updates service runs under system account credentials and does not experience this restriction. If you configure Automatic Updates to check for and install operating system and program updates automatically, there should rarely be any requirement to update manually. For more information, see How to schedule automatic updates in Windows Server 2003, in Windows XP, and in Windows 2000.

SMS 2003 with Service Pack 1 includes features to identify and install operating system and application updates without the user having administrative rights. Windows Software Update Services (WSUS) provides simplified security update management for organizations that do not have SMS installed.

Configuring the Operating System
Organizational IT policy should define what configuration actions limited users can carry out on their computers. Changes to security policies and registry settings, either locally or through Group Policy, can enable limited users to make these approved changes to their computer, such as when mobile users need to change the computer's time or time zone. The following section in this paper lists several tools that address the issue of operating system configuration with a limited user account.
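
Added example (not part of the original thread or of the Microsoft paper): a read-only PowerShell check, runnable from a limited account, that the Automatic Updates service described in the quoted "Updating the Operating System" section runs under the system account and is set to install updates automatically. It assumes PowerShell 2.0 or later and the standard Windows Update registry locations of the XP/Vista/7 era.

```powershell
# Added example: read-only checks, runnable from a limited (non-admin) account.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
if (-not $svc) { Write-Output 'Automatic Updates service (wuauserv) not found'; return }

# Group Policy values, when present, override the local Control Panel setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue

if ($policy -and $policy.AUOptions -ne $null) { $au = $policy; $source = 'Group Policy' }
else { $au = $local; $source = 'local setting' }

$meaning = @{
    1 = 'never check for updates'
    2 = 'notify before download'
    3 = 'download automatically, notify before install'
    4 = 'download and install automatically on a schedule'
    5 = 'local administrator chooses the mode'
}

$findings = @()
if ($svc.StartName -ne 'LocalSystem') {
    $findings += "service runs as '$($svc.StartName)' instead of LocalSystem"
}
if ($svc.StartMode -eq 'Disabled') { $findings += 'service is disabled' }
if ($policy -and $policy.NoAutoUpdate -eq 1) {
    $findings += 'Automatic Updates is turned off by policy (NoAutoUpdate = 1)'
}
if (-not $au -or $au.AUOptions -eq $null) {
    $findings += 'no AUOptions value found'
} elseif ($au.AUOptions -ne 4) {
    $findings += "AUOptions = $($au.AUOptions): $($meaning[[int]$au.AUOptions])"
}

Write-Output "Service account : $($svc.StartName) ($($svc.StartMode), $($svc.State))"
Write-Output "Update mode     : from $source"
if ($findings.Count -eq 0) {
    Write-Output 'OK: updates install automatically without the user being an administrator'
} else {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
}
```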
 

Goofy

Moderator
SURUN

or how to use an account with limited rights without the annoyances of a limited account


SURUN is highly recommended by WilderSecurity (the reference site for security) ;)
 

Fiber

Banned
given that for a network printer on a print server you don't need to install any driver, because the SMB & IPP network protocol is used... from a Limited account you just go to Control Panel, Printers and Faxes > Add Printer > Next... the option "A network printer, or a printer attached to another computer" is already selected... you click Next, and the OS scans the LAN and looks for print servers, all through the Spooler service


try it and verify

it works
 

Goofy

Moderator
SURUN

or how to use an account with limited rights without the annoyances of a limited account


SURUN is highly recommended by WilderSecurity (the reference site for security) ;)

look how convenient these 2 entries implemented by SURUN are when you are using an account with limited rights

what does SURUN Explorer let you do?
in a context where the user with limited rights cannot write to a location other than their home (and rightly so, otherwise the fundamental characteristics of a limited-rights account are lost), it lets you temporarily open an Explorer with higher administrative rights, so you can also write to c:\ or take a file from another user's desktop (if you need to)

the second entry, CONTROL PANEL as ADMINISTRATOR, instead lets you temporarily open (without switching to the other user) the Control Panel with administrative rights and carry out administrative tasks

in practice this SURUN works in a very similar way to Ubuntu's sudo

SURUN is very convenient
 

Attachments: esplora risorse.PNG, Pannello-controllo.PNG