Least privilege won't solve every security problem, but it's a significant step in the right direction
My previous column on the questionable long-term effects of least privilege created a firestorm of controversy and discussion. Personally, I think controversy is good if it gives people on both sides of the argument a chance to reconsider their previous conclusions. If the argument changes your mind, then maybe your original conclusions needed more consideration. And if it strengthens your support, one way or the other, then at least you had an opportunity to reexamine your beliefs and provide yourself even stronger arguments.
What I wasn't prepared for was how many people thought I hated Microsoft's User Account Control (UAC), or thought I disagreed with the concept of least privilege. Both these arguments couldn't be further from the truth. There are lots of reasons to use least privilege mechanisms, UAC or otherwise. Off the top of my head, here are four:
First and foremost, least privilege models prevent 90 percent or more of today's malware. You can't ignore that statistic. Malware writers may easily code around least privilege when they need to, but it does significantly cut down on software that can cause harm today.
Second, least privilege mechanisms make it harder for malware to modify key system components. While malware may be able to still do harm -- much harm -- with user-mode programming alone, not being able to semi-permanently modify the operating system does provide protection you would not have otherwise.
This makes it more difficult for malware to hide from anti-malware software and forensic investigators. Malware with system access can install itself as a rootkit, more easily hide in memory, or perform myriad other obfuscation techniques that make it more difficult for the good guys.
Third, if your end-users don't have administrative access to their machines, you can prevent them from installing unapproved software. Since the vast majority of today's malware relies upon the end-user installing or clicking on something they shouldn't, as well as having admin or root access, not having it will prevent attacks.
Limits are good
Least privilege (such as UAC, su, and so on) is a good thing. Using it can only improve security measurably. The key takeaway point of the previous related column is that least privilege mechanisms are part of a defense-in-depth puzzle, but surely not the endgame.
Not to start up another firestorm of controversy, but it's the same issue with firewalls. Sure, a properly configured firewall can prevent all sorts of network-connecting, dial-home, blast-the-Internet-and-attack-other-people malware -- well, all the malware that doesn't use ports 80 and 443.