Applying the Principle of Least Privilege to Windows Vista
By Alex Heaton
Senior Product Manager, Windows Vista™ Security, Microsoft Corporation
“Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” This is the principle of least privilege as stated by Saltzer and Schroeder in their seminal paper The Protection of Information in Computer Systems published in 1974. The advice still holds true today. By restricting what privileges users and software have, you can help make the system more secure.
This was one of the guiding security principles behind the development of Windows Vista. Why is it important to run with fewer privileges? Let’s look at the privilege of user accounts as an example. If you are running your PC with a full administrator account, any program you run and any malware that is able to exploit that program are also running with full administrator privileges. Those privileges are sufficient to open firewall ports, create additional administrator accounts, and even install a rootkit to hide the malware’s presence. However, if the code is trying to exploit software running with limited privileges, the malware may find itself unable to execute its planned attack and can be easily removed because it wasn’t able to create deep hooks into the system.
Let’s examine four areas where this principle was applied to Windows Vista: user accounts, Web browsing, services, and drivers.
As mentioned above, most people use Windows® today with administrator accounts. This puts them at greater risk from serious malware and makes it difficult to have a managed desktop environment, because users can change sensitive configuration settings or install unapproved, possibly malicious software. The solution is to run Windows using a standard, non-administrator account. However, this can be difficult to do, because standard users cannot run many programs and are prevented from performing many common tasks on their own—tasks as common as changing their power settings or time zone.
In Windows Vista, we’ve made it much easier to run Windows using a least privilege user account. Standard users can now do more tasks on their own, including changing the time zone and power settings, connecting to secure wireless networks, and installing approved devices and ActiveX controls. We’ve also improved application compatibility for standard user accounts. Today, many applications break when they attempt to write to protected areas of the file system and registry that the standard user does not have access to. To enable many applications to work for standard users, Windows Vista includes files and registry virtualization technology that redirects writes (and subsequent reads) to a per-user location within the user’s profile. By removing the barriers to running with fewer privileges, we expect the majority of user accounts to be deployed with Standard User permissions on Windows Vista.
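The following PowerShell script is an added example; it is not part of the article and not Microsoft's own tooling. It reports whether the current session carries an administrator token and then lists the files and registry keys that file and registry virtualization has redirected into the per-user VirtualStore, which is how an administrator can find the applications that still try to write to protected locations and need updating before they work cleanly for standard users. It assumes the standard VirtualStore locations under %LOCALAPPDATA% and HKCU\Software\Classes, and it only reads them.

```powershell
# Added example (not from the article): report whether this session holds an
# administrator token, then list the files and registry keys that Windows Vista's
# file and registry virtualization redirected into the per-user VirtualStore.
# Anything found there came from an application that tried to write to a
# protected location (Program Files, Windows, HKLM\Software) while running as a
# standard user, so it is a candidate for updating.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Logged on as {0}; administrator token in this process: {1}" -f $identity.Name, $isAdmin)

# Redirected file writes (from %ProgramFiles% and %windir%) land under this folder.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (Test-Path $fileStore) {
    Write-Host "Virtualized file writes under $fileStore"
    Get-ChildItem -Path $fileStore -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, LastWriteTime, Length |
        Format-Table -AutoSize
} else {
    Write-Host "No virtualized file writes recorded under $fileStore"
}

# Redirected registry writes (from HKLM\Software) land under this key.
$regStore = 'HKCU:\Software\Classes\VirtualStore'
if (Test-Path $regStore) {
    Write-Host "Virtualized registry writes under $regStore"
    Get-ChildItem -Path $regStore -Recurse | Select-Object Name | Format-Table -AutoSize
} else {
    Write-Host "No virtualized registry writes recorded under $regStore"
}
```

Run it from the standard user account whose applications you want to check: the VirtualStore is per user, so an elevated administrator session shows only what that administrator's own legacy applications redirected.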
Internet Explorer® is the most used program on many PCs, but what it does most of the time requires very few system privileges. It downloads content from the Web, displays it, and when the user clicks the next link, it does it again. The browser doesn’t need access to many system resources to do that, yet today’s Web browsers run with all of the privileges of the logged-on user. This means that malware that exploits vulnerabilities in the browser, or in a control running in the browser, can do anything the user can do, programmatically, without the user’s knowledge or interaction.
Instead of giving the Web browser more privileges than it needs, we’ve applied the principle of least privilege to the task of Web browsing. By default, Internet sites will run in Protected Mode, which limits the browser's access to the locations needed for the tasks above—the temporary Internet files directory, the favorites folder, and a few other directories or registry settings. This helps prevent user or system files or settings from being changed without the user’s explicit permission. If users want to perform a task that requires higher privilege than Internet Explorer has by default, a broker process enables them to approve an action that requires additional privileges. But the least privilege mode is the default.
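An added example (not from the article) of how an administrator can confirm that the Internet zone is still in Protected Mode and see the integrity labels that enforce it. It assumes the standard registry location for the Internet zone settings (zone 3, value 2500) and the standard low-integrity folders that Internet Explorer writes to; whoami and icacls are the built-in tools that display integrity levels and mandatory labels.

```powershell
# Added example (not from the article): confirm that Protected Mode is turned on
# for the Internet zone and look at the integrity labels that enforce it.
# The Internet zone is zone 3 in the Internet Settings registry tree; value 2500
# is 0 when Protected Mode is on and 3 when it has been switched off. When the
# value is absent, the Vista default (on) applies.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Get-ProtectedModeState {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name '2500' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default: on)' }
    switch ($item.'2500') {
        0       { 'on' }
        3       { 'off' }
        default { "unexpected value $($item.'2500')" }
    }
}

Write-Host ("Internet zone Protected Mode: {0}" -f (Get-ProtectedModeState -Key $zoneKey))

# Every process token carries an integrity level; a normal user session is
# Medium, while Protected Mode Internet Explorer runs at Low.
whoami /groups | Select-String 'Mandatory Level'

# The folders a Low-integrity browser may write to carry a Low mandatory label
# with the NW (no-write-up) policy, shown by icacls on the label line.
icacls "$env:USERPROFILE\AppData\LocalLow"
icacls "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Low"
```

If the zone value reads "off" on a machine where nobody intended to disable Protected Mode, that is worth investigating, since a browser running at Medium integrity regains write access to the user's own files and registry hive.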
Windows services commonly run in the LocalSystem account, the most powerful account on the system. This makes such services attractive targets for virus writers. Some of the most severe Windows worms—Slammer, Blaster, and Sasser—all targeted services. Ideally, services should limit their damage potential by running in a lower-privilege account such as LocalService or NetworkService. However, many services require at least some privileges that only LocalSystem supports. The all-or-nothing model that was used before Windows Vista meant that a service that required any LocalSystem privileges had to also include all other LocalSystem privileges. This often meant including privileges that the service did not require.
In Windows Vista, we’ve applied the principle of least privilege to services with a new concept called Windows Service Hardening. Services are profiled to have just the privileges that they need. Fewer processes on Windows Vista use the SYSTEM account. Compared to Windows XP, eight services that used to run with SYSTEM privileges now run as LOCAL SERVICE, and four now run as NETWORK SERVICE. Plus, services that do require the SYSTEM account can be profiled to restrict them from writing to the file system or registry, or sending outbound traffic—if the service does not need those privileges to do its intended function. For example, the Remote Procedure Call service in Windows Vista is restricted from replacing system files, modifying the registry, or tampering with another service’s configuration in the system (such as the antivirus software configuration and signature definition files). Third parties can also take advantage of these capabilities to make their own services more secure.
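An added example, not the article's or Microsoft's own code, that audits which account each running service uses and what Windows Service Hardening settings the services still running as LocalSystem declare, using the built-in sc.exe queries (qsidtype for the per-service SID type, qprivs for the required-privilege list). The commented lines at the end show the same hardening applied to a third-party service; ContosoSvc is a placeholder name and the two privileges listed are an assumption about what such a service might need, not a recommendation for any real service.

```powershell
# Added example (not from the article): audit which account each running service
# uses and, for services that still run as LocalSystem, what Windows Service
# Hardening settings they declare. sc.exe exposes these settings (qsidtype for
# the per-service SID, qprivs for the required-privilege list); it must be
# invoked as sc.exe because 'sc' is a PowerShell alias for Set-Content.

$services = Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq 'Running' }

# How many services run under each account; LocalSystem is the most powerful.
$services | Group-Object -Property StartName | Sort-Object -Property Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

function Get-ServiceHardening {
    param([string]$Name)
    # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE: RESTRICTED"
    $sidLine = & sc.exe qsidtype $Name | Select-String 'SERVICE_SID_TYPE:'
    $sidType = if ($sidLine) { ($sidLine.ToString() -split ':')[1].Trim() } else { 'n/a' }
    # sc.exe qprivs prints one privilege per line; no lines means the service did
    # not declare a restricted set and keeps every privilege of its account.
    $privs = & sc.exe qprivs $Name | Select-String 'Se\w+Privilege' |
        ForEach-Object { $_.Matches[0].Value }
    $privText = if ($privs) { $privs -join ', ' } else { '(all privileges of the account)' }
    New-Object PSObject -Property @{ Service = $Name; SidType = $sidType; Privileges = $privText }
}

$services | Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object { Get-ServiceHardening -Name $_.Name } |
    Format-Table Service, SidType, Privileges -AutoSize -Wrap

# A third party applies the same hardening to its own service (run elevated;
# 'ContosoSvc' is a placeholder name and the privilege list is an assumption):
# give the service its own SID and trim its token to the privileges it uses.
#   sc.exe sidtype ContosoSvc unrestricted
#   sc.exe privs   ContosoSvc SeChangeNotifyPrivilege/SeImpersonatePrivilege
```

Services whose SID type is NONE and whose privilege list is the full set of the account are the ones that have not been profiled; for a LocalSystem service that is the pre-Vista all-or-nothing situation the article describes.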
Drivers typically run in the kernel, which gives them the greatest privilege of all. With kernel access, it’s possible to create a rootkit that can hide all types of malicious activity in the system. Windows Vista applies the least privilege principle to drivers by running many drivers that used to run in kernel mode in the more restrictive user mode instead. This also improves system stability, because a crash in the kernel could often result in a blue screen crash of the entire operating system, but a crash in user mode can often be recovered from.
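An added example, not from the article, that inventories the drivers currently loaded in the kernel, checks each driver file's Authenticode signature, and shows the user-mode driver host processes in which UMDF drivers run outside the kernel. It assumes the path forms WMI commonly reports for driver binaries and that WUDFHost.exe is the user-mode driver framework host process.

```powershell
# Added example (not from the article): list the drivers currently loaded in the
# kernel, check whether each driver file carries a valid Authenticode signature,
# and show the user-mode driver host processes (WUDFHost.exe) that run UMDF
# drivers outside the kernel on Windows Vista.

function Resolve-DriverPath {
    param([string]$RawPath)
    # WMI reports driver paths in several forms: "\??\C:\...", "\SystemRoot\...",
    # "System32\drivers\x.sys" or a plain drive path. Normalize to a drive path.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path   = Resolve-DriverPath -RawPath $_.PathName
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status.ToString() } else { 'file not found' }
        New-Object PSObject -Property @{ Driver = $_.Name; Signature = $status; Path = $path }
    }

# Anything other than "Valid" on a kernel driver deserves a closer look first:
# code running in the kernel is not subject to any of the user-mode restrictions.
$report | Sort-Object Signature | Format-Table Driver, Signature, Path -AutoSize

# UMDF drivers run in these user-mode host processes instead of in the kernel;
# a fault in one of them is recoverable, a fault in a kernel driver is not.
Get-Process -Name WUDFHost -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName | Format-Table -AutoSize
```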
Sometimes less is more. By restricting what privileges users and software have, you can help make the system more secure. Some of these protections are invisible, like service hardening. Some may take some getting used to, like User Account Control. And some may even require that software be updated to work well for Standard User accounts before everyone can take advantage of the benefits. But at the end of the day, when Windows Vista is deployed, you should have extra confidence that your infrastructure is less vulnerable to attack because more things are running with least privilege.