
Computer Security 101 - Part 6 - User Permissions

I skipped ahead in Part 2 of my Computer Security 101 entries to cover passwords, or rather passphrases, despite it falling out of line with an outside-in approach to security. Entering into the actual desktop arena, I am going to skip ahead of a few items to cover the important field of User Permissions.

Assuming you have followed the best practices I have outlined previously in parts 1 thru 5, in order to gain access to a desktop a malicious person would need to either bypass your firewall, hack your wireless, plug a hard-line into your network or be sitting directly at a workstation. From there they would then need to begin cracking the various passphrases on your computer or network to do any major damage. While these are all possibilities, they fall in the realm of highly improbable; again, assuming you have followed the prior posted best practices. Instead the real threat comes from you: the user.

I'm not referring to malicious users, but rather the unintentional threats presented by your own daily activities, curiosity and, to a lesser extent, lack of knowledge. It is here that the greatest potential for attack on a computer system lies. It is here that most breaches in a system occur. Here be users.

User permissions are probably the most under-managed and overlooked area of computer security, both at the home computing level and within enterprise organizations. Users break things. Users also bring in spyware, adware and viruses. The sad thing is that with proper user permissions most of these problems can be averted.

I will give an example of just how effective proper user permissions can be:

A while back my daughter had started to use my laptop to work on school projects. Being a person in general and a teenager in particular, she used the laptop for other things as well, such as going to her MySpace page. One thing led to another and I was removing all sorts of spyware and trojan viruses from that laptop by the time she left that weekend. Yes, one weekend and the laptop was a cesspool.

Now, to put things in perspective this laptop was running the latest in enterprise level virus scanning software, as well as several anti-malware programs. All software and definitions were up to date. Yet, in a short 48 hours it was covered with all sorts of nasty little buggers. The reason? The account she was using had administrator level permissions. That was it; that was the security breach.

Mind you, the rest of my home network kept that laptop from "spreading the disease" or becoming a bot for malicious users, but it was a reminder to myself as to just how important user permissions can be. Since that time she has been set up with a user level account and there has not been a single instance of reinfection. If that is not enough convincing, let me point out that because she has effectively commandeered this laptop, the only account to log on for weeks at a time is hers. She is also not one to update the virus definitions, nor can she with her user permission level (as I said, enterprise antivirus software). But the laptop remains clean as a whistle, all thanks to reduced user permissions.

The lesson to be had here is that everyone should be performing their day to day computer activities with a computer account granted as few permissions as possible. In the Windows environment this means being a member of the "Users" group, as opposed to the default on a home computer, which dumps accounts automatically into the "Administrators" group.

To be completely clear, when I say "everyone," I mean everyone. At the home level a simple user account should be used for 99.999% of your activities. At the corporate level, every employee should be performing their work using a simple user account. This includes department heads, vice presidents, and even IT personnel. Especially IT personnel and most especially developers. 99.999% of all your activities at your desktop can be accomplished using a standard user account.

In order to cover the 0.001% of the time where less restrictive permissions are required, companies have an IT staff to handle things. And those IT personnel should have a second account with appropriate permissions to be used strictly for performing these 0.001% tasks. Home computers should be set up in the same manner as IT personnel: one User level account for everything and one Administrator level account for the stuff not covered by everything.
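The two-account layout described above can be audited and enforced with the LocalAccounts cmdlets that ship with Windows 10 and Windows Server 2016 and later. The following script is an added example, not something from the original post: it lists every member of the local Administrators group, flags the local user accounts that should be moved to the Users group, and provides helpers to create an everyday standard account and to demote an over-privileged one. The designated admin account name `LocalAdmin` and the sample account name `daughter` are placeholders.

```powershell
# Added example (not from the original post): audit and enforce the
# "one Users-group account for everything, one Administrators-group account
# for the rest" layout on a Windows machine using the LocalAccounts module.
# Run this from an elevated session opened with the separate admin account.
#Requires -RunAsAdministrator

# Assumption (placeholder): the one named account allowed to stay in Administrators.
$DesignatedAdmin = 'LocalAdmin'

function Get-AdminGroupAudit {
    # Enumerates the local Administrators group and marks which local user
    # accounts should be demoted. The built-in Administrator (RID 500) and
    # domain/other groups are reported but never flagged.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $member    = $_
        $shortName = ($member.Name -split '\\')[-1]
        $isBuiltIn = $member.SID.Value -match '-500$'
        [pscustomobject]@{
            Name            = $member.Name
            ObjectClass     = $member.ObjectClass
            PrincipalSource = $member.PrincipalSource
            ShouldDemote    = ($member.ObjectClass -eq 'User' -and
                               -not $isBuiltIn -and
                               $shortName -ne $DesignatedAdmin)
        }
    }
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Creates the day-to-day account. New-LocalUser does not put the account
    # in any group, so it is added to Users explicitly and never to Administrators.
    $user = New-LocalUser -Name $Name -Password $Password
    Add-LocalGroupMember -Group 'Users' -Member $user
    return $user
}

function Remove-FromAdministrators {
    param([Parameter(Mandatory)][string]$Name)
    # Demotes an account flagged by Get-AdminGroupAudit while making sure it
    # still belongs to Users so the person can keep logging on for normal work.
    Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    $inUsers = try {
        Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction Stop
    } catch { $null }
    if (-not $inUsers) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

# Usage: review first, then act.
Get-AdminGroupAudit | Format-Table -AutoSize
# $pw = Read-Host -AsSecureString 'Password for the everyday account'
# New-StandardUser -Name 'daughter' -Password $pw
# Get-AdminGroupAudit | Where-Object ShouldDemote |
#     ForEach-Object { Remove-FromAdministrators -Name $_.Name }
```

Run the audit by itself first and read the `ShouldDemote` column before uncommenting the demotion line; in particular, keep the account you are logged on with (or the designated admin account) out of the demotion set, or you will lock yourself out of administering the machine. On a domain-joined workstation the members of Administrators are often domain groups rather than local users, which is why the audit only flags entries whose ObjectClass is `User`.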

I have heard all sorts of complaints and excuses in the past as to why "so-and-so" is a local administrator on their desktop, or why a developer needs to be an administrator, or why it is inconvenient to have to switch user accounts. To these excuses I say a nice resounding "Bull Shit."

Inconvenient is a home user having to spend $65 an hour to clean all the malware off their computer. Inconvenient is trying to fix your credit after your identity has been stolen. Inconvenient is having your company blacklisted on Spamhaus because a developer's computer is sending out spam thanks to a virus. Inconvenient is having to explain to your customers how their personally identifiable information might have been lost as part of a recent security breach. Inconvenient is going before a judge to explain your company's negligence. These things are inconvenient; having to log off your computer and back on with a different account to install new software is not.

There are other areas of user permissions aside from the simple User versus Administrator distinction, but that really becomes a case-by-case kind of thing. The best rule to follow is to start off with the most restrictive level of permissions possible for each person and then tweak things as needed. You might get yelled at for a person's lack of access to something, but you are not going to get subpoenaed; and any yelling stops when you fix the problem.


Harold Bright on:

It's been a while since I have had the time to check into the site.
I just wanted to say BRAVO my friend. This is why I miss working with/for you.
