Least privilege won’t solve every security problem, but it’s a significant step in the right direction

My previous column on the questionable long-term effects of least privilege created a firestorm of controversy and discussion. Personally, I think controversy is good if it gives people on both sides of the argument a chance to reconsider their previous conclusions. If the argument changes your mind, then maybe your original conclusions needed more consideration. And if it strengthens your support, one way or the other, then at least you had an opportunity to reexamine your beliefs and provide yourself even stronger arguments.

What I wasn’t prepared for was how many people thought I hated Microsoft’s User Account Control (UAC), or thought I disagreed with the concept of least privilege. Both these arguments couldn’t be further from the truth.

There are lots of reasons to use least privilege mechanisms, UAC or otherwise. Off the top of my head, here are four:

First and foremost, least privilege models prevent 90 percent or more of today’s malware. You can’t ignore that statistic. Malware writers may easily code around least privilege when they need to, but it does significantly cut down on software that can cause harm today.

Second, least privilege mechanisms make it harder for malware to modify key system components. While malware may be able to still do harm — much harm — with user-mode programming alone, not being able to semi-permanently modify the operating system does provide protection you would not have otherwise.
This makes it more difficult for malware to hide from anti-malware software and forensic investigators. Malware with system access can install itself as a rootkit, more easily hide in memory, or perform myriad other obfuscation techniques that make it more difficult for the good guys.

Third, if your end-users don’t have administrative access to their machines, you can prevent them from installing unapproved software. Since the vast majority of today’s malware relies upon the end-user installing or clicking on something they shouldn’t, as well as having admin or root access, not having it will prevent attacks.

Limits are good

Least privilege (such as UAC, su, and so on) is a good thing. Using it can only improve security measurably. The key takeaway point of the previous related column is that least privilege mechanisms are part of a defense-in-depth puzzle, but surely not the endgame.

Not to start up another firestorm of controversy, but it’s the same issue with firewalls. Sure, a properly configured firewall can prevent all sorts of network-connecting, dial-home, blast-the-Internet-and-attack-other-people malware — well, all the malware that doesn’t use ports 80 and 443. Nearly all computers and networks allow port 80 and 443 communication to flow from trusted computers onto the Internet, and the related response traffic to come back in.

If malware wants to be more successful, aside from other port-specific buffer overflows (for example, the MS-Blaster worm on RPC port 135), it should always use port 443. Why? First, it’s always open and allowed out onto the Internet, and 99 percent of companies have no way to monitor SSL/TLS encrypted traffic over port 443. The malware can use Internet encryption standards to bypass detection.

I’ll go further: Any network-connecting malware not using port 443 to dial home and spread is unintelligent software. When every network and computer in the world closes down every unauthorized port, it won’t stop malware.
Malware writers require only one guaranteed-to-be-open port to do everything they need.

Least privilege log-on models are great and necessary, but they aren’t fail-safe security defenses. Ultimately, the malware writers will easily write around them and continue doing all the mischief they want.

The fourth reason for least privilege

But the fourth reason why least privilege mechanisms are desirable and necessary is that they allow defenders to concentrate their efforts on better protecting fewer ingress points.

For example, suppose you have a castle with four entry points over the surrounding moat. When you have that many entry points, you have to provide equal protection (from soldiers, hot tar, flaming arrows, and more) to all four of them; otherwise, the attacker will learn the weakest point and attack it first. By reducing the number of entry points, the defensive force can spend less money overall and better protect what remains. The same goes for least privilege computer defenses.