• Home
  • Report an Incident
  • Read Bulletins
  • Discuss Viruses
• Articles & Guides
  • For Everyone
  • For Sysadmins
  • For IT Managers
  • Recent Articles
• Resources
  • External Advisories
  • Vendor Information
  • Further Reading
• Tools
  • Network Scanner
  • Web Scanner
  • Certificate Authority
• Training
  • LSP Services
  • Unix Systems Support Group
  • Windows: End-User Security
  • Awareness and Education
  • SANS Partnership Series
• About
  • Contact Information
  • ITSO Staff
  • Mission Statement
  • Recent Changes
  • Site Index
  • Colophon
• Search

Running with Scissors

Do you hold really sharp scissors in your hand all day so that they’re always convenient to use? Of course not. The risk of injury to yourself and others outweighs the convenience. Similarly, when using your computer you usually don’t need to be a user with full privileges. The IT Security Office suggests following the Principle of Least Privilege. This principle teaches that you should normally operate without administrative privileges, logging in as a restricted user instead of administrator (Windows), or root (UNIX) access.

Giving yourself too much power can be dangerous – allowing viruses and other attacks to more easily compromise your computer. The IT Policy Office drafted policy IT-12, Security of IT Resources in 2002. It states that you should "perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities."

The ITSO suggests that you use a tool such as Run As in Windows, sudo in Unix/Linux, or Fast User Switching when you need to perform tasks that require administrator privileges. These tools allow you to perform tasks that require elevated privileges as needed while still logged in as a user with limited privileges.

In Windows, Run As... is usually an option when you right-click on a shortcut or program. In some cases (in the Control Panel), you will have to hold down Shift while you right-click to see the Run As... option. You can instruct a shortcut to always run with different credentials by right-clicking on it, choosing Properties, clicking Advanced, and checking Run with different credentials. A convenient way to open an Explorer window with administrator privileges is to create a shortcut to Internet Explorer, and setting it to run with different credentials. Then after it is open, you can type c:\ or Control Panel in the address bar.

Most of your day-to-day activities - checking email, surfing the web, listening to music, and typing papers – can (and should) be performed by accounts that are restricted. So, remember not to hold your scissors all the time. You’ll hurt yourself.

Additional Resources:

• What is the Principle of Least Privilege?
• MakeMeAdmin -- temporary admin for your Windows user account
• POLICY NO: IT-12, Security of University IT Resources
• Fast User Switching in Windows XP