Home > Articles > Programming > Windows Programming

  • Print
  • + Share This
Like this article? We recommend

Least Privilege for Mere Mortals

There is a good chance that every single reader of this article and series works a help desk. Even if you don't do it as a full-time job, you probably provide various levels of support for friends, relatives, and new acquaintances at cocktail parties who learn you're a geek. If I've done a good job in this series so far, you've thought about moving all your help desk "clients" to LUA accounts. I certainly did, when I first got the least privilege religion.

Alas, the current state of LUA in Windows is not such that you can impose it on non-technical users. Run As, as just one example, is likely too difficult a concept for such a user to understand and cope with. I certainly don't want to be responsible for any breakdowns in your cherished relationships, so I just can't recommend moving these non-technical users to LUA. But perhaps imposing least privilege would be a good way to get a pesky neighbor to stop pestering you with questions.

One option you can consider is to use blank passwords and Fast User Switching in Windows XP Home and Professional. Gasp! A blank password? Yes, indeed. This is actually a fairly secure environment. Microsoft set it up so that such users have no network access to domains and have other limitations that make it a decent if not bulletproof option for non-technical users. It's obviously not appropriate for corporate environments, but is great for home workgroups. As compromises go, it works acceptably. For a good description of this option, see Aaron Margosis' blog entry about it.

I hope that the techniques and tools I've covered in this article will get you on the path to the least privilege lifestyle and safer computing. Next time, I'll switch gears and talk about running as a non-admin when you're developing software.

  • + Share This
  • 🔖 Save To Your Account