Company Cuts Privileges to Cut Malware

One way to minimize your exposure to malware is to reset your Windows client machines to run without system administrator rights, a.k.a. least-privilege user. But is a least-privilege user underprivileged? "Ideally when they come in and use their machine, they shouldn't see any difference," says Keith Brown, network administrator at Gwinnett Health Systems, which has eliminated systems admin rights on over 2,700 of its Windows XP clients. Gwinnett is an Atlanta-area nonprofit healthcare system with over 4,000 employees and 750 physicians.

Administrative rights leave the door open for sophisticated malware to gain control of a client machine, as well as for naughty users to load unauthorized apps. The least-privilege user concept is getting more attention these days -- Microsoft, for example, is making it a standard feature in Windows Vista, and letting these "nonprivileged" users do some mundane tasks that once required admin privileges, such as connecting to an ad-hoc WiFi network.

The only tradeoff Gwinnett has experienced with the least-privilege approach is that some users may have limitations in which wireless networks they can access -- XP requires a user to have admin rights to connect to an ad-hoc WiFi network -- but Brown says they then use LEAP (Lightweight Extensible Authentication Protocol) wireless authentication. "They shouldn't have any problems jumping on their home wireless LANs as long as they know the authentication mechanism."