To: Ed Skoudis and Lenny Zeltser
From: Rick Graves
cc: Roger Grimes, Jenni Merrifield @microsoft.com, PC Magazine, Stephen Northcutt
Re: least privilege and Windows XP
Date: 13 March 2005


Hello Ed and Lenny,

I am reading your recent book, "Malware, Fighting Malicious Code".  I am writing because you give good advice concerning least privilege, but I think you should adopt some additional explanation if you want the advice to be understandable to most Windows XP users, such as those using stand-alone systems.

In addition to introducing "the principle of least privilege" on page 59, your book says this:

begin quote

Never, ever, ever surf the Web or read e-mail while logged in as a root user on UNIX or any user in the Administrator's group on Windows.  You're asking for trouble if you surf or read e-mail in this way, because all malware inside your browser or mail reader will run with superuser privileges.

end quote

I agree 100% that the advice is good.  The problem is the advice is expressed using words that Microsoft did not teach to rank and file Win XP users.  As a result, I believe the words in the book would NOT result in most Win XP users understanding the advice or knowing how to apply it.  

In PC Magazine's web version, from November of 2004, there is an example of an explanation that would be easy for a Windows XP user to understand and follow, here:

PC Magazine: Limited User Accounts, Nov 2004

The article does a good job of explaining how to set up and use a "Limited" account -- the (non-standard) Win XP term for an account without administrator/superuser/root privileges.  However, note that the article does not mention the term "least privilege".  

The passage from your book above would be incomprehensible to most Win XP users in part because they already "know" that each person can have one and ONLY ONE account (more on this later).  Since they "know" that a person can only have one account, your advice to "Never, ever, ever surf the Web or read e-mail while logged in as ... any user in the Administrator's group on Windows" does not compute!  Also, the term "Administrator's group on Windows" is a Windows server concept that most users of stand-alone Win XP systems have never seen.  

I have been using Win XP since it was released in 2002, and for almost the whole time I have been applying the principle of least privilege without knowing the term.  I ran across the term "least privilege" for the first time in January of this year, when Roger Grimes brought the following Microsoft TechNet article, "Using a Least-Privileged User Account", to my attention:

MS Technet: Using a Least-Privileged User Account

Here is a quotation from the article:

"Today, due to awkward complications that arise when it is employed, least privilege is not in active use on most Microsoft Windows–based systems."

This statement says that 1) least privilege is not in active use on MOST Microsoft Windows–based systems, and 2) this is BECAUSE of "awkward complications".  (Here, "due to" means there is a cause and effect relation.)   The TechNet article mentions one reason why this state of affairs came into being:

"One reason for so many Windows users running with an administrator account is that 'Administrator' is the default type for new accounts on Windows XP, Windows 2000, and Windows Server 2003."

Obviously, this is not the result of a freak accident.  Rather, Microsoft made a deliberate choice that least privilege should not be used on most Microsoft Windows–based systems, Microsoft took steps to implement that choice, and the steps succeeded in bringing about the end result that Microsoft wanted -- least privilege is in fact NOT used on most Microsoft Windows–based systems today.  As a shorthand, I refer to Microsoft's choice, steps and end result as "sweeping least privilege under the rug" in Win XP.  

Here are some of the other steps not mentioned in the article that I have identified:

  1. Push the idea that a person can have one and only one account (more on this below), hence everyone wants to be an administrator,

  2. Apply the pejorative label "Limited" to the regular user account, hence no one wants to be "Limited",

  3. Make sure there is no recommendation to apply the principle of least privilege anywhere rank and file Win XP users are likely to find it, and

  4. Adopt non-standard terminology for the least-privilege-compatible features in Win XP (such as "Limited" account), so that third-party advice, such as that presented in your book, is incomprehensible to rank and file Win XP users.

The last two, 3 and 4, are related but different.  Item 3 is about withholding the recommendation to take advantage of the protection afforded by least privilege.  Item 4 is about adopting non-standard terminology to describe features that relate to least privilege.  Item 4 helps implement item 3 by tending to render third-party recommendations to use least privilege incomprehensible.  

I have referred to the numbered steps above as a "misinformation campaign" in an email to Jenni Merrifield, the author of the TechNet article.  A friend who is a computer professional advised me that the "misinformation campaign" term is inflammatory.  In these circumstances, as a short-hand label for the four steps, would you think the term is fair or unfair?  

Before it launched Win XP, Microsoft had the idea of using multiple accounts in Win XP.  For programs that do not work in a "Limited" account, Microsoft knew that running such programs under an administrator account would effectively work around the problem -- this solution is set forth in the last paragraph on this screen from Win XP:

Win XP "Limited" account dialog

The text for this screen shows a plan that programs bearing the "Designed for Windows XP" logo would work properly under a "Limited" account, but legacy applications might need to be run under an administrator account.   "For best results, choose programs bearing the Designed for Windows XP logo ...."  Microsoft abandoned the plan but forgot to change the wording on this dialog. 

Following the "awkward complications" sentence, the TechNet article's next sentence reads as follows:

"However, with the release of the next Windows operating system, codenamed 'Longhorn' almost every user will be able to make regular, daily use of this important security principle."

But today, every Windows XP user can already make regular, daily use of the principle of least privilege -- there is no need to wait, and there is nothing more to buy.  (The PC Magazine article from November 2004 explains how.) 

To the vast majority of Windows XP users, who do NOT know that their current operating system already has least privilege capabilities, the quoted sentence would obviously cause them to understand that least privilege is a new feature in Longhorn -- for which they will have to pay to upgrade.  The TechNet article is not advertising, and there can be no false advertising without advertising.  However, if Microsoft were to make a similar claim in connection with the Longhorn advertising campaign that will surely come, I believe the claim would be illegal false advertising.  That sentence could only be OK if the sentences immediately following explained that least privilege capabilities are already available in Win XP.  (In the TechNet article, the sentences immediately following do NOT explain this.) 

According to Microsoft, rank and file Win XP users should not use the principle of least privilege until after they buy Longhorn.  Note that the intended audience of the TechNet article is NOT the rank and file.  Rather, for now, Microsoft is introducing the principle of least privilege only to the consultant crowd and other disciples of the word from Microsoft.  (Microsoft does suggest in the article that the TechNet crowd can try least privilege for now, but does not recommend spreading the word on least privilege to the rank and file.)  

Another quotation that illustrates the effectiveness of Microsoft's efforts to sweep least privilege under the rug:

"Unfortunately, almost all Windows users today continue to use an administrator account for their daily tasks."

To understand the status of least privilege in the Windows world today, I think the article merits careful reading.  Also bear in mind that for the message in the passage from your book to be implemented by Win XP users, you must explain the content clearly and with enough emphasis to get least privilege out from under the rug and into the open.  

The message from popular personal computer press has been consistent with Microsoft's choice to sweep least privilege under the rug.  Here is an example -- until November 2004, this is what PC Magazine had to say about "Limited" accounts (again, using the non-standard Win XP term "Limited" for reduced privilege accounts):

"The standard recommendation for home users of Windows XP is to give Administrator accounts to adult users and Limited accounts to children."

PC Magazine: Limited Accounts in Win XP, May 2003

Note that the prior line in PC Magazine from May 2003 was based on "one person, one account" thinking -- adults get administrator accounts, children get "Limited" accounts.  But the whole point of that particular article was that since many games do not work under "Limited" accounts, you have to upgrade the kids to administrator accounts as well!  Every computer user gets one administrator account!!!

Although the more recent, November 2004, PC Magazine article does a good job of explaining how to apply the principle of least privilege (without using the term), the bottom line recommendation is that it is not worth the bother!  This is the last paragraph:

begin quote

The bottom line is that the limited-user option, while attractive from a security perspective, creates difficulties for users. The impediments to running Windows smoothly from it are significant unless the machine configuration rarely changes. Until Microsoft and application developers address the problem, users are left to choose between security and smooth function, and that's not a choice anyone should have to make.

end quote

PC Magazine: Limited User Accounts

To me, the contrast between your recommendation and that of PC Magazine is striking.  Given the same least privilege option, you and PC Magazine end up at different extremes.  How could this be?  One obvious difference -- Microsoft advertising revenue (PC Magazine) and lack thereof (the two of you).  This was driven home to me when I read the TechNet article for the first time, in January, and this sentence in particular:

"However, with the release of the next Windows operating system, codenamed 'Longhorn' almost every user will be able to make regular, daily use of this important security principle."

After I read the TechNet article in January, the November 2004 PC Magazine article made perfect sense by adding a new sentence to the last paragraph quoted above, on the end:  "Wait and buy Longhorn."  I urge you to try it yourself -- re-read the last paragraph from the PC Magazine article, quoted just above, and add to the end, "Wait and buy Longhorn."   

It seems to me that PC Magazine adopted a bottom line recommendation to save the market for Longhorn, and this explains why PC Magazine's bottom line is the opposite of yours.  The wording of the TechNet sentence and where PC Magazine came out on least privilege suggest to me that in the upcoming Longhorn advertising campaign, Microsoft plans to tout least privilege as a new feature in Longhorn that computer users will want to get and for which computer users will want to pay.  

I have informed Microsoft that if the upcoming advertising campaign gives the impression to Win XP users that least privilege is a new feature in Longhorn, I would object to the States' Attorneys General and to the FTC in Washington, DC.  The exchange of emails is here:

email to MS 2005-01-26
email from MS 2005-02-01
email to MS 2005-02-23

One person, one account

Before any Win XP user can be receptive to your recommendation to use least privilege, the Win XP user must unlearn what they already know: that each person can have one and only one account.  

Win XP users who install their own operating system get their first dose of "one person, one account" from the setup screens.  Here is the text from the screen that sets up accounts:

begin quote

Who will use this computer?

Type the name of each person who will use this computer.  Windows will create a separate user account for each person so you can personalize the way you want Windows to organize and display information, protect your files and computer settings, and customize the desktop.

Your name:

2nd User:

{etc.}

These names will appear on the Welcome screen in alphabetical order. When you start Windows, simply click your name on the Welcome screen to begin.  If you want to set passwords and limit permissions for each user, or add more user accounts after you finish setting up Windows, just click Control Panel on the Start menu, then click on User Accounts.

end quote

Here is a big photo of the screen:

Win XP Install 5 (big)

I did a Win XP install in January and took pictures of all the screens in the process.  In case you think that Microsoft must have put in a recommendation to use least privilege somewhere, all the screen shots are here:

Win XP Install 0
Win XP Install 1
Win XP Install 2
Win XP Install 3
Win XP Install 4
Win XP Install 5
Win XP Install 6
Win XP Install 7

These are smaller versions, more suitable for downloading.  I have the originals which are bigger, and the link to the original account set up screen is above.

The other "smoking gun" example of one person, one account is the PC Magazine article from May, 2003.

PC Magazine: Limited Accounts in Win XP, May 2003

Quoting again from the TechNet article,

begin quote

The Security Principle of Least Privilege


If low-privileged processes are compromised, they will do a lot less damage to a system than high-privileged processes are capable of doing. Consequently, using a non-administrator account instead of an administrator account while completing daily tasks offers the user added protection against infection from a host of malware, external or internal security attacks, accidental or intentional modifications to system setup and configurations, and accidental or intentional access to confidential programs or documents.

end quote

As you know, all of the above benefits are available in Win XP today -- there is no need to wait, and there is nothing more to buy.  It is however true that there are many applications that do not work properly or at all under a "Limited" account.  However, Microsoft's Internet Explorer and all versions of Outlook that I have tested DO work properly under a "Limited" account.  One way to work around the problems is to use a "Limited" account for surfing and for email, and to use the administrator account for everything else.  This step applies the least privilege protection where it is most needed.  
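The split described above can be checked and set up from the command line. This is an added example, not code from the letter, the book or Microsoft; it uses only the `net user` and `net localgroup` commands, which exist on Windows XP and later, parses their English-language output, and uses the placeholder account name `WebMail`.

```powershell
# Added example (not from the letter): audit which local accounts sit in the
# Administrators group (the "everyone is an administrator" state described
# above) and create a non-administrator account for Web browsing and e-mail.
# Assumes English "net" output and an administrator session; 'WebMail' is a
# placeholder account name.

function Test-CurrentUserIsAdmin {
    # True when this session's token is in the local Administrators group,
    # i.e. the situation the book warns against for surfing and reading mail.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # "net localgroup Administrators" prints a header, a dashed separator, one
    # member per line, then a completion message; keep only the member names.
    $lines = @(net localgroup Administrators)
    $sep = $lines | Select-String -Pattern '^-{5,}$' | Select-Object -First 1
    if (-not $sep) { return @() }
    # Select-String's LineNumber is 1-based, so it indexes the line after the separator.
    return $lines[$sep.LineNumber..($lines.Count - 1)] |
        Where-Object { $_.Trim() -and $_ -notmatch 'completed successfully' } |
        ForEach-Object { $_.Trim() }
}

function New-LimitedAccount {
    param([string]$Name)
    # "net user <name> * /add" prompts for the password rather than taking it on
    # the command line. On XP such an account lands in the Users group, which the
    # User Accounts control panel labels "Limited"; the control panel's own
    # default for a new account would have been Administrator.
    net user $Name * /add /comment:"Least-privilege account for Web and e-mail"
    if ((Get-LocalAdminMembers) -contains $Name) {
        throw "$Name unexpectedly ended up in Administrators; remove it with: net localgroup Administrators $Name /delete"
    }
}

if (Test-CurrentUserIsAdmin) {
    Write-Warning "This session runs as an administrator: browse and read mail from a Limited account instead."
}
"Accounts in the local Administrators group:"
Get-LocalAdminMembers | ForEach-Object { "  $_" }
# Uncomment to create the least-privilege account (prompts for its password):
# New-LimitedAccount -Name 'WebMail'
```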

I put out exactly this recommendation in a shotgun "to whom it may concern" email in September, with the subject "more bulletproof Win XP", the text of which I have put here:

more bulletproof Win XP

The editor in chief of PC Magazine, Michael Miller, gets big credit in my book for being sharp enough to pick up on this, leading to the November article from which I quoted above.

Using Win XP in this way both works around many (maybe all) of the "awkward complications" and is fully consistent with the recommendation in the passage from your book.  

I mentioned above that I have informed Microsoft that if the upcoming advertising campaign gives the impression to Win XP users that least privilege is a new feature in Longhorn, I would object to the States' Attorneys General and to the FTC in Washington, DC.  One element of the circumstances is that the majority of Microsoft's Win XP user base are not likely to get the message that a computer owner can have both an administrator account and a least privilege account.  In my last email to Microsoft, I used the term "one person, one account brainwashed" to refer to persons who are not receptive to using least privilege today because they "know" that a person can have one and only one account.  The friend who is a computer professional also advised me that "one person, one account brainwashed" is inflammatory.  On one level, I agree with him.  However, the purpose of the communication was to put Microsoft on actual notice of what I would be sharing with the States' Attorneys General and FTC in the event that Microsoft's communications tend to mislead current Win XP users.  This would come about only if the upcoming Longhorn advertising campaign gives the impression to Win XP users that least privilege is a new feature in Longhorn.  The subjective understanding is key here, as most Win XP users do not have full knowledge because Microsoft chose to misinform them about the least privilege features in Win XP. 

So if you want most Windows XP users to understand your recommendation on least privilege, I suggest you should consider some additional explanation.  

I hope this is helpful.

Regards,

Rick Graves