Ramblings of an old Doc

 

A weekend blog post from MS about this. Not common at all.

This exploit would allow remote code execution if one visits an affected website, after browser compromise through email or even IM.

IE 10 and 11 are protected from this if they have “Enhanced Protection Mode” turned on. You are also protected if you have EMET 4.1 or 5.0 Tech Preview installed.

“Microsoft says that PC owners should always enable their personal firewall, make sure to have all of the latest software updates for their programs, and have all the most recent anti-virus and anti-malware definitions.

Finally, Microsoft said, " ... we encourage everyone to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders." The blog did not have any information on when Microsoft will release a patch that will close this latest IE exploit.” – Neowin

 

Update 1:


MS has confirmed the security hole and workarounds - read more here:

http://www.neowin.net/news/microsoft-confirms-workarounds-for-internet-explorers-major-vulnerability


Source:

http://www.neowin.net/news/microsoft-issues-security-advisory-for-internet-explorer-exploit


Comments (Page 2)
on Apr 29, 2014

DrJBHL
@ the_Monk: You're not getting away with your cleverly disguised attempt to not prepare the article I want from you.

If you just do a paragraph or two per day, you'll finish with no strain, you know...

And I do agree that the best line of defense is the local and group security policies...so...we all continue to await your tutorial.

 

I've been thinking a lot about any 'write up' I could do about least privilege (I started it a few times, even added screenshots to one of my attempts) but I kept coming to the realisation that, no matter how I approached things, while the concept of least privilege can be applied to any OS and/or hardware configuration, the ways in which one might do this are so numerous and varied as to make any one 'guide' not a realistic approach.

There are of course a few very general 'least privilege' principles one can use to shape / change the way most of us may have been (or may still be) thinking with regard to our computer system use.

1.  As has been exhaustively pointed out on the internet for years; use of limited user accounts for day to day activities.

2.  Using file permissions to grant/deny access to files for different user accounts.  Of course keeping in mind that the default behaviour is often for child objects to inherit parent object permissions and that DENY permissions over-ride ALLOW.  Delving deeper into file-permissions etc. often has the happy side effect of helping to create a more streamlined digital filing system as well.

3.  Using the local security policies to enforce additional privilege requirements such as privileges for things like driver installation, access to external or network devices, denying local console and/or remote logon to certain accounts/groups etc. etc.  This is obviously not for anyone who doesn't have a grasp on it, however the internet does have significant resources with regard to (and examples of) using/configuring 'local system security policies'.

'Least Privilege' is, when it comes down to it, a completely flexible and therefore never truly enforceable (through standards) approach to computing.  Even when setting up a home wireless network, instead of just using the 'quick setup' offered by most new routers, one should use the 'manual' approach and apply some 'least privilege' thinking.  For example, most new home routers allow for 'segregation' of the wireless network from internal LAN clients.  Why might this be important to someone?  You may have a 'home server' with personal media or other data on it; by simply segregating the wireless network from your internal LAN (you still share the same internet connection) you have applied 'least privilege' and maybe prevented someone getting access to personal data.
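The inheritance and DENY-over-ALLOW behaviour from point 2 above, as an added example that is not part of the original comment: a simplified Python model of how Windows orders and walks the access control entries on a file. It also covers the one case where DENY does not win, an explicit ALLOW set on the file itself against a DENY inherited from the folder; the account names and the two-bit permission mask are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits (constructed for this model)

@dataclass(frozen=True)
class Ace:
    kind: str                # "allow" or "deny"
    principal: str           # user or group name, standing in for a SID
    mask: int
    inherited: bool = False

def effective_dacl(parent_inheritable, child_explicit):
    """Child's own ACEs plus inherited copies of the parent's, in canonical
    order: explicit before inherited, deny before allow within each group."""
    inherited = [Ace(a.kind, a.principal, a.mask, True) for a in parent_inheritable]
    return sorted(list(child_explicit) + inherited,
                  key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, wanted):
    """Walk the ACEs in order. A matching deny on a still-needed right refuses,
    allows accumulate, and rights nobody granted are refused (implicit deny)."""
    remaining = wanted
    for ace in dacl:
        if ace.principal not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def demo():
    # Constructed scenario: a shared folder, a limited account "kid" in "Users".
    folder = [Ace("allow", "Users", READ | WRITE), Ace("deny", "kid", WRITE)]
    kid, guest = {"kid", "Users"}, {"guest"}
    plain_file = effective_dacl(folder, [])
    special_file = effective_dacl(folder, [Ace("allow", "kid", WRITE)])
    return {
        "kid reads inherited file": access_check(plain_file, kid, READ),
        "kid writes inherited file": access_check(plain_file, kid, WRITE),
        "kid writes file with explicit allow": access_check(special_file, kid, WRITE),
        "unlisted guest reads": access_check(plain_file, guest, READ),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

When auditing permissions, check a file's explicit entries as well as the folder's: a stray explicit ALLOW quietly undoes a DENY applied higher up the tree.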

 

on Apr 29, 2014

Another security point might be Disk encryption...

But the router point is well taken. Will try and get some better understanding of least privilege.


Just noticed that local group policies can't be edited in W7 Home Premium. 

on Apr 29, 2014

DrJBHL
Just noticed that local group policies can't be edited in W7 Home Premium.   

 

That is correct.  Only the PRO versions of MS Windows 7 allow for editing of the policies.

on Apr 29, 2014

The University of South Carolina has come up with a unique fix for IE.

Today they removed IE from ALL employee computers. They have told the employees they may use Firefox or Chrome instead.

At first I thought it was just one department's IT that was doing this but apparently ALL the IT departments were told by the main USC IT to remove IE from all computers.

on Apr 29, 2014

Probably a good local policy.

on Apr 29, 2014

PoSmedley
use Firefox or Chrome
Which has its own vulnerabilities. Other browsers are NOT "immune" to exploits. I wasn't aware IE could be removed from the OS, just disabled. WU depends on it, for one thing.

Arm-waving tinhat paranoia. More reading, if y'all have time for that.

"The bottom line is a combination of bias, lack of education, sheep mentality and the want to rush a story out, especially if it affects a lot of people along with words you can scare them with."

http://www.majorgeeks.com/news/story/stop_telling_people_that_removing_internet_explorer_will_make_them_safe(r).html

on Apr 29, 2014

I'm from the mindset that unfortunately folks tend to forget applying common sense to the use of computers and usually wind up reacting instead of acting.  We will all come up with our own opinions on IT Threats, the key is not losing our wits over them.  I think of it as much like taking a walk around the block you live on, each time you go out you can, and more than likely will, come across different things you should avoid, the occasional unleashed dog, the person at the corner with their hands in their pocket, etc.  You don't stop taking your walk, you just apply common sense.

on Apr 29, 2014

 

Philly0381
We will all come up with our own opinions on IT Threats,
 

Yeah well 'least privilege' goes more to one's overall 'approach' to computing rather than just being an opinion regarding threats etc.   Unfortunately that approach / stance towards computing hasn't yet become common sense for many!  

 

 

Philly0381
I think of it as much like taking a walk around the block you live on, each time you go out you can, and more than likely will, come across different things you should avoid,

Ummm.........where are you going for walks Philly?   I can't remember the last time I came home from a nice little neighborhood walk having noted something else to avoid.       Well ok maybe if you count the odd pile of doggy-doo some careless owner failed to pick up, but then if I spot such an infraction (I usually have more than one bag with me anyway) I'll pick it up and dispose of it properly anyway. 

on Apr 29, 2014

Wizard1956
Which has its own vulnerabilities. Other browsers are NOT "immune" to exploits. I wasn't aware IE could be removed from the OS, just disabled. WU depends on it, for one thing.

I'm confused. Windows Update is in the control panel. How does it rely on IE?

on Apr 29, 2014

kona0197
How does it rely on IE?
It uses the IE engine. I'm not going to explain how your computer works. Do your own googling.

Hint. Open WU in XP. You will see that IE is being used.

on Apr 29, 2014

Philly0381

I'm from the mindset that unfortunately folks tend to forget applying common sense to the use of computers and usually wind up reacting instead of acting.  We will all come up with our own opinions on IT Threats, the key is not losing our wits over them.  I think of it as much like taking a walk around the block you live on, each time you go out you can, and more than likely will, come across different things you should avoid, the occasional unleashed dog, the person at the corner with their hands in their pocket, etc.  You don't stop taking your walk, you just apply common sense.

on Apr 30, 2014

Update:

MS has confirmed security defect and workarounds. Read more here:

http://www.neowin.net/news/microsoft-confirms-workarounds-for-internet-explorers-major-vulnerability

 

on Apr 30, 2014

DrJBHL
confermed

on Apr 30, 2014

Doc, any thoughts on the first comment on the link you show, what about Firefox and Chrome? 

on Apr 30, 2014

RedneckDude


Quoting DrJBHL, reply 27
confermed?

Despite trying to disguise yourself as Jafo, the sheep standing next to you is a dead giveaway, Jim.

 

 

Philly0381

Doc, any thoughts on the first comment on the link you show, what about Firefox and Chrome? 

As has been stated in multiple places, multiple times Philly, those browsers are not vulnerable to the malware currently allowing remote code execution through Internet Explorer. Chrome, FF and all the browsers based on them (WhiteHat Aviator, Comodo Chrome, IceDragon...)

Also, you might be interested in the article I just put up about WhiteHat Aviator.
