The Importance of the Principle of Least Privilege

My two favorite people to read on the subject of security are Michael Howard and Keith Brown. In a recent posting, Keith explains the Principle of Least Privilege, and why it’s important. The most important reason for limiting the security privileges your code requires to run is to reduce the damage that can occur should your code be exploited by a malicious user. If your code only runs with basic user privileges, it’s difficult for malicious users to do much damage with it. If you require users to run your code using administrator privileges, then any security weakness in your code could potentially hand control of that machine (and potentially other connected machines) to malicious code that exploits that weakness.

But another important reason to follow the Principle of Least Privilege is highlighted by Brown’s post:

When you ship programs that don't follow these guidelines, your program breaks when users attempt to run with least privilege (under normal, non-administrative user accounts).

I had the misfortune of running into this recently when working with a beta product for a writing project I’m working on (since it’s a beta, and since I’ve been assured that the next release corrects the problem, I won’t harp on which product). When attempting to put together a code sample for one of the cool new features, I was unable to get the code to work as expected. I followed the examples I’d been provided to the letter, and I’d been able to get another code sample (that used an earlier version of the product) to work just fine. After a few emails, I was told that the problem was that the beta product required me to log in with a specific, highly-privileged account in order for the feature I was using to work. Now I had already been logging in with an account that had admin privileges (shame on me), but even that wasn’t enough. Suffice it to say, this simply should not have been the case, and the bug likely existed because the developer working on that feature hadn’t tested with a lesser-privileged account, nor had the person from whom I got the examples I was working with. Had either or both of these developers been following the Principle of Least Privilege, I would have saved several hours of tearing my hair out over why a very simple code sample wasn’t working properly.

This is not by way of beating up on those developers (though I hope that they’ll think about the consequences of developing using highly-privileged accounts) but to highlight the reasons that this principle is important. Fortunately, the above case was pre-release software, so they still have time to fix the problem. But I’ve seen far too many cases where programs require admin privileges for no better reason than the fact that the developer did not follow Windows’ coding guidelines (for example, programs that write user-specific settings to the Program Files tree), and did not bother to test with a non-admin account (in which case they would’ve noticed that such writes fail when run by a non-admin). That’s sloppy programming, and it’s something we all need to work to eliminate.