Microsoft is sparing no expense to spread the Least-privileged User Account security gospel ahead of next year's Longhorn launch, but a little-known fact - especially among IT administrators and end users - is that the technology is already available in the Windows operating system.
The LUA principle, also known as non-admin or minimum rights, is accepted within software security circles as a key to reducing damage from malicious hacker attacks, but on Windows systems, although the option is available, experts say end-user adoption remains "frighteningly low."
"To the average user, the notion of non-admin is abstract and obscure," said Michael Howard, a senior security program manager in Microsoft Corp.'s security business and technology unit. "Most users just don't know they can set up least-privilege accounts in Windows today, and that's just a sad reality."
Howard has long argued that Windows users can run as administrators and conduct everyday computer tasks by dropping unnecessary administrative privileges when using Internet-facing tools, but because the Windows default is for accounts to be set up with full administrative privileges, the damage from nasty malware attacks is worse than it should be.
In an interview with Ziff Davis Internet News, Howard used the example of a recent mutant of the Bagle worm family, a piece of malware able to create files in the system32 directory, disable firewalls and other processes, and delete key registry values. "All those things require admin rights and would fail if the system were set up as non-admin," he argued.
Full story: eWEEK