Applying the Principle of Least Privilege to User Accounts on Windows
Published: January 18, 2006 | Updated: July 5, 2012
Now Available: a second technical white paper that expands our guidance for implementing the principle of least privilege on computers running Windows Vista and later versions of the Windows operating system. The new paper includes guidelines for using technologies introduced in Windows Vista, such as Fast User Switching and User Account Control, to improve your computer security at work and at home.
Download This Solution Accelerator
About This Solution Accelerator
There are compelling reasons for using standard user accounts both at home and at work. These white papers explain the reasons and provide links to other articles that explain how to operate Windows XP, Windows Vista, and other versions of the Windows operating system while using standard user accounts to complete most tasks.
Using standard user accounts to perform day-to-day tasks, like managing email, using a web browser, and communicating via an instant messaging program, is a more secure practice than using an account with administrative privileges for these tasks. When users log on with standard user rights rather than administrative user rights, the operating system is more secure because they cannot modify or bypass countermeasures like antivirus protection, intrusion detection, and firewall software. This means that an innocent user who unknowingly opens an email attachment that contains malware is less likely to compromise their entire computer.
Included in the Download
The following two papers are available for download:
- Least_Privilege_to_User_Accounts_on_Windows_XP.doc: This paper describes the least-privileged user account approach and provides information on related tools and resources for computers running Windows XP.
- Principle_of_Least_Privilege_Applied_to_Windows.docx: This paper describes the least-privileged user account approach and provides information on related tools and resources for computers running Windows Vista and later versions of the Windows operating system.
In More Detail
These articles explain the concepts behind the principle of least privilege, and how you can easily configure User Account Control in Windows 7, Windows Vista, and other versions of Windows to avoid using administrator rights that can open your computer to unnecessary risk. They also explain how to take advantage of Fast User Switching and other Microsoft technologies to improve the security of both home and office computers.
By implementing the concepts introduced in these papers, even if a user accidentally executes a file that contains a virus or some other form of malware, the antivirus software and other protective technologies installed on the computer will be much more effective at isolating and removing the threat than if the unfortunate user is left to perform the same actions. Moreover, in business environments, users running Windows with standard user rights will not be able to accidentally or deliberately bypass the policies and controls implemented by their organization's information technology team. And for shared family computers, different user accounts are protected from changes made by other accounts.
- Aaron Margosis' Blog
- An overview of The Administrator Accounts Security Planning Guide on TechNet
- TechNet Webcast: Limited User Access: The Good, the Bad and the Ugly (Level 300)
Community and Feedback
Want to know what’s coming up next? Check out our Microsoft Security Guidance Blog.
Join in discussions on managing IT security and compliance at the Security and Compliance Management Forum.
Contact the Solution Accelerators security team with your feedback: SecWish@microsoft.com.
About Solution Accelerators
Solution Accelerators are authoritative resources that help IT pros plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free, prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.