Daniel Eran’s series, which looks at five examples of core Windows architectural problems relating to process management, applications and security, has reached Flaw #3.
The first two:
Flaw 1 – Windows’ Interactive Services
Flaw 2 – Windows’ opaque and illogical file system presentation
Eran’s third flaw is “‘Least privilege’ is impractical and broken.” Eran writes:
As computers joined networks, they were exposed to real external threats that demanded more attention to security. UNIX, and later Windows NT, took somewhat similar approaches to providing this, by handing authority to a privileged kernel that preemptively scheduled tasks, restricted access to protected memory and other hardware, set ownership and permissions on files, and defined users with restricted privileges.
The capacity for restricted users allows applications and processes to run with the least amount of privilege necessary, so if they are compromised, anything that takes control is restricted in what damage it can cause.
Limited user privileges act like janitors in a high security building; they have enough security clearance to do their work, but are restricted from areas they don’t need to enter. If someone were to steal their keys, they would still only have limited access within the building.
“Least privilege” is an important security principle that is poorly implemented in Windows. Part of the problem is sloppy programming by application developers, who demand excessive privileges when installing applications and consequently require users to have administrative privileges simply to run them. In Windows, the janitors have keys to everything. Pick a janitor’s pocket, and you have free run of the entire building.
Full article here.
Architectural flaws in Microsoft Windows already solved in Apple’s Mac OS X – October 10, 2005