Forum Thread: Best practice for least user privilege?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI 2.0 Beta

This thread has been marked as locked.
mzqyl Best practice for least user privilege?
Member 10th Sep, 2010 21:36
Ranking: 0
Posts: 7
User Since: 10th Sep, 2010
System Score: N/A
Location: US
Last edited on 10th Sep, 2010 21:41

If you are concerned about security, you run as a true standard user most of the time in accordance with the principle of least user privilege but PSI won't run under a standard user account. The fact that PSI needs admin privileges isn't surprising and seems legitimate enough given what it does.

The question: If you want to keep your system updated using PSI and you want to adhere to the principle of least user privilege (i.e. run as standard user most of the time), what does Secunia consider best practice for accomplishing this?

The auto updating in PSI 2 is wonderful but if you have to manually start-up the program with admin privileges or switch to an account with admin rights much of the benefit is moot.

Note that there was a thread started by another user on this issue in the PSI forum a couple of weeks ago ("non-admin usage and missing software") but it was closed and the response wasn't helpful.



Anthony Wells RE: Best practice for least user privilege?
Expert Contributor 10th Sep, 2010 23:08
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 10th Sep, 2010 23:09
@mzqyl,

This is a long standing subject of debate and still without a satisfactory outcome for many :-

http://secunia.com/community/forum/thread/show/307...

I still use XP and browse in a sandbox, as I posted there, which is my way of dealing with the situation.

The question is how often do you need/wish to run/scan with the PSI?? You need to scan for the "auto-update" to set itself.

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
This user no longer exists RE: Best practice for least user privilege?
Member 13th Sep, 2010 10:12
Hi,

There are several reasons the PSI only runs as the Administrative users.
First and foremost, there would simply be little purpose to running the scan if you are not logged in as a user with the privileges to actually install the patches in question.
Secondly, since the PSI (in version 1.5.x) by default scans all connected hard drives, administrative privileges would be required to access certain drives.

If, however, you still want to run the PSI while logged in as a non-privileged user, you can simply make use of the Runas feature, by right-clicking the PSI executable, selecting "Run as", and entering the credentials of an administrative user (the same procedure should apply to all supported versions of Windows).

Hope this helps.
mzqyl RE: Best practice for least user privilege?
Member 13th Sep, 2010 17:26
Score: 0
Posts: 7
User Since: 10th Sep 2010
System Score: N/A
Location: US
Last edited on 13th Sep, 2010 17:33
@Emil

Thanks for the response but you didn't answer my question: I didn't ask why can't PSI run on a standard user account or how do you run PSI when logged in as a standard user; I asked: what does Secunia consider best practice?

Let me take a stab at answering the question. Given the way PSI works best practice is as follows:
Conduct normal work running as standard user and periodically, say once a week, log out of your standard user account, log in to an Admin Approval Mode (AAM) account --the default account type in Vista and W7 (i.e. the one where you OK UAC prompts to elevate privilege)--for the **sole purpose** of running PSI and installing patches, log out of the AAM account once the process is complete, and log back in as standard user to continue normal work.

(Running as a standard user using RunAs --aka Over The Shoulder (OTS) Mode where you have to enter the credentials for a separate AAM account--would be next best but doesn't offer the same degree of security.)

Why is this best practice? We know from Secunia that even a fully patched application such as a web browser has plenty of vulnerabilities. What protects users from the vulnerabilities that don't have patches yet? Beyond Trust had a report out earlier this year that 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009 would have been mitigated by running as standard user.

So, the advantages of the automation feature in PSI 2 are moot. Sure, you may very well be better protected against vulnerabilities for which there are patches but because you have to run as admin to be automated you have a much higher risk exposure to unpatched vulnerabilities.

Microsoft clearly sees this as a problem as they changed Windows Update in W7 so automatic updating would work on a standard user account. To be truly effective PSI needs to run the way Windows Update does on W7.
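The two ways of running the scanner from a least-privilege session that this thread describes (a full-time standard user launching it under a separate admin account via Runas, or an AAM account answering a UAC prompt) can be told apart from the process token. The script below is an added example, not code from the thread or from Secunia; the scanner path and the admin account name are placeholders, and the registry value it reads (EnableLUA) is the standard UAC switch.

```powershell
# Added example: classify the current session (elevated admin, AAM account,
# or true standard user) and start the scanner the least-privilege way for
# that case. $PsiExe and $AdminAccount are placeholders, not real values.
$PsiExe       = 'C:\PLACEHOLDER\psi.exe'                  # path to the scanner (placeholder)
$AdminAccount = "$env:COMPUTERNAME\AdminPlaceholder"      # separate admin account (placeholder)

function Test-IsElevated {
    # True only when the running token already carries full Administrators rights
    # (an AAM account normally runs with a filtered token, so this returns False)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsAdminGroupMember {
    # True when the account is a member of local Administrators at all, i.e. an
    # AAM-style account; S-1-5-32-544 is the well-known Administrators SID
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    return [bool]($id.Groups | Where-Object { $_ -eq $adminSid })
}

function Test-UacEnabled {
    # UAC must be on for the AAM "filtered token + prompt" model to mean anything
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    return (Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA -eq 1
}

if (-not (Test-UacEnabled)) {
    Write-Warning 'UAC (EnableLUA) is disabled: an AAM account runs fully elevated.'
}

if (Test-IsElevated) {
    # Full admin token for day-to-day work is the situation the thread argues against
    Write-Warning 'Session already holds a full admin token; not a least-privilege session.'
} elseif (Test-IsAdminGroupMember) {
    # AAM account: let UAC prompt for elevation only for the scanner process
    Write-Output 'AAM account detected; elevating only the scanner via UAC prompt.'
    Start-Process -FilePath $PsiExe -Verb RunAs
} else {
    # True standard user: Over-The-Shoulder launch under a separate admin account
    Write-Output "Standard user detected; starting scanner as $AdminAccount via runas."
    & runas.exe "/user:$AdminAccount" $PsiExe
}
```

Only the scanner process receives the elevated token in the second and third branches; the interactive session itself stays at standard-user rights, which is the point of the practice mzqyl describes.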
This user no longer exists RE: Best practice for least user privilege?
Member 15th Sep, 2010 15:26
Hi,

Currently, as mentioned, the PSI must run as the administrative user, or some features are simply unusable unless this demand is fulfilled.
However, we do agree with your observation, and see how this could limit usability and security.

The fact that the PSI requires administrative credentials to run is considered one of the issues we will look into solving with the PSI 2.0 Beta.

We thank you for your feedback.
mzqyl RE: Best practice for least user privilege?
Member 15th Sep, 2010 19:37
Score: 0
Posts: 7
User Since: 10th Sep 2010
System Score: N/A
Location: US
@Emil.

Thanks. I'm glad Secunia is looking at this issue. It may be that completely automatic application patching along the lines of Windows Update is difficult to accomplish--at least without a lot of cooperation from Microsoft--but I think it is important that this issue gets kicked around so the whole process can be made as painless as possible without sacrificing other layers of security and because Microsoft appears to be moving towards making standard user accounts the Windows default.
jasmine25 RE: Best practice for least user privilege?
Member 16th Sep, 2010 07:01
Score: -103
Posts: 2
User Since: 16th Sep 2010
System Score: N/A
Location: IN
hello...can you provide me more information about this forum...thanks for providing this information
mogs RE: Best practice for least user privilege?
Expert Contributor 16th Sep, 2010 07:36
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello.
When and if you have a problem that needs attention, it is best to start your own thread,,,,see Create Thread on the left of the page.
When choosing a section of the forum....choose the one relative to your Secunia version/ number or Programs/Open Discussions....but don't get tangled up with Vulnerabilities..( enough said for the time being ).
The following links/threads are worth bookmarking for future reference :-
http://secunia.com/vulnerability_scanning/personal... FAQ's
http://secunia.com/vulnerability_scanning/personal...
HOW IT WORKS
Hope this helps for now and good luck...........regards,
