Leave a comment

The Principle of Least Privilege

Written by:  • Edited by: Bill Bunter
Updated May 5, 2010 • Related Guides: Computer Operating Systems | Computer Systems | Operating System

You may hear security experts throw around a lot of terms that don't have the same meanings they have in everyday conversation. Abstract concepts in Information Security theory need to be applied effectively in real world computing environments. Let's examine the principle of least privilege.

Privilege: The Principle

In Information Security theory a process, or more abstractly the user invoking that process, has access to some subset of all the information and the functions available in a computing system. This is considered the privilege level. This is an abstract concept, not something defined such as "privilege levels 1-10". For example, a user may need to read files from directory A and write a log to directory B, but not change or delete files in directory A or any other directory. Another user that can read and write to these files & directories and other directories has a higher level of privilege.

For example, on Unix based systems the root user (user id 0) has full access to everything and therefore full privilege. On Windows NT based systems, the kernel has full privilege. Users that can't install programs, load printer drivers and so forth have far smaller privilege set.

The principle of least privilege states that users and processes should only have access to the least amount of information and functions required to do their job. Why this is preferable will become clear.

Why the Least Privilege?

Multi-user operating systems with diverse and disparate users, availability to large networks such as enterprises, government, and universities, along with exposure to the Internet, drove OS security design forward. Users needed to share some resources but be restricted from others. Complex, versatile systems were rife with opportunities for bugs, errors, and crashes. A malicious user, virus, worm or trojan might usurp computer time, resources, or private information from others if not prevented from doing so. What could be done to prevent this (as much as possible)? If users and applications can't do more than the minimum they need, then it should not be possible for them to do these undesirable things.

The original assertion was made in the paper The Protection of Information in Computer Systems by Saltzer and Schroder in 1974. As you can see, the concept has been around a long time.

Enough Theory!

You may be thinking "Clemmer, all this is great, but how do I use it in practice?" Well, in practice it may not always be clear what privilege level is required. Users often believe they need additional rights & privileges to do a job, when this is not the case. We'll take a look at how things can go wrong in the next article in the series.

Next Article »
The Principle of Least Privilege
This article series explains the Information Security and Computer Science concept of the principle of least privilege. We examine what privileges are, why they are an important concept in multi-user systems, and why this principle is a sound security concept. See examples and means of prevention.
 
blog comments powered by Disqus
Computer Security
FEATURED AUTHORS
Sylvia Cochran Brian Healy Joe Taylor Jr. Anurag Ghosh
R.L. Flowers veikoh zero1 PreciousJohnDoe
Most Popular Articles
Email to a friend