Most of the best ideas in IT security – indeed, security in general – have been around for a long time. One that is all too often forgotten is the concept of “least privilege”, or using the bare minimum level of access to get the job done.
For example, everyday tasks such as reading email or browsing the web don't need the same amount of system access as less common tasks like installing a printer. Although you need to write to the data areas on the disk, there should be no need to install device drivers, modify system settings, and so on. Users running with extra rights are a prime target for malicious software, which inherits those same rights and takes full advantage of them.
Although sound in principle, the devil is in the details. Often, application developers blindly assume they can do anything and seldom seem to handle the inevitable “access denied”. Indeed, in many cases, systems are simply set up with a single user that has administrator rights, and the user is none the wiser.
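The “access denied” that developers seldom trap, as an added Python example that is not part of the original column: a naive save routine that assumes administrator rights, beside one that treats a denied machine-wide write as the expected case for an ordinary user and falls back to a per-user location. The application name, file layout and the simulated denial are constructed for the example.

```python
import errno
import os
import tempfile
from pathlib import Path
from typing import Callable, List, Sequence

def default_candidates(app: str) -> List[Path]:
    """Machine-wide location first, then the per-user one an ordinary user can
    always write. The app name is hypothetical; the OS paths are the usual ones."""
    if os.name == "nt":
        system = Path(os.environ.get("ProgramData", r"C:\ProgramData"))
        user = Path(os.environ.get("APPDATA", Path.home() / "AppData" / "Roaming"))
    else:
        system = Path("/etc")
        user = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"))
    return [system / app / "settings.ini", user / app / "settings.ini"]

def write_file(path: Path, data: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def naive_save(data: bytes, system_path: Path) -> None:
    """The "blind" version: assumes it may write anywhere. Run by an ordinary
    user this raises PermissionError and the program simply dies."""
    write_file(system_path, data)

def save_with_fallback(data: bytes, candidates: Sequence[Path],
                       write: Callable[[Path, bytes], None] = write_file) -> Path:
    """Try each location in turn, most privileged first. "Access denied" is an
    expected outcome for a non-administrator, so it is trapped and the next,
    less privileged, location is tried; any other error is a genuine fault and
    propagates. The `write` hook lets the denial be simulated without admin rights."""
    denied = []
    for path in candidates:
        try:
            write(path, data)
            return path
        except PermissionError as exc:
            denied.append(f"{path}: {exc.strerror or exc}")
    raise PermissionError(errno.EACCES, "no writable location; " + "; ".join(denied))

if __name__ == "__main__":
    # Constructed scenario in a temp dir: machine-wide path denied, per-user path fine.
    root = Path(tempfile.mkdtemp())
    sys_p, usr_p = root / "etc" / "demoapp.ini", root / "home" / "demoapp.ini"
    def deny_system(path, data):
        if path == sys_p:
            raise PermissionError(errno.EACCES, "Permission denied")
        write_file(path, data)
    print("settings written to", save_with_fallback(b"theme=dark\n", [sys_p, usr_p], deny_system))
```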
Things have been slowly getting better. Microsoft brought in the “runas” command, so you can run individual programs as another user (the Unix world has had this for many years).
For the more user-friendly approach, Windows Vista has joined OSX and Linux in providing a nice graphical interface. When the user selects an option that needs administrator rights, they are automatically prompted to enter the administrator password and then everything goes to plan.
This seems fine, and takes some of the strain out of day-to-day use, but it shifts the problem around rather than solving it.
The problem is that many users don't know enough about the internals to know when to safely allow administrator access. This isn't solved with the nice interface; users are being blindly conditioned to enter their administrator password arbitrarily.
And it gets progressively worse as the number of prompts increases. The problem of “click blindness” sets in, where the increasingly harassed user will simply react robot-fashion whenever prompted for an “OK” or a password.
Although it's certainly sensible to run as an “ordinary” user whenever possible, there is always a need to delegate authority at some stage. In the old-fashioned world it was safe (almost) to allow the user to choose; these days, the user base is much larger and typically not full of experts. In this environment, we need to look at smarter ways of managing systems than training users to enter their administrator passwords, Pavlovian style, whenever the system rings the bell.