Malware defense – run applications as a limited user

Mark Russinovich at Sysinternals has an article up on how to run applications as a limited user. This comes in handy for applications that are especially exposed to attack (I'm looking at all you web browsers, particularly Internet Explorer). Most malware assumes it is running with administrator rights: it wants to write to \Windows and \Program Files, install services and drivers, and set up persistence under HKLM. If the application that gets exploited is running under a limited token, the malware lands without those rights, so it is far less likely to take over the machine; what it can still do is whatever the limited user can do, such as read and modify your own files and profile. Of course, if enough people start doing this, malware authors will start bundling privilege escalation exploits with their malware. But that is an extra layer of complexity, and as Bruce Schneier often points out, complexity leads to errors. For the anti-malware vendors, it also gives the malware a larger footprint, which makes it easier to detect.

As this eWeek study shows, one of the most effective ways to keep a system free from malware and to avoid reinstalls even if malware happens to sneak by is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone, require administrator rights. Further, many applications fail when run in a limited-user account because they're poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.

An alternative to running as a limited user is to instead run only the specific Internet-facing applications that are at greater risk of compromise, such as IE and Outlook, as a limited user. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.
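Here is an added example of the PsExec approach, written for this post and not taken from the Sysinternals article or from the PsExec/Process Explorer tools themselves. It wraps the PsExec -l switch (the command-line equivalent of Process Explorer's File > Run as Limited User) to launch one exposed application under a restricted token, and it has a -Probe mode you can run both normally and through psexec -l to see what the restricted token actually changes. Assumptions: psexec.exe is on the PATH, the script is saved as C:\Tools\Run-Limited.ps1 (any path works), and the default Internet Explorer path is a placeholder that may differ on your machine.

```powershell
<#
  Added example, not code from the Sysinternals article.
  Launch a single Internet-facing application under a restricted token
  using PsExec -l, and offer a -Probe mode that reports what the current
  token can and cannot do.
  Assumptions: psexec.exe is on the PATH; the default application path is
  a placeholder and may differ on your system.
#>
param(
    [string]$Application = (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'),
    [string[]]$Arguments = @(),
    [switch]$Probe
)

function Test-IsAdministrator {
    # $true only when the Administrators SID is an enabled group in the
    # current token. Under the restricted token PsExec -l builds, the SID
    # is still listed but marked deny-only, so IsInRole returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WritableByCurrentToken {
    param([string]$Path)
    # Practical check: can this token create a file in $Path? The usual
    # malware targets (\Windows, \Program Files) should fail from a limited
    # process, while the user's own profile should still succeed.
    $probeFile = Join-Path $Path ('lu-probe-' + [Guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probeFile, 'probe')
        Remove-Item -LiteralPath $probeFile -Force
        return $true
    } catch {
        return $false
    }
}

function Start-LimitedApplication {
    param([string]$Path, [string[]]$Arguments = @())
    if (-not $Path) { throw 'Start-LimitedApplication: -Path is required.' }
    $psexec = Get-Command psexec.exe -ErrorAction SilentlyContinue
    if (-not $psexec) { throw 'psexec.exe not found on PATH; get it from Sysinternals.' }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Application not found: $Path" }

    # -l          run with a limited token: Administrators marked deny-only,
    #             privileges reduced to those of the Users group
    # -d          return immediately instead of waiting for the application
    #             (note: with -d PsExec's exit code is the new process ID,
    #             not a success/failure code, so it is not checked here)
    # -accepteula suppress the first-run licence prompt
    & $psexec.Path -accepteula -l -d $Path @Arguments
}

if ($Probe) {
    # Run once normally and once as
    #   psexec -l powershell.exe -NoProfile -Command "& 'C:\Tools\Run-Limited.ps1' -Probe"
    # to compare the two tokens.
    "User:                    {0}" -f [Security.Principal.WindowsIdentity]::GetCurrent().Name
    "Effective Administrator: {0}" -f (Test-IsAdministrator)
    "Can write to \Windows:   {0}" -f (Test-WritableByCurrentToken $env:SystemRoot)
    "Can write to profile:    {0}" -f (Test-WritableByCurrentToken $env:USERPROFILE)
} else {
    Start-LimitedApplication -Path $Application -Arguments $Arguments
}
```

Running the probe from an Administrators account should show "Effective Administrator: True" and a writable \Windows directly, and "False" plus an unwritable \Windows when launched through psexec -l; the profile stays writable in both cases, which is the caveat to keep in mind: a limited process cannot install a service or patch system binaries, but it can still read your documents and add itself to HKCU\...\Run, so it protects the machine more than it protects the user's data. Two further caveats: on Windows Vista and later a UAC-filtered admin token already fails the \Windows write even without PsExec, and before Vista a limited process on the same interactive desktop can still send window messages to your administrator-privileged windows, which is one of the things Vista's Protected Mode and UAC were designed to address.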

[tags]Malware, security, limited privileges[/tags]