Do Windows users follow the principle of least privilege?: investigating user account control practices

Abstract

The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges that still allows them to perform their required tasks, so that the damage caused by a security incident is limited. Low-privileged user accounts (LUA) and User Account Control (UAC) in Windows Vista and Windows 7 are two practical implementations of this principle. To be effective, however, users must apply due diligence, use the appropriate account for each task, and respond correctly to UAC prompts. Through a user study and contextual interviews, we investigated the motives, understanding, behaviour, and challenges users face when working with user accounts and UAC. Our results show that 69% of participants did not apply the UAC approach correctly. All 45 participants used an administrator user account, and 91% were not aware of the benefits of low-privilege user accounts or the risks of high-privilege ones; their knowledge and experience were limited to the restricted rights of low-privilege accounts. Based on our findings, we offer recommendations to improve the UAC and LUA approaches.

DOI: 10.1145/1837110.1837112
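The LUA and UAC model the abstract describes can be audited on a given machine. The following PowerShell is an added example, not code from the paper or its study instruments: it reports whether the current account is a member of the local Administrators group (the "uses an administrator account" case the study measured), whether the current token is actually elevated, and how UAC is configured. It assumes Windows Vista or later and the standard policy values EnableLUA and ConsentPromptBehaviorAdmin under the Policies\System registry key.

```powershell
# Added example (not from the paper): audit whether the current session follows
# the LUA/UAC model. Assumes Windows Vista or later with the standard UAC policy
# values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

function Get-LeastPrivilegeReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when the current token is elevated (admin rights in effect now).
    $isElevated = $principal.IsInRole($adminRole)

    # Membership in the local Administrators group (well-known SID S-1-5-32-544)
    # regardless of elevation. An administrator account running under a UAC
    # filtered token still reports True here: it is an admin account even though
    # its rights are not currently in effect.
    $adminSid      = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $isAdminMember = $identity.Groups -contains $adminSid

    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy     = Get-ItemProperty -Path $policyPath
    $uacEnabled = ($policy.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin controls what an admin sees on elevation:
    # 0 = elevate silently (no prompt), 2 = prompt for consent on the secure
    # desktop, 5 = prompt only for non-Windows binaries (the Windows 7 default).
    $promptMode = $policy.ConsentPromptBehaviorAdmin

    [pscustomobject]@{
        User                = $identity.Name
        AdminGroupMember    = $isAdminMember
        TokenElevated       = $isElevated
        UacEnabled          = $uacEnabled
        AdminPromptBehavior = $promptMode
        # The account follows LUA only if it is not an administrator at all.
        FollowsLUA          = (-not $isAdminMember)
        # Worst case: an admin account whose elevations never show a prompt,
        # so the user cannot "respond correctly" to UAC because it never asks.
        SilentElevation     = ($isAdminMember -and (-not $uacEnabled -or $promptMode -eq 0))
    }
}

Get-LeastPrivilegeReport | Format-List
```

Running this from a low-privilege account yields FollowsLUA = True; an administrator account in a non-elevated shell yields AdminGroupMember = True with TokenElevated = False, which is the configuration the paper's participants relied on.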

16 Figures and Tables


Cite this paper

@inproceedings{Motiee2010DoWU,
  title     = {Do windows users follow the principle of least privilege?: investigating user account control practices},
  author    = {Sara Motiee and Kirstie Hawkey and Konstantin Beznosov},
  booktitle = {SOUPS},
  year      = {2010}
}