Back to Top

Tuesday, February 20, 2007

Limited users - myth or reality

Fellow security blogger, Kurt Wismer, says that there are limited advantages to limited users. He is right in all his arguments:

  • A program running in your account, even if it is a limited user account, still has access to all of your files. It can search in them for e-mail addresses, wipe them or do other nefarious things with them.
  • It will stop only malware which is written with the assumption that they will be run with an Administrator account - very true, however this is currently a very large percentage of the malware. In this context running as limited user is a security by obscurity solution, and there is nothing wrong that. Remember: having security as obscurity as an additional layer of defense is not a bad thing, but having it as the only layer is. Think of it: you don't put a note on your door with what kind of burglar alarm are you using just because security by obscurity is bad thing!

But misses one huge point in my humble opinion:

Running as limited user makes it highly probable that you can contain whatever malware problem you have. What do I mean by that? Imagine the following typical scenario:

  • A malware not recognized by your security product is executed (and make no mistake, it is possible to develop malware which for a period of time is not recognized by any security product)
  • As soon as it executes, it kills your on-access scanner, stops the services associated with the security products and blacklists the update IPs of the security product.
  • Additionally it may install rootkits and other kernel level components

If you were an Administrator (or Power User, which can very easily elevate her/his privileges), after these steps you would have near zero chance to disinfect your system and be sure that you indeed eliminated all the malware from it without doing an offline scan (eg. putting your HDD in an other computer) and scanning it with several AV products. Even then it is best to wipe and reinstall (which of course must be followed by patching, creating and using a limited account and other safe computer usage practices!).

Now consider the same scenario again, but this time from the point of view of a limited user:

  • The malware can't kill the processes associated with your security product - it has not enough privileges.
  • The malware can't stop the services associated with your security product - it has not enough privileges.
  • The malware can't blacklist the DNS entries associated the update service of your security product - it has not enough privileges.
  • It can't install BHO's, rootkits, traffic sniffers, etc. - you guessed it, not enough
  • If you have a firewall which can control outbound connections, you might be able to prevent it from running. I say might because a software firewall must consider many things, like dll injection, to make a reliable judgment call of allowing or denying the communication.

Running as limited user does not protect you from all and every malware, but it can make sure that your system is in a recoverable state when your security software issues an update and starts recognizing the particular piece of malware. Also, if you are running as limited user, when doing a cleanup you don't even have to bother looking in places like the windows directory or for drivers. The limited user accounts can also be used to separate programs (this is not entirely true until Visa, because of the shatter attack)>, but it is a very good starting point. Finally, when talking in the context of a corporate environment, only limited users can be effectively controlled by the IT department, higher privileged users have many ways of circumventing any host based control system.

PS. Some AV products try to do some magic to prevent their process termination (and I don't mean to pick on Kaspersky Labs, they have a very good product, others like Symantec or Zone Labs are also using this approach). This is bad in my humble opinion because any protection can be circumvented by a program running with high privileges (thus resulting in a cat-and-mouse game - for example the Advanced Process Termination from Diamond.cs is able to terminate all these products in their current versions). An other reason for me not liking this approach is that it can lead to system instability.

PS 2. If you would like to run as limited user, check out my blog posting which details various methods of doing that and still being able to elevate your privileges when necessary.

3 comments:

  1. on the matter of containment -

    1) privilege elevating exploits can give unremovable malware admin access even if you're running as a limited user...

    2) the notion of the unremovable malware is a myth - it's a popular myth, i'll grant you that, but a myth all the same... any non-destructive function in invertible, anything software can put on the system can be taken off the system with the right tools...

    3) the same people who promulgate the unremovable malware myth have all decided that the proper way to deal with it is to throw up their hands in defeat and accept the need to wipe and re-install when they encounter any malware - and running as a limited user doesn't change that equation, it doesn't make it more or less necessary, it doesn't make it easier or harder to do... ergo, running as a limited user is of no benefit there...

    ReplyDelete
  2. 1) privilege elevating exploits can give unremovable malware admin access even if you're running as a limited user...

    And how many of those have we seen lately? Very few and their number will just decrease in the future. In fact I would say that we already are at a point where there is no practical way for a low rights user to elevate his privileges to a level where any serious damage could be inflicted to the system.

    2 & 3) I agree, all the malware can be removed, however that wasn't my point. My point was that unless you know that every program was executed under a low rights account, you can not trust any parts of the system. This means that you can not do an on-line investigation which would yield any useful results, because every time some check comes back as negative (for example no ports are open) you have to ask yourself: is this really the case or is some kernel mode code modifying the results I'm seeing? Your only way remains to do an offline investigation (eg. pull the drive and go over its contents one by one on a known clean computer), a procedure which is much more complicated, tedious and time consuming. Using limited users you can retain full control over your system while using high-privileged users you can use this control very fast!

    ReplyDelete
  3. RE: privilege elevation exploits
    "And how many of those have we seen lately? "

    not so many... generally they aren't necessary because most people are already running as admin, but as soon as that changes the bad guys will pay a lot more attention to finding privilege elevation exploits... i believe joanna rutkowska recently detailed something that qualifies as privilege elevation under vista...

    "My point was that unless you know that every program was executed under a low rights account, you can not trust any parts of the system."

    you can't trust any part of the system even if the malware was executed under a limited user account... you should never trust a suspect system, regardless of the circumstances under which you think the malware got on there...

    "Your only way remains to do an offline investigation (eg. pull the drive and go over its contents one by one on a known clean computer), a procedure which is much more complicated, tedious and time consuming."

    and safer... if you think you can avoid the need to do this then you're still placing too much trust in the suspect system... you're trusting that the system's attempt to set up boundaries to prevent the malware from compromising the environment used for cleanup... the only boundary i trust for this is the physical air-gap, the cleanup environment is completely physically separate from the suspect system (not even connected by a network) and nothing from the suspect system gets executed during cleanup at all...

    people want to cut this corner but i don't believe you can...

    ReplyDelete