Don Kiely’s talk was fantastic at Vermont.NET on Monday night. I think he had everyone on the edge of their seats with all of the great tips & tricks for truly working in Least Privilege mode. Not only why you should do it but how to do it. And not only how, but what to expect, because it ain’t easy!

There are a few areas of focus for developing under least privilege. One is the hardest: making your “daily driver” account a non-admin account. You’re doing yourself a favor anyway, since this offers you some good protection from hacking. But it is going to affect your everyday use of your computer, before you even open up your development tools (or QuickBooks!). Then there are the issues of using your development tools as a non-admin. I had a lot of pain enabling myself to debug in Visual Studio .NET, both Windows Forms apps and web apps. Don’t even get me started about compiling VB6!

Another key area is to think about what actions your code is taking. For example, if you are persisting files, WHERE are you doing that? The trickiest part is that end-users of your application will very likely be running as non-admins. If we write our apps with an admin account and then deploy them to non-admin users, we just don’t know what glitches they might encounter related to their lower privileges. So by writing your app in the same mode, you can have a lot more confidence in the future of your application.
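As an added illustration of the “WHERE are you persisting files” point (this is my own example, not code from Don’s deck or slides): the fragile habit is writing next to the executable under Program Files, which a plain User cannot write to; the safe habit is the per-user Application Data folder. The `ExampleApp` name is a placeholder, and the `CanWriteTo` probe is a quick way to surface the problem while testing as a non-admin.

```csharp
using System;
using System.IO;

// Added example: choosing a least-privilege-safe location for per-user data.
class SettingsStore
{
    // Placeholder product name, used only to build the per-user folder path.
    const string AppName = "ExampleApp";

    // Per-user folder (e.g. ...\Application Data\ExampleApp), created on first use.
    // A plain User can always write here, so this works for admins and non-admins alike.
    public static string UserDataDirectory()
    {
        string root = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        string dir = Path.Combine(root, AppName);
        Directory.CreateDirectory(dir); // no-op if it already exists
        return dir;
    }

    // The fragile choice: the install folder. Fine when the developer runs as admin,
    // broken for a non-admin end-user because Program Files is read-only to them.
    public static string InstallDirectory()
    {
        return AppDomain.CurrentDomain.BaseDirectory;
    }

    // Persist a setting in the per-user folder rather than beside the executable.
    public static void SaveSetting(string name, string value)
    {
        string path = Path.Combine(UserDataDirectory(), "settings.txt");
        File.AppendAllText(path, name + "=" + value + Environment.NewLine);
    }

    // Probe whether the current account can write to a directory by creating and
    // deleting a throwaway file. Run this as a plain User to catch bad locations early.
    public static bool CanWriteTo(string dir)
    {
        try
        {
            string probe = Path.Combine(dir, Path.GetRandomFileName());
            using (FileStream fs = File.Create(probe)) { }
            File.Delete(probe);
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (IOException) { return false; }
    }

    static void Main()
    {
        Console.WriteLine("Install dir writable:   " + CanWriteTo(InstallDirectory()));
        Console.WriteLine("User data dir writable: " + CanWriteTo(UserDataDirectory()));
        SaveSetting("LastRun", DateTime.Now.ToString("o"));
    }
}
```

Run it once as an admin and once as a plain User: the first line flips from True to False, which is exactly the glitch your non-admin end-users would otherwise hit in production.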
I was a little startled (and slightly embarrassed) when Don pointed out that running as a Power User is NOT a non-admin setup. It is not much less vulnerable than running as an admin. If you really want to run as a non-admin, you need to be a plain old User. I just went through much pain going from admin to Power User and now I realize I’ve barely done the deed. When I come back, I will be squeezing myself into a real non-admin role as a User.
Don left me with his PowerPoint deck and a slew of fabulous links to read more. They come from people’s blogs (e.g. Anil John, Andrew Duthie and others) as well as book chapters from Keith Brown and many other articles from these and other experts on the topic. I put them on the “past meetings” page of the Vermont.NET website.
I can already see that the PowerPoint slides are going to be a well-used resource in my office!
If Don didn’t have so much work to do, I would just have forced him to fix my computer and the applications I am writing so that I’m running as non-admin. I would definitely consider calling in the big guns (experts like Don and others) to get the job done with this stuff on projects.