The Principle of Least Privilege

Here is the goal of access control (and security in general):

To ensure all authorized users have access to required information on demand, while denying access to unauthorized users.

In the context of access control, security controls must provide object access for all authorized subjects. The easiest way to do that is to grant full access to all objects, for all subjects. In other words, give everybody access to everything. Global access would satisfy the first part of the security goal, but not the second. If object access is granted to everyone, it is impossible to prevent access by unauthorized users.

The Orange Book

The solution is to find the best balance between providing necessary access for authorized subjects (users and applications) and denying any unnecessary access. This principle of providing just the access required to carry out a task is called the principle of least privilege.

The United States Department of Defense Trusted Computer System Evaluation Criteria, DOD-5200.28-STD, also known as the Orange Book because of its orange colored cover, was one of the first generally accepted standards for computer security. The Orange Book has since been replaced by the Common Criteria for Information Technology Security Evaluation—an international standard. The Common Criteria extend the concepts stated in the Orange Book. The Orange Book defines least privilege to be a principle that “requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.”

Least Privilege and LUAs

In a Windows environment, the principle of least privilege is implemented at the user account level. In fact, Microsoft refers to user accounts defined using this principle as least privilege user accounts (LUAs). All Windows users are associated with one or more groups. The majority of permissions in a Windows environment are controlled at the user group level. A common and manageable way to implement least privilege is to create user groups that represent roles in your organization. Every organization is different and there are many options for creating roles. Groups are effective administration tools because a group can contain a large number of users that can then be managed as a unit. By using groups, you can assign access to a resource, such as a shared folder, to a group instead of each user individually, saving substantial time and effort. You can configure your own groups as you see fit on your network and systems, but most operating systems include a number of predefined groups that you can use as well or modify as needed. Although there are some local default groups, you will most likely encounter Active Directory groups when working with networked Windows computers. TABLE 3-1 shows a partial list of default Active Directory security groups (https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups). These groups represent common roles within an organization and provide a starting point for implementing least privilege.

TABLE 3-1 Sample Default Active Directory Security Groups in Windows Server 2012, Windows Server 2016, and Windows Server 2019

GROUP                  DESCRIPTION
Account operators      Allows members to create and modify most types of accounts and to log in locally to domain controllers.
Administrators         Members have unrestricted access to the computer or, if the computer is a domain controller, to the entire domain.
IIS_IUSRS              Built-in group used by all versions of Internet Information Services since version 7.0. The IUSR account is a member of this group and provides consistency for web users.
Users                  General group for normal users that allows users to run applications, access local resources, shut down or lock a computer, and install per-user applications.
Guests                 Allows one-time users to log in to a computer in a domain with the basic privileges of a regular user. When a member of the Guests group logs out, the entire profile is deleted.
Backup operators       Members can back up and restore all files on a specific computer, regardless of what permissions are in place for those files.
Remote desktop users   Allows users to establish remote connections to a Remote Desktop Session Host server.

© Jones & Bartlett Learning.

Rights and Permissions

Each group in Windows has the ability to apply rights and permissions to sets of users.

Associating users with one or more groups allows the implementation of least privilege in a group setting, as opposed to configuring each individual user account. Securing groups instead of individual users makes the goal of least privilege far more feasible, especially in environments with many users.

User rights are defined and maintained through group security policy objects. Permissions apply to specific objects and are maintained through each object’s security settings. By defining a list of access control rules for each object, access permissions are defined for specific users or groups. The list of access permissions is called the access control list (ACL) for the object. Since the ACLs that Windows uses are implemented as discretionary access control, the more accurate, but less common, term used for the list of access control rules is a discretionary access control list (DACL). Each entry in the DACL is called an access control entry (ACE). The process of securing resources in Windows starts with creating object DACLs that satisfy your security goals. FIGURE 3-1 shows a Windows object DACL.
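The following PowerShell script is an added example, not code from the textbook. It reads a folder's DACL, lists each ACE, flags explicit Allow ACEs that grant FullControl to anything other than the built-in administrative principals, and then adds a group-based ACE so that access is assigned to a role group rather than to individual users. The folder path and the group name are placeholders you would replace with your own.

```powershell
# Added example, not code from the textbook. Assumes a share folder and a role group
# that exist in your environment; both names below are placeholders.
$Path      = 'C:\Shares\Finance'
$RoleGroup = 'CONTOSO\Finance-Editors'
$Apply     = $false   # set to $true to write the updated DACL back with Set-Acl

# Get-Acl returns the object's security descriptor; .Access enumerates its DACL as ACEs.
$acl = Get-Acl -Path $Path

"ACEs currently on $Path"
foreach ($ace in $acl.Access) {
    $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    '{0,-35} {1,-6} {2,-30} {3}' -f $ace.IdentityReference, $ace.AccessControlType,
        $ace.FileSystemRights, $source
}

# Least-privilege check: an explicit Allow ACE that grants FullControl to anyone other
# than the built-in administrative principals is more access than a normal role needs.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$overGranted = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $full) -eq $full) -and
    ($trusted -notcontains $_.IdentityReference.Value)
}
foreach ($ace in $overGranted) {
    "Review: $($ace.IdentityReference) holds explicit FullControl on $Path"
}

# Grant the role group Modify (not FullControl) on the folder and everything beneath it,
# so that membership in the group, not per-user ACEs, controls who can edit the share.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $RoleGroup,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)   # replaces any existing explicit Allow ACE for this identity

if ($Apply) {
    Set-Acl -Path $Path -AclObject $acl
    "Updated DACL written to $Path"
} else {
    "Dry run: $RoleGroup would be granted Modify on $Path; set `$Apply to `$true to write it"
}
```

Run it as an account that can read and, if applying, change the folder's permissions; the dry-run default lets you review the proposed ACE first.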

[Figure: the dialog box showing a Windows object DACL]

FIGURE 3-1
Windows object DACL.

Courtesy of Microsoft Corporation.
