论文信息 - Do windows users follow the principle of least privilege?: investigating user account control practices

Do windows users follow the principle of least privilege?: investigating user account control practices

The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges possible to perform required tasks in order to limit the damages caused by security incidents. Low-privileged user accounts (LUA) and user account control (UAC) in Windows Vista and Windows 7 are two practical implementations of this principle. To be successful, however, users must apply due diligence, use appropriate accounts, and respond correctly to UAC prompts. With a user study and contextual interviews, we investigated the motives, understanding, behaviour, and challenges users face when working with user accounts and the UAC. Our results show that 69% of participants did not apply the UAC approach correctly. All 45 participants used an administrator user account, and 91% were not aware of the benefits of low-privilege user accounts or the risks of high-privilege ones. Their knowledge and experience were limited to the restricted rights of low-privilege accounts. Based on our findings, we offer recommendations to improve the UAC and LUA approaches.

Kirstie Hawkey | Konstantin Beznosov | Sara Motiee

[1] Lorrie Faith Cranor,et al. Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.

[2] Gary McGraw,et al. Securing Java: getting down to business with mobile code , 1999 .

[3] J. McGrath. Methodology matters: doing research in the behavioral and social sciences , 1995 .

[4] Ingrid M. Martin,et al. Intended and Unintended Consequences of Warning Messages: A Review and Synthesis of Empirical Research , 1994 .

[5] Lorrie Faith Cranor,et al. You've been warned: an empirical study of the effectiveness of web browser phishing warnings , 2008, CHI.

[6] Kori Inkpen Quinn,et al. Family accounts: a new paradigm for user accounts within the home environment , 2008, CSCW.

[7] Lorrie Faith Cranor,et al. A Framework for Reasoning About the Human in the Loop , 2008, UPSEC.

[8] Rob Miller,et al. Security user studies: methodologies and best practices , 2007, CHI Extended Abstracts.

[9] Alan H. Karp,et al. Polaris: virus-safe computing for Windows XP , 2006, CACM.

[10] Jerome H. Saltzer,et al. The protection of information in computer systems , 1975, Proc. IEEE.

[11] Mary Ellen Zurko,et al. Did you ever have to make up your mind? What Notes users do when faced with a security decision , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..