ABSTRACT
Non-administrator user accounts and the user account control (UAC) approach of Windows Vista are two practical solutions to limit the damage of malware infection. UAC in Windows Vista supports usage of lower privilege accounts; a UAC prompt allows users to raise their privileges when required. We conducted a user study and contextual interviews to understand the motives and challenges participants face when using different user accounts and the UAC approach. Most participants were not aware of or motivated to employ low-privileged accounts. Moreover, most did not understand or carefully consider the prompts.
Index Terms
- Investigating user account control practices
Do Windows users follow the principle of least privilege?: investigating user account control practices
SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security
The principle of least privilege requires that users and their programs be granted the most restrictive set of privileges possible to perform required tasks in order to limit the damages caused by security incidents. Low-privileged user accounts (LUA) ...