Do Windows users follow the principle of least privilege? Investigating user account control practices

ACM International Conference Proceeding Series

Volumn , Issue , 2010, Pages

  Motiee, Sara ^a   Hawkey, Kirstie ^a   Beznosov, Konstantin ^a  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

Author keywords

Least privilege principle; Least privilege user account; Usable security; User account control

Indexed keywords

DUE DILIGENCE; KNOWLEDGE AND EXPERIENCE; LEAST PRIVILEGE; PRACTICAL IMPLEMENTATION; SECURITY INCIDENT; USABLE SECURITY; USER ACCOUNT CONTROL; USER STUDY; WINDOWS VISTA;

RISK ASSESSMENT;

COMPUTER OPERATING SYSTEMS;

EID: 77956256786     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1837110.1837112     Document Type: Conference Paper

References (28)

1. L. F. Cranor. A framework for reasoning about the human in the loop. In UPSEC'08: Proceedings of the 1st Conference on Usability, Psychology, and Security, pages 1-15, Berkeley, CA, USA, 2008. USENIX Association.
2. S. Egelman, A. B. Brush, and K. M. Inkpen. Family accounts: a new paradigm for user accounts within the home environment. In CSCW '08: Proceedings of the 2008 ACM Conference on Computer Supported Cooperative Work, pages 669-678, New York, NY, USA, 2008. ACM.
3. S. Egelman, L. F. Cranor, and J. Hong. You've been warned: an empirical study of the effectiveness of web browser phishing warnings. In CHI '08: Proc. of the SIGCHI conf. on Human factors in Computing Systems, pages 1065-1074, New York, NY, USA, 2008. ACM.
4. S. Egelman, J. King, R. C. Miller, N. Ragouzis, and E. Shehan. Security user studies: methodologies and best practices. In CHI Extended Abstracts, pages 2833-2836. ACM, 2007.
5. Gnu/linux post-installation checklist. http://www.linux.org/docs/ldp/ howto/Post-Installation-Checklist/steps.html.
6. S. Kim. Java web start: Developing and distributing Java applications for the client side. White paper, IBM Corp. Armonk, NY, September 2001. http://www.ibm.com/developerworks/java/library/j-webstart.
7. An introduction to Mac OS X security. http://developer.apple.com/ internet/security/securityintro.html, August 2004.
8. J. E. McGrath. Methodology matters: doing research in the behavioral and social sciences. Human-computer interaction: toward the year 2000, pages 152-169, 1995. Morgan Kaufmann Publishers Inc.
9. G. McGraw and E. W. Felten. Securing Java: Getting down to business with mobile code. John Wiley & Sons, 2 edition, 1999.
10. J. Nielsen. Card sorting to discover the users' model of the information space. http://www.useit.com/papers/sun/cardsort.html, 1995.
11. W. Poole. Financial Analyst Meeting. http://www.microsoft.com/msft/ speech/FY05/PooleFAM2005.mspx, July 2005.
12. Root definition. The Linux Information Project, http://www.linfo.org/ root.html, October 2007.
13. Rootsudo. Ubuntu Documentation, https://help.ubuntu.com/community/ RootSudo, February 2010.
14. C. A. Rusen. Windows 7 vs Windows Vista: the UAC Benchmark. http://www.7tutorials.com/windows-7-vs-windows-vista-uac-benchmark, August 2009.
15. M. Russinovich. Inside Windows 7 User Account Control. TechNet Magazine, July 2009.
16. J. Saltzer and M. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, Sept. 1975.
17. A. Steven. Applying the principle of least privilege to user accounts on Windows XP. Microsoft TechNet Library, http://technet.microsoft.com/en-us/ library/bb456992.aspx, 2006.
18. D. W. Stewart and I. M. Martin. Intended and unintended consequences of warning messages: A review and synthesis of empirical research. Journal of Public Policy and Marketing, 13(1):1-19, 1994.
19. M. Stiegler, A. H. Karp, K.-P. Yee, T. Close, and M. S. Miller. Polaris: virus-safe computing for Windows XP. Commun. ACM, 49(9):83-88, 2006.
20. M. Stiegler and M. Miller. A capability-based client: The DarpaBrowser. Technical report, Focused Research Topic 5. Combex, Inc., Meadowbrook, PA, June 2002.
21. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying Wolf: An empirical study of SSL warning effectiveness. In Proceedings of 18th USENIX Security Symposium, pages 399-432, 2009.
22. How Windows Vista helps protect computers from malware. TechNet Library, http://technet.microsoft.com/en-us/library/cc507865.aspx, September 2006.
23. Understanding and configuring user account control in Windows Vista. http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx, 2007.
24. What's new in user account control. TechNet Library, http://technet. microsoft.com/en-us/library/dd446675(WS.10).aspx, June 2009.
25. Some guidelines for securing your Windows Vista PC. http://download. microsoft.com.Security-Best-Practice-Guidance-for-Consumers.doc, 2007.
26. M. Wogalter. Communication-Human Information Processing (C-HIP) Model. In Handbook of Warnings, pages 51-61. Lawrence Erlbaum Associates, 2006.
27. M. Wogalter. Purpose and scope of warnings. In Handbook of Warnings, pages 3-9. Lawrence Erlbaum Associates, 2006.
28. M. E. Zurko, C. Kaufman, K. Spanbauer, and C. Bassett. Did you ever have to make up your mind? what notes users do when faced with a security decision. In ACSAC '02: Proceedings of the 18th Annual Computer Security Applications Conference, pages 371-381, Washington, DC, USA, 2002. IEEE Computer Society.