A substantial number of users of the Windows® operating system run as members of the Administrators group all of the time. Generally, a user runs as a member of the Administrators group (commonly referred to as “running as Admin,” “having Administrative access rights” or “having Administrative privileges”) to ensure that they have access to all of the files and resources required to run each and every application they may use. However, the possession of administrative rights by users significantly increases the vulnerability of the computing device. Because any application started runs with the security context of the user that started it, running with Administrative access rights means that every application will have Administrative access rights. Thus, every application will have the ability to use any resource in the system and access any persistent state. This is a security risk because it allows malicious software, such as a network worm or virus, that attacks and overtakes a running program to then access any persistent state and use any resource. Accordingly, simply compromising a user-level network service, such as an instant messaging client, provides an attacker complete control of the system. The security threat is both acute and widespread. For example, attacks against user-level networking applications are common and include spyware, self-propagating email, web browser exploits, instant messaging (IM) client exploits and the like.
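The claim above that a started application carries the security context of the user who started it can be observed directly on a Windows machine. The following PowerShell script is an added illustration, not part of the original text; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the built-in `whoami` utility producing English output, and uses only the .NET `WindowsIdentity`/`WindowsPrincipal` API. It summarises the calling process's token (including whether the Administrators group is present but marked "deny only", which is how UAC keeps an unelevated shell from conferring admin rights), then starts a child PowerShell process and shows that the child answers the same question the same way.

```powershell
# Added example, not from the patent text. Assumes Windows PowerShell 5.1 / PowerShell 7
# on Windows with an English-language 'whoami'.
function Get-TokenSummary {
    # Every process carries the access token of the user who started it; this reads
    # the calling process's own token through the .NET WindowsIdentity API.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # 'whoami /groups' lists every group SID in the token with its attributes.
    # For an administrator running unelevated under UAC, S-1-5-32-544 (BUILTIN\Administrators)
    # appears marked "Group used for deny only", so it grants nothing.
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow  = $groups | Where-Object SID -eq 'S-1-5-32-544'
    $integrity = ($groups | Where-Object Type -eq 'Label').'Group Name'

    [pscustomobject]@{
        ProcessId       = $PID
        User            = $identity.Name
        AdminGroupState = if ($adminRow) { $adminRow.Attributes } else { 'not in token' }
        IntegrityLevel  = $integrity
        EffectiveAdmin  = $principal.IsInRole($adminRole)   # true only if the group is enabled
    }
}

function Test-ChildInheritsContext {
    # Start a child PowerShell and ask it the same question. A newly started process
    # inherits the parent's token, so the answers match: an elevated shell yields
    # elevated children, just as every application an admin user launches runs as admin.
    $parent = (Get-TokenSummary).EffectiveAdmin
    $child  = & powershell.exe -NoProfile -NonInteractive -Command `
        '([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)'
    $childIsAdmin = [bool]::Parse(($child | Select-Object -Last 1))

    [pscustomobject]@{
        ParentIsAdmin = $parent
        ChildIsAdmin  = $childIsAdmin
        Inherited     = ($parent -eq $childIsAdmin)
    }
}

Get-TokenSummary | Format-List
Test-ChildInheritsContext | Format-Table -AutoSize
```

Running the script twice, once from a normal shell and once from an elevated one, shows the same user name in both cases but a different `AdminGroupState`, `IntegrityLevel` and `EffectiveAdmin`; in both cases `Inherited` is true, which is the point of the passage: the process, not the user account, is what the operating system checks, and every process a user starts is checked against the same token.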
Unfortunately, a significant number of common applications require elevated access rights, even though most of them could accomplish their goals through some other means that does not require the elevated rights. Accordingly, the proliferation of applications that unnecessarily require elevated access rights further motivates users to run with administrative privileges all of the time. In addition, applications that unnecessarily require elevated rights but are run without such rights often fail with misleading error messages. Thus, users without elevated access rights spend more time troubleshooting. Furthermore, the number of applications that are dependent upon elevated rights is sufficiently great that starting each one from a separate user account with such access rights, or setting up scripts to do this semi-automatically, is a significant inconvenience.
One method of investigating an application's dependency upon a given security context involves setting breakpoints and stepping through execution of the code to determine where security checks fail when the entity does not belong to a particular privileged group, such as an administrator group, network administrator group, domain administrator group, or the like. However, the process of setting breakpoints and stepping through code relies upon a high degree of intuition and trial and error, and is typically prohibitively time consuming. In addition, most individuals, such as information technology (IT) personnel and third-party developers, do not have access to the source code to facilitate analysis.
Other methods include tracing access to the computer objects that are being secured, of which file tracing and registry tracing are two common examples. However, these are limited in the scope of problems they detect, and the overall investigation is often still quite time-consuming. Furthermore, the conventional methods typically determine dependencies upon a given security context one incompatibility at a time, which again increases the time required to resolve problems.
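The file and registry tracing approach described above can be approximated, for a first pass, with a small probe that checks a whole list of secured objects in one run rather than discovering each failure one at a time. The following PowerShell script is an added example and is not part of the patent text or any product it describes. The list of paths is constructed for illustration (typical locations an installer-style application writes to) and should be replaced with the objects the application under investigation actually touches; the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Each file probe creates and immediately deletes a uniquely named temporary file; each registry probe opens the key with write access and closes it without changing anything.

```powershell
# Added example, not from the patent text. The target list is constructed for
# illustration; edit it to match the application being investigated.
$ProbeTargets = @(
    @{ Kind = 'File';     Path = $env:ProgramFiles },
    @{ Kind = 'File';     Path = "$env:SystemRoot\System32\drivers\etc" },
    @{ Kind = 'File';     Path = $env:LOCALAPPDATA },
    @{ Kind = 'Registry'; Path = 'HKLM\SOFTWARE' },
    @{ Kind = 'Registry'; Path = 'HKCU\SOFTWARE' }
)

function Test-WriteAccess {
    param([string]$Kind, [string]$Path)
    try {
        switch ($Kind) {
            'File' {
                # Create and at once delete a uniquely named file; the directory is left as
                # it was. CreateNew throws UnauthorizedAccessException when the ACL denies write.
                $probe = Join-Path $Path ("access-probe-{0}.tmp" -f [guid]::NewGuid())
                $fs = [System.IO.File]::Open($probe, [System.IO.FileMode]::CreateNew)
                $fs.Dispose()
                Remove-Item -LiteralPath $probe -Force
            }
            'Registry' {
                $hive, $sub = $Path -split '\\', 2
                $root = switch ($hive) {
                    'HKLM'  { [Microsoft.Win32.Registry]::LocalMachine }
                    'HKCU'  { [Microsoft.Win32.Registry]::CurrentUser }
                    default { throw "unsupported hive $hive" }
                }
                # Opening writable asks for KEY_WRITE; a denied key throws SecurityException.
                $key = $root.OpenSubKey($sub, $true)
                if (-not $key) { throw [System.IO.IOException]"key not found: $Path" }
                $key.Dispose()
            }
            default { throw "unsupported kind $Kind" }
        }
        'write OK'
    } catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
        'ACCESS DENIED'
    } catch {
        "error: $($_.Exception.GetType().Name)"
    }
}

function Get-AccessReport {
    # One row per secured object, so every denial shows up in a single run.
    foreach ($t in $ProbeTargets) {
        [pscustomobject]@{ Kind = $t.Kind; Path = $t.Path; Result = Test-WriteAccess @t }
    }
}

Get-AccessReport | Format-Table -AutoSize
```

Run the report once as a standard user and once from an elevated shell and compare: the rows that flip from `ACCESS DENIED` to `write OK` are the objects for which an application would need administrative rights. Two caveats apply. The probe tests only the objects you list, so it shares the scope limitation the passage attributes to file and registry tracing. And a legacy 32-bit application without a manifest may be subject to UAC file and registry virtualization, in which case its own writes to these locations are silently redirected and appear to succeed even though this probe, run from a manifested PowerShell host, reports them as denied.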