@ the_Monk: You're not getting away with your cleverly disguised attempt to not prepare the article I want from you.
If you just do a paragraph or two per day, you'll finish with no strain, you know...
And I do agree that the best line of defense is the local and group security policies...so...we all continue to await your tutorial.
I've been thinking a lot about any 'write up' I could do about least privilege (I started it a few times, even added screenshots to one of my attempts) but I kept coming to the realisation, no matter how I approached things, that while the concept of least privilege can be applied to any OS and/or hardware configuration, the ways in which one might do this are so numerous and varied as to make any one 'guide' not a realistic approach.
There are of course a few very general 'least privilege' principles one can use to shape / change the way most of us may have been (or may still be) thinking with regard to our computer system use.
1. As has been exhaustively pointed out on the internet for years: use of limited user accounts for day-to-day activities.
2. Using file permissions to grant/deny access to files for different user accounts. Of course keeping in mind that the default behaviour is often for child objects to inherit parent object permissions and that DENY permissions override ALLOW. Delving deeper into file permissions etc. often has the happy side effect of helping to create a more streamlined digital filing system as well.
3. Using the local security policies to enforce additional privilege requirements such as privileges for things like driver installation, access to external or network devices, denying local console and/or remote logon to certain accounts/groups etc. etc. This is obviously not for anyone who doesn't have a grasp on it, however the internet does have significant resources with regard to (and examples of) using/configuring 'local system security policies'.
'Least Privilege' is, when it comes down to it, a completely flexible and therefore never truly enforceable (through standards) approach to computing. Even when setting up a home wireless network, instead of just using the 'quick setup' offered by most new routers, one should use the 'manual' approach and apply some 'least privilege' thinking. For example, most new home routers allow for 'segregation' of the wireless network from internal LAN clients. Why might this be important to someone? You may have a 'home server' with personal media or other data on it; by simply segregating the wireless network from your internal LAN (you still share the same internet connection) you have applied 'least privilege' and maybe prevented someone getting access to personal data.
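
An added example, not part of the posts above: a small Python model of how Windows evaluates a folder's permission list, covering the inheritance and deny-versus-allow behaviour from point 2. It assumes the canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), a single parent level, and constructed account names (`Users`, `kid`, `stranger`); it goes slightly beyond the post by showing that an explicit allow set on a child object is evaluated before a deny inherited from the parent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str                 # "allow" or "deny"
    trustee: str              # user or group name (constructed sample names below)
    rights: frozenset
    inherited: bool = False

def build_dacl(parent_aces, child_explicit, inherit=True):
    """Child DACL = its explicit ACEs plus (optionally) the parent's, in canonical order."""
    inherited = [Ace(a.kind, a.trustee, a.rights, True) for a in parent_aces] if inherit else []
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(list(child_explicit) + inherited,
                  key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, token, wanted):
    """Walk ACEs in order; token is the set of the user's name and group names."""
    remaining = set(wanted)
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False              # a deny hit before the right was granted
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True           # every requested right has been granted
    return False                      # nothing granted it: implicit deny

def demo():
    rw = frozenset({"read", "write"})
    parent = [Ace("allow", "Users", rw), Ace("deny", "kid", frozenset({"write"}))]
    kid = {"kid", "Users"}            # constructed limited account, member of Users
    inherited_only = build_dacl(parent, [])
    with_override = build_dacl(parent, [Ace("allow", "kid", frozenset({"write"}))])
    no_inherit = build_dacl(parent, [], inherit=False)
    return {
        "kid read, inherited": access_check(inherited_only, kid, {"read"}),
        "kid write, inherited": access_check(inherited_only, kid, {"write"}),
        "kid write, explicit allow on child": access_check(with_override, kid, {"write"}),
        "kid read, inheritance off": access_check(no_inherit, kid, {"read"}),
        "stranger read": access_check(inherited_only, {"stranger"}, {"read"}),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

When auditing a folder tree, the third case is the one to look for: a stray explicit allow lower down can undo a deny set at the top.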