Does Least Privilege Actually Solve Anything?
Roger Grimes discusses least privilege in his Security Adviser column over at InfoWorld. It is well timed, considering the release of my recent three-part series on UAC in Vista and Server 2008. UAC is a technical mechanism for enforcing least privilege that, in the minds of many administrators, was not the best solution when the needs of non-technical users are kept in mind.
Grimes' first column, interestingly enough titled "Why UAC Will Not Work", discusses how UAC doesn't really solve the problem of malware. Malware authors, in his opinion, will continue to find ways around even the best user-centered tools like UAC. Thus, the distraction of UAC does more to hurt Microsoft's product set than to help it against any malware threat:
Just to be clear: Not having admin or root access does limit the possibilities for malware writers. They can't take their pick of all the current low-hanging fruit, but there are still plenty of ways to hack a user's computer without privileged access, and that's the pity. For years and years, we've been saying that users need nonprivileged accounts to do most of their work. We say this as if it is the Holy Grail of computer security -- as if it will end all malware as we know it today. But ultimately, this one change won't amount to a hill of beans. Malware writers will learn what it takes to do all the things they need to do without requiring admin access. They have many malware programs they can study today, and certainly, they will develop many new methods in the future.
That being said, Grimes admits that there are reasons why some least-privilege-like solutions are good for an environment. Though he comes out strongly against Microsoft's UAC implementation in his first column, his second column includes some interesting back-pedalling that discusses where it can be useful.
Come up with your own opinion. Read Grimes' first column here, and his second one expanding on the first here. You already know my opinions. Discuss. Comment.
