How do you NOT run as an administrator?

When I go into control panel, users, and there is one user -
my name, and it says administrator.

There is also a guest account

As I understand it, I should not be running as the
administrator.  How do you implement this?  Are there any
problems that could arise from doing so?

Thanks

Louise

Re: How do you NOT run as an administrator?


Create another account (which you can do as administrator), and make it a
member of the 'users' group (which you can also do as administrator).  Then,
do all your work by logging into this account.

Jim



Re: How do you NOT run as an administrator?

If the OP is using XP Pro, then this is done by creating a "limited
access" user.  If you enable advanced security, you can fiddle more with
group memberships etc
--
Mike News

Re: How do you NOT run as an administrator?

Mike wrote:
Yes, sorry, I should have said that.  I'm using XP Pro SP2.

If I work as a limited access user, how do I go back to
being an administrator?

And, can I do things like run backups, do AV and Spyware
checks etc. as a limited access user or would I have to keep
switching back and forth?

Thanks again.

Louise

Re: How do you NOT run as an administrator?

Running as a limited user under XP is a very good idea.  It means that
your computer is far less vulnerable to compromise by malware than it
would otherwise be.

I think what you mean is if my user is a limited access user, then how
do I do things that need administrator privilege.  You do that by
logging out of the limited access user account & then login as an
administrator.

You will always have at least one user account that is an administrator,
either a user called Administrator or a user with some other name but
anyway a member of the Administrators group.

There is another method of doing administrator things while logged in,
that is the runas command, or the makemeadmin script that uses it - but
those have their own subtleties that need a deeper understanding.

Typically AV programs & the like do allow you to run as a limited user.
Obviously it's important for users to be able to do things that make use
of the PC safer.  They typically do that by running the works of the
scanner in a service which does run with administrator privilege, while
the AV program front end runs as limited user.  Those programs take care
of that kind of technicality & you should not have to worry.

Backup could be a little more involved.  You can imagine that you should
be able to backup user files, but not any that your user is not allowed
to read & you might be more restricted in restoring from a backup - but
then that should be much rarer.

There are one or two odd things which are not possible from a limited
user, but which are not - they are called limited user access bugs.  An
example is displaying the clock window, it is not allowed because that
would allow the time to be changed, but that is a bug - the window
should instead display the clock but prevent the time being changed.
There are individual fixes to such bugs - but many of us manage very
well without.

Microsoft publish a white paper on the merits of running as a limited
user:

http://technet.microsoft.com/en-us/library/bb456992.aspx

It is based on the work of Aaron Margosis, there is much more info on
his blog:

http://blogs.msdn.com/aaron_margosis/

All the best
--
Dave English                      Senior Software & Systems Engineer
                              Internet Platform Development, Thus plc

Re: How do you NOT run as an administrator?

Dave English wrote:
Thanks a lot for the thorough explanation - including the
"downside".  I will read the blog and check out the MS white
paper

Louise

Re: How do you NOT run as an administrator?

Run As.. option from a right click?

Alternatively, you need to have 2 administrator accounts on your PC
anyway as well as any normal users.  I just use admin access for backups
and installing, normal users for other stuff
--
Mike News

Re: How do you NOT run as an administrator?

Jim wrote:
What are the advantages of a 'users' group (non-admin) login?




Re: How do you NOT run as an administrator?

On Sun, 16 Dec 2007 13:44:39 -0500, louise wrote:
If you're really concerned about the security of your computer and data
then you just will have to learn the rules how to keep secure. Review your
installed third-party software; remove clutter.

1.  Proceed with 'Hardening' your Operating System (OS) *and* use a
    Non-Administrator Account i.e. enable Limited User Account (LUA).
    
http://www.5starsupport.com/tutorial/hardening-windows.htm
http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

    Note:
    Both Plug & Play and DCOM can easily be disabled manually in Services
    (Local) panel and the Windows Messenger can be dealt with as mentioned
    in 1d.

    Therefore there is no need to download the below mentioned tools:
    a) To disable Windows Plug and Play, go here:
    http://www.grc.com/unpnp/unpnp.htm
    b) To disable Windows DCOM, go here: http://www.grc.com/dcom/
    c) To disable Windows Messenger, go here:
    http://www.grc.com/stm/shootthemessenger.htm

1a. In Folder Options | File Types tab add .CAB File.                          
  

1b. Right-click My Computer | Properties, System Properties - Advanced -
    Performance/Settings - Data Execution Prevention is 'checked' Turn
    on DEP...except those I select.
    How to determine that hardware DEP is available and configured on your
    computer.
    http://support.microsoft.com/kb/912923

1c. Local Security Settings (Admin Tools - Local Security Policy)
    Network security: Do not store LAN Manager hash value on next
    password exchange  = ENABLED.

1d. Uninstall/disable Windows Messenger
    Windows Messenger in XP
    http://www.kellys-korner-xp.com/xp_messenger.htm

    Stop Windows Messenger from Auto-Starting.
    Simply delete the following Registry Key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS

1e. Security Policy Recommendations.
    www.nsa.gov/snac/support/sixty_minutes.pdf
    Security Attribute (page 27/28).
    a) Network access: Do not allow anonymous enumeration of SAM accounts
    HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1
    Recommended Setting: Enabled
    b) Network access: Do not allow anonymous enumeration of SAM accounts
    and shares
    HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
    Recommended Setting: Enabled
    c) Network access: Let Everyone permissions apply to anonymous users
    HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 0
    Recommended Setting: Disabled

1f. Turn - Off Autoplay.
    http://www.dougknox.com/xp/tips/cd_autoplay_pro.htm
    To Disable CD autoplay, completely, in Windows XP Pro
    a) Click Start, Run and enter GPEDIT.MSC
    b) Go to Computer Configuration, Administrative Templates, System.
    c) Locate the entry for Turn autoplay off and modify it as you desire.

    Alternative:
    http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
    Scroll down to Tweak UI, download TweakUI.exe
    Once you've installed TweakUI you'll find a lot of options in it. To
    turn-off Autoplay, in TweakUI expand My Computer, and then AutoPlay.
    Click on Drives and uncheck the drive letter that you no longer want to
    AutoPlay. Click on Apply and that's it. No more "what would you like me
    to do" dialogs.

2.  For day-to-day work/browsing use the Limited User Account (LUA) and
    refrain from using the Administrator Account (AC).
    Least privilege
    http://www.securityfocus.com/infocus/1848
    It is important that administrators follow the rule of least privilege.
    This means that users should operate their computer with only the
    minimum set of privileges that they need to do their job. Typically
    this means operating as a normal user, and only when absolutely
    necessary use the Run As or MakeMeAdmin commands to elevate privileges.

    The Importance of the Limited User Account (LUA).
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html

    How the right user account can help your computer security.
    http://www.microsoft.com/protect/computer/advanced/useraccount.mspx
  
    Aaron Margosis' "Non-Admin" WebLog
    http://blogs.msdn.com/aaron_margosis/pages/TOC.aspx
  
    The easiest way to run as non-admin.
    http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

3.  Keep your operating system (OS) and all software on it updated/patched.
    "So, you didn’t patch the system and it got hacked. What to do? Well,
    let’s see: ..."
    "The only way to clean a compromised system is to flatten and rebuild.
    That’s right. If you have a system that has been completely
    compromised, the only thing you can do is to flatten the system
    (reformat the system disk) and rebuild it from scratch (re-install
    Windows and your applications)..."
    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

    Windows update.
    http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

    Secunia Software inspector
    http://secunia.com/software_inspector
    and
    M/S Security Baseline Analyzer 2.0
    http://www.microsoft.com/technet/security/tools/mbsa/default.mspx
    can assist also.
  
4.  Internet Explorer7.

    IE7 safe/secure settings
    Internet Explorer7 Desktop Security Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en

    The Internet Explorer 7 Security Status Bar
    http://www.microsoft.com/windows/products/winfamily/ie/ev/security.mspx

    Extended Validation SSL Certificates
    http://www.microsoft.com/windows/products/winfamily/ie/ev/default.mspx

    *Tight security settings will break down some websites. You need to add
    these websites into the Trusted Zone for smooth access.*

    Utilizing another browser application and e-mail provider can add to
    the overall security of the OS. But,  
    Microsoft says Internet Explorer more secure than Firefox :-)
    http://www.heise-security.co.uk/news/99955

    Alternative Browsers:
    Opera™
    http://www.opera.com/download/

    Firefox™
    http://www.mozilla.com/en-US/

    Reconsider using OE

    Good alternatives are:

    Opera's built-in e-mail client
    http://www.opera.com/products/desktop/m2/
  
    Firefox's built-in email client - Thunderbird™
    http://www.mozilla.com/en-US/thunderbird/
  
    Pegasus Mail™
    http://www.pmail.com/downloads.htm
  
    Windows Live Mail™ (Version 2008)
http://www.windowslive.com/?ocid=TXT_MSCOM_Wave2_MSCOMDLCNotifEm
http://www.microsoft.com/downloads/details.aspx?FamilyID=ba346005-45f6-4d14-a7dc-51e13d11a950&DisplayLang=en
  
      
    Good newsreaders (Google for more)

    40tude Dialog™
    http://www.40tude.com/dialog/

    Agent™ 4.2 Newsreader + Email
    http://www.forteinc.com/main/homepage.php
  
    Motzarella™
    http://www.pmail.com/downloads.htm
  
    Xnews™
    http://xnews.newsguy.com/

5.  Don't expose services to public networks. Review and manually disable
    unnecessary services presently active in your OS.
    (This can be a tedious exercise but will bear fruits later on; Initiate
    a good record of your doings).
    Security is a balance between usability and protection.
  
    Beginners Guides: Understanding and Tweaking WindowsXP Services
    http://www.pcstats.com/articleview.cfm?articleid=1759
    Page 1:  Beginners Guides: Understanding and Tweaking WindowsXP
    Services
    Page 2:  Which services are running?
    Page 3:  Getting Information on Specific Services
    Page 4:  Properties of Services
    Page 5:  Why do does WinXP need Services?
    Page 6:  What services should be running?
    Page 7:  Services to disable for better security and performance
    Page 8:  Creating your own services
    Page 9:  Creating Services Continued

    Windows XP Service Pack 2 Service Configurations
    http://www.blackviper.com/WinXP/servicecfg.htm#

    Windows XP SP2 default Services #1.
    http://www.ss64.com/ntsyntax/services.html

    Default settings for services #2.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx?mfr=true

6.  Activate and utilize the Win XP SP2 built-in Firewall; Uncheck *all*
    Programs and Services under the Exception tab and review exceptions
    frequently (the fewer exceptions the better).
    Read through:
    Deconstructing Common Security Myths.
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
    Scroll down to:
    "Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

    Exploring the Windows Firewall.
http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
    "Outbound protection is security theater—it’s a gimmick that only gives the
    impression of improving your security without doing anything that actually
    does improve your security."

    How to Configure Windows Firewall on a Single Computer
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx

    Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
    http://support.microsoft.com/default.aspx?kbid=875357

    Understanding Windows Firewall.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

    Using Windows Firewall.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx

    Use Windows Firewall in conjunction with:
    Seconfig XP 1.0
    http://seconfig.sytes.net/
    Seconfig XP is able to configure Windows not to use TCP/IP as transport
    protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135,
    137-139 and 445 (the most exploited Windows networking weak point)
    closed.
    OR
    Configuring NT-services much more secure.
    http://www.ntsvcfg.de/ntsvcfg_eng.html

The only reasonable way to deal with malware is to prevent it from being
run in the first place. That's what AV software or Windows' System
Restriction Policies are doing. And what Personal Firewalls fail to do.


7.  Routinely practice Safe-Hex.
    http://www.claymania.com/safe-hex.html

8.  Back Up regularly.

    Back up manually or use Windows XP Backup utility.
    http://www.microsoft.com/protect/yourself/data/backup.mspx

    Powerful backup that is easy to do!
    http://www.acronis.com.sg/homecomputing/

    Casper™ Backup Solution for Windows
    http://www.fssdev.com/

    Norton Ghost™
http://www.symantec.com/norton/products/overview.jsp?pcid=br&pvid=ghost12
  
    Free Back-Up Programs; There are many more - mileages will vary - get
    appropriate advice
    http://www.karenware.com/powertools/ptreplicator.asp
    http://www.2brightsparks.com/downloads.html#freeware
    http://www.sover.net/~wysiwygx/WinUtils5.html
    http://xxclone.com/
    http://www.educ.umu.se/~cobian/cobianbackup.htm
  
9. Familiarize yourself with Re-installing OS (reformat HDD).
   Be prepared...
  
   Perform a clean install of Windows XP
   http://support.microsoft.com/kb/316941/en-us

   "How to Perform a Windows XP Repair Install":
   http://michaelstevenstech.com/XPrepairinstall.htm

10. Familiarize yourself with Crash Recovery applications.
   ... don't get caught flatfooted :)

   Beginners Guides: Crash Recovery - Dealing with the Blue Screen Of Death
   http://www.pcstats.com/articleview.cfm?articleID=1647

   NTFS4DOS Personal is free.
   http://www.free-av.com/antivirclassic/avira_ntfs4dos.html

   How to create a bootable floppy disk for an NTFS or FAT partition in
   Windows XP
   http://support.microsoft.com/kb/305595

   Bart's Preinstalled Environment (BartPE) bootable live windows
   CD/DVD
   http://www.nu2.nu/pebuilder/

   How to obtain Windows XP Setup boot disks
   http://support.microsoft.com/kb/310994

   Windows XP Professional Utility: Setup Disks for Floppy Boot Install
http://www.microsoft.com/downloads/details.aspx?FamilyID=55820edb-5039-4955-bcb7-4fed408ea73f&displaylang=en

Inspirational reading:
http://home20.inet.tele.dk/b_nice/index.htm

Windows XP Security Guide
Chapter 5: Securing Stand-Alone Windows XP Clients
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch05.mspx

Install a good (free) real-time av application and some monitoring tools
(Autoruns, Process Explorer) similar to the ones developed by Mark
Russinovich.

Good luck :)
--
Security is a process not a product.
(Bruce Schneier)
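
A read-only check of the registry settings named in items 1c, 1d and 1e of the post above, added here as an example and not part of the original thread. It assumes PowerShell is installed, that `NoLMHash` is the value behind the 1c policy (the post does not name it), and that `MSMSGS` is a value under the `Run` key.

```powershell
# Added example, not from the thread. Reports only; changes nothing.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Want = $null means "this value should not exist".
$checks = @(
    # NoLMHash: assumed value name for the 1c policy; not given in the post.
    @{ Item = '1c';   Path = $lsa; Name = 'NoLMHash';                  Want = 1 },
    @{ Item = '1d';   Path = $run; Name = 'MSMSGS';                    Want = $null },
    @{ Item = '1e.a'; Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = 1 },
    @{ Item = '1e.b'; Path = $lsa; Name = 'RestrictAnonymous';         Want = 1 },
    @{ Item = '1e.c'; Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing instead of throwing.
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($key -and $key.PSObject.Properties[$Name]) { return $key.$Name }
    return $null
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -eq $c.Want) {
        # Auto-start entry: pass only when the value is gone.
        $status = if ($null -eq $actual) { 'OK' } else { 'PRESENT' }
    } elseif ($null -eq $actual) {
        # A missing DWORD is reported as not set rather than guessed at.
        $status = 'NOT SET'
    } else {
        $status = if ([int]$actual -eq $c.Want) { 'OK' } else { 'DIFFERS' }
    }
    New-Object PSObject -Property @{
        Item     = $c.Item
        Name     = $c.Name
        Expected = $(if ($null -eq $c.Want) { '(absent)' } else { $c.Want })
        Actual   = $(if ($null -eq $actual) { '(absent)' } else { $actual })
        Status   = $status
    }
}

$results | Select-Object Item, Name, Expected, Actual, Status | Format-Table -AutoSize
```

The `HKCU` check in 1d is per user, so run the script from the account whose auto-start entries you want to inspect.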

Re: How do you NOT run as an administrator?

Kayman wrote:

Thanks a lot.  Some of the above, the easy stuff, I've
already done such as turning off windows messenger and
running Russinovich Process Explorer every so often etc.   I
also do an image backup using Ghost approximately once a
month and also, a nightly file backup using Retrospect
(two different external hard drives).  Nevertheless, having
a bootable floppy sounds wise.

But most of this I don't know and I'll learn.

Louise

Re: How do you NOT run as an administrator?


<big snip of good advice>
Not many of us were born knowing any of this, and that is how we learn.
Jim



Re: How do you NOT run as an administrator?


<snip>

Unfortunately, the account you set up in Windows XP Pro during install
becomes an administrator account - the actual Administrator account is
always there.

There's nothing you can do to avoid this except to create an account
during install that you do not intend to use on a daily basis and then
afterwards create a limited account for normal use.

Good for you, that you understand, that you should not be running
Windows XP Pro as an administrator.


--
 
"Any girl can be glamorous. All you have to do is stand still and look
stupid."

Re: How do you NOT run as an administrator?

Well, you can remove the user from the Administrators group & leave it
only a member of Users - preferably before the machine sees any real
risk (e.g. the Internet).

Indeed
--
Dave English                      Senior Software & Systems Engineer
                              Internet Platform Development, Thus plc
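
The step discussed in this thread, taking a daily-use account out of Administrators and leaving it in Users, as an added example that is not part of the original posts. It assumes PowerShell is installed, English group names, and a placeholder account name `louise`; it refuses to proceed if no other administrator would remain.

```powershell
# Added example, not from the thread. Run from an administrator session.
# Assumptions: English group names; 'louise' is a placeholder account name.
param(
    [string]$Account = 'louise',   # hypothetical daily-use account
    [switch]$Apply                 # without -Apply the script only reports
)

$computer = $env:COMPUTERNAME

function Get-GroupMemberNames([string]$GroupName) {
    # Enumerate a local group through the WinNT ADSI provider.
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Does the current logon token carry Administrators membership?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session ($($identity.Name)) is administrator: $isAdmin"

$admins = @(Get-GroupMemberNames 'Administrators')
$users  = @(Get-GroupMemberNames 'Users')
"Administrators: " + ($admins -join ', ')

if ($admins -notcontains $Account) {
    "$Account is not in Administrators; nothing to change."
    return
}

# Never remove the last administrator: something must be left to log in with.
$remaining = @($admins | Where-Object { $_ -ne $Account })
if ($remaining.Count -eq 0) {
    "Refusing: $Account is the only member of Administrators."
    return
}

if (-not $Apply) {
    "Would move $Account to Users only; remaining admins: " + ($remaining -join ', ')
    return
}
if (-not $isAdmin) { throw 'Changing group membership needs an administrator session.' }

$memberPath = "WinNT://$computer/$Account,user"
if ($users -notcontains $Account) {
    ([ADSI]"WinNT://$computer/Users,group").psbase.Invoke('Add', $memberPath)
}
([ADSI]"WinNT://$computer/Administrators,group").psbase.Invoke('Remove', $memberPath)
"$Account is now a member of Users only. Log off and on again to get the new token."
```

Confirm you know the password of one of the remaining administrator accounts before running with `-Apply`.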
