redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
2 edits | reply to Tuulilapsi
Re: XP: Your Very own Low-Rights IE
said by Tuulilapsi  :Alternatively, and this works for both XP Home and Pro, use Run As to run IE as your restricted user account of choice. There lies the problem. You have to "Run As" in order to get it to run reduced. If you open a link from any other external app, it will not run with reduced privileges if this policy isn't set (by default if the external app is still being run as admin then IE will be run as admin).
Running a limited account to make sure everything runs with reduced privileges isn't the goal (since it is for pople who must run as admin), and using Run As for all your applications, known and unknown, to protect against browser based attacks is impractical.
--
Microsoft Windows 2000/XP Security: Some Assembly Required. |
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland
1 edit | Right you are. Software restriction policies are a very powerful tool. It's quite inexcusable that MS crippled that functionality, along with file & folder permission management on XP Home.
On the other hand, I've noticed most people either don't know or just didn't think about using Run As to run something with lower privileges instead of higher. It does work. 
--
And lead me not into temptation - for I can find my way there myself easily enough. |
|
BruceT
join:2001-11-28
Corpus Christi, TX
| I am not that well versed in XP admin rights and such but it seems to me that most people who have XP Home got it as an OEM that came with their computers when they bought them. I am sure that almost all of them are admins since that seems to be the way XP home sets the users up the first time they turn the system on. This means most "lay" people are open to exploits?
Now from reading this, XP Home makes it difficult to use the system running it as a non-admin. Is that correct and if so what should the "average joe" home user do? |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
2 edits | said by BruceT :Now from reading this, XP Home makes it difficult to use the system running it as a non-admin. Is that correct and if so what should the "average joe" home user do? XP all by itself works pretty well running as non-admin, but a lot of software (a majority of software overall, I believe) was written for Windows 9x, where there is no distinction between admin and non-admin (everything is admin in 9x). Microsoft has several products (or has acquired several products) that are incompatible with running as non-admin, but compared to the industry that revolves around it, they're not that bad.
XP was the last attempt to force 9x users to upgrade to Windows NT. What has happened (unsurprisingly) is that we (collectively) are running NT 5.1 in Windows 9x compatibility mode, because then "everything works."
So I guess I would say that Windows makes it difficult to use a Windows system running it as a non-admin. In my opinion, it's not just XP, but how Windows got to the XP version.
From what I've read, Microsoft is attempting to directly addressing this issue of Win9x apps on NT in "Vista," because they aren't going away.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
|
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland
| reply to BruceT
said by BruceT :I am not that well versed in XP admin rights and such but it seems to me that most people who have XP Home got it as an OEM that came with their computers when they bought them. I am sure that almost all of them are admins since that seems to be the way XP home sets the users up the first time they turn the system on. This means most "lay" people are open to exploits? Now from reading this, XP Home makes it difficult to use the system running it as a non-admin. Is that correct and if so what should the "average joe" home user do? Yes, people that are running as admin are open to exploits in the sense that any program they run as admin whether malicious or not can do anything it bloody well pleases, whereas, on limited accounts, there are strict limits to what can be done. A simple example: You execute a virus that wants to format your partition X. If you executed the virus as admin, the virus can do what it wants. If you executed it as a restricted user, sorry, no format allowed.
XP Home isn't so difficult to run as non-admin that I wouldn't recommend doing it. In my opinion, the average user should set up a non-admin account, and use that for non-admin tasks. Any problems with file permissions can be sorted out by booting in safe mode and editing the permissions there (in XP Home, the security tab appears in the properties menu only in safe mode). Some apps will probably be troublesome, but there's most often a solution for it.
--
And lead me not into temptation - for I can find my way there myself easily enough. |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| said by Tuulilapsi :XP Home isn't so difficult to run as non-admin that I wouldn't recommend doing it. In my opinion, the average user should set up a non-admin account, and use that for non-admin tasks. Any problems with file permissions can be sorted out by booting in safe mode and editing the permissions there (in XP Home, the security tab appears in the properties menu only in safe mode). Some apps will probably be troublesome, but there's most often a solution for it. The problem is that the additional burden of administrative tasks (and also how to carry out those tasks under NT) is inconvenient enough that most of the people I know outside of computers or IT don't do it.
In addition to the technical difference in security models between Win9x and WinNT, interacting with RunAs or discretionary ACLs is completely foreign to most users who upgrade from Win9x. (And too many Windows software developers.)
Some people have no problem with doing this and I always recommend running as non-admin. But for a large segment of users (particularly consumers with otherwise unmanaged systems) non-admin has to get closer to zero-maintenance, because that's often how much time many people spend on maintaining their systems.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland
| I agree that non-admin accounts as they are now aren't perfect, and MS has improvements to make, but I don't agree about the whole zero maintenance point. Non-admin accounts as they are now in Windows require some extra work, yes, but just how much extra work is required to constantly sort out malware problems that could have been avoided by not running as admin? According to my own (limited) observations, people actually have to waste less time on maintenance when running as non-admin.
--
And lead me not into temptation - for I can find my way there myself easily enough. |
|
BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
 ·Verizon FIOS
 ·Verizon Online DSL
| Its much less work, my anti-software updates on the system account, and if I really need to I can run as a program to do an admin task. The only real limitation is piss poor programing, anti-software that won't update on the system account, programs which require admin access like games which repeatedly install DRM software which causes problems with everything on your computer, etc...
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
The biggest error is sitting in front of your keyboard. |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
| reply to Tuulilapsi
said by Tuulilapsi :and MS has improvements to make So do software vendors, that is, constant writing to the registry should be done in HKEY_CURRENT_USER and the current user's Application Data folder instead of the program's folder.
So it seems Vista will ask for a password if a program requires more privileges to write somewhere. I fear this only encourages other vendors to continue this vile behavior even if MS recommends it to them as only a solution for legacy or poorly written apps.
--
Microsoft Windows 2000/XP Security: Some Assembly Required. |
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland
| Agreed - software vendors, in particular security software vendors - should both advocate the concept of least privilege and write their programs to work properly with non-admin accounts. What I would like to see is MS getting really rough on anyone who churns out code that breaks with non-admin accounts. If you remember those lovely "This driver has not been certified for XP compatibility" warnings, perhaps something like that would be in order: "Warning: This software is not compatible with (fancy term like 'Windows Protected User Accounts' here). This software is poorly coded and may jeopardize the security of your system, and your socks. Do you still wish to proceed with the installation?" If anyone could get away with doing that, it's MS. What are vendors going to do? Start writing all their apps for other operating systems, as if the majority used them? It would work. 
--
And lead me not into temptation - for I can find my way there myself easily enough. |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to Tuulilapsi
said by Tuulilapsi :I agree that non-admin accounts as they are now aren't perfect, and MS has improvements to make, but I don't agree about the whole zero maintenance point. Non-admin accounts as they are now in Windows require some extra work, yes, but just how much extra work is required to constantly sort out malware problems that could have been avoided by not running as admin? According to my own (limited) observations, people actually have to waste less time on maintenance when running as non-admin. Absolutely, I agree with you that it's less time consuming and less of a hassle to prevent problems rather than to fix them. And logically, it's a no-brainer.
But that's a "pay me now or pay me later" choice; a lot of people choose the latter, even if they aren't aware that they are making a choice.
Regarding what Microsoft has to do with non-admin accounts, I think Microsoft is mostly addressing third party applications that don't work. If it was just Microsoft apps, they could have fixed the individual apps without having to make many of the changes that are going into Vista. (They may be fixing them, anyway.) Day to day use of non-admin accounts has been possible on "managed" NT desktops for a long time.
In a way, the changes going into Vista are just another set of compatibility "shims" that Microsoft has to put into Windows to accommodate odd conventions in third party programming. In some cases, I believe those conventions were at least partly the result of a lack of documentation or "under documentation" of best practices for using some Win32 API functions.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
