|
Posted by speeder on May 16, 2005, 12:41 pm
If you were Registered and logged in, you could reply and use other advanced thread options
I´ve been thinking about creating a limited account in WinXP as
another layer of security. An administrator level account would exist
only for installing new stuff. Is this a valid idea as a threat
deterrent?
My assumption is that in a limited account malicious code from
webpages or possible injection of malicious code through unknown
server vulnerabilities (I run a few) would not be able to install or
provide further attack venues.
If my assumption is all wrong can the limited account be helpful at
all in providing further security?
|
|
Posted by Tony Lawrence on May 16, 2005, 1:27 pm
If you were Registered and logged in, you could reply and use other advanced thread options
speeder wrote:
> I´ve been thinking about creating a limited account in WinXP as
> another layer of security. An administrator level account would exist
> only for installing new stuff. Is this a valid idea as a threat
> deterrent?
>
> My assumption is that in a limited account malicious code from
> webpages or possible injection of malicious code through unknown
> server vulnerabilities (I run a few) would not be able to install or
> provide further attack venues.
>
> If my assumption is all wrong can the limited account be helpful at
> all in providing further security?
Yeah, it's a great idea - but because of how Windows works, I bet you
can't stand running that way very long..
What's really dumb about it is that Windows does have the ability to ask
for a password and run apps as another user - they just don't implement it.
--
Tony Lawrence
Unix/Linux/Mac OS X resources: http://aplawrence.com
|
|
Posted by on May 16, 2005, 1:42 pm
If you were Registered and logged in, you could reply and use other advanced thread options > I´ve been thinking about creating a limited account in WinXP as
> another layer of security. An administrator level account would exist
> only for installing new stuff. Is this a valid idea as a threat
> deterrent?
>
> My assumption is that in a limited account malicious code from
> webpages or possible injection of malicious code through unknown
> server vulnerabilities (I run a few) would not be able to install or
> provide further attack venues.
>
> If my assumption is all wrong can the limited account be helpful at
> all in providing further security?
Yes, this is a good idea. In fact, it is the way that it SHOULD work
all the time. As a long time Unix user, I was flabbergasted when I
installed Windows XP on a machine and found out how many things
(regular, user applications) broke when not run as Administrator.
That's simply inexcusable, in my opinion.
I do have things set up with normal user accounts for everyone who
uses the machine, and a separate Administrator account that's only
supposed to be used to install new software or change configuration
settings. I have had to fight with some software to make it work (the
most common fix is to make the installation directory for the software
world writable -- some software apparently tries to save temporary
files in the install directory!). And a few things just have to be
run as Administrator for some reason (for example, I have to
personally start Harry Potter and the Sorceror's Stone for my son when
he wants to play it, because it has to be run as Administrator --
lovely, eh? Nothing like having to give full admin rights to a 4 year
old...).
--
That's News To Me!
newstome@comcast.net
|
|
Posted by xpyttl on May 16, 2005, 3:00 pm
If you were Registered and logged in, you could reply and use other advanced thread options > I´ve been thinking about creating a limited account in WinXP as
> another layer of security. An administrator level account would exist
> only for installing new stuff. Is this a valid idea as a threat
> deterrent?
It's not only valid, running applications, especially browsing, as
administrator is just plain stupid.
However, as others have pointed out, Windows is not nearly as competent in
this area as Linux.
There are a few programs (really not very many) that won't run properly
except as administrator. In a very few cases, this actually makes sense.
In most cases, though, it is simply incompetence.
Most of the time, as someone else pointed out, the problem is with
protections on the files, so often the program can be fixed by going in and
correcting those protections. This is a piece of cake in Win XP Pro, but
it's a bit challenging in XP Home. You still want to be as stingy as
possible with the file protections and still allow things to work. Open the
files up too much and you have opened yourself up to exactly the kinds of
problems you are trying to prevent.
In general, you want Windows and your personal files on an NTFS partition,
and if your disk is of any size at all, XP does this by default. However,
often you can work around some of the issues with errant programs by
installing them on a FAT partition. In any case, once you have a limited
user, it's handy to have at least one FAT partition anyway, especially on XP
Home. I keep a few FAT16 partitions for specific functions.
...
|
|
Posted by speeder on May 16, 2005, 11:35 pm
If you were Registered and logged in, you could reply and use other advanced thread options
something worth going for despite the effort (I´ve noticed, I can
hardly boot my machine in limited mode...).
Where can I get tips on making this work? Right now I don´t know why
things broke or what is the strategy to get them to work under
limited. Someone has got to have thought of these things before. I can
think of things like putting Windows TEMP folder under a shared folder
but I don´t want to reinvent the wheel or do something that I´m going
to regret later.
I do have Pro and all my drives are NTFS.
thanks again.
|
| Similar Threads | Posted | | My limited user seems not so limited (XP) | August 29, 2006, 10:55 pm |
| Someone using my newsgroup account | July 28, 2006, 3:16 pm |
| how to: account lockout timer ?? | April 27, 2004, 3:53 pm |
| Virtual Account Numbers | March 1, 2005, 12:42 pm |
| My user accounts now have very limited rights | October 18, 2005, 5:14 pm |
| Account data stored in Configuration Mgmt DB | January 26, 2005, 6:11 am |
| Commercial Product to Automate Changing Windows Local and Service Account Passwords | September 3, 2006, 11:24 pm |
| WinXP strange behaviour | March 16, 2005, 7:48 am |
| How do I encrypt a whole (external) USB harddisc (under Win2000 and WinXP)? | July 11, 2005, 1:13 pm |
| Can PGP 6.5.8 (=last freeware version) run in an 64bit WinXP system ? | March 2, 2007, 3:21 am |
|
XML site map