Posted by Sebastian Gottschalk on August 30, 2006, 8:10 am
burnedtechie@yahoo.com wrote:
> Having a problem.. In an effort to better secure my home computer, I
> created a new admin-level user (this is XP Home, by the way) with a
> really long password, logged in as THAT user and changed my usual
> account and my wife's account to "limited user" level. Then I shut down
> and restarted the computer. Logged in as my usual self (now LIMITED,
> mind you) and proceeded to test if I really was locked down like I
> wanted.
>
> So I went into my Norton antivirus and tried to change settings - no
> dice. *Good* so far, right? I tried creating files on c:\ and got
> access denied. GOOD, right?
Good, but actually strange, because the default permission would normally
allow you to create new folders (but no files) in the root directory. I
normally remove that permission, as it allows users to clutter the root
folder with junk.
> Well, next I downloaded some software off the internet and installed it
> and it installed just fine, even making registry entries all over the
> place.
>
> WHY???
Because it was compliant with your permissions.
> Why was the software install not blocked?
Because you didn't explicitly deny exec rights? Because you didn't
explicitly configure Software Restriction Policies to globally remove
exec rights?
> I was able to install both Google Earth and a Trojan simulator called
> TrojanSimulator, which is now resident in memory (TServ.exe) AND has a
> registry entry to help it start up next time I reboot (nice, huh?)
>
> I thought the limited user in XP was supposed to prevent this crap!!
What crap? Works as supposed and designed.
If you don't want the user-specific autorun entry, you can disable it,
either directly or by group policy:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisableLocalUserRun"=dword:1
"DisableLocalUserRunOnce"=dword:1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisableLocalUserRun"=dword:1
"DisableLocalUserRunOnce"=dword:1

What I recommend is to move the Start menu "Startup" autostart to some more
visible location and to disable any other autostart locations. Then the
user has a clear overview over any startup entry in a pure file-based form
(with no need to use any specific tool like a registry editor).
And actually it's quite good that Google Earth installs flawlessly with
limited rights. However, it's still true that it wouldn't require any
installer at all, and badly written installers are the most common source
for failures on installation. As I already mentioned, one can even make
Adobe PhotoShop CS2 install and run without any installer and any
administrative access.
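
An added example, not part of the original post: a read-only PowerShell check, run as the limited user, that lists the per-user autostart entries discussed above (the HKCU Run and RunOnce keys and the Start menu Startup folder) and shows whether the two policy values named in the post are set. The policy value names are copied from the post as written and are not verified here; the script assumes PowerShell 3.0 or later.

```powershell
# Added example: audit the per-user autostart locations discussed in the post.
# Read-only. Run it in the session of the limited user being checked.

$policyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Value names copied from the post as written (assumption: not verified here).
$policyValues = 'DisableLocalUserRun', 'DisableLocalUserRunOnce'

foreach ($path in $policyPaths) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $policyValues) {
        # A missing key or a missing value is reported as "not set".
        $state = if ($key) { $key.GetValue($name, 'not set') } else { 'not set' }
        '{0}\{1} = {2}' -f $path, $name, $state
    }
}

# Per-user Run / RunOnce keys: a limited user can write to these.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$entries = @(foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Location = $path
                Name     = $name
                Command  = $key.GetValue($name)
            }
        }
    }
})

# Start menu "Startup" folder of the current user (file-based autostart).
$startup = [Environment]::GetFolderPath('Startup')
$entries += @(Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Location = $startup; Name = $_.Name; Command = $_.FullName }
    })

if ($entries.Count -eq 0) { 'No per-user autostart entries found.' }
else { $entries | Format-Table -AutoSize -Wrap }
```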