Adminstrator priviledges for users... problems?

[43fan]

I've been told that having a user with administrator priviledges opens
"holes" in the security. Is this indeed a problem? The biggest thing is, I
make a number of "changes" on my pc from time to time, and it's a huge pain
having to log out and re-login as administrator in order to do anything.

Thanks!
Shawn


--
It's not just based on number of championships won. Richard Petty won
200 races and 7 Daytona 500s in his 30+ year driving career. He also has
the most top-5s (555), top-10s (712), poles (126), laps completed
(307,836), laps led (52,194), races led (599) and consecutive races won
(10 in 1967) of any driver in NASCAR history.

 

[Ken Briscoe]

I've been told that having a user with administrator priviledges opens

"holes" in the security. Is this indeed a problem? The biggest thing is, I
make a number of "changes" on my pc from time to time, and it's a huge pain
having to log out and re-login as administrator in order to do anything.

Well, if you're logged in as adminstrator all the time, anyone that walks up
to your machine can make any changes they want to. It's best practice to use
another account for day to day use, and use a second account (*not* named
"administrator", but with in the administrators group) for administration of
the domain/machine. If it's your home machine and you have sufficient
protection (firewall, AV, that sort of thing), then there's probably nothing
wrong with using the administrator account all the time, but in any other
scenario, you shouldn't use the administrator account for anything other
than temporary usage for doing legit administrator work.

 

[David Bullock [MSFT]]

The other problem with logging in as Admin is that a virus or other mal-ware
can use the context of the logged in user to install, execute, etc. If
you're logged in as a regular user, such a virus won't have the appropriate
permissions to do anything too horrible.

--

David Bullock, MCSE, MCSA, A+
Windows NT/2000/2003 Setup Support

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.

 

[43fan]

The other problem with logging in as Admin is that a virus or other mal-ware
can use the context of the logged in user to install, execute, etc. If
you're logged in as a regular user, such a virus won't have the appropriate
permissions to do anything too horrible.

I think this is what they were referring to. But my question is, if I'm
logged in as me, but with admin priviledges, is that the same thing?

 

[David Bullock [MSFT]]

Yes. The critical factor is "what permissions does the currently logged in
user have?"

--

David Bullock, MCSE, MCSA, A+
Windows NT/2000/2003 Setup Support

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.

 

[SaltPeter]

I've been told that having a user with administrator priviledges opens
"holes" in the security. Is this indeed a problem? The biggest thing is, I
make a number of "changes" on my pc from time to time, and it's a huge pain
having to log out and re-login as administrator in order to do anything.

Why re-login when you can use the "run as..." to run anything with
alternative credentials? As a non-admin, you can Shift + right-click a
shortcut or application and use the run as... command that misteriously
appears in context menu (SP1 disabled this). Same goes for defining an
alternate account in a shortcut's properties. The added benefit is that only
that application is run in the admin user account priviledge space.

 

[Ken Briscoe]

I think this is what they were referring to. But my question is, if I'm

logged in as me, but with admin priviledges, is that the same thing?

My point was to not run your day to day tasks as a user with administrative
priveleges.

On another note, you should not use the "Administrator" account, as everyone
(read: hackers, virus writes, and their ilk) already know 1/2 of what it
takes to log in as an administrator - the username. So use a *different*
account to do administrative things.

I wasn't too eloquent the first time...I hope that cleared up what I was
trying to say.

 

[Oli Restorick [MVP]]

In addition to what's already been said, if you let your users log into
"their" PCs with admin privileges and, when you go to fix things on their
PCs, you log in as "Domain Admin", you'd be making it very easy for anyone
with malicious intent to get domain admin rights.

Oli

 

[SaltPeter]

I think this is what they were referring to. But my question is, if I'm
logged in as me, but with admin priviledges, is that the same thing?

Thats a fair question. The answer is that it doesn't matter "who" the user
is. What matters is what priviledges that account has.

Any utility, program or application that is inheriting the interactive
user's access level, will inherit the accounts ability to access protected
file and folder objects, protected registry keys as well as the right to
install drivers and replace dlls. Here-in lies the danger of login-in using
the admin account or any account with admin priviledges.

So the answer is that it is "the same thing". Using the "run as.." option is
not the same thing. Since you are specifying that only that application will
run with the alternative credentials.