encryption/firewall question

r.e.s.

I use winXP on a single-user pc running McAfee's firewall.
I don't think anyone will be "getting through" the firewall
while I'm on the internet, but there's something I'd like to
understand just as a matter of principle ...

If an internet intruder "gets through", what really does that
mean? Specifically, does it imply that he has access to files
in my *encrypted* folders? (The EFS is nicely "transparent" --
once I'm logged on, no further passwords are needed to access
my encrypted folders -- so does that mean the encrypted folders
are equally accessible to such an intruder?)

IOW, does "getting through the firewall" mean that such an
intruder is effectively "logged on"?

Thanks.
 
Roger Abell

There are a number of things you may consider to be
"getting through".
Let's ignore just getting network packets past the
firewall and assume we mean getting things to happen.
Generally when code is caused to execute it either is
run in the account context of the logged in user, or in
the account context of a service process (like local
service, network service, or system).
If it is system, then what gets run has pretty full rein
on the machine, but does not have EFS decryption ability.
If it is run as the logged in user account, as is often the
case with situations where one is tricked to "Open" and
so run something, then of course that account's EFS data
is transparently available.
One can define a separate account, used for the web by
starting IE with RunAs in order to avoid this exposure
risk to your EFS protected data.
 
r.e.s.

Thanks for the info -- I'd like to know more about using
RunAs in this context. Is there any particular online
source you'd recommend for more details?

--r.e.s.
 
Roger Abell

There really is not that much to the use of RunAs.
You can make a shortcut to anything (except Explorer)
and then r-click into the properties of the shortcut and
click the second tab where you can mark the shortcut
to start the app with alternate credentials.
When you use such a shortcut, like one to IExplorer,
you will be prompted for an account and password.

This prompting can become an annoyance.
If you start / run cmd and in the cmd window enter
runas /?
you will see a cmdline syntax for runas
This syntax can be used to modify shortcuts, not on
the second sheet but on the first where the target app
is listed. It might say for the target
"%ProgramFiles%\Internet Explorer\IExplore.exe"
this you would modify to be such as
runas /profile /u:surfaccount "%ProgramFiles%\Internet Explorer\IExplore.exe"
and then you are only prompted for the password.
You need to define some "surfaccount" that is of limited power.
If you have Pro you can add the /savecred switch and then
you are only prompted for the password the first time the
shortcut is used (per account in which it is used) or when the
password of the "surfaccount" account is changed.
Now, to make it even more simple, you can make a
shortcut to cmd.exe and set it to runas some account.
Then, in this window launch what you want, such as
iexplore.exe or msimn.exe (outlook express) and these
run within the runas account. I personally find this to
be a most useful way to do it, as I only need to keep
straight which cmd window is running in the alternate
account.

Another alternative is to make a small bat file. For example,
use notepad to save the following 3 lines as surf.bat
start "Explorer" /B "%ProgramFiles%\Internet Explorer\IExplore.exe"
start "Explorer" /B "%ProgramFiles%\Internet Explorer\IExplore.exe"
start "Express" /B "%ProgramFiles%\Outlook Express\msimn.exe"

Then, make a shortcut that will start this .bat with runas in one of the
two ways above. When you click that shortcut you get two IE windows
and one Outlook Express window running in context of that other account.
(Remember, OE can be just as hazardous as IE is as a vehicle by which
things can get through to execute).
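
The setup described in this post, as an added example that is not part of the original thread: a batch file that checks that the limited account exists and is not a local administrator before starting IE through runas. The account name surfaccount comes from the post; the file name surfcheck.bat, the English group name Administrators and the checks themselves are assumptions.

```bat
@echo off
rem surfcheck.bat -- added example, not from the thread.
rem SURFACCT is the limited account ("surfaccount" in the post above).
setlocal
set "SURFACCT=surfaccount"
set "IE=%ProgramFiles%\Internet Explorer\IExplore.exe"

rem 1. The account must exist before runas can use it.
net user "%SURFACCT%" >nul 2>&1
if errorlevel 1 (
    echo Account "%SURFACCT%" does not exist. Create it first, e.g.:
    echo     net user %SURFACCT% * /add
    exit /b 1
)

rem 2. Stop if a member line of the local Administrators group begins
rem    with the account name: the browser is meant to run with limited
rem    rights. Assumes the English group name.
net localgroup Administrators | findstr /i /b /c:"%SURFACCT%" >nul
if not errorlevel 1 (
    echo "%SURFACCT%" appears in the Administrators group; remove it first.
    exit /b 1
)

rem 3. Start IE in the limited account's context. runas prompts for that
rem    account's password, and any runas error stays visible in this window.
runas /profile /user:%COMPUTERNAME%\%SURFACCT% "%IE%"
if errorlevel 1 (
    echo runas failed; see the message above.
    exit /b 1
)
endlocal
```

Run it from an open cmd window rather than from Start / Run so that the messages remain on screen.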
 
r.e.s.

Possibly I'm misreading your instructions, but I
can't get them to work. Say my old (admin) account
is oldacct and the new (limited) account is newacct.
Then ...

Start .. run .. runas /user:oldacct "notepad.exe"
prompts for the oldacct pw, then opens notepad; but

Start .. run .. runas /user:newacct "notepad.exe"
prompts for the newacct pw, then just goes away,
apparently without doing anything.

The same thing happens when I make a shortcut to
cmd.exe and modify the target entry as suggested.
(I've rebooted & checked that the pw is correct.)

Thanks for any further advice.

--
r.e.s.


Roger Abell

Not sure what is happening for you.
The methods do work.
Have you logged in with the newacct account,
just to make sure it has been initialized and is
working?
You could try
start / run cmd
and then in this issue the
runas /u:newacct notepad.exe
as this will capture in the cmd window any error
messages from the runas
 
r.e.s.

The run cmd suggestion worked! While trying to make this
work yesterday, I'd changed the name of newacct to nacct,
rebooted, and nacct *was* the name showing up at login --
but apparently it wasn't really changed, since I just now
found that System Info in *nacct* still shows *newacct*
to be the account name!

Although I swear the same exact thing with newacct did
not work yesterday, it's working now, so I have to decide
whether it's really worth the hassle configuring a new
account from scratch (setting up the internet connection,
setting up OE, etc etc) -- I'm sure there are drawbacks
I haven't even thought of yet.

Thanks again for all the help.
 
Roger Abell

Well, glad it is working for you now.
The renaming issue you had is likely due to the
difference between the account and its display name.
 
