How safe is a "Limited" XP account?

John Brock

What bad things can happen to me while using a plain vanilla
"Limited" Windows XP user account? In the most extreme case,
suppose I am totally reckless, and I visit every questionable web
site I can find, and click on every questionable attachment that
comes my way. In theory it would still seem that nothing really
bad can happen, other than having files owned by that account spied
on and/or altered. In fact it seems reasonable to expect that any
malware I ran into would -- on finding itself in an unexpected
non-Administrator environment -- simply fail, so even that sort of
compromise wouldn't be too likely. But I am just speculating, and
I'd rather know the facts. So what are the risks?

One thing I have heard is that IE, being fused to the kernel, always
runs with full privileges, and is thus always a security risk, even
in a Limited account. However I always use Mozilla, which I would
think would take care of that problem. Or does it? Is there maybe
some way a malicious web page could get to IE through Mozilla?

And what about Outlook? Does it have the same problem as IE? I
don't use Outlook either, but I am just trying to understand the
issues. In general I am interested in both likely and worst case
scenarios. Any thoughts?
 
Walter Roberson

:What bad things can happen to me while using a plain vanilla
:"Limited" Windows XP user account? In the most extreme case,
:suppose I am totally reckless, and I visit every questionable web
:site I can find, and click on every questionable attachment that
:comes my way. In theory it would still seem that nothing really
:bad can happen, other than having files owned by that account spied
:on and/or altered.

On the other hand, there have, for example, been cases under XP where
a deliberately malformed graphics file could lead to Bad Things.
If such a file were loaded in the user account and then you later
browsed the user account with a different account (such as Administrator)
then More Bad Things happen.
 
SlowJet

If you leave a door open with a naked girl standing under the entry light
waving at strangers something bad may indeed happen.

The user account just assures it will only happen to her and not the three
kids and the dad. With a very strong password (which means very long with
mixed case and special characters) the girl is now dressed in combat
fatigues and the screen door is latched.
(Don't forget the back door called Guest)

Now with a FW, the front door is locked.
A two way FW the windows are locked.
With Av the bugs can't come through the cracks.
Adware blockers - No soliciting and no trespassing signs.

NTFS with secure permissions and rights - The girl now lives on an Aircraft
carrier and anything too close gets blown up. :)

Passwords

No password - attacker can guess the account name in 20 seconds.
Simple word passwords - 30 seconds to 2 min.
Strong long mixed password with long strong account name.

drum roll ....

If the password is hacked at 1,000,000 times per second
it will take 31,000,000 trillion years plus or minus the intelligence of the
checker software.

SJ
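SlowJet's "drum roll" figure is a keyspace calculation: the number of possible passwords divided by the guess rate. The following Python script is an added example, not part of the thread or any poster's code, that carries that arithmetic through for the policies the post names (no password, a simple dictionary word, short and long mixed-character passwords) at the one-million-guesses-per-second rate the post assumes. The character-set sizes and the 100,000-word list size are assumptions chosen for illustration.

```python
import math

# Guess rate from SlowJet's post: one million attempts per second.
GUESS_RATE = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character-set sizes for the policies the thread discusses.
CHARSETS = {
    "lowercase letters": 26,
    "mixed case letters": 52,
    "mixed case + digits": 62,
    "mixed case + digits + specials": 95,
}


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Strength of a randomly chosen password from this policy, in bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, rate=GUESS_RATE):
    """Worst case: every candidate is tried before the right one turns up."""
    return keyspace(length, charset_size) / rate


def dictionary_seconds(wordlist_size, rate=GUESS_RATE):
    """A 'simple word' password is found by enumerating a wordlist, so the
    effective keyspace is the wordlist size, not charset ** length."""
    return wordlist_size / rate


def human_time(seconds):
    """Rough human-readable duration."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def policy_table(lengths=(6, 8, 12, 16), rate=GUESS_RATE):
    """One row per (charset, length): entropy in bits and worst-case time."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            secs = seconds_to_exhaust(n, size, rate)
            rows.append({
                "policy": name,
                "length": n,
                "bits": round(entropy_bits(n, size), 1),
                "years": secs / SECONDS_PER_YEAR,
                "time": human_time(secs),
            })
    return rows


if __name__ == "__main__":
    # Constructed wordlist size for the "simple word" case.
    print("simple word from a 100,000-word list:",
          human_time(dictionary_seconds(100_000)))
    for row in policy_table():
        print(f"{row['policy']:<32} {row['length']:>2} chars "
              f"{row['bits']:>6.1f} bits  {row['time']}")
```

Two things the table makes visible that the post's single number does not: a dictionary word falls in well under a second at this rate regardless of how "strong" its letters look, and the 31,000,000 trillion years figure lands between the 16- and 17-character rows for the full printable set, so it describes a long random password, not a memorable word with a digit appended.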
 
Todd H.

What bad things can happen to me while using a plain vanilla
"Limited" Windows XP user account?

Everything including execution of "arbitrary code."

In the most extreme case,
suppose I am totally reckless, and I visit every questionable web
site I can find, and click on every questionable attachment that
comes my way. In theory it would still seem that nothing really
bad can happen, other than having files owned by that account spied
on and/or altered. In fact it seems reasonable to expect that any
malware I ran into would -- on finding itself in an unexpected
non-Administrator environment -- simply fail, so even that sort of
compromise wouldn't be too likely. But I am just speculating, and
I'd rather know the facts. So what are the risks?

Search the web for Windows security advisories that include the words
"local privilege escalation." These indicate "okay i have a local
(restricted) user account, and this hole gives me administrator
priv's."

One thing I have heard is that IE, being fused to the kernel, always
runs with full privileges, and is thus always a security risk, even
in a Limited account. However I always use Mozilla, which I would
think would take care of that problem. Or does it? Is there maybe
some way a malicious web page could get to IE through Mozilla?

IE is comparatively far more dangerous.

Unpatched Mozilla can still be a big problem though too. You have to
keep up on all fronts. Mozilla was also vulnerable to the malformed
graphic buffer overflow, but its security track record remains far far
better than IE.

And what about Outlook? Does it have the same problem as IE?

It does too many things by default, yes. There are options that need
to be disabled there. Try Mozilla Thunderbird for a little more
insulation, or investigate all the default options you need to modify
to use Outlook relatively safely.

issues. In general I am interested in both likely and worst case
scenarios. Any thoughts?

There are more secure OS's out there.

What are your goals? What need motivates your questions?

Best Regards,
 
Twisted One

Todd said:
Investigate all the default options you need to modify
to use Outlook relatively safely.

There's just the one, and it's five easy clicks -- start, control panel,
add/remove programs, "Outlook", "Yes I want to completely remove Outlook
and all its components".

;)

What are your goals? What need motivates your questions?

The need for Ubuntu, from the look.
 
John Brock

(e-mail address removed) (John Brock) writes:
There are more secure OS's out there.

What are your goals? What need motivates your questions?

My motivation is very simple; I use a Limited account on my home
XP system, and I want to understand how much extra security this
buys me. I don't rely on it for security, and in fact I am quite
paranoid about security -- I have a hardware firewall and anti-virus
software, I have never used IE on this computer except to connect
to microsoft.com for updates, and I read all my email via telnet.
So far I seem to have avoided any viruses or spyware. I am well
aware that there are more secure OS's, and I'm appalled at how
poorly Windows is designed in terms of security. Still, you process
words with the computer you've got, and I just want to understand
the one I've got as well as possible.

I think my question really breaks down into two parts:

1) How well does the theoretical security provided by a Limited
account hold up in practice? I.e., how hard is it in practice to
"escalate privileges", and how long do bugs which allow this to
happen go unfixed?

2) How likely is it that a given piece of malware will be coded to
try to escalate privileges if it finds itself running on a Limited
user account, or even function effectively at all in this situation?
My impression is that most Windows users spend most of their time
in accounts with Administrator privileges, so maybe most virus
writers wouldn't consider it worth their effort to write code that
deals with Limited accounts. Or maybe not. I don't know, hence
my question.

I do notice that when I see lists of recommendations for securing
Windows PCs Limited accounts are often not even mentioned, and I've
wondered why that is. Maybe it's because some old or poorly designed
software won't run properly, and because you can't install most
software. Maybe it's assumed that the typical user can't be trusted
to understand and use a Limited account. Or maybe it just doesn't
add as much security as I think it does. Again, my question.
 
Todd H.

My motivation is very simple; I use a Limited account on my home
XP system, and I want to understand how much extra security this
buys me. I don't rely on it for security, and in fact I am quite
paranoid about security -- I have a hardware firewall and anti-virus
software, I have never used IE on this computer except to connect
to microsoft.com for updates, and I read all my email via telnet.

Sounds like an excellent set of steps. Well, except the last one
where I hope you mean ssh instead of telnet. :)

So far I seem to have avoided any viruses or spyware. I am well
aware that there are more secure OS's, and I'm appalled at how
poorly Windows is designed in terms of security. Still, you process
words with the computer you've got, and I just want to understand
the one I've got as well as possible.

I think my question really breaks down into two parts:

1) How well does the theoretical security provided by a Limited
account hold up in practice? I.e., how hard is it in practice to
"escalate privileges", and how long do bugs which allow this to
happen go unfixed?

If you're using Windows, using a limited account is definitely better
than using a full priv account. It's decidedly not as strong as
using a UNIX user account simply because the security architecture is
not as robust as *NIX. However, if you're going to be using Windows,
a limited account is the best you can really do.

If you would like to take this security isolation one step further,
however, and still want to use Windows, you might consider running
Linux as your host operating system and getting a copy of VMWare
Workstation for Linux. Then, run Windows as one guest OS inside a
VMWare virtual machine. You could install two different Windows
virtual machines actually--one "clean" and one "dirty" and do risky
work in one, and trusted work inside the other. If you run a limited
account inside of there, you get even better protection. With this
virtual machine/VMWare method, most malware you encounter will at
least only be contained to that particular virtual machine, and will
leave the rest of your virtual machines unharmed.

Malware writers, however, are working on ways to break out of virtual
machines like this...but thus far, I don't think they're having a lot
of success.

2) How likely is it that a given piece of malware will be coded to
try to escalate privileges if it finds itself running on a Limited
user account, or even function effectively at all in this situation?

Again, it's hard to answer with hard numbers without a lot of
research, but I'd say that most malware is going after the low hanging
fruit of a default install where the user had admin priv's already.
As such, a limited account does buy you due diligence at the very
least.

My impression is that most Windows users spend most of their time
in accounts with Administrator privileges, so maybe most virus
writers wouldn't consider it worth their effort to write code that
deals with Limited accounts. Or maybe not. I don't know, hence
my question.

I'd agree with your take.

I do notice that when I see lists of recommendations for securing
Windows PCs Limited accounts are often not even mentioned, and I've
wondered why that is.

I think it's perhaps because they're new and unique to XP (at least in
the parlance "limited account.") Win2k and NT had similar constructs,
but the roles were something of default user, power user, and
administrator, and others.

Maybe it's because some old or poorly designed software won't run
properly, and because you can't install most software. Maybe it's
assumed that the typical user can't be trusted to understand and use
a Limited account. Or maybe it just doesn't add as much security as
I think it does. Again, my question.

You've brought up a good point about limited, or non-administrative
accounts. From what I've read, there is a non-trivial amount of
software out there that doesn't work with them. :-\

Best Regards,
 
André Gulliksen

John said:
I do notice that when I see lists of recommendations for securing
Windows PCs Limited accounts are often not even mentioned, and I've
wondered why that is. Maybe it's because some old or poorly designed
software won't run properly, and because you can't install most
software.

This probably has more to do with history and habits than the actual
security. In UNIX limited user accounts are the rule rather than the
exception. But Windows has a history based upon single user operating
systems, which has later had functionality added to emulate multi user
support. Of course, NT was a huge step in the right direction, but software
designed for NT 3.x/4.0/2000 still had to be designed to also run on Windows
3.x/9x/ME. So it was easier to assume that the user would run under
administrative privileges than to make support for limited users under true
multi user environments.

Even today all accounts created in XP are administrator accounts by default.
And worse; Windows happily accepts blank passwords for all users, including
'administrator'. Even if limited accounts became the norm, it would probably
be easy to spread a worm that runs itself with administrator privileges
simply by guessing that the administrator password should be blank.

Maybe it's assumed that the typical user can't be trusted
to understand and use a Limited account.

Now, _this_ makes no sense to me. The question should rather be how can a
typical user be trusted with a _non_-limited account.

Or maybe it just doesn't
add as much security as I think it does.

It's not likely to be bulletproof, but it does add security. If the goal is
ultimate security then limited user accounts are one of several mandatory
steps.
 
philo

John said:
What bad things can happen to me while using a plain vanilla
"Limited" Windows XP user account? In the most extreme case,
suppose I am totally reckless, and I visit every questionable web
site I can find, and click on every questionable attachment that
comes my way. In theory it would still seem that nothing really
bad can happen,
<snipped>

any virus/worm you get will affect the entire machine...
not just that account
by setting up a "limited" account you are no safer than your own
(hopefully good) common sense
 
Todd H.

philo said:
<snipped>

any virus/worm you get will affect the entire machine...
not just that account
by setting up a "limited" account you are no safer than your own
(hopefully good) common sense


No, this is not necessarily true. It depends on the vulnerability the
virus/worm utilizes.

A virus/worm that runs in user context (such as one an unwitting user
clicks on and executes via email, or certain buffer overflow exploits
of programs run in local user context) won't be able to overwrite
system files or registry keys that a limited user is not authorized to
modify, and as such, will fail in the general case to infect the
entire system.

That's the modicum of additional security that a limited account
affords ya.

You would be correct only if speaking about the subset of malware that
attacks unpatched vulnerabilities of system processes that run with
system privileges.

Best Regards,
 
xpyttl

No, this is not necessarily true. It depends on the vulnerability the
virus/worm utilizes.

Another big "it depends" is the file system. If your XP is installed on the
NTFS it is very, very, much more secure than if it is installed on a FAT or
FAT32 filesystem. On FAT32, your limited account can pretty much write any
file. Not so on NTFS.

I'm afraid that some posters are right in that most Windows users do their
day to day work on an administrative account. There seem to be a number of
applications from major vendors that just plain won't work on a limited
account, especially on SP2.

I'm not convinced that XP/SP2 on NTFS by itself is any less secure than
Linux without SELinux. However, the applications are another matter
entirely.

...
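Todd's reply above (malware in user context cannot overwrite system files or registry keys the account lacks rights to) and xpyttl's follow-up (on FAT32 there are no file permissions at all, so a Limited account can write almost anywhere) both come down to a question you can check directly: what can this account actually create or modify? The script below is an added example written for this thread, not code from any poster. It tries to create and then delete a throwaway file in each listed directory, and a throwaway subkey under HKLM, reporting which attempts the OS allowed. The directory list and the `SOFTWARE` parent key are assumed illustrative targets; on an NTFS install with default ACLs a Limited user should see all of them reported as protected, while on FAT32 every directory comes back writable. The registry check uses Python's standard `winreg` module and returns `None` when run somewhere other than Windows.

```python
import os
import uuid

try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None

# Assumed illustrative targets: locations a Limited account must not be able
# to modify on an NTFS install with default ACLs. Adjust for your machine.
DEFAULT_PROBE_DIRS = [
    r"C:\Windows",
    r"C:\Windows\System32",
    r"C:\Program Files",
]
# Assumed parent key; a Limited user normally has read-only access here.
DEFAULT_PROBE_KEY = r"SOFTWARE"


def can_create_file(directory):
    """Create and immediately delete a uniquely named file in `directory`.

    True means the running account can write there (expected everywhere on
    FAT32, and only inside the user's own profile on NTFS); False means the
    OS refused or the path does not exist. Nothing is left behind.
    """
    probe = os.path.join(directory, f"acl-probe-{uuid.uuid4().hex}.tmp")
    try:
        fd = os.open(probe, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError:          # PermissionError, FileNotFoundError, ...
        return False
    os.close(fd)
    try:
        os.remove(probe)
    except OSError:
        pass                 # created but not deletable: still writable
    return True


def can_create_registry_key(parent_subkey=DEFAULT_PROBE_KEY, hive=None):
    """Try to add, then delete, a throwaway subkey under HKLM\\<parent_subkey>.

    Returns None when not running on Windows, otherwise True/False.
    """
    if winreg is None:
        return None
    hive = winreg.HKEY_LOCAL_MACHINE if hive is None else hive
    path = parent_subkey + "\\" + f"acl-probe-{uuid.uuid4().hex}"
    try:
        key = winreg.CreateKeyEx(hive, path, 0, winreg.KEY_WRITE)
    except OSError:
        return False
    key.Close()
    try:
        winreg.DeleteKey(hive, path)
    except OSError:
        pass
    return True


def probe_directories(directories):
    """Map each directory to whether the running account can write there."""
    return {d: can_create_file(d) for d in directories}


def unexpected_writable(results):
    """Directories that came back writable: for a Limited account on a
    system location this means the protection Todd describes is absent
    (FAT32, or an ACL someone loosened)."""
    return sorted(d for d, writable in results.items() if writable)


if __name__ == "__main__":
    results = probe_directories(DEFAULT_PROBE_DIRS)
    for d, writable in results.items():
        print(f"{'WRITABLE ' if writable else 'protected'} {d}")
    bad = unexpected_writable(results)
    print("system directories this account can modify:", bad or "none")
    print("HKLM subkey creation allowed:", can_create_registry_key())
```

Run it once from the Limited account and once from an Administrator account: the difference between the two result sets is exactly the "modicum of additional security" the thread is arguing about, and an empty list from the Limited account on an NTFS volume is the outcome the default ACLs are supposed to give you.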
 
Todd H.

xpyttl said:
Another big "it depends" is the file system. If your XP is installed on the
NTFS it is very, very, much more secure than if it is installed on a FAT or
FAT32 filesystem. On FAT32, your limited account can pretty much write any
file. Not so on NTFS.

Thank you for bringing this up. I absolutely should've included that
mention. I've been using NTFS for so many years I tend to forget
this. :)

I'm not convinced that XP/SP2 on NTFS by itself is any less secure than
Linux without SELinux. However, the applications are another matter
entirely.

I won't argue too hard with that. Linux is certainly no OpenBSD
that's for sure. :)
 
Twisted One

Todd said:
OpenBSD is regarded by many as one of the most secure OS's out there.

Neither Linux nor WinXP really come close.

How is Linux worse?

Too bad there are now actually some almost-usable linux distros (ubuntu)
and no openbsd distros worthy of note. :p
 
Todd H.

Twisted One said:
What's this mean exactly?

OpenBSD is regarded by many as one of the most secure OS's out there.

Neither Linux nor WinXP really come close.

Best Regards,
 
André Gulliksen

Twisted said:
How is Linux worse?

The basic ideology behind OpenBSD is different than most OSes. Security has
top priority (even higher than functionality, it may seem at times), and a
lot of time and manpower is spent debugging source code not only for known
bugs and vulnerabilities, but even to weed out bad coding which may or may
not prove to cause problems at some stage.

There have been similar attempts to produce high security Linux
distributions, such as Adamantix, Trustix and Hardened Gentoo. Also, I hear
that Novell SuSe Linux Enterprise Server 9 recently passed the Common
Criteria Controlled Access Protection Profile/Evaluation Assurance Level 4+,
which is supposed to be the highest security certification given to any
current Linux distribution.

Too bad there are now actually some almost-usable linux distros
(ubuntu) and no openbsd distros worthy of note. :p

What are your criteria for "usable"? What do you use it for? I have used
OpenBSD for firewalls and web servers, among other things, and it worked
fine for me.

On a side note: There is no such thing as an OpenBSD "distro". The same goes
for any other BSD. Instead, you have branches and forks. For instance,
OpenBSD itself is a fork off NetBSD.
 
Todd H.

Twisted One said:
How is Linux worse?

No default buffer overflow countermeasures, among other things.
SE-Linux addresses that I believe http://www.nsa.gov/selinux/ but
most distro's by default lack much in the way of stack execute
protection and such goodies that make it much harder for the bad guys
to exploit programs that are vulnerable to buffer overflows.

Linux, however is moving toward OpenBSD levels of security-by-default
faster than Windows seems to be. Windows has a tougher row to hoe
though because the whole damned architecture was sorta caught by
surprise that this internet thing really caught on, whilst *NIX's
have lived in a networked world essentially since birth.

Some more info on Open BSD's goals here:
http://www.openbsd.org/security.html

You'll notice their advisory list is a whole lot shorter than either
Linux (pick any distro) or Windows, but their security architecture in
OpenBSD has been among the #1 priorities from the inception of the OS
and code has been extremely thoroughly audited and they have a fairly
tight knit group of developers trusted with modifications. Linux is
much more of a "bazaar" approach with a lot more hands in the cookie
jar.

Linux fans, on the other hand, argue that there are more security
tools available for Linux, so Linux has the potential to be awfully
well secured. Even so, nearly all distros don't come that way by
default, and most users are far from security experts and lack the
knowledge to lock them down all that well. In practice, it turns out
that it's not hard to find Linux boxes that are vulnerable to
something exploitable due to an administrator not keeping up with
patches. OpenBSD boxen on the other hand...if there is a
vulnerability out there, they're a lot harder to exploit on that OS.

Best Regards,
 
Twisted One

André Gulliksen said:
What is your criteria for "usable"? What do you use it for? I have used
OpenBSD for firewalls and web servers, among other things, and it worked
fine for me.

Usable, as in there's actually a user interface and documentation.
Trying to accomplish typical desktop tasks on it doesn't feel like
trying to fix a generator holding a flashlight in your teeth, groping
about in the dark for your tools while you watch an ominously increasing
amount of smoke pour out of the darn thing.

On a side note: There is no such thing as an OpenBSD "distro". The same goes
for any other BSD. Instead, you have branches and forks. For instance,
OpenBSD itself is a fork off NetBSD.

I meant "packaged distributions", however the heck you get it to install
it. :p
 
