My limited user is not so limited

burnedtechie

I tried to improve the security of my home machine by making the
accounts my wife and I use into "limited user" accounts in XP Home. I
first created a new admin account, of course, with a really long
password.

Now, when I've restarted my computer and logged into my old account
(which is now *limited* and no longer admin), it shows *some* signs
that it's limited but I don't think it really is completely.

Signs it is NOT really limited:
I can install software!! Seriously, I thought limited users could not,
but I totally installed a trojan simulator which even modified my
registry (TSServ.exe). Also installed Google Earth for fun. All
logged in as this limited user and I did NOT do any "run as", nor did I
EVER have to provide that long admin password I mentioned. Ever.

Signs it IS limited:
Norton AV will no longer let me change settings.
Windows won't let me change the time on my clock (says I must have
admin privs)
Windows won't let me create files on c:\ (the root folder).

So, what's up with this? I'm no more secure than I was!!
 
Vanguard

burnedtechie said:
> I tried to improve the security of my home machine by making the
> accounts my wife and I use into "limited user" accounts in XP Home. I
> first created a new admin account, of course, with a really long
> password.
>
> Now, when I've restarted my computer and logged into my old account
> (which is now *limited* and no longer admin), it shows *some* signs
> that it's limited but I don't think it really is completely.
>
> Signs it is NOT really limited:
> I can install software!! Seriously, I thought limited users could not,
> but I totally installed a trojan simulator which even modified my
> registry (TSServ.exe). Also installed Google Earth for fun. All
> logged in as this limited user and I did NOT do any "run as", nor did I
> EVER have to provide that long admin password I mentioned. Ever.
>
> Signs it IS limited:
> Norton AV will no longer let me change settings.
> Windows won't let me change the time on my clock (says I must have
> admin privs)
> Windows won't let me create files on c:\ (the root folder).
>
> So, what's up with this? I'm no more secure than I was!!


Any program that installs its files in YOUR profile path
(%userprofile%) will install okay because that path has you as the
owner with permissions for writing. Google Earth installs in your
profile path because of this. Don't know about the trojan simulator
program. My guess is that if it looks like it wrote into the registry
then it probably actually modified YOUR registry file (NTUSER.DAT)
that is, yep, located in YOUR profile path. If you start looking at
permissions on folders and files under your own profile path, you will
see that you have full permissions to them.
 
burnedtechie

Vanguard said:
> Any program that installs its files in YOUR profile path
> (%userprofile%) will install okay because that path has you as the
> owner with permissions for writing.

Then in what sense does running as a limited user (instead of admin or
root) make me so amazingly secure like I've read? I thought it was
supposed to basically let me run stuff I already have installed, surf
the net, write Word docs, look at photos, but not really install
anything (inadvertently *or* intentionally)?

Besides, doesn't my now "limited" user already sort of own most of the
folders on the drive, since it *used* to be the head admin account and
was responsible for creating and installing most of the stuff I have?
Do I have to go make *another* limited account and somehow transfer all
my docs and photos to *him*? What a pain!!
 
Steven L Umbach

Limited users can indeed install software that does NOT write to HKLM in the
registry, to the program files folder, or the \Windows folders and
subfolders. Software writers have created software that can be installed
entirely in the user's profile which is probably what you are seeing. In XP
Pro you can use Software Restriction Policies to prevent unauthorized
software from being installed or executed from a user's profile. For XP Home
the free Shared Computer Toolkit can also do the same for user accounts you
want to restrict. You can also change permissions on the folders in your
user account to give your account deny permissions for execute for files
only if you want to configure special permissions. If you want to try that
do NOT try it on the built in administrator account.

Steve

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx --- Shared
Computer Toolkit
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308419 --- XP
special permissions
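
The split described in the post above (profile folder and HKCU writable, HKLM, Program Files and \Windows not) can be checked from the account itself. This PowerShell is an added example, not code from anyone in the thread; `Test-FolderWrite` and `Test-RegistryWrite` are illustrative names, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: probe which locations the CURRENT account can write to.
# Test-FolderWrite / Test-RegistryWrite are illustrative names, not built-in cmdlets.

function Test-FolderWrite([string]$Path) {
    # Create and delete a uniquely named probe file; failure means no write access.
    $probe = Join-Path $Path ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryWrite([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey) {
    # OpenSubKey(name, $true) requests write access and throws if it is denied.
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)
        if ($key) { $key.Close(); return $true }
        return $false
    } catch {
        return $false
    }
}

$hkcu = [Microsoft.Win32.Registry]::CurrentUser
$hklm = [Microsoft.Win32.Registry]::LocalMachine

$checks = @(
    @{ Location = '%userprofile%';     Test = { Test-FolderWrite $env:USERPROFILE } }
    @{ Location = 'HKCU\Software';     Test = { Test-RegistryWrite $hkcu 'Software' } }
    @{ Location = 'Program Files';     Test = { Test-FolderWrite $env:ProgramFiles } }
    @{ Location = 'Windows folder';    Test = { Test-FolderWrite $env:SystemRoot } }
    @{ Location = 'System drive root'; Test = { Test-FolderWrite "$env:SystemDrive\" } }
    @{ Location = 'HKLM\SOFTWARE';     Test = { Test-RegistryWrite $hklm 'SOFTWARE' } }
)

# One row per location: True means this account can write there.
$checks | ForEach-Object {
    [pscustomobject]@{ Location = $_.Location; Writable = (& $_.Test) }
} | Format-Table -AutoSize

# Programs already sitting inside the profile, i.e. per-user installs.
Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Run it once as the limited account and once as an administrator and compare the two tables. On Windows versions with UAC, an unelevated administrator session gives the same results as a limited account.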
 
karl levinson, mvp

> Then in what sense does running as a limited user (instead of admin or
> root) make me so amazingly secure like I've read? I thought it was
> supposed to basically let me run stuff I already have installed, surf
> the net, write Word docs, look at photos, but not really install
> anything (inadvertently *or* intentionally)?

Running as limited user does help prevent most adware and spyware. This is
a good thing. However, adware and spyware could very easily be re-written
to work as non-admin users. Running as non-admin helps not because it is
more secure, but because current adware authors are lazy and have no need to
write their apps to work as non-admin.

People who claim that running as non-admin helps prevent viruses are dead
wrong. It does not. This is a popular misconception, and even people at
Microsoft believe this misconception. Running as non-admin is MUCH more
effective at ensuring that users do not screw up their own system and cause
support problems. Non-admin accounts are helpful for configuration control,
not security. In some cases, running as non-admin might prevent some
viruses from re-launching persistently after you reboot your system. But
pretty much every virus on the planet can still run on your system and do
just about anything it wants, at least until you reboot.

Running as non-admin restricts you to only be able to make changes to your
own Windows profile, so that your changes [and infections] should not affect
other users.

> Besides, doesn't my now "limited" user already sort of own most of the
> folders on the drive, since it *used* to be the head admin account and
> was responsible for creating and installing most of the stuff I have?
> Do I have to go make *another* limited account and somehow transfer all
> my docs and photos to *him*? What a pain!!

No, that won't help. Users by default own their Profile folder in the
Documents and Settings folder and in the HKEY_CURRENT_USER section of the
registry. The fact that your limited user used to be an admin user isn't
the problem here.

There are other things you can do if you want to prevent users from
installing software. However, if your concern is security, you are really
very secure as long as you run as non-admin, run antivirus [AVG from
http://free.grisoft.com is free], use a firewall of some sort [the XP
firewall and www.zonealarm.com are both free], and Windows is receiving
patches regularly. You really have little to fear as long as you do these
things.
 
Jeff

Sorry to butt in but I am trying to figure out the same question: should I
run as an administrator account or a limited one.

> Running as non-admin restricts you to only be able to make changes to your
> own Windows profile, so that your changes [and infections] should not
> affect other users.

So, since I am the sole user of this PC, is there a difference in running as
a limited or administrative account? There are no other users on this pc to
be messed up by my doings and actions. Would it not therefore be simpler for
me - the sole user of the PC - to run as an administrator? Limited accounts do
not seem to add security for a sole user notebook - or am I wrong?

Jeff


 
karl levinson, mvp

Jeff said:
> Sorry to butt in but I am trying to figure out the same question: should I
> run as an administrator account or a limited one.
> So, since I am the sole user of this PC, is there a difference in running
> as a limited or administrative account? There are no other users on this
> pc to be messed up by my doings and actions. Would it not therefore be
> simpler for me - the sole user of the PC - to run as an administrator?
> Limited accounts do not seem to add security for a sole user notebook - or
> am I wrong?

Well, running as non-admin when you don't need to be an admin is generally
just good practice. It also is effective at preventing a large percentage
of spyware and adware. However, if it is very annoying for you to run as
non-admin with your current version of Windows, it is entirely up to you
whether or not doing so is helpful. It's entirely your choice. You
probably already know whether adware and spyware are a problem on your
computer today. I personally run as admin myself and it hasn't hurt me,
though I know I should get out of the habit.
 
Jeff

karl levinson said:
> Well, running as non-admin when you don't need to be an admin is generally
> just good practice. It also is effective at preventing a large percentage
> of spyware and adware. However, if it is very annoying for you to run as
> non-admin with your current version of Windows, it is entirely up to you
> whether or not doing so is helpful. It's entirely your choice. You
> probably already know whether adware and spyware are a problem on your
> computer today. I personally run as admin myself and it hasn't hurt me,
> though I know I should get out of the habit.

Thanks for the reply. Good to know that an expert does the same.

I run as admin all the time. Every time I changed, I found it very annoying.
I rarely have malware because I have a good firewall (ZA), anti virus
software, use mailwasher for my emails, regularly run apps like Ad-aware and
Spybot, etc. and use Firefox 99% of the time.

It would be nice if there was a way to selectively run certain internet apps
like browsers and emailers as isolated limited users while running the rest
as admin, but I guess that is not really there yet.

Thanks.

Jeff
 
karl levinson, mvp

> It would be nice if there was a way to selectively run certain internet
> apps like browsers and emailers as isolated limited users while running
> the rest as admin, but I guess that is not really there yet.

There actually is at least one such tool, called "dropmyrights," you can
google for it. However, I am not entirely sure it actually adds as much
security as the article claims. It won't really protect you against viruses
like the dropmyrights article claims, for example. I don't use it myself.
 
Jeff

karl levinson said:
> There actually is at least one such tool, called "dropmyrights," you can
> google for it. However, I am not entirely sure it actually adds as much
> security as the article claims. It won't really protect you against
> viruses like the dropmyrights article claims, for example. I don't use it
> myself.

Yes, I heard of it too, but have not used it.

Thanks for all the info.

Jeff
 
