Using Same Account as both Admin and Limited User

[Walter Mingle]

Hi,

Is there any reason I shouldn't use an account as an Administrator to
install programs, and do other things that require Admin privileges,
and downgrade that same account to Limited User for every-day web
surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission
trouble that comes from a LUA running programs installed a another
account.

If this isn't the way to do it, how else can it be done? I'm using XP
Home (SP3).

Thanks for any advice.

Cordially,

Walt

 

[1PW]

Hi,

Is there any reason I shouldn't use an account as an Administrator to
install programs, and do other things that require Admin privileges,
and downgrade that same account to Limited User for every-day web
surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission
trouble that comes from a LUA running programs installed a another
account.

If this isn't the way to do it, how else can it be done? I'm using XP
Home (SP3).

Thanks for any advice.

Cordially,

Walt

Hello Walt:

This is a basic computer security percept that isn't easy for some to
grasp or for others to practice. The time you will require actual
administrative privileges is very small when compared to all other
chores you do with your system.

By forgetting to return to a less privileged user mode, from Admin,
one lays the system open to well known security risks.

For the basic safety of your system, use the admin account for as
short a time as is needed to tend to security and system related
chores. When those chores are done, return to a less privileged user
account. Avoid giving user accounts more privilege then needed.

Congrats at being at SP3! Here's hoping all your other security is
excellent.


Pete

 

[Walter Mingle]

By forgetting to return to a less privileged user mode, from Admin,
one lays the system open to well known security risks.

For the basic safety of your system, use the admin account for as
short a time as is needed to tend to security and system related
chores. When those chores are done, return to a less privileged user
account. Avoid giving user accounts more privilege then needed.

Hi Pete,

I think I understand the security precepts you mention, and I agree
with them - that's why I'm interested. What I'm really asking: is
there any technical reason why I should stick with separate Admin and
Limited accounts, rather than changing one single account back and
forth as needed? In other words, does the mere act of upgrading a
limited account to Admin, and then returning it back to limited status
alter the permissions that a limited account should have, as you
mentioned above? I'm not technically knowledgeable enough to know the
answer.

Congrats at being at SP3! Here's hoping all your other security is
excellent.

Pete

Thanks, Pete.

Walt

 

[Old Rookie]

It almost always is better to simply use one account for administrator only
activity and then another regular account for everyday use. That way you are
much less likely to forget to demote your regular account if you had
elevated it to administrator access because the account you use for
administrator access will have an obviously different user profile with
different desktop, favorites, etc.

Steve

 

[VanguardLH]

Is there any reason I shouldn't use an account as an Administrator to
install programs, and do other things that require Admin privileges,
and downgrade that same account to Limited User for every-day web
surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission
trouble that comes from a LUA running programs installed a another
account.

If this isn't the way to do it, how else can it be done? I'm using XP
Home (SP3).

The Administrator account should never be touched except in case of
emergency. Create a new alternate admin account that you use for
installing software, creating user accounts, and other admin duties.
Make your own account a limited or power account. You don't want to end
up with a corrupted Administrator profile and have it as your only
admin-level account that is no longer usable (a corrupted can be fixed
but requires some work). You could also use the alternate admin account
as a backup and use the Administrator account as your regular admin-
level account; however, most recovery instructions will assume you are
using the Administrator account and you could forget what is the name of
the alternate admin account if you use it rarely.

You can either logoff your own limited account and logon under the
alternate admin account, or you can use Fast User Switching to flip
between the two.

For Internet-facing applications, you can run them under a LUA (limited
user account) token which removes the admin privileges from them. They
run with the same reduced privileges as when you run them after logging
under a limited account. You can use DropMyRights. I use SysInternals'
psexec to run a program under a LUA token. TallEmu's OnlineArmor has
its RunSafer attribute that you can assign to applications to run them
under a LUA token; however, I ran into some personal dislikes with OA
(see my posts in their forums) and decided to stop using it, but
periodically I revisit the product to see if they fixed my problems with
it because I really like logging under an admin account but have some
programs always run under a LUA token (you can easily use their tray
icon to temporarily disable their Program Guard when you need, say, the
web browser to be unlimited, like when using the Windows Update site).

 

[1PW]

Hi Pete,

I think I understand the security precepts you mention, and I agree
with them - that's why I'm interested. What I'm really asking: is
there any technical reason why I should stick with separate Admin and
Limited accounts, rather than changing one single account back and
forth as needed? In other words, does the mere act of upgrading a
limited account to Admin, and then returning it back to limited status
alter the permissions that a limited account should have, as you
mentioned above? I'm not technically knowledgeable enough to know the
answer.




Thanks, Pete.

Walt

Hello Walt:

Steve's post is spot on. Words to live by.

Regards,

Pete

 

[Walter Mingle]

The Administrator account should never be touched except in case of
emergency. Create a new alternate admin account that you use for
installing software, creating user accounts, and other admin duties.
Make your own account a limited or power account. You don't want to end
up with a corrupted Administrator profile and have it as your only
admin-level account that is no longer usable (a corrupted can be fixed
but requires some work). You could also use the alternate admin account

<snip rest>

Ok. Nobody likes my idea of switching the same account back and forth
between elevated and limited as needed, so I'll give up on that idea.

I wasn't planning on using the real Administrator account (the one
that lives in Safe Mode in XP-Home) - I would have used a regular user
account with admin privileges for that.

Many thanks to all who answered - I *really* appreciate the time you
folks took.

Sincerely,

Walt

 

[Anteaus]

Look for a script callled MakeMeAdmin.

BTW, I have long thought that what you say is correct. The lack of
understanding, if any, lies in people who insist on applying 1960's
shared-access mainframe principles to a personal computer.

What is actually needed on a one-per-desk computer is a way to prevent
access to system files when in 'normal mode' so as to offer better security
against malware, and to allow such when in 'maintenance mode.'

What happens instead is that all system configuration is done under an
entirely different collection of settings, and any changes to the settings
are thrown-away when returning to normal mode. This causes extreme
awkwardness (in fact it means that most apps have to be configured
twice-over) and is the main reason most people don't run as a limited user.

As Zaphod Beeblebox would point out, two heads which constantly disagree are
not necessarily an advantage over one.

 

[Walter Mingle]

Hi Anteaus, and thanks for replying.

Look for a script callled MakeMeAdmin.

I don't think I want to make it too easy to switch the account back
and forth between LUA and Admin rights. There's no time pressure to
produce, so I'd want to do it deliberately (in the sense of 'not
spur-of-the-moment'), with plenty of thought involved.

BTW, I have long thought that what you say is correct. The lack of
understanding, if any, lies in people who insist on applying 1960's
shared-access mainframe principles to a personal computer.

Well, I do buy into the whole security thing: run as a LUA account,
only use Admin rights when absolutely necessary, make it tough - or,
more correctly, not as easy - for the bad guys to mess with you.
Practice safe hex. I believe in that, just like the folks who replied
to me earlier do, and they're right - you risk getting taken to the
cleaners if you play fast and loose. What seemed to concern them the
most was that I would forget to switch back to LU mode without some
sort of visual reminder of where I was. I make no claim about having
a mind like an elephant, but if said pachyderm were to find itself
stuck with a human-type mind, I submit it could do worse than mine

What is actually needed on a one-per-desk computer is a way to prevent
access to system files when in 'normal mode' so as to offer better security
against malware, and to allow such when in 'maintenance mode.'

What happens instead is that all system configuration is done under an
entirely different collection of settings, and any changes to the settings
are thrown-away when returning to normal mode. This causes extreme
awkwardness (in fact it means that most apps have to be configured
twice-over) and is the main reason most people don't run as a limited user.

I believe the two preceding paragraphs to be correct; in fact, it is
that exact scenario that has caused me the most trouble in XP, and
I've been surprised that this way of handling it hasn't gotten more
air time, so to speak. I've tried it, carefully, on two or three
occasions, and it seemed to work - at least, nothing blew up. So,
I'll keep looking for technical reasons to avoid this method, but I
won't keep looking too much longer. It feels too "right" to not make
use of, barring good reasons not to.

Cordially,

Walt

 

[Robert Carnegie]

What is actually needed on a one-per-desk computer is a way to prevent
access to system files when in 'normal mode' so as to offer better security
against malware, and to allow such when in 'maintenance mode.'

What happens instead is that all system configuration is done under an
entirely different collection of settings, and any changes to the settings
are thrown-away when returning to normal mode. This causes extreme
awkwardness (in fact it means that most apps have to be configured
twice-over) and is the main reason most people don't run as a limited user.

Well, that's why Microsoft made Windows Vista. Uh, wait...

You can do several useful administrative things from a limited user
desktop with right-click "Run As..." to select your administrator
account. Other things you can't do at all, and some you can do by
using "Run As..." in an indirect way. I think that's a way to run
hard disk maintenance tools, for instance - through "Computer
Management". But Windows Explorer, and "Windows Update" inside
Internet Explorer, seem to be out.

Administrator is always present and active in your computer but may
not be talking to you.

On the other hand, "Ordinary user" could be compromised while
administrator is not - or so we're told. And yet frequently we hear
of a Windows Update that stops a malicious exploit that invades as
"Ordinary user" and then escalates to administrator. Which is not
even needed if /you/ escalate "Ordinary user" to administrator
status. I'm sure there are exploits that just assume that, like very
many users even today, the victim is an administrator.

As it happens, I'm looking for advice on securing an XP Home netbook I
just got. Is there a good FAQ?

Let's say my administrator account is named "Arthur" and the everyday
user is named "Galahad" - although that's not leading anywhere. Now
for instance there's a "real" Administrator that only works in safe
mode, right? Apparently with no password as default? On the WWW I
can find people telling me to rename /that/ administrator, delete it,
change the password. Does any of that stuff matter if the account
isn't accessible except for explicitly invoked mainenance?

Also, I've apparently been silently but legally supplied with Norton
Internet Security 2008 on hard disc, but not configured. But I favour
F-Secure's products, and I want to upgrade protection on other systems
I own, too. Also, my employer uses F-Secure. Still, I have this one
copy of Norton for free - temporarily, I expect, a limited-time
subscription.
<http://voices.washingtonpost.com/securityfix/2009/07/
update_for_norton_internet_sec.html> (Brian Krebs) repeats but
disagrees with criticism: "NIS has earned a bad rap over the years for
being a slow, resource-hogging beast of an anti-virus program, but
when I trialed the program for a few months, I found NIS2009 to be
very fast and unobtrusive." He doesn't mention it being hell to remove
from a system, which I've also heard. So I guess it could be (1) best
avoided or (2) too late, since it's kind of there.