Limited vs Administrative

Discussion in 'other security issues & news' started by WilliamP, Jul 30, 2007.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    I'm glad that you agree with me. :) By the way: Here's what Microsoft is saying about the "LUA approach" - interesting reading.

    Well, a password is absolutely necessary. But what are "all the apps you need to run in admin mode"? In my experience most applications work flawlessly in a limited account. All modern applications aware of user accounts should save their data in "c:\Documents and Settings\<user>\..." where you have full write access. There are still some applications that want to save data or individual configuration settings in the Programs folder (where you don't have write permission as user). In this case you should try to change the path for data etc. in the configuration of that application. If this is not possible you can grant full access to your user just for the configuration file or the data subfolder. Sometimes this is also necessary for some registry entries which you can find out with Regmon. But again - these are really rare exceptions in my experience. I haven't had any problems with newer applications.

    Which ones? Those problems could possibly be solved by applying what I described above.

    Yes, KAV 7.0 and SSM work without any problems.
     
    Last edited by a moderator: Aug 2, 2007
  2. tlu

    tlu Guest

    WilliamP, I'm not really sure what's happening on your system. If you can really only download as admin, then perhaps you input a download folder in your browser where you have no write permission. Change that to a folder in c:\Documents and Settings\<user>\... . Or if you use a folder like c:\Downloads change its permissions. Start the Explorer as admin, go to the Security Tab and grant full permission to your user account for c:\Downloads. Important note: The Security Tab is only available in Windows XP Professional and must be displayed by following the steps outlined here. There is no Security Tab in the Home edition (only Bill Gates knows why :thumbd: ). In this case I strongly recommend installing Fajo XP in order to add this tab (on this website you'll also find some useful links regarding this topic). This way also in the Home edition managing file/folder permissions is very comfortable.
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    tlu, please forgive my ignorance. I have never used a limited user account and assumed that it had to be in administrator to load anything. So if a program can be loaded in either account, how does a limited account protect you?
     
  4. tlu

    tlu Guest

    From a security standpoint this is probably true. With a HIPS you have more control over what an application is doing, e.g. accessing the Registry. On the other hand, as I wrote in another post, for trusted applications you tend to click the "Allow" button over and over again anyhow. So for me the most important aspect is if I doubleclick, say, a "good-looking" mail attachment received by a friend and this attachment is probably not able (because you are in a limited account), but trying to do something it shouldn't, and the HIPS issues a warning. This is a strong hint that something is wrong and this file might be some kind of malware.

    So there is no reason to not use both since all HIPS I know work also in a limited account while protection against new techniques or zero-day attacks is definitely better than using a HIPS in an admin account.
     
  5. tlu

    tlu Guest

    You don't have to be an admin in order to start an application. The benefit of a limited user account is that the user has no write permission for the critical parts of Windows, especially the Windows folder, the Programs folder, most parts of the Registry and most of the approx. 50 autostart locations. That means that it is extremely difficult for any malware to seriously compromise your system - even without any HIPS.

    A more comprehensive explanation can be found here, here, here and here

    I recommend reading these articles.
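
The write restrictions described in the post above can be checked from inside the account itself. The following PowerShell script is an added example, not part of the original thread; the function names, the probe file name and the choice of locations are assumptions made for illustration, and the "expected" column reflects default Windows permissions.

```powershell
# Added example (not from the thread). Run it from the account you want to check.
# It probes a few of the locations named in the post; nothing is left behind.

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-FolderWrite {
    param([string]$Path)
    # Try to create, then delete, a uniquely named probe file in the folder.
    $probe = Join-Path $Path ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryWrite {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    # Opening the key with writable = $true throws without write permission.
    # The key is only opened and closed; no value is changed.
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }   # key does not exist
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

$run  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$hkcu = [Microsoft.Win32.Registry]::CurrentUser

# ExpectedForLimited: what a limited account should see with default permissions.
$checks = @(
    @{ Location = 'Windows folder';        ExpectedForLimited = $false; Writable = (Test-FolderWrite $env:SystemRoot) },
    @{ Location = 'Program Files folder';  ExpectedForLimited = $false; Writable = (Test-FolderWrite $env:ProgramFiles) },
    @{ Location = 'HKLM Run (autostart)';  ExpectedForLimited = $false; Writable = (Test-RegistryWrite $hklm $run) },
    @{ Location = 'User profile folder';   ExpectedForLimited = $true;  Writable = (Test-FolderWrite $env:USERPROFILE) },
    @{ Location = 'HKCU Run (autostart)';  ExpectedForLimited = $true;  Writable = (Test-RegistryWrite $hkcu $run) }
)

"Token has administrator rights: {0}" -f (Test-IsAdministrator)
$checks | ForEach-Object { [pscustomobject]$_ } |
    Select-Object Location, Writable, ExpectedForLimited |
    Format-Table -AutoSize
```

A mismatch between the Writable and ExpectedForLimited columns points to an account that is not actually limited or to permissions that were loosened. The per-user Run key stays writable, so a limited account confines autostart entries to the user's own profile rather than removing them altogether.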
     
  6. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Well Thomas, I gave it a try. I downloaded suDown to my test snapshot. When I rt clicked it told me to put in a password. When I put in a password it told me that it was the wrong password. So I got out of my test snapshot.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I am actually trying the Limited User Account approach here for the 1st time in XP Pro. So far it seems to be great. I have no AV and no other HIPS or security software installed, just the router. Everything is super light, fast and responsive now, it's pretty amazing. And as a backup in case anything does ever happen, I have an image of my setup, so if necessary I can restore in 10 minutes. Seems like the ideal setup for me...
     
  8. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Kerodo did you do a new install ? I have tried several times to simply add a limited account to an existing installation and it has always been a real pain.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, I recently (2 days ago) did a fresh reformat and install of both Windows XP Pro and MS Office, fully updated both, then did an image for safekeeping. During XP install, all I created at that time was my main user with Admin privileges.. That was it.

    Later, in order to change my default main user account to Limited, I first had to create another Admin account. So I did that, then simply changed my main user account to Limited, and that was it. Everything went fine, and it was relatively painless..

    Also, before I changed my main account to Limited, I installed whatever software I thought I'd need or use first. Seemed easier than trying to install with a Limited account.

    At any rate, everything seems to be working fine, and I feel extra safe knowing that I have an image to fall back on should something somehow happen here..
     
  10. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I am trying this sudown. Installed it, and rebooted. Changed my account to limited but I can't see any sudown account type. My account is simply limited.
    I see in my right click that I can choose sudown to install a software but sudown just crashes all the time.
    What am I doing wrong?
    I have no hips running (only boclean and panda antivirus and looknstop) and do have NET 2.0.
    When I look in control panel/ accounts it is limited but I still can install any software without using sudown o_O
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I couldn't quite figure out Sudown either, so I decided to just go with converting my account to a Limited account. Seems easy enough anyway. If you want to install software or run something that needs admin privileges as a Limited account user, just right click on the program icon and select Run As. It will ask you which account you want to use to run this program. Select the check box below that says use the following user, and use the Administrator user, enter the password, and it will run and install fine. You may run into problems with some software that can't run properly in a limited account, but you'll have to wait and see if and when that happens.. So far here everything I use runs fine in Limited account.
     
  12. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I did another reboot and now it seems I am truly limited, but that's not thanks to sudown. It is just a basic limited account created the normal way in windows, I think. I can not install applications when I try to install them the normal way.
    If I do it through the sudown link in the right click menu it still crashes. Obviously sudown doesn't like my machine :(
    But FDISR (which I thought needed a admin account) seems to work fine.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, that's part of what it means to run as a Limited User.

    Can you not right click on the application file icon and select Run As, then run the install program as Administrator? That should solve that problem...
     
  14. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    After trying SuDown, I decided that it is a waste of my time. Running as admin poses risks, that's why I have bought a crap load of software to protect me. The way I see it, to use sudown is to ditch my already secure setup in order to gain annoying extra steps that I have to complete in order to accomplish my tasks.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I ditched SuDown also, mostly because it was too much hassle setting things up with the user groups or whatever you're supposed to do. I am now just running a Limited User Account and it's not much hassle at all. I could go either way though, back to Admin account with a few necessary security apps is ok too. Main benefit I see now is XP seems to run super light and fast without any AV or other apps slowing things down. Just light and simple now, so I will stick with the LUA for a while unless it turns out to be a problem. For me, most of the HIPS programs are a lot more annoying than an occasional right click Run As needed in a LUA. But to each his own... :)
     
  16. tlu

    tlu Guest

    Okay, since there seem to be some problems with limited accounts and/or suDown, I'm going to give you some hints:
    1. The easiest way to create a new user account is to change the existing one from an administrator type one to a normal user type one. Go to Control Panel, create a new account - let's call it Admin -, define it as administrator account (define also a password), log off, log on into the new Admin account, go to Control Panel and change your old account to a user account (and don't forget to define a password also for this one if none exists!).
    2. While you're still in your new Admin account install suDown (remember: .Net 2.0 must be previously installed - you can get it via Windows updates!), reboot and log on into the new Admin account. Go to Control Panel, where you'll find that a new user group called SUDOERS was created. Add your old (and now limited user) account to this group.
    3. Log off and log on into your limited user account. suDown is now available by right-clicking any application and selecting sudo ... . A window will pop up and you'll have to enter the password of your user account (not the one of your Admin account!!!). By right-clicking the Desktop and selecting sudo Control Panel you have access to Control Panel with admin rights - this way you can change all settings as you were used to do before.
    I hope this clarifies some things.
     
  17. gkatwork

    gkatwork Registered Member

    Joined:
    Aug 3, 2007
    Posts:
    5
    Hello,

    For years, although I was promoting the fact of running under a restricted user account, I was using an admin account and never hid this fact. I was explaining that the Windows built-in "Run as" was flawed and sometimes programs and setup you launch with "Run As Administrator" fail to work or to install. Also, there are dumb programs requiring you to be part of the Administrator group to work. I still stand on that.

    However, I managed to switch to a restricted user account without any hassle by creating different accounts. One admin account obviously to defrag, make backups/image, install or uninstall security programs. Another restricted account, my day to day one I use for everything else. We could imagine to create another admin one if you have video games not working on a restricted account.

    About the security programs not working on a restricted account, I would uninstall them, simply. restricted rights + restricted account compatible security programs, offer better security than admin rights + restricted account incompatible security programs. KAV6 & 7 work fine, SSM also, Jetico/Outpost/Comodo also, etc... no problem on my side (Win XP SP2 by the way). If you read Nic's tests about HIPS, you will learn that some are vulnerable if you are on an admin account (due to flaws or bugs in these HIPS) and can be disabled, whereas they are not if you are under a restricted account.

    If you go the restricted way, don't have false hopes, some of your programs will refuse to work (defrag, backups, games, etc...). Then if you cannot afford having to switch to a secondary administrator account for these rare tasks, you can try the right click "Run As" way, although it is not always working fine.

    Regards,
    gkweb (secondary account).

    EDIT : @tlu
    Absolutely, the best way IMO :)
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I would guess the answer will probably be yes but here goes anyway.

    If running with something like Returnil or deepfreeze 6 would people still advise
    running as limited ? On most machines I am behind a Netgear DG834 and have no
    online security.
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    Absolutely. This kind of software is really helpful to bring your system back to a known good state, at every boot. However, they do nothing to protect you while your computer is running, and although malware cannot install permanently, they can still do harm while they are active.

    For instance a kernel keylogger could install, record your keystrokes, and send them away. Granted, the keylogger will be gone at your next reboot, but the harm is already done... I consider software such as Returnil or Deepfreeze as a secondary security/backup layer, not as a primary line of defense. Running under a restricted account adds a valuable security margin.

    Regards,
    gkweb.
     
  20. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    with vista it's supposed to be really easy running with a limited account. for some reason i never got around to finishing off my vista setup so i haven't tried it yet, if i do i'll post back.
     
  21. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Ok, I'm slowly getting the idea. I have been an admin all my computing life so I don't know anything else :) but now I am using a limited account. I can see the benefit not having to use any security software (well at least HIPS or CIPS) I can turn off noscript in Firefox without have to worry? If so there is a whole new world opening up here :D
    I uninstalled my HIPS and only use AV and firewall, but are they really needed in a limited account? I mean I always read that the admin account is the root of all evil.
    Sorry for the silly questions but I'm a bit thick headed. If nothing can install without using "runas" I shouldn't have to worry about anything, right? If I understand it right malware can't do anything really, or is this my ignorance speaking? Can it really be that simple?

    I understand that image software like Shadowprotect won't work in a limited account but I can live with that.
    I notice that FDISR works as it should and that fact is the thing that makes me wanna try limited user account.
    I have not yet found anything annoying with limited user. It's only when I try to install anything (and when starting software like process monitor) I feel the difference...
    Maybe it is only psychological but system feels faster too.

    When I do run something with "runas" does that mean that all the child processes of that software have admin privileges too? Like the opposite of sandboxie for example?
     
  22. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Have followed instructions and made a new admin and then reset my normal admin as limited user. Seems ok so far.

    Perfect disk works as limited - is that normal? Correct?
    Crap cleaner also works. I wouldn't have been surprised if they had refused.

    Acronis - said no way but that's ok I can just go to admin and make an image or use the CD.

    Returnil - worked quite happily from limited.

    Although I have never seen a virus nor found any malware it seems like I can not really object to limited.
     
  23. Dogbiscuit

    Dogbiscuit Guest

    I've been running as a limited user and temporarily using Returnil, except when I need to do administrative chores like a backup in the admin account. Assuming all your software is always fully patched, adding a router and using any browser other than IE6 would negate the need for just about any real-time security software IMO, unless you have some specific requirements (which some of us do). In my case, Returnil is basically keeping me from having to delete and recreate the limited user account, should it become infected. If that wasn't an issue for me, then I probably wouldn't use Returnil, as I don't execute anything but well-known software from its original site in my admin account on my system from home.

    Concerning what gkweb rightly pointed out about malware infections like password stealing programs in the current Returnil session before a reboot: you could have 2 LUAs. A main LUA for browsing/email, and another LUA for online banking, etc. Even without Returnil running, this ensures security as well as privacy for any sensitive financial information stored on your computer (another concern with Returnil in addition to what gkweb pointed out).
     
    Last edited by a moderator: Aug 3, 2007
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Tlu, I didn't see any mention of .NET 2.0 being required on the SuDown web site, nor did I see SuDown complain about it not being installed when I installed SuDown, are you sure about this? There is indeed another program called SudoWn, which does much the same thing as SuDown, and which DOES need .NET installed. Perhaps there is some confusion here? Not sure...

    At this point though, I have returned to a normal Admin setup and added back my trusty security apps, just feels easier and more comfortable. However, this has been an interesting discussion.. thanks for all the info also..
     
  25. grnxnm

    grnxnm Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    391
    Location:
    USA
    Sure, ShadowProtect works just fine under a limited account. You have to be an admin to install it, but a limited user can control it, create new backup jobs, mount backup images, etc. To do this click on "Network View" and then add a new network node in ShadowProtect (in addition to the default) which is for your computer and specify admin credentials to be used to connect to the service, then select that new node and click on Connect. You'll then be able to backup/restore/mount/etc.
     