Do you run as Administrator?

[Windchild]

Quote:

Originally Posted by HungJuri

You don't have to hold your breath - I see it - point taken. But that is a first for me, so you are the 'one' that seems to know what he is talking about. Congratulations. But it doesn't change the fact that running XP in a LUA is a user choice - that is all it can ever be. It is not a fundamental axiom of computer security, it is not necessarily so that it needs to be emphasized more, and it is not an "of course" answer.

Thank you for not making me hold my breath! I'm really not very good at it.

I do like to think I somewhat know what I'm talking about, but I'm certainly not the only one, and there are people out there who know so much more than me that if I knew half of what they know my brain would in actual fact explode all over the place making a really ugly mess. But, when it comes to LUA or Windows security in general, I don't usually give much bad advice or make very big mistakes and if I do I feel rather miserable about it. To return to Tlu's excellent thread, as he said, it included changing an existing account to LUA simply because that allows them to keep their settings so that they won't be distracted from the security effect of LUA simply because of the "Hey, why is my desktop wallpaper and My Documents folder gone?" effect of creating a new user account. It will cause ownership issues, but advanced users such as those often found on security forums can more easily correct those especially when given very thorough advice like Tlu always does. So, it's "special advice" for "special people". The general rule to follow is to create new limited user accounts and never make 'em admin, unless you're just really sure you really know what you're doing. And if you create your new limited user account right after you just installed Windows, you don't even suffer from the "Hey, why is my desktop wallpaper and My Documents folder gone?" effect since the admin account will not be customized to your liking yet.

But yes certainly nothing changes the fact that LUA is a user choice in XP, in Vista, in 7 and in pretty much every OS where LUA even exists. Even in such Unix family systems where you default to something else than root, nothing stops you from just logging in as root anyway and using it to do everything. Well, actually, sometimes something does stop you (like Ubuntu where you have to manually enable the root account to use it), but typically you can get around that easily as well if you want. But LUA being a user choice does not prevent LUA from also being a fundamental part of computer security in modern operating systems. Because LUA is exactly that. Users certainly don't have to make use of LUA, but users who do tend to have less security issues than those who don't - and there's actual scientific research about this very subject. This is a reason for people like me to try to emphasize LUA more, since there are many people who would benefit from it that do not really know enough of it yet. It's certainly not necessary to advocate and emphasize LUA as we do, but I believe that it can help many users, so that's why I do it. And for myself personally, LUA is an "of course" answer, due to it fitting my computing habits and policy very well, and that's really all that I meant with my original reply to this thread's question.

Peace. We LUA guys can be noisy but we've got an F in evil.

[HungJuri]

Quote:

Originally Posted by Windchild

Peace.

Fair enough post - Peace here also. Maybe the only good that comes out of this thread is for some to realize that maybe the saturation point has been reached as far as hyping LUA. Maybe the 'of course' set me off as the needle that broke the camels back. Just getting tired of reading threads that are completely thrown off topic 'for the good of all mankind' such as the WarWagon thread. Anyway - Peace again.

[Windchild]

Quote:

Originally Posted by HungJuri

Fair enough post - Peace here also. Maybe the only good that comes out of this thread is for some to realize that maybe the saturation point has been reached as far as hyping LUA.

Peace is good. There may really be some kind of saturation point that has been reached in some environments with all the LUA talk. Many LUA advocates have background in Unix, and in that world "don't run as root" is heard everywhere, all the time, so LUA advocates with Unix experience may be a little too used to talking about how being root is bad-bad. It's problematic, though: where advanced users who have no problems with their security setup may get annoyed by the LUA advocates going off about LUA for the millionth time again, there's always the less advanced Joe Users out there who haven't heard enough of LUA yet for it to be helpful to them. Perhaps one could think that the advanced users get to suffer a little (well, okay, a lot, not just a little) from hearing the same things a million times in order for everyone to help the average users. It's rather like the eternal "Everyone should run an AV in Windows" rule that is everywhere. Advanced users are very tired of hearing it (many don't run AVs anymore), but some average users unfortunately still haven't heard enough of it and may be surfing around the web with an unpatched system, as admin, and no AV or any security software at all leaving them pretty much cannon fodder for malware. Difficult stuff to find a reasonable balance, or perhaps more accurately to be able to reach the masses of the average users, most of whom never visit security forums or only infrequently visit via Google when they realize they're infected too badly and need help. But it's for those latter cases largely why many LUA advocates repeat the same mantra always, and also in hopes that if advanced users learn about LUA - even if they don't choose to include it in their own security policy - they can then spread the word and perhaps help average users that have more need for LUA.

[captainron]

Quote:

Originally Posted by guest

Really, what strong protection are you thinking you will get using LUA?

Let me show you the reality:

1. Some malwares like keyloggers don't need administrative privileges to work, be it in XP, in Vista or in 7. In fact, the best and most hidden methods/APIs to log keystrokes (the ones few HIPS are able to detect) don't need administrative privileges in any Windows;

2. Complex malwares exploit privilege escalation vulnerabilities in the host OS, so they will infect you and it doesn't matter if you are admin or not. Even the Guest account is considered a vector vulnerable to malwares that exploit these vulnerabilities - and several of them are unpatched in XP. Win Vista and 7 are less vulnerable, but they still have this kind of bugs.

I don't want to start another painfully long debate, but I kinda disagree.

Malware writers want to infect as many systems as they can, even on a security forum 75% run as admin, in real world is probably about 97%. You really cut down on possible number of malware you are open to in a LUA. Its like taking condoms with you to Las Vegas. Keyloggers, as far as I am aware, hook into the system exactly like a driver for the keyboard, something which theoretically requires admin rights. Guest account should always be disabled and its been commonly exploited in XP. Also -

http://pm.beyondtrust.com/company/pr...03Feb2009.aspx

Thats on an unpatched system. With a patched system, programs kept up to date, and an AV this would be very secure IMO. Add in a software restriction policy and IMO you couldn't infect the system even if you tried, even with AV disabled.

[captainron]

Quote:

Originally Posted by HungJuri

But it doesn't change the fact that running XP in a LUA is a user choice - that is all it can ever be. It is not a fundamental axiom of computer security, it is not necessarily so that it needs to be emphasized more, and it is not an "of course" answer.

also, just so I don't appear like an LUA drone, I agree with this post and I am a big fan of sandboxing & virtulization. I think the 'safe mode' in Kaspersky IS and similar tools in other programs will soon be built into every AV system, its also why I often recommend KIS. Eventually most will run windows 7, not admin by default, running a tool to sandbox programs like the ones in Kaspersky. IMO this will eventually be the setup for 95% of systems and malware writers will attack this setup, which will probably put LUA on the backburner and look at other methods down the road.

[HungJuri]

When I saw Chrome install right into Documents and Settings is when I really took notice. I knew that programs could install this way but I guess it just didn't register. Anyway, I was surprised. My bad. But this was a full fledged browser for geez sakes - and from Google. Now I think it was a tad underhanded of them to not offer me an install location during the setup - and for that single reason, I will never use it - but that is just me. But back on topic, LUA without SRP apparantly isn't much protection. So the true 'full' story needs to be LUA plus SRP, and then of course Surun. When you couple that with the items we have already beat to death here, it just seems logical to go the Admin/sandboxing/virtualization route. On XP.

[Saint Satin Stain]

Quote:

Originally Posted by Saint Satin Stain

Yes, but with lower privileges most of the time. I use Sandboxie, Online Armor, and NOD32. The first two have settings to run programs with lower privileges. I run all internet apps, browsers and emai clients sandboxed, and with lower privileges. I have to unblock consciously even zip files before I can open them. I am prevented from downloading questionable files. I have to deliberately bypass the security. Limit accounts are a pain. I haven't been infected yet. This security I have with XP Pro SP3 and above apps.

The above is the same except change NOD32 to Prevx 3.0. Prevx is as good or better and has lower ramprint.

[ameyap]

its such a pain to use windows without logging in as an admin. only public pcs tend to have user login options

[HungJuri]

Combined with this thread; http://www.wilderssecurity.com/showthread.php?t=261959 - I honestly can not see how anyone can reccomend LUA on XP. With the issues on hacking Home to Pro, to relying on Surun to be flawlessly coded, to the undereducation of most users on the pitfalls of converting an Administrator to Limited, to having to check the actual permissions granted to the User group, there is no way this can be the an acceptable reccomendation to the casual user. It seems that keeping your security 'native' to Windows is one of the key points to all this, and then only to find out that many proponants of this approach also tout Firefox as being more 'secure' than IE. At least here, I like consistency - I need to know exactly where I am at as far as security goes so I can have at least some basis for the decisions that come later as to other security to add.

[linuxforall]

Never did, in Linux its sudo, in Windows its LUA. I never ever ran into any issues running LUA, also run full DEP, for rare programs needing admin rights like CD burning software etc, I always used RunAs.

[abels]

I'm running at Administrator and my computer hasn't limited accounts.
I'm always install and use many system programs, and I want to have wide right to use my computer easily.
My security programs are pretty good and I don't worry about any threats

[hugsy]

I have an "admin" named account but it is limited user so the bad guys can spend their time trying to abuse it. I use unrestricted account with dropmyrights for Firefox, sometimes i shutdown explorer in the taskbar and run it with dropmyrights, so its a combo of admin and limited user for explorer and firefox.

also running CIS

Yes -absolutely....... run on max settings

[xandros]

yes yes

[J_L]

Yes with no-prompt UAC.

[Sully]

muh-ha-ha - resurrected from the dead she be - mateys.

Avast! Be ye Admin ye yellow bellied bollox or be ye LUA ye pox infested swine?

Aargh! Ye both of ye be keel hauled an dumped o'er board to have ye visit wit Davey Jones!

Nay says I! Let him that be able to hoist that thar Admin flag o' his be done with it then!

Nay says I! If ye says unto me, ye LUA ist' whats keepin yer boat afloat, then I says so be it!


Aargh!

Come now me mateys, lets us hoist some rum together and have our selfs a grand time, lest we be for fallin into a roe wit each another!

Sul.

[mrgigabyte]

Yes with no-prompt UAC

[SIR****TMG]

Yes I do

[ExtremeGamerBR]

Yes with Safe-Admim.