Benefits of running as non-admin?

Discussion in 'other security issues & news' started by Doug Baker, Apr 9, 2005.

Thread Status:
Not open for further replies.
  1. Doug Baker

    Doug Baker Guest

    Hi,

    I was wondering what some of the benefits are of running as non-admin.

    Can I still get viruses, worms, spyware, trojans and rootkits?

    If I read my email this way will it protect me from becoming infected?

    Do I need to run my regular security software (av/as/fw), while running (surfing) as non-admin?

    Any other benefits from running as non-admin?

    Thanks very much.
     
  2. Hi
    1// Yes you can still get them, but they won't be able to get to the core of your system, since getting to the core requires admin privileges. Your non-admin account would get infected, but you'd then restart the computer, get into your admin account, and from there delete the infected user account.
    Data from this account would be lost, however.

    Also, if other partitions or hard drives are available from the user account, the malware could get there in ambush for later, so yes, an AV would be welcome, at least from that moment on.

    2// See 1//

    3// Your FW is launched at the system level, so it will continue to run while switching to and running in user mode. same thing for real-time protection AV/AT. No end-of-the-world destructions in user mode, but cleaner to have FW and AV as well, especially FW

    4// Adds another welcome layer of security without clogging the computer with more software. A very intellignet habit to get, indeed. The idea of Admin/user duality comes from the Linux world, where it has been apllied for many years.

    Rgds
     
  3. BornMember

    BornMember Registered Member

    Joined:
    Mar 30, 2005
    Posts:
    75
    this seems like a good idea

    Does anyone else agree? what do the seniors think?
     
  4. DigitalMan

    DigitalMan Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    90
    Good question - asked it myself.

    See this for an excellent, detailed discussion of pros/cons of running as a limited user in Windows:

    Security Benefits of Logging in as Admin

    Also see Wilders threads:
    Thread #1 - Limited User Accounts
    and
    Thread #2

    The bottom line answer to your questions seems to be:
    It can help to run as a limited user - maybe a little, maybe a lot
    It will not prevent infection / intrusion
    There may be some useability / convenience tradeoffs in doing so

    I personally decided not to run as limited user because I have 2 applications that won't support that mode and I don't want to dedicate the time to track down workarounds.
     
  5. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    I run this Windows XP computer as limited user for everyday use and admin stictly for installing software, upgrading software etc.

    I think that if you install lots of software, it will definitely be inconvient for you beause most programs require access to the registry. With a limited user account, it does not allow write access to many parts of the registry except for its own registry seciton HKEY_USER.

    By running as a limited user, you will still be able to get infected if a malware install to for example "My Documents" instead of C:\Program Files... that is why you will still need a antivirus and firewall for protection at the very least. The limitations of the limitation accounts complement an IDS such as PrevX.

    Running as limited account in Windows XP should not however be used as a security feature on it's own but as an additional layer (somewhat a good one) to your additional security apps. In the *Nix/Linux world, the concept of Chmod 700 etc allows the non-root user to be further limitated by what the root user gives as the previleges.

    Windows XP Professional has this "Chmod" concept (as Read, Write Modify instead of numbers) however Windows XP Home does not. If you have Windows XP Home, a limitated account is another layer not a security "feature". If you have Windows XP Professional, you can you limited account as everyday and furthermore increase limitation with (Access, Write Modify) on critical files such as the operating system core files.

    Limited account can be considered as a security layer and not a security feature on its on as in *Nix/Linux because Windows XP does not have these capabilities and was slanted towards ease of use not security such as *Nix/Linux which has carried out this tradition every since it's invention.
     
  6. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    There's a challenge... Okay, I'm quite senior here, and I consider this a major security measure.
    If you need to, you can always, form a limited account, run as an administrator.
    Even Microsoft has a tool to allow administrators to lower their rights for certain apps (IE more specific) (forgot the specifics, sorry).
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.