Can XP be run as Admin securely?

I am having to go back to using XP for a while and after using Windows 7 I am concerned about the security of XP. I like XP but don't like the hassle of running as a Limited User. The last time I used XP I tried software such as sudown and surun but did not have much luck with them.
If I install antivirus software, a firewall and something like WinPatrol how secure would XP be running as Admin?
Is there a better way to make XP secure without the hassle of being a Limited User?

 

NO...and YES using e.g. something like DropMyRights or similar feature called RunSafer in Online Armor, Restricted/Limited Aplications in Privatefirewall or Restricted Apps in SpyShelter...

 

If you're running Pro, yes. With folder permission (unsimple file sharing), SRP (you can make a user friendly default deny policy by excluding .dll's and good whitelisting), Local/Group Policy tweaks, and a bunch of other hardening tweaks (I've deployed so many I don't know where to start). You can make XP Pro very safe in admin.

There's one GP tweak in particular that makes you enter your admin password to install new apps, even when under your admin. account. Otherwise this usually only applies to an LUA. Another GP tweak where you can restrict/filter file types that can be downloaded.

Throw Sandboxie in there and set up something like VT Hash Check to autoscan new downloads before recovering them. And deploy something like Shadow Defender or Macrium Reflect/other imaging hardware... HIPS software, and you've got a pretty darned safe admin. account on XP Pro. Sandbox your USB ports, CD/DVD rom drives too and disable autorun (GP).

This is usually how I run these days. I also grew tired of the restrictions of a full LUA. I used to run that way all the time and run admin only once a month to update Windows. To me this is the best of both worlds. Now I only run LUA when doing something deemed sensitive.

I don't see how you could be much safer running Admin on Win7?...

Home on the other hand... something like SuRun would be your best bet. But really, not a very secure OS.

 

I never run XP in other mode than admin, but I've always used Softpedia and other trusted sources for my software.

 

I found the easiest way is to use AppGuard. DefenseWall would also be an equally good option for 32-bit Windows XP. With these type of policy restriction applications, you can temporarily suspend and re-enable the various protections on the fly without having to switch user accounts.

 

Of course, and without any special issues or configs.
Mrk

 

The easiest way with any system is do a image backup
""A CLEAN IMAGE BACKUP""

Then actually you don't really need to worry about any mareware
if you do get infected "who cares"

Just re-image your system drive

I've come to the point of not really worrying about it
just harden your system as much as possible by removing
attack area's, doing on demand scans "benefit of this is questionable"
and anytime you do something that might pose a threat
just re-image

This type of setup has worked for me better and more dependable than
anything else that I have tried

The XP setup I run has ONLY a Admin account without the ability to even run user accounts and as I know of I have been infected only once and that lasted about 3 minutes

 

I share many of your sentiments about imaging.

But don't forget to include a very important piece of information! Don't save what you want to keep to the system drive/partition, or at least make sure you have a good storage structure in place so you can save that important data before you re-image.

Sul.

 

Admin/User makes very little difference for XP. Because of the lack of separation between users (ie: admin and user accounts) privilege escalation is not difficult, trivial if you're on an earlier XP version.

If you're using XP you'd best make use of 3rd party software because it doesn't really have a leg to stand on.

 

Wait, I thought WinNT provided good separation between privileged and unprivileged accounts from quite early in its history. Can you provide examples of where the separation is broken in XP? And is this stuff unique to XP, or can it also be found in 2003 Server, or earlier NT versions?

(Mind, I won't argue that Vista and 7 aren't more secure by design... But my understanding is that NT has been a bona fide multi-user OS from day one, even if the implementation is not convenient for end users.)

 

https://en.wikipedia.org/wiki/Shatter_attack

 

... Wow.

 

Me too and I also only download software directly from the developers or from trusted sites. But it's not as secure to run as an admin compared to Windows 7. Maybe my wife and I were lucky when we were using our old desktop for over 5 years as admins on the net.

Now that old desktop hardly get's any use although it has EAM and Online Armor Pro installed. Back then it was mainly using the Windows firewall, McAfee and then Eset.

 

Me too 2 . Naturally, I use a multi layer defense system, but I would use it also if I run Seven. A disk image is needed a priori, not only for security.

 

I wonder though... what would one have to do to contract this "Shatter attack"?

Probably be sitting there on an unsecured network, ports hanging wide open, vulnerable services listening in on them, or maybe Java, etc..., no password protection, no sandboxing, virtualization, or anti-executable in place. Playing around on some shady site with no script blocking, or secure DNS warning/other link scanning to warn you off about it... clicking on random things.

As with most all exploits, it depends on several things having to fall into place for it to work, the biggest ingredient being a dumb end user. So while the added security in Vista/7 certainly helps the average Joe out, my chances of being compromised on any of the above OS's are identical... slim to nil. And I'd think the same applies to most Wilders members.

XP "can" most certainly be run, very securely, as Admin. And I believe this is what Mrkvonic was eluding to when he casually retorted: "of course". I've managed to do it for 8 years now.

 

We're talking about local security ie: admin vs user. The assumption is the attacker has already compromised some program (admin vs user makes virtually no difference for remote attacks). Whether they did that by getting an XSS vuln and hosting a malicious link with a 0day exploit for your browser or whatever, it's not really relevant to account separation.

Once they're on the system it's just a matter of a shatter attack for privilege escalation. On later XP versions this is somewhat more difficult depending on the type of system you're running.

 

There's a big difference between user and admin.
Let's not assume anything is compromised, because it is not.
Let's not invent fear scenarios that are irrelevant.
Mrk

 

We are explicitly discussing a scenario where LUA is the security implemented to protect the system. This is a purely local defense - it assumes that an attacker already has compromised a program, service, or has managed to otherwise launch malicious code on the system.

No, there is not a big difference between user and admin. That's the point.

 

Probably a lot better if you're seeking convenience and better security than full-time admin is to use Surun to elevate selected Programs and System settings conveniently.

 

You are mistaken.
Mrk

 

Thank you all for your replies, you've given me some interesting options to consider. Not sure which option I will take so I shall bookmark this topic