Is Limited User Account enough? Not really...

Discussion in 'other security issues & news' started by thanatos_theos, Mar 13, 2008.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Just a reminder to all and to emphasize what is already stated - use real facts - not random screenshots that have no context and ill-defined parentage and meaning, meaningless technobabble, and/or logistically outlandish scenarios. Focus on genuine technical points, not the personalities involved.

    On the general question, security discussions in any context (PC, personal, home, etc.) and at any location do seem to generate a high level of FUD. As always, caveat emptor.

    Blue
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Solcroft, at least we all know now what the meaning of FUD really is. :D :D
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Mmmm, are you listed as the owner of those folders? See here for more in-depth details.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    thx for the link lucas. i went over there followed the instructions and did a quick dir /q. even though everything comes up as being owned by the "built in administrator" when i log on my limited user account, i can still write to c:\temp, c:\xnews, etc...
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    How did you create your limited account? Is it a new account or was it previously an admin account?
    Is explorer.exe running with limited privileges?
    Try AccessEnum.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    i'm 100% sure it was created as a limited account (not as an admin account made limited).

    in my limited user account? or in my admin account? and how would i check?

    i just downloaded and ran it. it has the following sections : path, read, write, deny. for example my c:\temp, has read : administrator, users. write : administrators, users.

    EDIT :

    ah ha! after messing around with AccessEnum and seeing just how many folders had write access : administrators, users and going into a panic :D i messed around with the "security" tab located in the folder property option. it seems there was a whole group of "users" that had "special permissions" with the following options enabled : files/folders with create folders/append enabled. and another entry for "users" that had "special permissions" with the following options enabled : subfolders with create files/append enabled. i disabled each and then tested again. lo and behold, i CANNOT create files or folders anywhere except my desktop in my limited user accounts!

    now i have to do this on my desktop and my brother and sister-in-law's PCs. quick question : how the heck did this happen?
     
    Last edited: Mar 15, 2008
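
The check described in the post above (finding folders where the "Users" group holds the create files / create folders special permissions) can be scripted instead of clicked through. This is an added example, not part of the original thread; the `C:\` root and the function name `Get-UsersWritableFolder` are assumptions chosen for illustration.

```powershell
# Added example: report folders whose ACL lets the built-in Users group
# create files or subfolders (the "special permissions" found in the post).
# Assumption: run from an administrator account so every ACL is readable.

$usersSid   = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (name is localized, SID is not)
$createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Get-UsersWritableFolder {
    param([string]$Path = 'C:\')   # assumption: audit the top level of the system drive

    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_.FullName
            try {
                $acl = Get-Acl -Path $folder -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL: $folder"
                return   # skip this folder, continue with the next one
            }

            # Explicit and inherited entries, with identities returned as SIDs.
            $rules = $acl.GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])

            foreach ($rule in $rules) {
                if ($rule.IdentityReference.Value -ne $usersSid) { continue }
                if ($rule.AccessControlType -ne 'Allow')         { continue }

                # CreateFiles/CreateDirectories share bits with WriteData/AppendData,
                # so Write, Modify and FullControl entries match as well.
                if (([int]$rule.FileSystemRights -band $createMask) -ne 0) {
                    New-Object PSObject -Property @{
                        Folder    = $folder
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                        AppliesTo = $rule.InheritanceFlags
                    }
                }
            }
        }
}

Get-UsersWritableFolder -Path 'C:\' |
    Format-Table Folder, Rights, Inherited, AppliesTo -AutoSize
```

An entry shown with `Inherited = True` comes from the parent folder's ACL, so that is where it has to be changed.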
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I've created the limited account from an existing admin account and I've made a new admin account and a fake account (an account called Administrator but with no rights)
    With Process Explorer :)
    I thought that somehow you were running Explorer with admin privileges and this was the cause of being able to write "protected" folders.
    I don't know what to say o_O Clearly, something wasn't/isn't right. Maybe tlu has an answer :doubt:
     
  9. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    all i know is thanks to you i finally figured it out :) and my LUA now acts like a LUA. i configured both my laptop and my desktop and nothing "broke" in my LUA on either machine (all the programs in my LUA run just fine. although i did have to change my downloads folders in limewire, which is to be expected).

    the only thing i can think of is, i'm not using windows xp pro. i'm on windows media center. maybe MS fiddled around with the LUA in windows media center edition to make it more "user friendly" (ie save files anywhere except c:\, c:\windows, and c:\program files). also my windows media center editions aren't windows originals, they are installs from the manufacturers cds (one from HP, on my laptop, the other from gateway, on my desktop).

    thanks again for your help and patience lucas :thumb:
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm glad that I was able to help you :)
    As you said, maybe Windows Media Center is somewhat different from XP Pro.
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
  12. wat0114

    wat0114 Guest

    You need to read my statements thoroughly, instead of choosing the negative so that you can eagerly lash out, as you are apt to do. To clarify in case I didn't do so already: I also use a limited account at home, and it works great. I choose how limited I want it to be so that it does not interfere with the normal operations of my programs. I also work in a corporate environment where the IT department places monumental restrictions on the O/S environment that do interfere with the normal operation of some programs and where it causes instability issues. The restrictions are too intrusive in this environment. Truth, not FUD! If administered properly, these accounts do work great (and don't forget I'm talking about XP/W2K), but overzealous restrictions do cause problems.
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    In which case I suggest you re-read post #9 in this thread, where contrary to your dramatic beliefs that I'm out on a personal vendetta against you, you personally claimed that a limited account is overkill and a knee-jerk approach on home PCs.

    It's not polite to lie, wat.

    I'll tell you what will work perfectly fine in a limited account. Internet browsers and email clients will work just fine. So will word processors. Same goes for most media players (I've tried WMP, vlc and Winamp with no problems). Some games and special gaming utilities will fail, but nothing that a right-click and choosing "Run as..." won't solve. BitComet is one download utility I know of that has minor problems with a limited account, but again, nothing that can't be solved by "Run as...", or using one of the numerous fine alternatives out there.

    I think that covers the majority of what the average user does with his/her PC. Unless you do debugging work on a daily basis, or something to that effect, you won't even notice that you're using a limited account. I've installed it for every friend that bothered to ask for my help, and they certainly never noticed anything different. In fact, the chances are that the more computer-illiterate one is, the fewer problems they'll have with a limited account, since they won't be messing around with core OS functions as much.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Indeed. The more "standard" your usage pattern is, the less likely LUA is to cause problems.
     
  15. wat0114

    wat0114 Guest

    There was no claim you have a vendetta against me solcroft, only that you tend to lash out against anyone who states something you don't agree with.

    The same paragraph I mention partial limitations are used on my own pc, so I'm all for it! I am, however, against it being administered to the extent where the machine is virtually choked by excessive restrictions. Kids, for the most part, need a chance to try and figure things out so they can learn something, and the parent can take an active role in this. This is impossible if the restrictions are too excessive. Then you claim I'm lying :gack:

    If they want to be/stay that way, then, sure, that is perfectly fine.
     
  16. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Then the problem isn't with LUA in itself, but that the IT administrators at your company don't know, or choose to ignore, the usage pattern of the employees. I would suggest letting them re-analyse the patterns for each target group for proper configuration of the group restrictions.

    /C.
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Of course, I do it only when I know I'm right and they're wrong. In case this sounds arrogant to you, I'm only stating a fact.

    That depends on what you term as restrictive. As I've said, the usual daily activities go completely unhindered by a limited account. You seem to harp incessantly on these "excessive restrictions", so from the standpoint of an ordinary computer user who doesn't edit system files, configure group policies or perform kernel debugging tasks every day, might I know what those "excessive restrictions" are?

    Unfortunately, that's not what this thread is about.

    That's the perfectly logical conclusion to draw, judging from your claims on the detrimental effects you heap on LUA in post #9, followed by your about face turn and attack on me when all I did was to ask for the basis behind your claims. Do you have an alternate explanation?
     
  18. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    How about we all drop the rhetoric a notch or two?

    My take is that everyone here has made some valid points, and probably engaged in a bit of hyperbole as well.

    LUA/SuRun/etc. are extremely straightforward and easily implemented solutions that are robust and have wide applicability for anyone. Occasionally, one needs to exercise a bit of finesse in using this approach, but that's it.

    Although a comment regarding SRP/LUA/limited policy was made to the effect that "On a home pc, however, it is overkill", one can easily make the case that the opposite is true. What is likely overkill is a nuanced, elaborate, and customized SRP. Approaches like LUA or (my own preference) SuRun are a dozen keystrokes anyway for anyone and involve very little after that. At least in my own case, I've never experienced any of the issues (programs don't function properly, freeze, error messages abound, reboots are needed frequently) mentioned aside from single case instances which indicated a need to run at the Admin level, which immediately resolved the problem.

    I do recognize that, implemented without planning or forethought, any scheme can create problems.

    Blue
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's been my experience with SuRun also, in fact i only experienced one small difficulty and it was quickly resolved on its own where i had elevated a main system file to complete a program and it appeared my account was left ADMIN instead of user. It very well could have been that PrivBar add-on wasn't refreshed, at any rate there was no need to even uninstall/reinstall it again to return the permissions back as intended.

    Other than that slight detour of my own doing, SuRun has been flawless and i thank everyone who has contributed to this thread with their comparisons, suggestions, and concerns as well as solutions because with the flood of security protection apps we now have readily available & effective, i wouldn't even have bothered with a LUA if not for SuRun.
     
  20. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    now that i've correctly set up a LUA (with SRP), i have a question that really does relate to the topic of this thread :D

    what type of virus/trojan/malware can wreak havoc on a LUA+SRP (with autorun disabled on all removable drives)?

    i mean you can't write to anywhere but your user folder and you can only run executables from your programs and windows folders. this seems foolproof no?
     
  21. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Malware types that:

    1. Don't need write/change permission for doing their evil thing.

    2. Have file extensions that aren't designated.

    3. Are using known application exploits for acquiring elevated rights.

    /C.
     
  22. wat0114

    wat0114 Guest

    You got it :thumb:

    As for hyperbole, please be assured there was none intended. The kids reference was ot; sorry about that. Absolutely there is a place for lua/srp as long as it is administered correctly. There is also, in many cases, more to an office computer environment than browsers, word processors and spreadsheet programs. Some specialized programs like protocol analyzers (software based with RS232 hardware interface) and eprom burners do not work well if restrictions are overbearing or implemented incorrectly, especially when the registry and custom-built scripts are involved.
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    You forgot #4: that don't need to be executed to cause damage.
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Is there any example of malware (excepting macro/script viruses and network worms exploiting vulnerable services) that infects/installs under LUA + SRP?
     
  25. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @cerxes and solcroft

    good grief! i thought LUA+SRP was more secure than that :doubt:

    i basically wanted to cut back on the number of security apps on my brother and his wife's machines (as to not confuse them) and just go with LUA+SRP+real time antivirus. hmm i guess i'll keep geswall on their PCs too.

    real quick question, i added a few extensions to the SRP block list (that were not in the default list created by the SRP and handled by script defender) found here :
    https://www.wilderssecurity.com/showpost.php?p=1089855&postcount=4

    will this help stop script viruses?
     