Necessity of Using Limited Accounts

I am a Windows XP Pro user curious about the often recommended PC security strategy of doing the majority of your computing activity on a limited user account. Generally, this idea is logical because of the way Win XP works. As explained in Prevx's blog, if you accidentally install malware it can run on the same level as Prevx, potentially making it harder for Prevx (or any AV) to handle it. This makes sense, however:

Using a limited account can be very inconvenient. Even software already installed can encounter scenarios in which they will not work. Also, if you decide to implement this strategy at a later date and have been using a single admin account and you haven't installed your programs for all users, this can be a frustrating dead end.

My question, however is, why would someone absolutely NEED to use a limited account in this situation:

- 100% internet browsing activity is done in a Sandboxie sandbox with administration rights dropped.

- Any files downloaded are first downloaded into that sandbox, scanned with Prevx and other AVs, and once found to be safe to use, are installed.

- Any other potentially unsafe applications on the computer that download form the Internet are evaluated first in a rights dropped sandbox.

- Sandboxie forced programs and folders are enabled. No browser process can start outside the dropped rights sandbox unless given sole permission to. Any file opened in specified download folders is forced to run in a sandbox with dropped rights.

I'm not seeing what more a limited user account would do for me other than cause me to be annoyed having to redo all my Windows settings, and reinstall tons of applications that I didn't check "install for all users" on.

 

I don't find it inconvenient at all. Search the forum for a thread on SuRun. This makes using an LUA very easy. You get about as close to the convenience of sudo in Linux as is possible in Windows.

Some software does require admin privileges, like defragmenting apps, which is logical, since they are moving files around in areas a limited user can't. Some that don't work in LUA are leftovers from the Win 9x days or just poorly programmed. If you absolutely have to have these and there are no suitable alternatives that work properly in a limited account, then SuRun can help here as well.

One reason would be if you want to use a 64 bit system. Apparently Sandboxie doesn't have full functionality in the 64 bit version due to kernel patch protection.

My personal reason for using LUA and a software restriction policy is so that I don't need Sandboxie, Prevx or any other security apps running in the background eating resources. I can do other things besides configuring security apps and worrying about whether they will really do the job.

If you don't feel like taking an hour or so set up a new LUA you could make a new admin account and then change the account you're using to a LUA. This is the quick and dirty method which purists will warn you against. I've done it on a couple of crates and never had a problem, but ymmv.

 

Well I did make one, and it wasn't as much effort as I thought it would be. Most of my applications seem to have carried over what settings they could.

Mozilla Firefox obviously does not, but special thanks to FEBE (Firefox Environment Backup Extension) that problem is a non-issue and matter of a few minutes setup.

The only dead end so far is I'm losing a layer of security known as PeerBlock which is an IP blacklist program, and I'm guessing it refuses to run in an LUA because it relies on some admin privilege to block or allow connections.

 

The one fundamental misconception with LUA, however, is that it isn't perfect on a few levels. First, privilege escalation exploits crop up every once in a while which allow software to get administrative rights from within LUA.

Additionally, if something is running within LUA, everything within that LUA can be compromised with it, including any web browsers, email applications, etc.

Being under a limited user account prevents threats from affecting the underlying system at a system level but it does not prevent threats from stealing your information either by keylogging, Man-in-the-Browser attacks, screen grabbing, clipboard stealing, or any myriad of other techniques.

This is where Prevx (and in particular with the above case, SafeOnline) come into play and provide substantial additional benefit over LUA alone.

Sandboxes are also not impervious to this style of attack - anything running within the same level as another application can modify that application unless there is an additional filter in between the two.

Zeus, SpyEye, and most of the other new information stealing trojans definitely prefer to have administrative rights as it lets them guard themselves better but they function perfectly fine under a limited user account, happily stealing user data if there is no additional security in place that can circumvent/block them.

LUA is certainly a step in the right direction but as with any other security solution, it is unfortunately not a panacea. I hope this post isn't misconstrued as FUD, but the core fact is that if software can run, there will be vulnerabilities (or intentional features like file deletion) and there will always be the potential for malicious attacks.

 

OK, I realize that you have a product to sell, but if you set up a system like this and also turn on DEP it will be a hell of a lot safer than running as admin. If someone wants to buy Prevx anyway, fine, you deserve to make a living. But with all the blah blah about "layered approaches" why ignore the ones built into the system that are free, require no updates, are guaranteed system compatible and use little to no resources (and probably stop 99% of the malware ITW)?

What I find irresponsible are these postings here and on your blog that try to play down the effectiveness of LUA. Some will interpret this as justification to run as admin. Sorry to say it does come across as FUD and a sales pitch for your product.

 

You can read this blog post, where no one is saying LUA is not effective. We are saying the opposite. We are just saying that it is not enough by itself.

Moreover: do you think that the average user would understand all needed steps to set up SRP in the right way without feeling himself frustrated? This is another good point you have to take care

 

I consider myself to be a bit more than an average Joe user and have read about LUAs here and elsewhere, but I still run as admin. Why? Because I'm the only one here and I see no point in trimming down usage rights on my PC as I control what I do online et al.

 

Same here and it works well for me and never had any problems with running and admin account! But some want to Run a LUA and that is up to them to each there own!

TH

 

In Prevx's defense, and going along with what I believe is computing common sense,

I feel anyone is ignorant to believe that using an LUA, DEP protection, and anything related is enough to stop online security threats. Afterall, all you are doing is using a function built into Windows to make it more secure. But everything in Windows can, will, and has been hackable.

I have decided to use an LUA, but there are advantages and disadvantages. It is advisable to everyone, but for those that want a less restrictive, more selective application I'd recommend a dropped rights sandbox.

But virus protection on a Windows based machine is essential unless you are an extremely advanced user and you prefer the HIPS / entire sandboxed approach like DefenseWall which Matt @ Remove-malware recommends.

I feel that under no circumstances is using an LUA and DEP enough, and DEP is on my default already.

 

it sure is not enough to use LUA and DEP only..
but adding SRP vastly improves it. XD

 

OK, this blog posting is quite a bit better than the other ones you've had on the topic. You at least mention a few of the nasties that fail in an LUA instead of just presenting some exploit that runs in user space. It's also nice that you explicitly recommend not running as admin.

BTW, setting up a software restriction policy using the guide that I linked to in the response to PrevxHelp is easier than configuring some of these security suites. In fact, using Sully's Pretty Good Security app it's a no-brainer. Just as an experiment install Comodo CIS on some n00b's machine and count the number of phone calls you get the first three days

 

I browse internet in a LUA to help my security software to protect me. If you think a LUA can do more than that you are only dreaming.

EDIT:

Now I have read that Prevx's blog post and it says exactly the same thing. LOL.

 

There are a few people here relying on system policies for security, such as Windchild, tlu and Lucy, to mention three off the top of my head. Search for postings from these members and you will see that they are anything but ignorant.

You will notice that I mentioned a software restriction policy. This greatly enhances a LUA, see the instructions for setting it up, it's easy. You create a Catch 22 situation for malware. Where you can execute something you can't write. Where you can write, you can't execute. This is simple, but very effective.

To make your LUA more convenient to use, take a look at SuRun. Here's a very long thread about it. If you don't feel like wading through 500+ postings (and I'm sure you don't) then read this tutorial on setting it up. This is written by Wilders member Mrkvonic. SuRun really does take the pain out of using a LUA.

 

That's your opinion. I have two machines with LUA, SRP, DEP and no autoruns for users with all unnecessary services turned off and all patches installed. They've been running about three years now without real-time security software and they don't get infected.

LOL is right. Do you expect them to say anything else? Ask an insurance agent if you really need that additional policy.

 

WOW!!!
What a statement!

 

Assuming that you are being sarcastic, you should re-consider the context that which I am responding in. You should also re-consider the forum you are posting in -- this isn't a general PC security discussion -- this is a Prevx support forum. People using Prevx are generally in favor of the realization that (with lack of a better way to phrase this) Windows has insufficient self-defense and utilizing some sort of 3rd party security software is paramount. We're now having people discussing a so-called viable method of achieving PC security solely by using functions built into Windows. Doing so is therefore controversial, because again this is an anti-malware software forum, and generally what most malware experts recommend is to use a 3rd party security solution of some sort, no matter what sort of build you have set up.

Anything in Windows can and will be hacked, and if you think otherwise, then companies like Prevx and even bigger companies wouldn't be in business, and even if they were, the definition list wouldn't be truck loaded with threats waiting to compromise you. So yes, what a statement indeed, be it because of its sole popularity or because the constant security holes are due to a subpar OS, either way it's true, Windows is very hackable and thousands of threats are discovered everyday.

And if ever a hacker or piece of malware does exploit and bypass your setup, how would you know? Are you regularly using some sort of process scanner such as HijackThis to determine what is running and/or if anything has been loaded after an incident?

"Creating a Catch 22 for malware" isn't the same thing as preventing it from being installed, if I'm understanding you correctly. It sounds like what you are doing is essentially using functions built into Windows to essentially create an auto-immune HIPS style of protection. While I would agree that this would excellently complement Prevx or another security solution, I would definitely argue against relying on this solely, just like I would argue against solely relying on Sandboxie.

If it works for you, then it works for you, until some guy in a basement halfway across the world figures out otherwise, and then eventually you'll get the lovely Home Antivirus 2010 pop ups too. Moreover, despite the 1st amendment, you must come to expect resistance, whether you agree with it or not, on a forum dedicated to support for a particular product that which directly contradicts your security setup mentality.

But just like The Oracle told Neo in the first Matrix movie, when you finish reading this post I wrote you are just going to laugh to yourself and conclude that I'm an idiot and I don't know what I'm talking about, when in reality I fundamentally agree with what you are suggesting, just not the sole reliance on it. Nor am I sure I believe that the everyday, basic PC user would be able to configure and understand it as easily as you claim, but then again, the average PC user is satisfied with the McAfee/Norton that their ISP includes for free, so that argument is really a dead one. There's people smart enough to care about PC security, and people not smart enough to care, and when they are in fact smart enough to care, then comes the many types of ways they feel are best to protect their PC.


P.S.
I must admit, your analogy to an insurance agency is clever, and true, yet Prevx remains very honest about their products, especially when compared to some of the claims made by AVs that are regularly tested as inferior every AV-comparative.org report released.

 

I say LUA is not enough and you reply "LUA, SRP, DEP, no autoruns, etc...........so, indeed, LUA is not enough. (As I said, I use it too).

BTW, you forgot a chastity belt in your system.

I prefer installing a good AV and forget about it.

 

@STV0726
I'm not too PARANOID to cover every MS holes.
so just by running Prevx along with my LUA/SRP/DEP and behind my NAT router is definitely good enough.

I don't install much after setting up everything I need to get down to work.
and my PC is highly unlikely to be nuked so, I guess it is enough.

My pc also can't afford to install another realtime 3rd party app since I need every ounce of system resources during intensive tasks.

LUA is a necessity for me, if you think its not for you then...
to each their own!

 

you know... If I can't trust my OS. I'd ditch it.

 

Probably the same way someone would know he got infected when his AV didn't detect the malware. I do have Avira on one and Avast on the other as on-demand scanners to check files I download. I used to run on-demand scans every couple of weeks just for peace of mind, but they never found anything. I used quite an arsenal, Malwarebytes, SuperAntispyware, Avira, AVZ and Gmer. I would say if all of those don't find anything, then there most likely isn't anything to find. A couple of months ago I also ran a Kaspersky scanner from a boot disk that was in one of the magazines here, also nada. I came to the conclusion that this setup really does work. If someone doesn't agree, that's fine, c'est la vie.

If you read the article on SRP I linked to, it explains it pretty well. Most malware will probably try to install itself somewhere in the Windows directory. Since your LUA can't write there, that's a fail. Let's say you get a malware that's smarter and installs itself in your user profile just in case you are not running as admin. This is where the SRP comes into play. The malware can copy itself to your user profile, but it won't be able to execute. It's simple, you can execute where you can't write, where you can write you can't execute. With no autoruns for users (kafu.exe), it won't be able to set itself up to start with Windows, although Windchild told me this is redundant. Now I suppose you could have something running in memory, but that would go away when you reboot. You could possibly have something like a keylogger running in Sandboxie until you empty it, but I'm speculating here since I'm not a Sandboxie user.

Now the AV guys say this isn't bulletproof and name a couple of things that could theoretically bypass this. Compare this with the number of missed malware samples in the tests at AV-Comparatives and those one or two items are almost irrelevant.

True, the results of AV-Comparatives are disappointing, to say the least. With a million samples, an AV with 99% detection is still missing 10,000 samples of malware. These tests are one of the reasons I quit relying on AVs for protection. The only times I've ever been infected was on Windows 9.x where there wasn't any user rights management and I was totally dependent on AVs and software firewalls. BTW, the user rights management of Windows seems to be one of the more robust features of the OS, at least I've never read anything about it being bypassed without something like a buffer overflow and escalation of privileges. In that case, though, you'll most likely get pwned no matter what your setup is like.

 

I feel the urgent need to make it clear that I am in no way disregarding or trying to demean the potential effectiveness of using built-in Windows functions such as the LUA, complimented by SRPs, to protect your PC. I am simply stating that I feel that implementation and method of protection probably isn't generally the best for the majority of users for many obvious reasons.

Personally, the next computer (or next OS reload) I do I am going to SERIOUSLY consider that setup, but I'd still load Prevx without a question, because in my mind, no matter what type of security build you have, you always have room for a super light anti-malware program that gives you a clean health bill in less than minute. Perhaps I'll skip the ESET / traditional AV with that build, though I'd still love to have MBAM and SAS for "para-scanners," a term I sort of constructed.

EDIT: And I also feel this is an ideal time to add in my personal opinion of Prevx's evaluation version. This would be perfect for a LUA/SRP set up, because if you are an advanced user using that type of build in the first place, you probably therefore have the experience to manually remove any malware that might get through which wouldn't be hard based on the way it can't execute where it writes. A lot of people speak negatively of Prevx because their trial isn't the traditional idea of a trial, i.e., thirty days of the real deal. But I actually like the idea, it allows you to use their software essentially for what I would call "software good/bad determination advice," and if you're an advanced user, that can be in some cases all you need, therefore, they are essentially giving you a free program of love and sugary goodness.

 

Hee hee - a great strap line "Prevx - Gives you Love and Sugary Goodness - Guaranteed!"

 

I am now using an active SRP and it was indeed very, very simple to set up. Four steps for XP, five to six for Vista/7. Very easy indeed yet could be confusing for a basic user.

So far my first error was it tried to block Flashgot.exe, an addon in my Firefox on my LUA from running.

I haven't yet installed SuRun because I'm seeing how my programs work without it.

 

Yes, it is simple. When I see some of the info on AppLocker I wonder why people think that's easier. To me it sounds much more complicated.

For Flashgot you can make an additional rule, either a path rule or a hash rule if it isn't something that's being constantly updated. If it updates a lot it's a pita to have a hash rule.

Windows 7 and Vista are probably much easier to use without SuRun than XP, I believe you can use UAC to serve the same purpose.

 

So for SuRun can I just follow the instructions on that tutorial? Is it OK to just use the limited account I already made? I don't have to create an additional one for SuRun?