Administrator or Limited User Account

Discussion in 'polls' started by Threedog, Feb 7, 2008.

Administrator or Limited User Account

  1. Administrator: 139 vote(s), 73.5%
  2. Limited User: 47 vote(s), 24.9%
  3. Other: 3 vote(s), 1.6%
  1. aniku

    aniku Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    34
    Administrator of course,
    on my 32-bit XP Pro Intel dual core.
     
  2. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    other:

    Have been experimenting with a "power user" on XP Professional. With software restriction policy (SRP) in place and DropMyRights for web-facing apps (including Sun's xVM VirtualBox), it seems to be doing OK so far... It runs apps that will not run in my LUA. (I still prefer to administer in the Admin account and not enable the Secondary Logon service).

    However, I'm doing this with my eyes open, aware of the poor "power user" security review here:
    http://blogs.technet.com/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx
    The Power in Power Users
    "The bottom line is that while Microsoft could fix the vulnerabilities I found in my investigation, they can’t prevent third-party applications from introducing new ones while at the same time preserving the ability of Power Users to install applications and ActiveX controls. The lesson is that as an IT administrator you shouldn’t fool yourself into thinking that the Power Users group is a secure compromise on the way to running as limited user.
    "Note that the eWeek study shows that most malware writes to the Run key in HKLM\Software and the \Windows directory and so doesn't work in a limited-user environment, but does in Power Users. That will change over time, especially after the release of Vista, as malware adapts to a limited-user environment.
    "The study does not reflect the fact that malware can take control of the system using the techniques I outline.
    "Just another reason not to run as Power Users.

    Would the exploits outlined in this blog post work with SRP and DropMyRights?
     
  3. normishmael

    normishmael Guest

    Admin account, but with Firefox and IE7 both started under "drop my rights"
    or run with Sandboxie drop rights feature on.
    Media players are either blocked from connecting out at all by Kerio 2.1.5, or run in Sandboxie.

    About the only time I am not under Returnil, Sandboxie, or some sort of drop rights scheme is when I have to use IE7 to download Windows updates.
     
  4. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    Admin with OA Run Safer for the browsers.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Admin on XP plus SetSAFER to drop rights for Internet facing apps.
     
  6. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    I use Win 7 beta with UAC turned up to Vista level on my desktop. Single account only.

    On my older laptop I use Win XP with limited account.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Admin on XP, with all apps facing potentially hostile content running as SRP level 'Basic User'.

    Comments such as the following give me concern about actually switching to LUA again:

    "After much playing, I have finally got my system working great. The tool Unlocker and RivaTuner, the main 2 reasons I started this, are very tricky to get working in a LUA environment. Even with SuRun."
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Since I last posted in this thread my setup has changed.

    My parents' machine now runs as a standard user account (XP Home).
     
  9. progress

    progress Guest

    Me too, but I'm back to the limited user account. I think the power user account makes no sense :rolleyes:
     
  10. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    UAC is misunderstood

    Is there anyone here who's going to change to a limited user when using Vista or 7?

    The whole point of UAC is not security, but usability. When using XP, you need administrative powers a lot of the time, even for doing simple tasks. The 'runas' doesn't always work as desired, so people tend always to use an administrator account.

    With Vista's (and 7's improved) UAC, the whole point is that you can run as a limited user all the time, and fill in your admin credentials only when really needed. When using an administrator account, you only get the consent prompt. In my opinion, the consent prompt is more of a compatibility mode for all those users who say "non administrator is bad", without experiencing it.
     
  11. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Re: UAC is misunderstood

    Once all my apps became compatible with it I started running Vista as limited user all the time.
    About the only time I have to switch to the admin account is for a program called Impulse from Stardock. It's a program that installs and updates all the programs made by Stardock.
    All my other programs allow me to install in limited user accounts by giving me a UAC prompt.
    Sometimes I have to run programs as administrator to work properly, for example Ventrilo so I can talk on it while the program is minimized, and I also need the Logitech extra keys program to run as admin to work with a game.

    If a program wants you to use an admin account on Vista you should ditch that application and find one that works on limited user accounts. If a program doesn't work on a limited user account, IMO it's not written properly so you shouldn't use it. Only tools such as defrag, imaging, partitioning etc. should need admin rights and will give you a UAC prompt on limited user accounts.

    I hope no one here is an admin for a business network and gives employees admin accounts.
     
    Last edited: Sep 13, 2009
  12. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Re: UAC is misunderstood

    That would be the best way indeed.

    A lot of software programmers still live in the "9x era". No user accounts, just click and run. The result is that many people simply need the administrative permissions to use the program. The runas command, or even an elevation of rights, isn't really the solution, since most software should be able to work on every account, no matter if it has administrative rights or not. You can't blame Microsoft for that.

    Exactly. Tools that affect the whole system (e.g. multiple users) should be "restricted".

    My company does. Every user is a local administrator. Recently they tried to do a lockdown, but at least 60% of the users said they need administrative rights because their applications wouldn't work.
    :(
     
  13. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    Re: UAC is misunderstood

    XP Pro SP3

    Limited user account + SRP + SuRun

    works great
     
  14. Saint Satin Stain

    Saint Satin Stain Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    222
    Location:
    Huntsville, AL and Greenwich Village, NYC
    I run in Administrator Account but run browsers sandboxed and I use the drop rights feature of Sandboxie. I recommend that most folk, like my kin and kith, should run in a Limited Account. If you use an Admin Account, you have to keep attention active all the time. No napping.
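
An added example (not part of any post in this thread): a read-only PowerShell check that reports which of the poll's categories the current logon falls into and how UAC is set to prompt. It assumes Windows Vista or later, where whoami.exe and the UAC policy values exist; the variable and function names are illustrative.

```powershell
# Added example: classify the current logon session the way the poll does.
# Read-only; no settings are changed.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# Well-known SIDs of the built-in local groups discussed in the thread.
$adminSid     = 'S-1-5-32-544'   # BUILTIN\Administrators
$powerUserSid = 'S-1-5-32-547'   # BUILTIN\Power Users

# IsInRole only counts groups that are enabled in the token. Under UAC an
# unelevated administrator still carries the Administrators SID, but marked
# deny-only, so list every SID in the token as well. /nh drops the localized
# header row; the columns are name, type, SID, attributes.
$tokenSids = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes |
    ForEach-Object { $_.SID }

function Test-Enabled([string]$sid) {
    $principal.IsInRole((New-Object Security.Principal.SecurityIdentifier($sid)))
}

$accountClass = if (Test-Enabled $adminSid) {
    'Administrator (full token)'
} elseif ($tokenSids -contains $adminSid) {
    'Administrator, not elevated (UAC filtered token)'
} elseif (Test-Enabled $powerUserSid) {
    'Power User'
} else {
    'Limited / standard user'
}

# UAC policy values. ConsentPromptBehaviorAdmin: 0 = elevate silently,
# 1 or 3 = ask for credentials, 2, 4 or 5 = consent prompt.
# ConsentPromptBehaviorUser: 0 = deny elevation, 1 or 3 = ask for credentials.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ErrorAction SilentlyContinue

[pscustomobject]@{
    User          = $identity.Name
    AccountClass  = $accountClass
    UacEnabled    = ($uac.EnableLUA -eq 1)
    AdminPrompt   = $uac.ConsentPromptBehaviorAdmin
    StdUserPrompt = $uac.ConsentPromptBehaviorUser
}
```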
     