Do you run as Administrator?

Discussion in 'polls' started by Gullible Jones, May 12, 2009.


Do you run Windows as an administrator?

  1. Yes.

    159 vote(s)
    76.1%
  2. No.

    50 vote(s)
    23.9%
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    In xp sp3 I run as admin, too much interference with AV, HIPS, FW, etc. I can recover and have never had an issue except when using OA's run safer feature. Never could get it to work for me.

    On W7 it is kind of non important as W7 runs in LUA mode and then when a program needs to run in admin mode say CCleaner popup asks me and away I go, No problem.

    So in OA on W7 run safer is no longer needed.

    So on this poll I have to vote no and yes
     
  2. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    You know, this would all make a lot more sense if it were pointed out more often that LUA does offer up a bit more in the way of options available to the owner of the computer. What I mean is this; When you first install XP Pro, you are set up as an Administrator. This never made a lot of sense to me as that account is basically the same as the 'real' Administrator account. Why not just be Administrator and be done with it. Anyway, from here the Administrator can tweak the permissions available to the users group. Heck, you can even deny 'write' access if you want. Now a new account can be set up, as a user, with those permissions that the Administrator has chosen. You can set it as 'Full Control' all the way down to 'Read Only' - and you can change those permissions later if you choose. So the grandkids are visiting? No problem, I'll just change the permissions to what I want those Grandkids to do ....
    So that approach would offer up more options available to the owner. But I never hear that .... all I hear about is LUA as limiting to you, and some 'just in case' method of defeating 'behind the scenes' malware as you - the owner - are using the computer.
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    You are very convincing with your arguments and your posts are always well written and informative, thank you. Yes, there is a big difference between LUA and SRP, and after reading your post I've decided to give it a go and open a standard user account within my Vista Ultimate.

    It was quick and painless mainly because nowadays I'm not running so many security applications as in the past. There are, however, some odd things happening still and namely Google Chrome completely disappeared from my program list (Start/All programs) and from (Start/Control Panel/Programs), CCleaner disappeared from the program list but shows in the main list of installed programs. Apart from these 2 applications everything else somehow seems to work perfectly.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    For some using SuRun is more comfortable (or convenient) than having to switch to an admin account for admin tasks.

    It's the same as Linux. Using sudo you can run admin tasks without having to switch to root.
    Alternatively, installing SuRun saves you from switching between admin and user accounts.
     
  5. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    My computer is a laptop, but I never use it as a laptop. It has a tabletop workstation that it plugs into and the screen shows up on a larger desktop monitor. That is how I like it. I can unplug the laptop and take it with me, even if I don't plan to use it as a wireless computer, so that no one has a chance to even touch it if I am not home. All valid reasons for my usage. 99.9% of the time, it just slides in to its receiver and you don't even see it. Sorta like the old 8-tracks in cars that slid in and out to protect against theft.

    While I am in Admin (prior to creating any other accounts) I change the power settings from the default - which is set as a laptop - to "Always On". I also change the instruction on what to do when I close the lid, and what to do when I press the sleep button. I change these to "Do Nothing". I can not stand the computer going to 'sleep' - I prefer a screensaver as the comp springs to life much quicker than coming back from sleep. Also the setting for closing the lid is defaulted as "Turn Off". I also want this to "Do Nothing".

    Anyway, I set all that up as the Administrator and create a new account as limited and log off and log on the new account. Of course now I am not allowed to change the power scheme, but it stands there as what the computer default had been - not what the Administrator just told the comp to do! So now to use the thing I have to leave the lid open, run a wire over to the desktop and set there on the computer with two screens showing (not too good for privacy from walk-bys). Also, heaven forbid I walk away for 10 minutes, as now the thing goes to sleep.

    Now I understand that you wouldn't want users changing the power scheme - but why doesn't Windows take the new settings the Administrator just gave it? And how can I change it so I am comfortable without Surun?

    Item 2; I am on the phone while on the computer making plans (remember we have lives too) and I merely want to know what day of the week March 17th is. I can look at the tray and see the time .. but I can glance at the wall clock for that. I can hover the mouse and the tooltip will tell what today is. But as for what I want, I am not allowed. OK, so you don't want users changing the time - how about viewing the calendar?

    Now I am not trying anything out of the ordinary here, not installing rootkits and stuff, I am just setting things up. Lord help me if I want to create a new sandbox later....

    And all for what?
     
  6. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    No, It's not that - we are only talking theories here. I am just pointing out that it is not the slamdunk some make it out to be. And I am not about to start typing passwords to see my calendar. :rolleyes: On sandboxes, I hear people worry all the time about sandbox-aware malware. They say that you can test something in the sandbox and it lies dormant, only to spring up at you when you install it on the real system. What about malware acquired while in a LUA? Not installed, just waiting for the account to become Admin, because the malware writer knows you will become Admin sooner or later. In a sandbox, all is flushed away from your session, and with Returnil things can be as they were before.

    The reason you need Surun to do the things you need to do is that Windows (at least XP) is not LUA friendly. That is why the ownership isn't done correctly on the permissions - as Tlu points out. That is why I can not view the calendar - let alone change things. Microsoft can recco a LUA till the cows come home but they have had 8 years and 3 Service Packs to take care of these little items in XP and they have not. They also could provide a Surun-like tool, as far as I know they have not. When I say 'not friendly', I mean in a behind the scenes way, more with file or permission corruption.

    The entire premise (with XP) is built on a house of cards.
     
  7. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    We can't have this thing going both ways here, I was posting about LUA plus SRP all along - as that is how I thought most were referring to. Then it got shifted to sandboxes vs. just LUA.

    LUA plus SRP plus Surun is one level - analyzing each one as a singularity is a far different thing than looking at the three as a total.
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    The issue here may be that some software installs only for one user, the current user, by default, instead of installing system-wide into Program Files. Google Chrome is one prominent example of software that installs by default only for the current user: it will install into the user profile folder of whatever account you use to execute the Chrome installer. This means that other users won't be able to access it, since users can only read their own profile folders. The downside to this is that if you install Chrome as admin with the default settings, only that admin account will see it, limited users will not. The good side is that you can execute the installer as a limited user and install Chrome for that limited user account, without needing admin privs to do that. (Incidentally, the latter is a case where a default-deny SRP would be a little problematic, as it would prevent the installer from even running in that limited user account.)

    Sure, for some it is more comfortable. But necessary in general, for a majority of users? Absolutely not.

    As for me, the choice is simple: less software on the system means less vulnerabilities in the software on the system, and considering that switching to an admin account to perform the random admin task I need to do is not a bother, I will not use SuRun or anything like it. In general, when it comes to security, solutions like Runas, SuRun or even sudo in Linux are less secure than simply logging out of your current account and then logging in as the account that has enough privileges to do what you need. But that's another discussion.

    But, to summarize, it's not that I have anything against anyone running SuRun. If people like it and find it useful, good for them! Anything that makes one's use of the system more comfortable should be a good thing. Me, I just don't consider SuRun necessary for a comfortable LUA experience, since it, well, isn't necessary, and I don't like adding new software when I don't need it.


    The power management settings thing is less than optimal, indeed. I don't rightly use many laptops, so it doesn't bother me very often, but the issue surely is there. In XP. It has been corrected in less ancient versions of Windows. In XP, you could correct it by less than obvious methods, such as simply changing your limited user account into an admin temporarily, modifying the power management settings with your newly found admin privileges, and then changing the account back into a limited one. This would not cause permission issues with ownership. But, it's certainly not as smooth as it should be, and you should not do it if you suspect that you might have malware infections in your limited user account. Or, you could edit the registry as admin to simply give limited users permission to change power settings, if that's what you want. http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx So, SuRun really isn't needed for this thing, either (and installing and configuring SuRun could take more time than any of those two workarounds for the power management issue).

    But in any case, it's true that XP in particular has a few fairly stupid problems with LUA like this power management issue, although most users won't meet those problems much and those that do could find relatively quick solutions by the power of web search engines. :) All in all, those issues aren't something that I would consider so serious as to make the entire LUA experience less than comfortable or easy. As an example, on the system I'm currently writing this post on, I've not done anything to the power management settings - they're the same as they were when XP was first installed, there have been no changes by me at all, and no 'hacks' to get around the issue of LUA not having permission to change power options.

    This is another XP funny business with LUA. In Microsoft's defense, maybe they were embarrassed about the calendar being so useless, and decided not to show it. :D Assuming you don't use any email/calendar software that you could use to see what day of the week March 17th is, not being able to view the calendar in the Windows Date and Time applet can be a problem. Personally, I feel that the easiest workaround for this is simply using a real calendar software with much more functionality (I, for example, need such calendar software anyway to keep tabs on everything I need to do).

    For security, obviously. And for some strange choices in configuration by the MS devs. But obviously the main reason is security: running as LUA is safer than running as admin. As practically always, an increase in security does mean some kind of loss of convenience. For example, if you run LUA, you can't do admin stuff as easily as you can in an admin account - at the very least you'll have to give the admin password when prompted, or if you're very interested in security you have to actually log out or switch users. As another example, if you run some sandboxing security software, you have to put up with sandboxed software starting more slowly than before, and taking time to configure which programs run sandboxed and which do not, or when to empty the sandbox and what to recover from the sandbox to the real system, and so on. These are the kinds of tradeoffs that one has to deal with if one wants to increase security. As I always say, getting in your car or house would be easier if there were no keys needed, but then, that would be less secure. Most people can deal with these tradeoffs without feeling uncomfortable.

    As for the reason why a new admin account is created during installation, that's likely to be simply for better user experience. People generally like to customize things, preferring to use an account called "Dave" rather than "Administrator". Assuming their name is Dave, of course. :D

    Tweaking the permissions of various groups is less often mentioned than the most obvious benefits of LUA (like malware you run not being able to infect the entire system or your own user errors being unable to delete system files) simply because tweaking permissions is a lot more complex, and probably not something that the kind of user who didn't even know about LUA yesterday would be comfortable doing today. The learning curve of LUA is relatively easy, but the learning curve of understanding and configuring file permissions is much harder on you. It's not very difficult to be a little too click-happy with denying permissions, causing the entire system to be unusable. If one needs limitations beyond even those of a normal LUA, then such limitations are best created by creating either a new account or a new group, and modifying the permissions for that new account or group, instead of messing with what the Users group or other existing groups can do. There are group memberships that may seem a little "unexpected", and that can cause surprising problems to those who don't know much about group membership.

    Now this is just silly. LUA doesn't somehow "become admin sooner or later". Not if you use the account reasonably, anyway. In fact, if you use it reasonably, it never becomes admin, after the initial set up (during which you obviously shouldn't be surfing the web or launching untrusted executables...) As an example, the limited user account I'm using right now has never been admin, and never will be admin, not even for a second. As with sudo in Linux, it's entirely true however that if you enter an admin/root password while logged in as a less privileged user, there is a risk that software running inside that less privileged user account can capture the password and then use it to gain greater privileges. So, if you want maximal security, simply don't ever type the admin password anywhere when logged in as a limited user, and never elevate anything to admin privileges while you remain in the limited user's desktop. That's not hard to do. When you need to do admin stuff, simply use Fast User Switching, or log out traditionally and log in to the admin account to do what you need. Simple, easy, safe. Malware can't somehow magically jump from one account to the other. When you log out of the limited user account, and then log into the admin account, nothing that may have infected your limited account runs. The admin is a different account, with a different user profile and desktop and different everything. The only way any malware you have infected your LUA with is going to get admin rights is
    1) You act stupidly and actually go and manually execute the malware when logged in as admin, that is to say, browse some folder where LUA can write, see a strange file there and then execute it. Smart move. :D
    Or...
    2) The malware uses an unpatched privilege escalation vulnerability to gain admin privileges. This is like any software vulnerability, including those in security software that allow bypassing said security software, such as escaping the sandbox.

    But yes, it's true that if you act foolishly LUA can be useless. For example, if you download malware into some folder, and then use Runas to execute the malware as admin, LUA didn't do you any good. But that's only because you did a very unwise thing that you should not have done. LUA can't protect anyone who knows the admin password from being foolish. Nothing can.

    I don't think you understand ownership quite correctly. There is no issue of ownership not being done correctly in Windows XP. Ownership is done exactly as it should be done. The problem is, instead, what the user is doing, and the user lacking understanding on how the operating system works: the user is changing the privileges of an account, and then getting all surprised when that account still remains the owner of files and folders it has previously created and thus become owner of. That is not surprising. That's how it's supposed to be. That is no mistake. The user simply does not understand how ownership works, if he expects changing an existing admin account into a limited user account would somehow strip the account of all its ownership to files it has created. That would be absurd... And of course, stuff like this is why people should keep things simple. Just create a new account, and you won't have any issues with ownership.

    MS does not change XP because XP is an ancient operating system. Two major newer versions of the same line of systems (NT) have been released since. There's no reason why MS, being a business, would still make large modifications to XP and thus make its newer products seem less superior as compared to XP.

    House of cards? Certainly not. LUA on XP is on very solid foundation - just as in Vista or 7. Instead of being a house of cards, a better comparison would be that LUA in XP is simply slightly rough around the edges, whereas in later versions it has been fully mirror-polished.

    The title of this thread is "Do you run as Administrator?" The thread is not about SRP. It's simply about user accounts. Of course, threads live and topics change as people discuss. But LUA is useful without SRP, and SRP can actually be useful (slightly) without LUA, as well. And both are useful without SuRun. Most people who run LUA do it without SuRun.

    But all that was on the long side, again.
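
The ownership point in the post above can be checked on a live system. This PowerShell audit is an added example, not part of the thread: it lists items under system-wide folders whose owner is not a current administrator, which is what an account leaves behind after being changed from admin to limited. The function name `Find-NonAdminOwnedItems`, the folder list and the depth limit are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 5.1+ session.
# Find-NonAdminOwnedItems is a hypothetical helper name; $Roots and $Depth are assumptions.
function Find-NonAdminOwnedItems {
    param(
        [string[]]$Roots = @($env:ProgramFiles, $env:SystemRoot),
        [int]$Depth = 3   # limit recursion so the audit finishes quickly
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Owners that are normal for system-wide files (well-known SIDs).
    $trusted = [System.Collections.Generic.HashSet[string]]::new()
    [void]$trusted.Add('S-1-5-18')       # LocalSystem
    [void]$trusted.Add('S-1-5-32-544')   # BUILTIN\Administrators
    [void]$trusted.Add('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') # TrustedInstaller

    # Accounts that are administrators right now are also acceptable owners.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue) {
        [void]$trusted.Add($m.SID.Value)
    }

    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                # Read the owner as a SID so the comparison does not depend on name resolution.
                $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).GetOwner($sidType)
            } catch {
                return   # unreadable ACL: skip this item
            }
            if ($owner -and -not $trusted.Contains($owner.Value)) {
                # Resolve the SID to a name where possible (deleted accounts will not resolve).
                try   { $name = $owner.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Path = $_.FullName; Owner = $name; OwnerSid = $owner.Value }
            }
        }
    }
}

Find-NonAdminOwnedItems | Sort-Object Owner, Path | Format-Table -AutoSize
```

Service accounts may legitimately own some items and will show up in the list; entries owned by an ordinary user account are the ones to review, since an owner can always rewrite the permissions on what it owns.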
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Long but, as always, well worth the read.

    I normally run LUA/SRP/SuRun and you hit the nail on its head - convenience and security are in tension. SuRun provides a convenience, and as an almost inexorable result, there's a decrease (of some level) with respect to security. That decrease may be large or it may be small, it really depends on the user, but it's there.

    Too bad LUA is not the default in the Windows world, that would do more to convert people to an LUA frame of mind than anything else.

    Blue
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Fully agreed. As long as MS defaults to creating admin accounts during the install of the OS, a vast number of people will keep running as admin, no matter how many people recommend LUA instead. The default configuration for any software is very important since so many people stick with it instead of making changes to improve security. Hopefully, MS will be brave enough to default to limited accounts instead of admin by the time Windows 7's successor comes around. UAC has already helped make a large part of the most popular Windows software fully LUA compatible, and as 7 takes market share from XP, that situation will only improve. By the time Windows 8 or whatever it will be named comes out, I don't think most home users would face compatibility problems with the software they run even if the default was to create limited user accounts instead of admin. Probably the same would be true for business, although there is a lot of legacy custom apps used that are really not made for LUA.
     
  11. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Windchild ... "Silly"? There you go with that high and mighty attitude again. You kool-aid drinkers always revert to that, every time. Your post is so laden with contradictions, and now XP is an "Ancient" system? That's it? LUA isn't great on XP ..... so it's the fault of XP? And as for staying on topic ... I can certainly read the title of this thread. Any discussion on LUA is destined to evolve into LUA + SRP and then logically to Surun. And yes I have tried Surun and I know about the shortcuts you can take with the passwords (to get back to where you were already btw), I was just emphasizing the point.
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I would say limited user accounts are a fault of XP. To do pretty much any task in XP you have to use an admin account. To even look at the calendar you have to use an admin account. With Vista and 7 it's easy to use an admin account every single day. Microsoft should force people to use limited user accounts. I think Microsoft should stop people from logging in to admin accounts and only allow admin rights by using UAC.

    I use Ventrilo to talk to people from a game I play. The only way I can use the standard push to talk button is to run the program with admin rights. If someone sends me a link it opens in Internet Explorer with admin rights.... For a start it should open in my default browser Firefox but it must have been coded to use Internet Explorer. I posted on their forums but no one ever replied.
     
  13. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    I am running Vista as an Administrator. I never even tried running as a limited user on Vista as it was such an annoyance when I used XP. DefenseWall and ShadowDefender keep me out of trouble these days.
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, "silly". "Silly", because it's a clearly incorrect argument with absolutely nothing factual presented to support it. That makes it silly in my book. "Silly", as in "nonsensical". The argument seemed to be that malware could possibly jump from LUA to admin by waiting for the limited account to become admin, since the limited account would somehow mysteriously "become admin sooner or later". That is nonsensical, since LUA does not and should not become admin "sooner or later", unless the admin changes the privileges of the account for some reason. Or in other words, that's silly.

    Personally, I find the "kool-aid drinker" claim a little more high and mighty than stating that an argument which is clearly factually incorrect is nonsensical - IOW, silly. But I guess such things are open to interpretation.

    As for contradictions in my post, you can show me one if you wish, and I'll try to better explain what I was getting at with my statement.

    But yes, XP is an ancient operating system. It's two major versions out of date, running on extended support and nearing ten years old. That is ancient in the world of software. LUA, if anyone asks me, works just great on XP for the purposes of security and actually using the system for productive work, but does have a few rather stupid issues that while not showstoppers in any way can be annoying if you actually ever meet them. And yes, those issues obviously are the fault of XP, or rather the developers of XP, but that's close enough for me. But before I digress, ancient certainly doesn't need to mean "bad" or "poor". XP works for me for many tasks even still. And actually, the even more ancient Windows 2000 would work, too.
     
  15. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    This is what I am referring to. So it becomes Admin for a time - malware only needs an instant. And everyone does that, and they also do it with Surun. Of course I do not mean that somehow by magic, an account changes.
     
  16. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Two full systems since XP, that's right. On the first - Vista - I have never seen such an outcry from the buying public. En masse, companies and individuals stated that they were not going to switch off XP. As for Win7, well that is brand new. But to prove your point XP 'needs' to be portrayed as "ancient". XP when run as Admin is probably the best OS ever invented. But you would advocate throwing that away and having it become "rough around the edges" by running it as LUA. That is the kool-aid talking, as there exist today lightweight programs such as Sandboxie and Returnil to keep your computer pristine.
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, you missed my point there, but perhaps I should have emphasized said point even more in my earlier post. But let's go back to that post of mine that you just quoted and read on. You left out a rather important part of that paragraph of mine that you quoted. I said this:

    Notice that part that I bolded just now for further emphasis? I think the meaning is pretty clear: if you suspect you might have malware in your limited user account, then obviously you should not give that limited user account admin privileges, even temporarily! If you give an infected account admin privileges, then sure, you'll give the malware admin privileges as well. So, just don't do that.

    It's really quite simple. The assumption is that we're starting from a clean system that is not infected with malware. If we assume the system is already infected to begin with, then the whole exercise becomes pointless, because we'll be talking of a system that is already infected getting infected again, and that would be a fairly pointless discussion, considering that nothing much would change - the system was owned all along, and the new infection would not change that. If you have a clean system when you start creating your new limited user account, then there's no problem. Just configure your limited account to your liking, and if you meet power management issues, change the limited account to admin temporarily if you want, and then change it back once you're done with the power options. Malware won't magically appear on the system. If you know you're going to change that limited account into an admin temporarily, for heaven's sake don't use that limited account to do potentially dangerous things that can get you infected, like executing untrusted files or browsing random web sites, until you have done with the admin change and have returned the account to being a limited account for the rest of its life. :D If you manage to avoid doing such things, then there isn't any issue, because there won't be any malware in your limited account. This stuff really isn't that hard or complicated. If you haven't done anything with the account that could get it infected, then there's no problem and no malware will infect your system if you change your limited account to admin temporarily. If you have done something with the account that could get it infected, like execute untrusted files or browse untrusted web sites, and you don't know whether the account is clean or not, then simply don't change the account into admin, or you will risk also giving any possible malware admin privileges. 
    If you have just created the account on a clean system and haven't used it to browse the web or execute untrusted files or run public web servers and so on, then there's no risk of the account having become mysteriously infected. If you have an old limited account that you've done all sorts of things with and you're not sure whether it's infected with something, then you need to decide whether or not you want to take a chance: if the account really is infected and you change it to admin, you've just owned yourself. If you ask me, you obviously should not give suspect accounts admin privileges, but people don't always listen to what I say. :D

    Really, pretty much the whole idea of this separation of superusers (admin) and normal unprivileged users (LUA) business is that you should use the admin accounts only for admin stuff, and leave the dangerous stuff dealing with untrusted files or daily use that doesn't need admin access to LUA. If you do something in LUA that could get it infected, then you should never change that account into an admin one. If you do, you have only yourself to blame for breaking the rules. I don't know what more to say on that subject.

    I really don't see what any outcries against Vista have to do with how old XP is or how many new major versions of the same line of operating systems have been released after XP. Talk don't change reality.

    XP doesn't "need" to be ancient, and certainly not to somehow prove my point. But neither my words nor yours will change the fact that XP is very old, so old that most operating systems as old as it is are completely unsupported by the developer. Find me a couple other operating systems as old as XP or 2000 that are still supported by the developer. Guess why the devs don't support operating systems that are so old? Because they're ancient, that's why, and the devs have released tons of new and possibly even improved products since then that they want to sell you and therefore they don't want to spend their resources on supporting a very old version of their product. We could sit here and argue for days about how you feel about XP or how I feel, but none of that would change how old the OS is, or how many improvements from newer releases it lacks. But since there seems to be an emotional tangent in the discussion, let me make my opinion clear: I like XP, and have used it for many years. Many years, as LUA, on many systems, but some systems also as admin for many years. I think it's one of the better operating systems, giving a reasonable balance of security and convenience, when configured properly. I'm not someone who runs around the web yelling at people and urging them to upgrade to Vista or 7. Stick with what works best for you: if you like XP, and don't feel a need for newer versions, then stick with XP for as long as you like. How could there be anything wrong with that? The reason I even mentioned that XP is ancient was to point out that problems with power management for example aren't a general rule of how things are supposed to be in LUA, but rather just an issue with XP in particular, and such issues have been corrected in newer versions of NT.

    If you like to run XP as admin, then do so. Who's stopping you? Not I. What I'm doing is simply making a general recommendation to people: it's safer to run as LUA, so you should probably do it, unless you really know what you're doing and want to run as admin. I certainly consider XP when run as admin to be rough around the edges, quite like LUA in XP is rough around the edges, even though XP is a good OS. As a good example of that roughness you would see when running XP as admin, the default settings for many things in XP are simply bad - rough around the edges, and require manual polish by the user, for even such things as actually seeing file extensions and hidden files in Explorer... That doesn't stop me from liking and using XP and considering it comfortable. My aim is certainly not to advocate throwing away something you love and replacing it with something less nice. Instead, my aim is to make folks at least consider that they replace something that is less secure with something that is more secure.

    As far as kool-aid talking, I find it fairly ironic that when I advocate the use of security features already included in the operating system that people have paid for, I get accused of drinking the kool-aid by someone who advocates commercial security software like Sandboxie or Returnil. :D Why is it that advocating a built-in security feature of the OS is drinking the kool-aid, but advocating a third party commercial security software somehow is not? But stuff happens. I would wish people could be less emotional and more concentrated on the facts, however. The fact that some people advocate LUA really isn't going to take away your freedom to run as admin or use commercial security software. If we approach the subject rationally, how exactly can we avoid coming to the conclusion that making people more aware of LUA is a good thing? LUA is free, it requires no extra software, and it has a serious security impact. Why shouldn't I advocate that to people who have trouble with malware and other security and stability issues? Really, my goal is not to get anyone to surrender their security software and start relying blindly on LUA alone. My goal is simply to make people more aware of something that does not require yet another purchase and install of new software and still can vastly improve security. I think people have had worse desires. :D
     
  18. wat0114

    wat0114 Guest

    The translation is a bit rough around the edges, but it does not seem Surun turns the entire LUA into an administrative account.

    http://translate.google.com/translate?u=http%3A%2F%2Fkay-bruns.de%2Fwp%2Fsoftware%2Fsurun%2F&langpair=de|en&hl=de&safe=active&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

    BTW, I run as LUA. For the first couple years using XP pro, as power user (customized restrictions, rights), then the last few as LUA. LUA also with Vista and now Win 7. Linux has a nice warning about running as sudo :)

     
    Last edited by a moderator: Jan 20, 2010
  19. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I think about the only thing on my LUA account that I do use Surun for is to defrag. And about the only time I switch over to my Admin account is to do updates. I only started to run a LUA account after reading all the excellent write ups about it on here and was reluctant at first with it but after running with a LUA account for a while I got used to it and it's no bother now.
    I will admit when I set things up I did it as an Administrator level account and did the switch so I could get all the programs I wanted to use installed. It might not be the best way but was a little easier to do and I haven't run into problems.
     
  20. captainron

    captainron Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    77
    Pretty big reach to say everyone does that, I know I haven't. When I set up a new system I install all the apps I need as admin. Then create a new account with admin priv's and turn the account previously tweaked/setup the way I like to limited and keep it that way permanently. Then browse, game, dl, everything off that account and log into my admin when needed to add/remove apps or defrag. If for some reason someone did want to change their LUA to admin, they should of course scan the system first. Realistically, you won't have dormant malware lying around because you should scan your system regularly.

    Regarding XP, it is ancient in software years but still very stable, secure, and not obsolete IMO. Why would schools/companies shell out $ for new OS, hardware, troubleshooting, etc when XP isn't broke? No reason. XP pro configured as LUA with SRP is the default configuration of corporations and universities even though it's nearly 10 years old. Every corporation/university I have been a part of has their systems set up this way. It's a testament to the functionality/security of LUA with SRP. My .02
     
  21. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    In the context of the conversation at the time of my comment - we were discussing creating a LUA account and working from there. Not tweaking an Admin account and changing in to LUA. So "Everyone" was said in that framework.
     
  22. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, even in that case, not everyone does anything to the power management settings, or changes their LUA temporarily to admin. I know quite a lot of people, including myself, that don't necessarily do that on their systems. But even those that do can easily avoid any malware jumping from LUA to admin simply by using their brains: if you've done something with the limited account that could get it infected, then don't change it to admin. If you haven't done anything risky with the account, then you don't need to worry. It's that simple.
     
  23. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Well, around these parts, "Everyone" should be running LUA. And there is *ABSOLUTELY* no reason not to. And there are *ABSOLUTELY* no ill effects on any OS that exists, and no matter the usage.

    Bottom line - I set the settings for 'Power Options' as an Administrator. I created a new account as LUA. Those changed settings were *not* carried over. Some other hand was at work. It was the OS itself using the default setting. Now there are millions of settings ...
     
  24. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That's a straw man, actually. I don't recall people around these parts saying that everyone should be running LUA and that there is absolutely no reason not to do so. Quite obviously, as I've stated numerous times and as others have, LUA is unsuited to someone who does things that require admin rights all the time, such as run legacy software that just bloody well refuses to work in LUA or install new software and hardware all the time. People who do such things constantly would likely be better off just being logged in as admin all the time. As for ill effects, it's not a term I would use. Instead, I'd say that as with any software configuration there are always pros and cons, and nearly always some kind of minor nuisances that fortunately most often have easy workarounds. And then there's of course the fact that people have different standards for comfort and ease of use. For example, to me, not being able to view the Date and Time applet in LUA is a non-issue, since I constantly use actual, real calendar software for time management. For someone else, not being able to view the Date and Time applet could be downright horrifying. Tastes differ, and all. But as I can only speak for myself, that's exactly what I'll do, and make the obvious recommendation that since the improvement in security caused by running LUA far outweighs the cons of running as LUA, running as LUA would be a good idea to most people. Even with XP. To pretty much everyone I personally know, it's quite comfortable, even with the funny business XP does with a few settings.

    Yes, it was XP defaulting the new account to XP's default power management settings, and then the new account won't have privileges to change the settings. That's what XP does. It's not smart, but it's what XP does. Later versions do not. That's why I called XP ancient - it is, and newer versions have some fixes to old XP nuisances. Fortunately, there are workarounds for those issues on XP, such as the simple registry edit to give users rights to edit their own power management settings.

    And sure, there are many settings. But only a handful of them have any of these funny XP issues. The fact that tons of settings exist isn't a ton of problems if and when you only have trouble with a small number of those settings. You've mentioned trouble with power management and the Date and Time applet. Some workarounds for those have been discussed. If you have trouble with any other settings, even millions of them, just tell us about it, and you're likely to get some workarounds to fix said trouble, if you wish. But it's all been discussed before: the LUA issues in XP are well known, and no wonder, since XP has been around so long.

    Of course, now some will say that tweaking stuff like this is horribly difficult and comfortable. Well, to some it might be. But when it comes to security measures or security software, it's seldom the case that you can get away with not doing any changes in the configuration. There's lots of installing and configuring that needs to be done for light virtualization or sandboxing apps, for example, and some people don't seem to consider that too much to handle. In some cases, you may have to do more tweaking than in others. In XP, you may have to do some tweaking to get the power options and Date and Time applet working like you want, assuming that you're not satisfied with the default - many are satisfied with it, actually I'd say most of those people who use LUA that I know personally. In Vista or 7, you don't have to tweak those things. Progress. It's great. :) And freedom is great, too. If you consider the issues in XP to be too much, it's not like anyone is stopping you from just doing what you've done until now.
     
  25. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    Your very first line in this thread "Do You run as Administrator?"
    No, I don't. Of course I don't. Note the 'of course'. Later you are "Flabbergasted" that a user has a different way of doing things. But this is petty.
    You are right; Vista and Win7 have come along since XP. Both of those systems made significant progress regarding LUA. Is it really that silly to think that a system that existed before those two would be somewhat less than perfect in regards to handling LUA? I point out a couple of items to show what I am referring to, and the response is an answer on how to solve that specific item. Of course I know how to get to my power scheme and calendar - that never was the point. Some software doesn't install properly in XP LUA. You can assume it is poorly coded - it may not be, it may be the fault of something amiss in XP. XP is (right now) probably the most used system worldwide, and there are none of these issues in Admin. There are ways to keep your computer clean (I mention returnil and sandboxie). True they are 3rd party. 3rd party to make up for a lacking in the OS in regards to LUA. You can switch the product to Windows Steady State if you like. The point remains the same.

    Even here (after 8 years) there is disagreement on how to even set up a LUA. Making your settings as Admin and then switching to LUA? Well, Tlu cautions against that;
    https://www.wilderssecurity.com/showpost.php?p=1201866&postcount=146

    Starting it as LUA and keeping it that way? That's fine, if you are limiting other users of the computer. We are talking about the owner of the computer. It is unreasonable to expect a good portion of people who are owners of the computer to create a LUA, and stay in it forever. (You have already lost the malware war at that point). It is perfectly reasonable to have them run Surun. But there are potential problems there as well.

    It is reasonable when asked what to do about LUA if the answer is to purchase WIN7 so as not to be ancient. It is not reasonable to pontificate to an XP user that is making a perfectly legitimate decision to run as Admin, and cover his vulnerabilities in some other fashion - other than LUA.
     