Are "Limited User" Accounts Worth It?

Discussion in 'other anti-virus software' started by DaveD, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. DaveD

    DaveD Guest

    RE: Windows XP Home Edition

    1) Are "Limited User" accounts worth the hassle of setting them up?

    2) Do the majority of software programs still function properly?

    3) How do "Limited User" accounts react to the majority of virus infections?

    I am considering a change in security measures on my machine. The biggest change recently is encrypting a partition with TrueCrypt that stores all of my personal files, downloads, backups and Mozilla profiles. I am mostly familiar with Linux and understand the significance of Administrator accounts, but I am just trying to get an understanding of just how safe "Limited User" accounts are in Windows and if it worth going this route.

    Thanks,
    Dave
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yes and No.
    Yes because malware has far fewer chances of causing damage to your system under a Limited User account.
    No because it causes inconvenience to you, some programs may not work properly, you cannot install programs, operations that do not function under a Limited User account have to be done using the Run As command...

    I still think Administrator has no problem, but you have to be very careful. IMO, if your security setup is tight enough, then there is no need to run under a Limited User account as it imposes excessive restrictions if your security configuration is strong enough already.

    There is a freeware utility you can use, I recommend it to XP Home users.
    http://www.dougknox.com/xp/utils/xp_securityconsole.htm
     
  3. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    1) Depends on what you want to achieve

    2) If they're written properly. Not all are though.

    3) Well, in my experience this affords little protection in reality. There are way too many escalation of privileges vulnerabilities that may be exploited so viruses can happily write to system directories and the registry.

    I administrate about 50 machines used by students (high risk). All run as restricted accounts and yet still often end up riddled with viruses despite having AV software running (AVG). IMHO the main reason/advantage for running restricted accounts is to restrict your users. This isn't Linux and Microsoft's implementation of restricted accounts is a farce in comparison. If you deliberately run a virus as a restricted user there's no way it should be able to write to system directories or the registry without the admin password, but they can with impunity.

    Although it's good advice to run restricted accounts on a daily basis, in reality it offers little additional protection against viruses due to the way they've been implemented.
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    i cant run as limited account because sonicstage needs to be admin rights to use it and dont know if run with will work. i have always used admin rights for nearly twos years and havent got infected but then again im normaly careful.
     
  5. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    Based from my experience, Limited User Account + NTFS file system is a very powerful-layered defence, it greatly reduces many infections I've seen.

    I work for a quite large corporate network, we've deployed the Limited User Account + NTFS on some high risk areas, e.g. public zone for our customers/employees, but of course, we can't deploy this policy to all machines because of some of our specialized software can't work on limited account.

    I've seen many worms and trojans that propagate via customer's USB devices, web traffic or adware/spyware-like malware come via browser simply die on our machines just because of they have no admin right to installing itself (e.g. can't write its folders and files into C:\, C:\Windows\, C:\Program Files, etc.). Even our antivirus solutions FortiGate Antivirus Firewall or eTrust sometimes fail to catch those malware but our machines still survive, e.g. recently, eTrust fails (at that time) to catch malware called Flashy comes via customer's flash drive but Flashy simply dies and can't do anything to our machine except writing some file into limited user's startup folder.

    I personally, however, love to live on the Limited User Account + NTFS without any antivirus/antispyware/antieverthing rather than living on the admin account with so-called the best antivirus/antispyware/antieverthing. Of course, Limited User Account + NTFS has its own drawback (e.g. inconvenience, hard to manage, can't protect you from installing malware yourself, etc.) and it's not a panacea to stop all infections but as I said it can be the last line of defence which greatly stops/reduces many infections when other security tools fail.

    I'm happily using Limited User Account + NTFS on my personal laptop, I have only avast! Home Edition which works perfectly on limited account + Windows Firewall as my security software, I don't use any antispyware or dedicated software firewall.
     
    Last edited: Oct 29, 2006
Loading...
Thread Status:
Not open for further replies.