Can XP be run as Admin securely?

Discussion in 'other software & services' started by davewood, Oct 12, 2012.

Thread Status:
Not open for further replies.
  1. davewood

    davewood Registered Member

    Joined:
    Oct 12, 2012
    Posts:
    3
    Location:
    England
    I am having to go back to using XP for a while and after using Windows 7 I am concerned about the security of XP. I like XP but don't like the hassle of running as a Limited User. The last time I used XP I tried software such as sudown and surun but did not have much luck with them.
    If I install antivirus software, a firewall and something like WinPatrol how secure would XP be running as Admin?
    Is there a better way to make XP secure without the hassle of being a Limited User?
     
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    NO...and YES using e.g. something like DropMyRights or similar feature called RunSafer in Online Armor, Restricted/Limited Applications in Privatefirewall or Restricted Apps in SpyShelter...
    ;)
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    If you're running Pro, yes. With folder permission (unsimple file sharing), SRP (you can make a user friendly default deny policy by excluding .dll's and good whitelisting), Local/Group Policy tweaks, and a bunch of other hardening tweaks (I've deployed so many I don't know where to start). You can make XP Pro very safe in admin.

    There's one GP tweak in particular that makes you enter your admin password to install new apps, even when under your admin. account. Otherwise this usually only applies to an LUA. Another GP tweak where you can restrict/filter file types that can be downloaded.

    Throw Sandboxie in there and set up something like VT Hash Check to autoscan new downloads before recovering them. And deploy something like Shadow Defender or Macrium Reflect/other imaging hardware... HIPS software, and you've got a pretty darned safe admin. account on XP Pro. Sandbox your USB ports, CD/DVD rom drives too and disable autorun (GP).

    This is usually how I run these days. I also grew tired of the restrictions of a full LUA. I used to run that way all the time and run admin only once a month to update Windows. To me this is the best of both worlds. Now I only run LUA when doing something deemed sensitive.

    I don't see how you could be much safer running Admin on Win7?...

    Home on the other hand... something like SuRun would be your best bet. But really, not a very secure OS.
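
As an added illustration of the SRP and autorun settings listed in the post above (not part of the original post, and not anyone's actual configuration): a Python check over a constructed registry export that flags when a default-deny Software Restriction Policy would not bind an admin account. The function names and the sample export are made up for the example; the registry value names are the standard SRP and Explorer policy values.

```python
import re

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed sample of a .reg export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"TransparentEnabled"=dword:00000001
"PolicyScope"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

def parse_dwords(text):
    """Return {key_path: {value_name: int}} for every dword value in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            values[key][m.group(1)] = int(m.group(2), 16)
    return values

def audit(text):
    """List the gaps between the export and a default-deny SRP that also binds admins."""
    reg = parse_dwords(text)
    srp, explorer = reg.get(SAFER, {}), reg.get(EXPLORER, {})
    findings = []
    if srp.get("DefaultLevel") != 0x0:            # 0x0 = Disallowed, 0x40000 = Unrestricted
        findings.append("SRP default level is not Disallowed")
    if srp.get("PolicyScope") != 0:               # 1 = all users except local administrators
        findings.append("SRP does not apply to administrators")
    if srp.get("TransparentEnabled") not in (1, 2):   # 1 = enforce, skip DLLs; 2 = include DLLs
        findings.append("SRP enforcement is disabled")
    if explorer.get("NoDriveTypeAutoRun") != 0xFF:    # 0xFF = autorun off on every drive type
        findings.append("Autorun is not disabled for all drive types")
    return findings
```

On the constructed sample, the policy is default-deny with DLLs excluded, but `PolicyScope` exempts administrators, which is the setting that matters most when the daily account is an admin.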
     
  4. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    I never run XP in other mode than admin, but I've always used Softpedia and other trusted sources for my software.
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    I found the easiest way is to use AppGuard. DefenseWall would also be an equally good option for 32-bit Windows XP. With these types of policy restriction applications, you can temporarily suspend and re-enable the various protections on the fly without having to switch user accounts.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Of course, and without any special issues or configs.
    Mrk
     
  7. guest

    guest Guest

    The easiest way with any system is do an image backup
    ""A CLEAN IMAGE BACKUP""

    Then actually you don't really need to worry about any malware
    if you do get infected "who cares"

    Just re-image your system drive

    I've come to the point of not really worrying about it
    just harden your system as much as possible by removing
    attack areas, doing on demand scans "benefit of this is questionable"
    and anytime you do something that might pose a threat
    just re-image

    This type of setup has worked for me better and more dependable than
    anything else that I have tried

    The XP setup I run has ONLY an Admin account without the ability to even run user accounts and as far as I know I have been infected only once and that lasted about 3 minutes o_O
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I share many of your sentiments about imaging.

    But don't forget to include a very important piece of information! Don't save what you want to keep to the system drive/partition, or at least make sure you have a good storage structure in place so you can save that important data before you re-image.

    Sul.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Admin/User makes very little difference for XP. Because of the lack of separation between users (ie: admin and user accounts) privilege escalation is not difficult, trivial if you're on an earlier XP version.

    If you're using XP you'd best make use of 3rd party software because it doesn't really have a leg to stand on.
     
  10. Wait, I thought WinNT provided good separation between privileged and unprivileged accounts from quite early in its history. Can you provide examples of where the separation is broken in XP? And is this stuff unique to XP, or can it also be found in 2003 Server, or earlier NT versions?

    (Mind, I won't argue that Vista and 7 aren't more secure by design... But my understanding is that NT has been a bona fide multi-user OS from day one, even if the implementation is not convenient for end users.)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  12. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    Me too and I also only download software directly from the developers or from trusted sites. But it's not as secure to run as an admin compared to Windows 7. Maybe my wife and I were lucky when we were using our old desktop for over 5 years as admins on the net.

    Now that old desktop hardly gets any use although it has EAM and Online Armor Pro installed. Back then it was mainly using the Windows firewall, McAfee and then Eset.
     
    Last edited: Oct 13, 2012
  13. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe


    Me too 2 ;) . Naturally, I use a multi layer defense system, but I would use it also if I run Seven. A disk image is needed a priori, not only for security.
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I wonder though... what would one have to do to contract this "Shatter attack"?

    Probably be sitting there on an unsecured network, ports hanging wide open, vulnerable services listening in on them, or maybe Java, etc..., no password protection, no sandboxing, virtualization, or anti-executable in place. Playing around on some shady site with no script blocking, or secure DNS warning/other link scanning to warn you off about it... clicking on random things.

    As with most all exploits, it depends on several things having to fall into place for it to work, the biggest ingredient being a dumb end user. So while the added security in Vista/7 certainly helps the average Joe out, my chances of being compromised on any of the above OS's are identical... slim to nil. And I'd think the same applies to most Wilders members.

    XP "can" most certainly be run, very securely, as Admin. And I believe this is what Mrkvonic was alluding to when he casually retorted: "of course". I've managed to do it for 8 years now.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    We're talking about local security ie: admin vs user. The assumption is the attacker has already compromised some program (admin vs user makes virtually no difference for remote attacks). Whether they did that by getting an XSS vuln and hosting a malicious link with a 0day exploit for your browser or whatever, it's not really relevant to account separation.

    Once they're on the system it's just a matter of a shatter attack for privilege escalation. On later XP versions this is somewhat more difficult depending on the type of system you're running.
     
    Last edited: Oct 14, 2012
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    There's a big difference between user and admin.
    Let's not assume anything is compromised, because it is not.
    Let's not invent fear scenarios that are irrelevant.
    Mrk
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    We are explicitly discussing a scenario where LUA is the security implemented to protect the system. This is a purely local defense - it assumes that an attacker already has compromised a program, service, or has managed to otherwise launch malicious code on the system.

    No, there is not a big difference between user and admin. That's the point.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Probably a lot better if you're seeking convenience and better security than full-time admin is to use Surun to elevate selected Programs and System settings conveniently.
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    You are mistaken.
    Mrk
     
  20. davewood

    davewood Registered Member

    Joined:
    Oct 12, 2012
    Posts:
    3
    Location:
    England
    Thank you all for your replies, you've given me some interesting options to consider. Not sure which option I will take so I shall bookmark this topic :thumb:
     