Limited vs Administrative

Discussion in 'other security issues & news' started by WilliamP, Jul 30, 2007.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I know that it is safer to use a Limited account, but how much of a hassle is it to do that? I checked in Polls and 83% of people that voted use an Administrative account. And that was here at Wilders with all us Security nuts. I have also noted in some posts people having problems with some of their security programs in limited user account. I would like the extra security but that would depend on the extra hassle.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    Depends what you do. Are you a gamer? Do you use P2P software? Then, most likely, limited account is not for you. Then, if you know what you're doing, you can fare quite well with admin account.

    Finally, what is the threshold of hassle that you're willing to suffer?

    Mrk
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I'm not a gamer and don't use P2P. I have what I feel like is great security software. But from time to time I read of someone bringing up, but if you were in a Limited account. Just recently in the SSM forum dealing with the last update to prevent malware.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    If you're considering a limited account I would check how all your software works with it. Some software may need admin privileges to update etc.
     
  5. tlu

    tlu Guest

  6. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
  7. Dogbiscuit

    Dogbiscuit Guest

    tlu's posts are right on.

    It's interesting that so many people on Wilders refuse to use limited accounts in XP. Yet many of those very same people swear that Linux is more secure than XP, in part, because Linux by default uses limited accounts. I'm sure they have their reasons, but it still seems ironic, especially on a forum dedicated to computer security.
     
  8. attila4000

    attila4000 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    51
    Location:
    Rahway, NJ, USA
    I set up two limited accounts. I don't use P2P programs and I don't play games online. All the software that I use works fine with WinXP Pro limited accounts.
     
  9. tlu

    tlu Guest

    Thanks for your support. Please note that you can tighten your security even more by following the steps I outlined in this post. I described them for MakeMeAdmin but you can also use suDown, of course.

    Note: If you use Windows XP Home I strongly recommend using FajoXP in order to add the security tab available in XP Professional.
     
  10. tlu

    tlu Guest

    As for DropMyRights, I still think it's the wrong way. There is at least one other process (namely explorer.exe) permanently running with admin rights which is an easy target for malware using Windows messaging (although I have to admit that this problem seems to be solved in Vista). The danger is that under DropMyRights applications, which were started with lower rights, can break out from this security context and gain admin rights. An interesting read is also http://blogs.securiteam.com/index.php/archives/188 .

    Another important drawback of the DropMyRights approach is this one: Even if you started, say, IE with limited rights there is always the danger that another instance of the browser is started indirectly by a casual click e.g. through local URL- and HTML-files and hyperlinks in Office and mail applications (DOC, XLS) or help files (CHM). These instances run with admin rights! - and you probably wouldn't notice.

    Conclusion: A limited account with suDown is the much better way.
     
  11. Blue Ring

    Blue Ring Registered Member

    Joined:
    Apr 13, 2007
    Posts:
    100
    Tlu,

    Thanks anyway but I think I would rather run in a limited account than install .Net framework in order to then use sudown. If I could I would be removing more of Windows not adding more that could lead to more flaws and possible compromise. Anything that requires me to install additional Windows components is usually a no go for me. Just my opinion of course.
     
  12. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello,
    Some apps I use daily need admin rights, so it would be so annoying to use a limited account.
    lodore
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    It is quite simple: if you admin your PC often, you will choose an admin account; if you use your PC, you will use a limited user account, because it will suffice.
    It is always the same: it depends on the user, and also a skilled user does not need a limited account or does not want it, and a common user does not know how to use it.
    But fortunately Vista allows common users to use the limited account, which makes it quite comfortable even for admins, who do not admin their PCs so often.
     
  14. tlu

    tlu Guest

    You can easily start them with suDown - where's the problem?
     
  15. tlu

    tlu Guest

    Wrong. You can administrate your PC with suDown without any problems.

    Wrong again. A skilled user does use a limited account because he/she knows that permanently being logged in as admin is careless and unnecessary (see remark above). Have a look at Linux: Any user permanently working as root is considered a fool by the Linux community. Why should it be any different in the Windows world now that suDown is available?

    Agreed. But it can also be done in XP.
     
  16. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello Thomas,
    Where do I download suDown?
    And how does it work?
    lodore
     
  17. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England
    Don't know if Thomas is still on line but check out here

    http://sudown.sourceforge.net/
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I have checked out suDown and it seems like it will log you in as a non-admin user, and every time you need admin access you will have to run the app via suDown. But I'm not sure if it's the right choice for someone who doesn't want to be bothered by this stuff. I like to have complete control, and besides, right now my account is not protected by a password, it slows things up!

    Of course if your HIPS is not able to stop malicious behavior, a limited user account might save your ass, but still, what if such an app asks for admin access, and you decided to trust it? Then you're still out of luck, so I don't think I will be running as a non-admin anytime soon. Common sense, some knowledge and high quality anti-malware tools is good/secure enough for me.
     
  19. tlu

    tlu Guest

    Hi lodore - please read this post of mine.
     
  20. tlu

    tlu Guest

    An interesting question ;) If I assume that you install only applications you trust (why should you do otherwise?), your logic leads to the question: What's the use of a HIPS anyhow? Don't you allow them in your HIPS if you trust them?
     
  21. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    To be honest, using HIPS is roughly the same as running as limited user but with more popups and a bit more flexibility. But using just a limited account is easier on the computer and more stable than relying on HIPS, which use undocumented APIs.

    I suppose you could do both but I think what Rasheed is getting at is that it probably gains you little to do both.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ tlu, ok you got me there, I guess I'm just trying to talk myself out of running as non-admin, but I agree it's the right thing to do for more security, that's why they have introduced this in Vista.

    I will experiment a bit more with this tool to see how things go, but I already don't like a couple of things. I already mentioned that I don't use a password to protect my account, the reason is perhaps a bit silly, but when I boot up my system (usually once a day) it takes about 2 minutes to boot, and I'm not going to sit behind my computer waiting for my system to boot up. Plus having to enter a password for all apps you need to run in admin mode gets annoying after a while.

    I have also noticed that some apps give annoying messages before startup, telling you that you're not admin. Also, I had a bit of a problem with the prueba trojan, normally it shows up in "Program Files" but now I had to search for the little bugger, because even in non admin mode it still worked, a bit strange that SSM didn't alert me about it, but this may be related to some conflict on my virtual machine. On the plus side, my security tools still seem to be working correctly.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ LUSHER

    Yes, nowadays running a HIPS which is able to protect the registry, file system (and offers protection against process tampering) will in fact do the same job as when running as non-admin. But I guess the main selling point of a tool like "suDown" is: what if your HIPS fails?

    You know what would be cool, what if you could just switch between non-admin/admin mode with only one or two clicks, without the nags about passwords, at least if you don't want to? Sort of like how you would connect/disconnect SSM's interface. I think I might use a tool like this.
     
  24. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Tlu, I am confused as to the gain with suDown. I have SSM and I will have to ok something to load. If it is bad, I foo fooed. With suDown, won't I have to ok it also? If I'm to download something I'm going to have to be in administrator mode. It is hard getting my head around it.
     
  25. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    If you go study a bit on what limited accounts do, you can pretty much spot which areas are directly equal to which HIPS functions, and which are extra ones added by HIPS (which usually are less important).

    LOL. I know we are in paranoid central here, but I think anything that gets past all your paranoia, plus AV, hardware firewall, software firewall, 2 HIPS and more besides, probably deserves to own you for all that hard work, don't you think? Don't be a spoilsport and deny him with sudown.. :)

    Honestly, I didn't know you could run mostly as limited user while running HIPS. I remember reading some HIPS having problems with that in the past. Personally I would either use a limited account, or run HIPS (I actually do both as the mood strikes me), but both I haven't tried.

    The point of the password would be so malware (or rather another less privileged user) wouldn't do exactly the same thing and switch modes, right?

    I'm not quite sure if connect/disconnect SSM interface is that similar to admin/non-admin.
     