Limited vs Administrative

Discussion in 'other security issues & news' started by WilliamP, Jul 30, 2007.

Thread Status:
Not open for further replies.
  1. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    Thanks Dogbisquit, gkweb and the rest of you. I get more and more tempted to try this. I have known for a long time that LUA increases security, but I did not know how important it is. It's a strong HIPS :D

    If more and more people try suDown I hope they post their experience with it. Or other similar tools.
     
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Haven't tried suDown yet. So far I have been able to do all I want with limited.
    Using Returnil with Limited seems to help. Certainly the hassle factor does not seem to increase. Using Returnil I would have to leave protected mode anyway to update a program. Now I'm simply going to admin at the same time.

    If limited works, what is the benefit of suDown?
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    If you want to try real limited user with 100% modularity, with no glitches and bugs, then you should try Linux. Windows can work with LUA, but it was not designed that way.
    Mrk
     
  4. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I will be trying Linux soon - have read a couple of your guides BUT
    can I run Paperport, Omniform etc. under Linux? As far as I am aware a number of programs that I rely on only work under Windows?
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    You can run them using:
    1. WINE (only for 32-bit apps under 32-bit kernel)
    2. Virtual Machine of a sort (VMware, VirtualBox)
    3. Use a similar, alternative program
    Mrk
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Well, I have re-evaluated things and gone back to a LUA here. Main reason is, with Nod32 and CyberHawk I was getting some substantial slowdowns in both browsing and also general system functions. Not sure which apps caused what, but it was no good for me. I value good performance above extra security. So I removed both Nod and CH, put on a basic AV which isn't as good but still offers some basic file protection, then set up my account as a LUA again. For me, this is the best way to have decent protection as well as good performance.. Now I will try to see if I can live with the LUA.. :)
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Good question, maybe somebody can answer, but I passed on sudown too as I can do everything as needed with LUA already.. Don't need sudown as far as I can tell..
     
  8. tlu

    tlu Guest

    Yes, Runas doesn't work properly in all cases. However, I can't remember a case where installation with MakeMeAdmin or suDown didn't work. For example, I installed KAV 6.0 with MakeMeAdmin and recently KAV 7.0 with suDown without any problems. But it's true that there are some rare applications that are better installed in an admin account: As far as I remember, after installing Outpost (which I had used earlier) and reboot a configuration window automatically pops up for which admin rights are necessary. This wouldn't probably work in a limited account. This might also apply to other security applications.
     
  9. tlu

    tlu Guest

    The point is that for the installation of most (or at least many) applications admin rights are necessary. So if you are logged on as limited user you could switch to your admin account (which is cumbersome), try it with Runas (which works mostly but not always) or you do it with suDown which is definitely the most convenient way for me. Moreover, by right-clicking your desktop and selecting "sudo Control Panel" you can access all Windows settings for which admin rights are necessary. It couldn't be easier.
     
  10. tlu

    tlu Guest

    Mrk, everybody knows that you don't like Microsoft. ;) To be sure, I, too, prefer my Kubuntu machine over Windows. Nevertheless, I state explicitly that working in a limited account in Windows can be comfortable and rather unproblematic when following the hints given in this thread.

    Yes, Linux is the superior OS but even Windows can be improved, i.e. more secure than it is out-of-the-box.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hi,

    It's not that I don't like MS, don't get me wrong. It's MS that doesn't like me. When they started their guilty until proven innocent policy with WGA, it was the last straw.

    Regarding LUA, I did try it quite extensively in Windows - and found it lacking severely. You know that I have zero tolerance for software and that I only go for the simplest and most convenient solutions. Unfortunately, Windows was never built to support modularity and LUA as intended.

    I'm talking trying everything - gaming, sharing, P2P, security software, tweaks, etc.

    Mrk
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's funny, it looks like Vista has already implemented it in a way that I like, you can run as "protected admin" (with autologin hopefully) and this basically means that you run in "non admin" mode but as soon as you need admin rights you will get to see a prompt, with the ability to allow or deny, no password required. So it seems like a nice and hassle free extra protection method.

    But just for the record, even in non-admin mode I would still use my HIPS, because LUA won't save you from everything and besides I like to have full control over my machine. Perhaps I will make the switch to Vista faster than I expected, I just saw that PCs have become less expensive and more powerful. And Vista SP1 is also coming up. :D

    http://en.wikipedia.org/wiki/User_Account_Control
    http://www.edbott.com/weblog/?p=1602

     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But then again, all of my favorite tools will have to work on Vista, including my security tools, and I'm not sure if HIPS will work on Vista because of certain changes in the OS.

    Also, I don't want to be bothered by annoying messages telling me that "I'm not admin" (some apps give this on startup) but this shouldn't be a problem since even though you're protected you're still admin ("protected admin"). And from what I've read, the new "file/registry virtualization" feature in Vista will make most apps run problem free in non-admin mode. :)
     
  14. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    I've tested my comfort level on Vista Home Premium from both admin and standard (limited) user accounts. Since I've found Returnil coupled with UAC enabled in admin account, I've decided to run entirely from the protected administration account.

    I'm not running antivirus until I need to scan a file for installation. Not even using Windows Defender either. I always do my "sensitive information" events after rebooting to get a fresh virtualized C partition.

    I do appreciate that the standard account is better in Vista than XP's limited account for ease of use.

    :thumb:
     
  15. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I am testing the limited account in Vista right now and it is a bit easier than LUA in XP since you never have to tell Vista to "run as". Vista senses when a task is not permitted for the limited account and pops up a small window with the admin account name, and one only types the password. A little more user friendly imo.

    It's a bit like UAC in an admin account. I wonder what the difference is (other than you don't have to enter a password with UAC). Are UAC and LUA in Vista equally safe? If so there seems no point in running LUA in Vista...or? (well, a password is always a bit safer, but other than that..)
     
  16. cheber

    cheber Registered Member

    Joined:
    Sep 23, 2003
    Posts:
    24
    I've been using LUA for a few months. I just installed this suDown and it seems nice. Too bad it lacks any documentation at all or settings possibility. It doesn't even install in the Program folder but in some mysterious place.
    It's also strange that my account is LUA but when I login with suDown installed it becomes an admin account with LUA restriction. It's a bit strange.

    I don't get this demo, http://sudown.sourceforge.net/index.php?page=demo
    If I'd want to install a program wouldn't I use sudo which temporarily gives you admin rights? Wouldn't that mean that I'd get infected and the DNS servers would've changed anyway?
     
    Last edited: Aug 7, 2007
  17. mikew3456

    mikew3456 Registered Member

    Joined:
    Apr 18, 2007
    Posts:
    7
    I've been running as limited for a while now. I don't even use realtime AV anymore.

    suDown looks like a good product, I'll give it a try. Will prob save me all the hassle below.

    But for those who have been switching to administrator to install programs, you'll notice that many won't work when you try to run them in your limited account. Almost always, the problem is a file/registry permissions problem. Using the Sysinternals tools you can find what you are denied access to. Usually it is the Program Files directory of the app as well as some reg keys. Give your acct full permission to those and voila, the app works.
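
A check to run after a permissions change like the one described in the post above, as an added example that is not part of the original thread: it lists the explicit allow entries that give write-type access under an application's install directory to accounts other than SYSTEM, Administrators, TrustedInstaller and CREATOR OWNER, so the grant can be reviewed and kept as narrow as the application needs. The function name and the `C:\Program Files\ExampleApp` path are placeholders chosen for illustration, and registry keys are not covered.

```powershell
# Added example (not from the thread). Get-NonAdminWriteAce is a hypothetical helper name.
function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)] [string] $Path)

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow changing content or permissions, plus the raw
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that
    # inherit-only entries sometimes carry instead of the named rights.
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor
                 0x10000000 -bor 0x40000000

    # Compare by SID so the check does not depend on localized account names.
    $trusted = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-3-0',        # CREATOR OWNER
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    $root  = Get-Item -LiteralPath $Path
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            # Report inherited entries only on the root, so each grant appears once,
            # at the place where it was actually set.
            if ($ace.IsInherited -and $item.FullName -ne $root.FullName) { continue }

            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }   # unresolvable identity: keep it as shown
            if ($trusted -contains $sid) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path; substitute the directory of the application being checked.
Get-NonAdminWriteAce -Path 'C:\Program Files\ExampleApp' | Format-Table -AutoSize
```

An empty result means no account outside the trusted list can modify files under that directory.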
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Have pretty much got admin and limited set up the way I want (protected with Returnil) and ultimately Acronis.

    Post #9 explains about MakeMeAdmin. I have been able to get to the point where I am supposed to stop the last few autostarts. I can get to the registry - but then what?

    I will try suDown next but before I do, will this program make it possible to stop all autostarts, i.e. to stop any malware from being able to run?

    Any help here would be appreciated.
     
  19. tlu

    tlu Guest

    I'm not sure that I understand. What exactly have you done?

    You need Macromedia Flash installed. It's also possible that you blocked this site with Noscript.

    Short answer: See posting #20.
     
  20. tlu

    tlu Guest

    LOL. Well, perhaps MS are listing posters here on Wilders that always argue with them ...:D

    I don't know what you tried exactly. Read through this thread and it should become clear that LUA is possible and it can be very comfortable using the right tools (suDown).

    See my post #26 to solve possible problems. In general, Regmon and Filemon are your friends.
     
  21. cheber

    cheber Registered Member

    Joined:
    Sep 23, 2003
    Posts:
    24
    "cheber" is added to "sudoers".
    When I check on my administrator account ("Users and settings") called "admin" it says "cheber" is a LUA.
    When I check the account on "cheber" it says the account is an administrator account.

    Heh, well I just meant I didn't understand the reasoning or how it functioned. My Flash works fine. But I guess your post #20 explains it. I also read more on the site and the Flash just wanna compare LUA and admin, not <sudo installing with LUA> and admin (which I thought) as that'd practically be the same thing.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    tlu, that's exactly the reason why not to use LUA. I don't want to play with file permissions to get things to work. That's exactly the problem. Of course you can eventually get it to work. But when I want to play a game online, I don't want to have to try 7-8 times before everything fits.

    Using the given tools / options provided by LUA, I found quite a few bugs with lots of programs. Therefore, I've decided to drop the issue. I can achieve the same productivity without losing anything with admin account - or as an alternative, use Linux, which offers 100% modular limited user.

    Mrk
     
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Hi Mrk

    I'm using LUA now and apart from occasionally booting to admin to load or update I haven't had any real problems.

    I'm still trying to get MakeMeAdmin to work and at some point I will probably try suDown but I am trying to remove complications rather than add them.

    So how would I go about achieving the same productivity without losing anything with the admin account?
     
  24. cheber

    cheber Registered Member

    Joined:
    Sep 23, 2003
    Posts:
    24
    Only problem I've had with LUA is with Nero BackItUp. It won't save backup jobs created with a LUA. But that doesn't matter as I don't create new jobs often.
     
  25. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    I have to ask this.
    Using Roboform's Customize Toolbar as an example, is there no software that is easy to use that would list all the programs that would be affected by changing user accounts and enable the user to just Add or Remove them into the limited accounts?
    If there is something that simple, and stable, more people would jump into this safer way of computing.
    Regards.
    Doc
     