Windows 7 -- Standard User Account?

Discussion in 'other security issues & news' started by snowdrift, Dec 22, 2009.

Thread Status:
Not open for further replies.
  1. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    How safe is using Windows 7's Standard User Account?

    Does it really work well enough to avoid malware infestation on that platform?

    If you use it, do you use antivirus/antimalware software in tandem?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    I am looking for studies that might have tested LUA on Windows 7 and correlated those to relative safety.

    And how does Windows 7 Standard User Account compare with one from a new Linux distro, for example?
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Everything is of course relative, but it's reasonably safe. Certainly orders of magnitude safer than using an admin account. It's one of the basic security measures. As in, "if you're going to do something to improve security, then at least do this, because it has an enormous effect."

    In general, if you execute some malware in a standard user account, it'll only infect the account, not the entire system. So, no kernel mode rootkits and other stuff like that. But, many nasty things can be done with just standard user privileges: keylogging (for that user account, not for others), joining a botnet and spreading spam or DoS attacks, destroying any files the user has write access to, things like that. The benefit in that case would be that the malware could easily be detected and deleted by an admin, and it would be unable to infect the entire system and other accounts, unless it can exploit an existing privilege escalation vulnerability.

    That depends largely on the user and how they run the system. Even if one normally uses a standard user account, one can still get infected: for example by downloading a malicious file and then running it as admin or having some exploit site use a vulnerability in the user's browser to infect the user account. It's up to the user to try to avoid such things. If the user keeps the operating system and installed software, especially internet-facing apps like browsers and their plugins and Office and PDF software and media players, updated and patched, the chances that they will be infected by a remote code execution exploit are relatively small.

    In short, using a standard user account will greatly limit what malware can typically do on the system, but it's not a free pass to do stupid things and get away with it. Currently lots of malware out there will just die and do nothing when executed by a standard user. But some things, like many rogue anti-malwares, will work just fine and will infect the account. In the future, malware authors will likely be making more and more malware that works in a standard user account.

    Personally, I don't use AV software. That's simply because it doesn't offer me anything that's even remotely worth the trouble it causes (such as endless false positives and wasting resources on scanning stuff that I'm not going to execute anyway).

    In general, however, anyone who isn't sure whether they need AV software should probably continue using it, or perhaps experiment without AV software on a system that is not mission critical. AV software can help, even though it can also cause trouble (false positives, slowdown, additional vulnerabilities and so on).

    They're largely the same thing. Pretty much the second biggest reason for Linux's reputation of being secure is because in Linux everyone is (kind of) a regular user by default instead of being an all-powerful superuser. The main difference here is in the default file permissions: in Windows everything including newly created files is executable by default, while in Linux it depends on the default umask that typically makes newly created files not executable. If you want to achieve something like that in Windows 7 without messing with the actual file permissions, you can use AppLocker to block standard users from executing any files not approved by the admin (that's to say, allow executing files only in locations where standard users have no write access).
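
Added example, not part of the thread or of any poster's reply: the post above ties AppLocker-style path rules to locations where standard users have no write access, and this PowerShell sketch audits that condition. It assumes PowerShell 3.0 or later; the root list, the SID list and the function name `Test-BroadWriteAccess` are illustrative choices, not taken from the thread.

```powershell
# Heuristic audit: list directories under execution-allowed roots whose ACL
# lets broad non-admin groups create files. It reads Allow entries only and
# does not evaluate Deny entries or nested group membership.
# Assumption: $AllowedRoots mirrors the locations your policy allows to execute.
$AllowedRoots = @($env:windir, $env:ProgramFiles)

# Well-known SIDs of broad, non-administrative principals.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# 0x2 = create files, 0x4 = create subdirectories,
# 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL.
$WriteMask   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-BroadWriteAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this directory itself.
        if ([int]$ace.PropagationFlags -band $InheritOnly) { continue }
        try {
            $sidType = [System.Security.Principal.SecurityIdentifier]
            $sid = $ace.IdentityReference.Translate($sidType).Value
        } catch { continue }   # unresolvable account: skip the entry
        if (($BroadSids -contains $sid) -and ([int]$ace.FileSystemRights -band $WriteMask)) {
            return $true
        }
    }
    return $false
}

foreach ($root in $AllowedRoots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-BroadWriteAccess -Path $_.FullName } |
        ForEach-Object { $_.FullName }
}
```

Each path printed is a directory where a path-based allow rule and user write access overlap; tighten its ACL or carve it out of the rule with an exception.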
     
  5. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    Windchild, thank you for your excellent, thorough response.

    I am glad I switched to an LUA under Windows 7 and will couple that with my common sense to continue avoiding malware on that platform.
     