[OT] Limited User Account (WinXP Pro SP2). - Firewalls


  1. [OT] Limited User Account (WinXP Pro SP2).

    Hello.

    For security reasons I created a Limited User Account (LUA) and begin to
    wonder if the security benefits outweigh the hassles.

    Most applications are working only with Administrator-level accounts.
    http://support.microsoft.com/default...b;en-us;307091 recommends to
    contact the software manufacturers...well, most of them don't respond.

    The "Run as..." option doesn't work on all applications like CA AV.

    With respect to AV/A-S applications, only SuperAntiSpyware and Spybot S&D
    responded. I was advised that when scanning with SAS in Administrator
    Account the LUA is included as well. Spybot S&D however recommends to scan
    both accounts individually.

    Ad-Aware, and a2 have yet to respond.

    My resident (Real-Time) Av application (CA Anti-Virus v8.3.0.1 - free
    one-year trial) will not update while in Limited User A/C.
    Error Messages:
    "Security center was unable to successfully update components."
    "The licence validating did not complete successfully: Failed to connect to
    the update server. An error has been detected while trying to make an
    internet connection. Please check your connection settings and try again."

    CA forum is very poorly visited and I don't expect a response.

    I am a careful surfer, don't play any computer games, practice safe-hex and
    my OS & browser (IE7) are 'hardened' considerably. Routine AV scans (incl.
    Multi_AV) never show anything serious. I haven't had a severe virus
    encounter for a very long time.

    What are your experiences and/or recommendations?

    Is it worth the hassle using LUA?

    TIA...........Mel


  2. Re: [OT] Limited User Account (WinXP Pro SP2).

    In "Mel Bourne" writes:

    >For security reasons I created a Limited User Account (LUA) and begin to
    >wonder if the security benefits outweigh the hassles.


    >Most applications are working only with Administrator-level accounts.
    >http://support.microsoft.com/default...b;en-us;307091 recommends to
    >contact the software manufacturers...well, most of them don't respond.


    With Windows XP Pro, all of the ordinary user applications included
    with Windows work perfectly when run by a limited user. Some
    administrative functions, such as creating accounts or installing
    software require Administrator privileges. Just log in as
    Administrator when you need to do those things. Third-party user
    applications should work for a limited user, assuming that they are
    properly designed. Of course, products like firewalls and virus
    scanners that require access to the entire computer will need to
    run as Administrator.

    Yes, it's worth the hassle, especially for users who have no idea
    which operations are safe and which are dangerous. Don't even give
    them the Administrator password.




    --
    -Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

  3. Re: [OT] Limited User Account (WinXP Pro SP2).

    Mel Bourne wrote:
    > For security reasons I created a Limited User Account (LUA) and begin
    > to wonder if the security benefits outweigh the hassles.
    >
    > Most applications are working only with Administrator-level accounts.


    Can't confirm that. Most applications I work with run just fine under a
    limited user account, or can at least be configured to do so.

    > http://support.microsoft.com/default...b;en-us;307091
    > recommends to contact the software manufacturers...well, most of them
    > don't respond.


    First ask yourself: would it be a good idea to run the application as a
    limited user? System maintenance tasks and stuff like that, like e.g.
    defragmenting the harddisk, changing the (system-wide) configuration of
    the virus scanner, etc., should only be done by administrative users. If
    it's something like that: log in as an administrative user, do the task,
    then switch back to the limited user. If it's something that can be
    expected to run with limited rights: check the support pages and FAQ of
    the vendor. Maybe they've already documented what to do. Also you can
    try to analyze and fix the problem yourself. I've just updated the
    little HOWTO [1] I wrote about this.

    Contact the vendor only if the above steps didn't solve your problem. If
    the vendor doesn't respond, I suggest to dump their product and switch
    to something that does support LUA.

    > The "Run as..." option doesn't work on all applications like CA AV.


    "Run as" does not solve the problem, because a) the application will be
    running with elevated privileges, which was what you wanted to avoid in
    the first place, and b) an application running interactively with
    elevated privileges may be subject to so-called shatter attacks.

    [...]
    > What are your experiences and/or recommendations?
    >
    > Is it worth the hassle using LUA?


    It most definitely is.

    [1] http://www.planetcobalt.net/sdb/submission.shtml

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  4. Re: [OT] Limited User Account (WinXP Pro SP2).

    In message , Gary Mills
    writes
    >In "Mel Bourne" writes:
    >
    >>For security reasons I created a Limited User Account (LUA)


    http://www.microsoft.com/technet/pro...ain/luawinxp.mspx

    >> and begin to
    >>wonder if the security benefits outweigh the hassles.


    A very good idea, I use them.

    >>Most applications are working only with Administrator-level accounts.
    >>http://support.microsoft.com/default...b;en-us;307091 recommends to
    >>contact the software manufacturers...well, most of them don't respond.

    >
    >With Windows XP Pro, all of the ordinary user applications included
    >with Windows work perfectly when run by a limited user.


    For e.g. double clicking on the clock in the systray does not display
    the clock in a window, because it does not want you to change the
    clock.
    Also, changing timezone is a quite legitimate thing for a non-admin user
    to want to do.

    > Some
    >administrative functions, such as creating accounts or installing
    >software require Administrator privileges. Just log in as
    >Administrator when you need to do those things.


    I would recommend makemeadmin for that.

    > Third-party user
    >applications should work for a limited user, assuming that they are
    >properly designed.


    > Of course, products like firewalls and virus
    >scanners that require access to the entire computer will need to
    >run as Administrator.


    .... but none the less the user does not need to run as administrator
    while using them.

    >Yes, it's worth the hassle, especially for users who have no idea
    >which operations are safe and which are dangerous. Don't even give
    >them the Administrator password.


    Yes it is worth the hassle.

    http://blogs.msdn.com/aaron_margosis...leOfContents.aspx

    Regards
    --
    Dave English Senior Software & Systems Engineer
    Internet Platform Development, Thus plc

  5. Re: [OT] Limited User Account (WinXP Pro SP2).

    In message <51h70iF1kie4jU1@mid.individual.net>, Ansgar -59cobalt-
    Wiechers writes
    >Mel Bourne wrote:
    >> For security reasons I created a Limited User Account (LUA) and begin
    >> to wonder if the security benefits outweigh the hassles.
    >>
    >> Most applications are working only with Administrator-level accounts.

    >
    >Can't confirm that. Most applications I work with run just fine under a
    >limited user account, or can at least be configured to do so.
    >
    >> http://support.microsoft.com/default...b;en-us;307091
    >> recommends to contact the software manufacturers...well, most of them
    >> don't respond.

    >
    >First ask yourself: would it be a good idea to run the application as a
    >limited user? System maintenance tasks and stuff like that, like e.g.
    >defragmenting the harddisk,


    Why?

    Although the command line in XP from Executive software requires admin,
    their full products do not I think.

    The excellent Whitney defrag command line does not require admin, except
    of course to install the driver.

    http://www.flexomizer.com/PermaLink,...-879d-b32145cc1957.aspx

    > changing the (system-wide) configuration of
    >the virus scanner, etc., should only be done by administrative users.

    ....
    --
    Dave English Senior Software & Systems Engineer
    Internet Platform Development, Thus plc

  6. Re: [OT] Limited User Account (WinXP Pro SP2).

    Dave English wrote:

    >>With Windows XP Pro, all of the ordinary user applications included
    >>with Windows work perfectly when run by a limited user.

    >
    > For e.g. double clicking on the clock in the systray does not display
    > the clock in a window, because it does not want you to change the
    > clock.


    Has been fixed in Windows Vista, where it shows a read-only calendar. For
    Windows XP and below, you can create a trivial system control applet that
    launches other programs, f.e. RainLendar.

    > Also, changing timezone is a quite legitimate thing for a non-admin user
    > to want to do.


    Same thing. You can actually change the timezone, the applet is just too
    stupid. Aaron Margosis' Blog discusses a work-around.

    After all, changing the time should also be a legitimate thing - if Windows
    had something like a user-dependent time like many Unix flavors have.

    >>Some administrative functions, such as creating accounts or installing
    >>software require Administrator privileges. Just log in as
    >>Administrator when you need to do those things.

    >
    > I would recommend makemeadmin for that.


    I would strictly disrecommend makemeadmin. You'd be starting to fuddle with
    ownerships and privileges. For the same reason, the classical invocation of
    'runas' is bad.

    Best recommendation would be Fast User Switching or SuperiorSU (for Windows
    2000).

  7. Re: [OT] Limited User Account (WinXP Pro SP2).

    Dave English wrote:

    >>First ask yourself: would it be a good idea to run the application as a
    >>limited user? System maintenance tasks and stuff like that, like e.g.
    >>defragmenting the harddisk,

    >
    > Why?
    >
    > Although the command line in XP from Executive software requires admin,
    > their full products do not I think.


    You consider allowing the user to start performance-critical and
    potentially security-critical maintenance tasks as a feature?

    > The excellent Whitney defrag command line does not require admin, except
    > of course to install the driver.


    Installing a driver for defragmentation? This is crazy. Too good that you
    actually just meant a service, not a driver.

  8. Re: [OT] Limited User Account (WinXP Pro SP2).

    Sebastian Gottschalk wrote:
    > Installing a driver for defragmentation? This is crazy. Too good that you
    > actually just meant a service, not a driver.


    And good, too, that you meant a kernel module, not the driver pattern ;-)

    SCNR,
    VB.
    --
    "Pornography is an abstract phenomenon. It cannot exist without a medium
    to propagate it, and it has very little (if anything at all) to do with sex."
    Tina Lorenz


  9. Re: [OT] Limited User Account (WinXP Pro SP2).

    Volker Birk wrote:

    > Sebastian Gottschalk wrote:
    >> Installing a driver for defragmentation? This is crazy. Too good that you
    >> actually just meant a service, not a driver.

    >
    > And good, too, that you meant a kernel module, not the driver pattern ;-)
    >
    > SCNR,
    > VB.


    Maybe I didn't get the joke, that's why I'm discussing it:

    For defragmentation, you just need to use some FSCTLs. This requires admin
    rights for some, but can be done by any user-mode program. Thus,
    implementing a driver is always superfluous. Implementing a service is no
    necessity either, just good for management. (Beside that, every driver is
    mapped as a service.)

  10. Re: [OT] Limited User Account (WinXP Pro SP2).

    Sebastian Gottschalk wrote:
    > Volker Birk wrote:
    > > Sebastian Gottschalk wrote:
    > >> Installing a driver for defragmentation? This is crazy. Too good that you
    > >> actually just meant a service, not a driver.

    > > And good, too, that you meant a kernel module, not the driver pattern ;-)

    > Maybe I didn't get the joke, that's why I'm discussing it:


    MSFT does not only use "driver" for kernel modules.

    Yours,
    VB.
    --
    "Pornography is an abstract phenomenon. It cannot exist without a medium
    to propagate it, and it has very little (if anything at all) to do with sex."
    Tina Lorenz


  11. Re: [OT] Limited User Account (WinXP Pro SP2).

    Volker Birk wrote:

    > Sebastian Gottschalk wrote:
    >> Volker Birk wrote:
    >>> Sebastian Gottschalk wrote:
    >>>> Installing a driver for defragmentation? This is crazy. Too good that you
    >>>> actually just meant a service, not a driver.
    >>> And good, too, that you meant a kernel module, not the driver pattern ;-)

    >> Maybe I didn't get the joke, that's why I'm discussing it:

    >
    > MSFT does not only use "driver" for kernel modules.


    I still don't get it. No-one ever mentioned if the driver would be
    kernel-mode or user-mode (both would work), I just stated that there's no
    need to have any driver at all, and neither a service (which is what he
    actually meant, as I derived by actually looking at this program).

  12. Re: [OT] Limited User Account (WinXP Pro SP2).

    Dave English wrote:
    > Ansgar -59cobalt- Wiechers writes
    >> Mel Bourne wrote:
    >>> For security reasons I created a Limited User Account (LUA) and
    >>> begin to wonder if the security benefits outweigh the hassles.
    >>>
    >>> Most applications are working only with Administrator-level
    >>> accounts.

    >>
    >> Can't confirm that. Most applications I work with run just fine under
    >> a limited user account, or can at least be configured to do so.
    >>
    >>> http://support.microsoft.com/default...b;en-us;307091
    >>> recommends to contact the software manufacturers...well, most of
    >>> them don't respond.

    >>
    >> First ask yourself: would it be a good idea to run the application as
    >> a limited user? System maintenance tasks and stuff like that, like
    >> e.g. defragmenting the harddisk,

    >
    > Why?


    Because system maintenance is administrative work? Sure, one can build a
    defragmenter that can be used with limited rights, but that'd require
    either elevation of the user's privileges, or a backend running with
    elevated privileges, both of which might be exploited by malware. Plus,
    I'd prefer to logically separate administrative tasks (especially system
    maintenance) from user tasks.

    The fact that you *can* do something doesn't necessarily imply that you
    *should* be doing it.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
