How safe is a "Limited" XP account? - Windows NT



Thread: How safe is a "Limited" XP account?

  1. How safe is a "Limited" XP account?

    What bad things can happen to me while using a plain vanilla
    "Limited" Windows XP user account? In the most extreme case,
    suppose I am totally reckless, and I visit every questionable web
    site I can find, and click on every questionable attachment that
    comes my way. In theory it would still seem that nothing really
    bad can happen, other than having files owned by that account spied
    on and/or altered. In fact it seems reasonable to expect that any
    malware I ran into would -- on finding itself in an unexpected
    non-Administrator environment -- simply fail, so even that sort of
    compromise wouldn't be too likely. But I am just speculating, and
    I'd rather know the facts. So what are the risks?

    One thing I have heard is that IE, being fused to the kernel, always
    runs with full privileges, and is thus always a security risk, even
    in a Limited account. However I always use Mozilla, which I would
    think would take care of that problem. Or does it? Is there maybe
    some way a malicious web page could get to IE through Mozilla?

    And what about Outlook? Does it have the same problem as IE? I
    don't use Outlook either, but I am just trying to understand the
    issues. In general I am interested in both likely and worst case
    scenarios. Any thoughts?
    --
    John Brock
    jbrock@panix.com


  2. Re: How safe is a "Limited" XP account?

    In article ,
    John Brock wrote:
    :What bad things can happen to me while using a plain vanilla
    :"Limited" Windows XP user account? In the most extreme case,
    :suppose I am totally reckless, and I visit every questionable web
    :site I can find, and click on every questionable attachment that
    :comes my way. In theory it would still seem that nothing really
    :bad can happen, other than having files owned by that account spied
    :on and/or altered.

    On the other hand, there have, for example, been cases under XP where
    a deliberately malformed graphics file could lead to Bad Things.
    If such a file were loaded in the user account and then you later
    browsed the user account with a different account (such as Administrator)
    then More Bad Things happen.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist

  3. Re: How safe is a "Limited" XP account?

    jbrock@panix.com (John Brock) writes:
    > What bad things can happen to me while using a plain vanilla
    > "Limited" Windows XP user account?


    Everything including execution of "arbitrary code."

    > In the most extreme case,
    > suppose I am totally reckless, and I visit every questionable web
    > site I can find, and click on every questionable attachment that
    > comes my way. In theory it would still seem that nothing really
    > bad can happen, other than having files owned by that account spied
    > on and/or altered. In fact it seems reasonable to expect that any
    > malware I ran into would -- on finding itself in an unexpected
    > non-Administrator environment -- simply fail, so even that sort of
    > compromise wouldn't be too likely. But I am just speculating, and
    > I'd rather know the facts. So what are the risks?


    Search the web for Windows security advisories that include the words
    "local privilege escalation." These indicate "okay i have a local
    (restricted) user account, and this hole gives me administrator
    priv's."

    > One thing I have heard is that IE, being fused to the kernel, always
    > runs with full privileges, and is thus always a security risk, even
    > in a Limited account. However I always use Mozilla, which I would
    > think would take care of that problem. Or does it? Is there maybe
    > some way a malicious web page could get to IE through Mozilla?


    IE is comparatively far more dangerous.

    Unpatched Mozilla can still be a big problem though too. You have to
    keep up on all fronts. Mozilla was also vulnerable to the malformed
    graphic buffer overflow, but its security track record remains far far
    better than IE.

    > And what about Outlook? Does it have the same problem as IE?


    It does too many things by default, yes. There are options that need
    to be disabled there. Try Mozilla Thunderbird for a little more
    insulation, or investigate all the default options you need to modify
    to use Outlook relatively safely.

    > issues. In general I am interested in both likely and worst case
    > scenarios. Any thoughts?


    There are more secure OS's out there.

    What are your goals? What need motivates your questions?

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  4. Re: How safe is a "Limited" XP account?

    Todd H. wrote:
    > Investigate all the default options you need to modify
    > to use Outlook relatively safely.


    There's just the one, and it's five easy clicks -- start, control panel,
    add/remove programs, "Outlook", "Yes I want to completely remove Outlook
    and all its components".



    > What are your goals? What need motivates your questions?


    The need for Ubuntu, from the look.

    --
    http://www.gnu.org/philosophy/right-to-read.html
    Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    "One ring to rule them all, one ring to find them
    One ring to bring them all, and in the darkness bind them."


  5. Re: How safe is a "Limited" XP account?

    In article , Todd H. wrote:

    >jbrock@panix.com (John Brock) writes:


    >> What bad things can happen to me while using a plain vanilla
    >> "Limited" Windows XP user account?


    >> In general I am interested in both likely and worst case
    >> scenarios. Any thoughts?


    >There are more secure OS's out there.
    >
    >What are your goals? What need motivates your questions?


    My motivation is very simple; I use a Limited account on my home
    XP system, and I want to understand how much extra security this
    buys me. I don't rely on it for security, and in fact I am quite
    paranoid about security -- I have a hardware firewall and anti-virus
    software, I have never used IE on this computer except to connect
    to microsoft.com for updates, and I read all my email via telnet.
    So far I seem to have avoided any viruses or spyware. I am well
    aware that there are more secure OS's, and I'm appalled at how
    poorly Windows is designed in terms of security. Still, you process
    words with the computer you've got, and I just want to understand
    the one I've got as well as possible.

    I think my question really breaks down into two parts:

    1) How well does the theoretical security provided by a Limited
    account hold up in practice? I.e., how hard is it in practice to
    "escalate privileges", and how long do bugs which allow this to
    happen go unfixed?

    2) How likely is it that a given piece of malware will be coded to
    try to escalate privileges if it finds itself running on a Limited
    user account, or even function effectively at all in this situation?
    My impression is that most Windows users spend most of their time
    in accounts with Administrator privileges, so maybe most virus
    writers wouldn't consider it worth their effort to write code that
    deals with Limited accounts. Or maybe not. I don't know, hence
    my question.

    I do notice that when I see lists of recommendations for securing
    Windows PCs Limited accounts are often not even mentioned, and I've
    wondered why that is. Maybe it's because some old or poorly designed
    software won't run properly, and because you can't install most
    software. Maybe it's assumed that the typical user can't be trusted
    to understand and use a Limited account. Or maybe it just doesn't
    add as much security as I think it does. Again, my question.
    --
    John Brock
    jbrock@panix.com


  6. Re: How safe is a "Limited" XP account?

    jbrock@panix.com (John Brock) writes:
    > In article , Todd H. wrote:
    >
    > >jbrock@panix.com (John Brock) writes:

    >
    > >> What bad things can happen to me while using a plain vanilla
    > >> "Limited" Windows XP user account?

    >
    > >> In general I am interested in both likely and worst case
    > >> scenarios. Any thoughts?

    >
    > >There are more secure OS's out there.
    > >
    > >What are your goals? What need motivates your questions?

    >
    > My motivation is very simple; I use a Limited account on my home
    > XP system, and I want to understand how much extra security this
    > buys me. I don't rely on it for security, and in fact I am quite
    > paranoid about security -- I have a hardware firewall and anti-virus
    > software, I have never used IE on this computer except to connect
    > to microsoft.com for updates, and I read all my email via telnet.


    Sounds like an excellent set of steps. Well, except the last one
    where I hope you mean ssh instead of telnet. :-)

    > So far I seem to have avoided any viruses or spyware. I am well
    > aware that there are more secure OS's, and I'm appalled at how
    > poorly Windows is designed in terms of security. Still, you process
    > words with the computer you've got, and I just want to understand
    > the one I've got as well as possible.
    >
    > I think my question really breaks down into two parts:
    >
    > 1) How well does the theoretical security provided by a Limited
    > account hold up in practice? I.e., how hard is it in practice to
    > "escalate privileges", and how long do bugs which allow this to
    > happen go unfixed?


    If you're using Windows, using a limited account is definitely better
    than using a full priv account. It's decidedly not as strong as
    using a UNIX user account simply because the security architecture is
    not as robust as *NIX. However, if you're going to be using Windows,
    a limited account is the best you can really do.

    If you would like to take this security isolation one step further,
    however, and still want to use Windows, you might consider running
    Linux as your host operating system and getting a copy of VMWare
    Workstation for Linux. Then, run Windows as one guest OS inside a
    VMWare virtual machine. You could install two different Windows
    virtual machines actually--one "clean" and one "dirty" and do risky
    work in one, and trusted work inside the other. If you run a limited
    account inside of there, you get even better protection. With this
    virtual machine/VMWare method, most malware you encounter will at
    least only be contained to that particular virtual machine, and will
    leave the rest of your virtual machines unharmed.

    Malware writers, however, are working on ways to break out of virtual
    machines like this...but thus far, I don't think they're having a lot
    of success.

    > 2) How likely is it that a given piece of malware will be coded to
    > try to escalate privileges if it finds itself running on a Limited
    > user account, or even function effectively at all in this situation?


    Again, it's hard to answer with hard numbers without a lot of
    research, but I'd say that most malware is going after the low hanging
    fruit of a default install where the user had admin priv's already.
    As such, a limited account does buy you due diligence at the very
    least.

    > My impression is that most Windows users spend most of their time
    > in accounts with Administrator privileges, so maybe most virus
    > writers wouldn't consider it worth their effort to write code that
    > deals with Limited accounts. Or maybe not. I don't know, hence
    > my question.


    I'd agree with your take.

    > I do notice that when I see lists of recommendations for securing
    > Windows PCs Limited accounts are often not even mentioned, and I've
    > wondered why that is.


    I think it's perhaps because they're new and unique to XP (at least in
    the parlance "limited account.") Win2k and NT had similar constructs,
    but the roles were something of default user, power user, and
    administrator, and others.

    > Maybe it's because some old or poorly designed software won't run
    > properly, and because you can't install most software. Maybe it's
    > assumed that the typical user can't be trusted to understand and use
    > a Limited account. Or maybe it just doesn't add as much security as
    > I think it does. Again, my question.


    You've brought up a good point about limited, or non-administrative
    accounts. From what I've read, there is a non-trivial amount of
    software out there that doesn't work with them. :-\

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  7. Re: How safe is a "Limited" XP account?

    John Brock wrote:
    > I do notice that when I see lists of recommendations for securing
    > Windows PCs Limited accounts are often not even mentioned, and I've
    > wondered why that is. Maybe it's because some old or poorly designed
    > software won't run properly, and because you can't install most
    > software.


    This probably has more to do with history and habits than the actual
    security. In UNIX limited user accounts are the rule rather than the
    exception. But Windows has a history based upon single user operating
    systems, which has later had functionality added to emulate multi user
    support. Of course, NT was a huge step in the right direction, but software
    designed for NT 3.x/4.0/2000 still had to be designed to also run on Windows
    3.x/9x/ME. So it was easier to assume that the user would run under
    administrative privileges than to make support for limited users under true
    multi user environments.

    Even today all accounts created in XP are administrator accounts by default.
    And worse; Windows happily accepts blank passwords for all users, including
    'administrator'. Even if limited accounts became the norm, it would probably
    be easy to spread a worm that runs itself with administrator privileges
    simply by guessing that the administrator password should be blank.

    > Maybe it's assumed that the typical user can't be trusted
    > to understand and use a Limited account.


    Now, _this_ makes no sense to me. The question should rather be how can a
    typical user be trusted with a _non_-limited account.

    > Or maybe it just doesn't
    > add as much security as I think it does.


    It's not likely to be bulletproof, but it does add security. If the goal is
    ultimate security then limited user accounts are one of several mandatory
    steps.
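    The post above turns on two facts about the local SAM: which accounts sit in
    Administrators, and whether the system will accept a blank password for them.
    Here is an added check for both (my own script, not code from anyone in this
    thread). It assumes Windows PowerShell with the WinNT ADSI provider, which is
    present on any stand-alone Windows box. It reads the ADS_UF_PASSWD_NOTREQD
    flag from each account; a set flag means the SAM permits an empty password,
    not that the password is empty. The only way to prove the latter is a logon
    attempt, which this script deliberately does not make.

```powershell
# Added example (not from the thread). Lists local accounts with the two
# things a worm guessing "Administrator, blank password" cares about: is the
# account in Administrators, and does the SAM even require it to have a
# password (ADS_UF_PASSWD_NOTREQD). Disabled accounts are flagged so that the
# built-in Administrator (disabled by default on newer Windows) is not
# over-counted.

$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_PASSWD_NOTREQD = 0x0020

function Get-LocalAccountRisk {
    param([string]$Computer = $env:COMPUTERNAME)

    $machine = [ADSI]"WinNT://$Computer"
    $admins  = [ADSI]"WinNT://$Computer/Administrators,group"
    # Group members come back as COM objects; pull their Name via reflection.
    $adminNames = @($admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    foreach ($entry in $machine.psbase.Children) {
        if ($entry.psbase.SchemaClassName -ne 'User') { continue }
        $name  = $entry.psbase.Name
        $flags = [int]$entry.psbase.Properties['UserFlags'].Value
        $age   = [int]$entry.psbase.Properties['PasswordAge'].Value   # seconds
        New-Object PSObject -Property @{
            Account         = $name
            Administrator   = ($adminNames -contains $name)
            Disabled        = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
            BlankPwAllowed  = (($flags -band $ADS_UF_PASSWD_NOTREQD) -ne 0)
            PasswordAgeDays = [math]::Floor($age / 86400)
        }
    }
}

# Worst case first: enabled administrators the SAM will accept with no password.
Get-LocalAccountRisk |
    Sort-Object -Property @{ Expression = { $_.Administrator -and $_.BlankPwAllowed -and -not $_.Disabled }; Descending = $true }, Account |
    Format-Table Account, Administrator, Disabled, BlankPwAllowed, PasswordAgeDays -AutoSize
```

    Any row that is Administrator = True, Disabled = False and BlankPwAllowed =
    True is the account the post is worried about; set a password on it and the
    flag clears. The same information is visible per account in the "Password
    required" line of `net user <name>`, but that is one account at a time.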



  8. Re: How safe is a "Limited" XP account?

    John Brock wrote:

    >What bad things can happen to me while using a plain vanilla
    >"Limited" Windows XP user account? In the most extreme case,
    >suppose I am totally reckless, and I visit every questionable web
    >site I can find, and click on every questionable attachment that
    >comes my way. In theory it would still seem that nothing really
    >bad can happen,
    >



    any virus/worm you get will affect the entire machine...
    not just that account
    by setting up a "limited" account you are no safer than your own
    (hopefully good) common sense

  9. Re: How safe is a "Limited" XP account?

    philo writes:

    > John Brock wrote:
    >
    > >What bad things can happen to me while using a plain vanilla
    > >"Limited" Windows XP user account? In the most extreme case,
    > >suppose I am totally reckless, and I visit every questionable web
    > >site I can find, and click on every questionable attachment that
    > >comes my way. In theory it would still seem that nothing really
    > > bad can happen,

    >
    >
    > any virus/worm you get will affect the entire machine...


    > not just that account
    > by setting up a "limited" account you are no safer than your own
    > (hopefully good) common sense



    No, this is not necessarily true. It depends on the vulnerability the
    virus/worm utilizes.

    A virus/worm that runs in user context (such as one an unwitting user
    clicks on and executes via email, or certain buffer overflow exploits
    of programs run in local user context) won't be able to overwrite
    system files or registry keys that a limited user is not authorized to
    modify, and as such, will fail in the general case to infect the
    entire system.

    That's the modicum of additional security that a limited account
    affords ya.

    You would be correct only if speaking about the subset of malware that
    attacks unpatched vulnerabilities of system processes that run with
    system privileges.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  10. Re: How safe is a "Limited" XP account?

    "Todd H." wrote in message
    news:m03bvlliu7.fsf@ripco.com...

    > No, this is not necessarily true. It depends on the vulnerability the
    > virus/worm utilizes.


    Another big "it depends" is the file system. If your XP is installed on
    NTFS it is very, very much more secure than if it is installed on a FAT or
    FAT32 filesystem. On FAT32, your limited account can pretty much write any
    file. Not so on NTFS.

    I'm afraid that some posters are right in that most Windows users do their
    day to day work on an administrative account. There seem to be a number of
    applications from major vendors that just plain won't work on a limited
    account, especially on SP2.

    I'm not convinced that XP/SP2 on NTFS by itself is any less secure than
    Linux without SELinux. However, the applications are another matter
    entirely.

    ...
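    Todd's point (user-context malware cannot write system files or HKLM keys a
    limited user lacks rights to) and xpyttl's point (those rights only exist on
    NTFS) are both easy to measure rather than argue about. The following is an
    added script of my own, not code from either poster. It assumes Windows
    PowerShell and should be run from the account you want to test. It reports
    the token's group membership, the system volume's filesystem, and then does a
    harmless create-and-delete in the locations malware needs to reach to own the
    whole machine, beside the locations any user may write.

```powershell
# Added example (not from the thread). Run from the account under test.
# Nothing here changes the machine beyond creating and removing a probe
# file or registry key wherever the write is allowed.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
# On Vista and later a non-elevated administrator also reports $false here.
"Running as $($identity.Name); member of Administrators: $isAdmin"

# FAT/FAT32 carries no ACLs: without NTFS the limited account boundary is
# enforced for the registry but not for a single file on disk.
$sysRoot = (Get-Item $env:SystemRoot).PSDrive.Root          # e.g. C:\
$fs      = (New-Object System.IO.DriveInfo($sysRoot)).DriveFormat
if ($fs -eq 'NTFS') {
    "System volume $sysRoot is NTFS: file ACLs apply"
} else {
    "System volume $sysRoot is $fs : no ACLs, every account can write every file"
}

function Test-WriteAccess {
    # Returns $true if the caller can create (and remove) an object under $Path.
    param([string]$Path, [ValidateSet('File','RegKey')][string]$Kind)
    $probe  = 'limited-account-probe-' + [guid]::NewGuid().ToString('N')
    $target = Join-Path $Path $probe
    try {
        if ($Kind -eq 'File') {
            [System.IO.File]::WriteAllText($target, 'probe')
            Remove-Item -LiteralPath $target -Force
        } else {
            $null = New-Item -Path $target -ErrorAction Stop
            Remove-Item -Path $target -Force
        }
        return $true
    } catch {
        return $false
    }
}

$targets = @(
    @{ Path = "$env:SystemRoot\System32"; Kind = 'File';   Why = 'system binaries: needed to infect the whole machine' },
    @{ Path = $env:ProgramFiles;          Kind = 'File';   Why = 'installed applications' },
    @{ Path = 'HKLM:\SOFTWARE';           Kind = 'RegKey'; Why = 'machine-wide registry (HKLM Run keys live here)' },
    @{ Path = $env:USERPROFILE;           Kind = 'File';   Why = 'the profile: always writable, so user-level malware still runs' },
    @{ Path = 'HKCU:\SOFTWARE';           Kind = 'RegKey'; Why = 'per-user registry (HKCU Run keys live here)' }
)
foreach ($t in $targets) {
    $verdict = if (Test-WriteAccess -Path $t.Path -Kind $t.Kind) { 'WRITABLE' } else { 'denied  ' }
    "{0} {1,-40} {2}" -f $verdict, $t.Path, $t.Why
}
```

    On a limited account over NTFS the expected picture is "denied" for
    System32, Program Files and HKLM, and "WRITABLE" for the profile and HKCU.
    That last pair is the caveat worth remembering: the account still has
    everywhere it needs to run, persist (HKCU Run) and read your own files; what
    it is denied is the machine-wide foothold. On a FAT32 volume the first two
    file rows flip to WRITABLE while the registry rows stay as they were.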



  11. Re: How safe is a "Limited" XP account?

    "xpyttl" writes:

    > "Todd H." wrote in message
    > news:m03bvlliu7.fsf@ripco.com...
    >
    > > No, this is not necessarily true. It depends on the vulnerability the
    > > virus/worm utilizes.

    >
    > Another big "it depends" is the file system. If your XP is installed on the
    > NTFS it is very, very, much more secure than if it is installed on a FAT or
    > FAT32 filesystem. On FAT32, your limited account can pretty much write any
    > file. Not so on NTFS.


    Thank you for bringing this up. I absolutely should've included that
    mention. I've been using NTFS for so many years I tend to forget
    this. :-)

    > I'm not convinced that XP/SP2 on NTFS by itself is any less secure than
    > Linux without SELinux. However, the applications are another matter
    > entirely.


    I won't argue too hard with that. Linux is certainly no OpenBSD
    that's for sure. :-)

    --
    Todd H.
    http://www.toddh.net/

  12. Re: How safe is a "Limited" XP account?

    Todd H. wrote:
    > I won't argue too hard with that. Linux is certainly no OpenBSD
    > that's for sure. :-)


    What's this mean exactly?

    --
    http://www.gnu.org/philosophy/right-to-read.html
    Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    "One ring to rule them all, one ring to find them
    One ring to bring them all, and in the darkness bind them."


  13. Re: How safe is a "Limited" XP account?

    Twisted One writes:

    > Todd H. wrote:
    > > I won't argue too hard with that. Linux is certainly no OpenBSD
    > > that's for sure. :-)

    >
    > What's this mean exactly?


    OpenBSD is regarded by many as one of the most secure OS's out there.

    Neither Linux nor WinXP really come close.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  14. Re: How safe is a "Limited" XP account?

    Todd H. wrote:
    > OpenBSD is regarded by many as one of the most secure OS's out there.
    >
    > Neither Linux nor WinXP really come close.


    How is Linux worse?

    Too bad there are now actually some almost-usable linux distros (ubuntu)
    and no openbsd distros worthy of note. :P

    --
    http://www.gnu.org/philosophy/right-to-read.html
    Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    "One ring to rule them all, one ring to find them
    One ring to bring them all, and in the darkness bind them."


  15. Re: How safe is a "Limited" XP account?

    Twisted One writes:

    > Todd H. wrote:
    > > OpenBSD is regarded by many as one of the most secure OS's out there.
    > > Neither Linux nor WinXP really come close.

    >
    > How is Linux worse?


    No default buffer overflow countermeasures, among other things.
    SE-Linux addresses that I believe http://www.nsa.gov/selinux/ but
    most distro's by default lack much in the way of stack execute
    protection and such goodies that make it much harder for the bad guys
    to exploit programs that are vulnerable to buffer overflows.

    Linux, however, is moving toward OpenBSD levels of security-by-default
    faster than Windows seems to be. Windows has a tougher row to hoe
    though because the whole damned architecture was sorta caught by
    surprise that this internet thing really caught on, whilst *NIX's
    have lived in a networked world essentially since birth.

    Some more info on Open BSD's goals here:
    http://www.openbsd.org/security.html

    You'll notice their advisory list is a whole lot shorter than either
    Linux (pick any distro) or Windows, but their security architecture in
    OpenBSD has been among the #1 priorities from the inception of the OS
    and code has been extremely thoroughly audited and they have a fairly
    tight knit group of developers trusted with modifications. Linux is
    much more of a "bazaar" approach with a lot more hands in the cookie
    jar.

    Linux fans, on the other hand, argue that there are more security
    tools available for Linux, so Linux has the potential to be awfully
    well secured. Even so, nearly all distros don't come that way by
    default, and most users are far from security experts and lack the
    knowledge to lock them down all that well. In practice, it turns out
    that it's not hard to find Linux boxes that are vulnerable to
    something exploitable due to an administrator not keeping up with
    patches. OpenBSD boxen on the other hand...if there is a
    vulnerability out there, they're a lot harder to exploit on that OS.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/

  16. Re: How safe is a "Limited" XP account?

    Twisted One wrote:
    > Todd H. wrote:
    >> OpenBSD is regarded by many as one of the most secure OS's out
    >> there. Neither Linux nor WinXP really come close.

    >
    > How is Linux worse?


    The basic ideology behind OpenBSD is different than most OSes. Security has
    top priority (even higher than functionality, it may seem at times), and a
    lot of time and manpower is spent debugging source code not only for known
    bugs and vulnerabilities, but even to weed out bad coding which may or may
    not prove to cause problems at some stage.

    There have been similar attempts to produce high security Linux
    distributions, such as Adamantix, Trustix and Hardened Gentoo. Also, I hear
    that Novell SuSE Linux Enterprise Server 9 recently passed the Common
    Criteria Controlled Access Protection Profile/Evaluation Assurance Level 4+,
    which is supposed to be the highest security certification given to any
    current Linux distribution.

    > Too bad there are now actually some almost-usable linux distros
    > (ubuntu) and no openbsd distros worthy of note. :P


    What are your criteria for "usable"? What do you use it for? I have used
    OpenBSD for firewalls and web servers, among other things, and it worked
    fine for me.

    On a side note: There is no such thing as an OpenBSD "distro". The same goes
    for any other BSD. Instead, you have branches and forks. For instance,
    OpenBSD itself is a fork off NetBSD.



  17. Re: How safe is a "Limited" XP account?

    André Gulliksen wrote:
    > What is your criteria for "usable"? What do you use it for? I have used
    > OpenBSD for firewalls and web servers, among other things, and it worked
    > fine for me.


    Usable, as in there's actually a user interface and documentation.
    Trying to accomplish typical desktop tasks on it doesn't feel like
    trying to fix a generator holding a flashlight in your teeth, groping
    about in the dark for your tools while you watch an ominously increasing
    amount of smoke pour out of the darn thing.

    > On a side note: There is no such thing as an OpenBSD "distro". The same goes
    > for any other BSD. Instead, you have branches and forks. For instance,
    > OpenBSD itself is a fork off NetBSD.


    I meant "packaged distributions", however the heck you get it to install
    it. :P

    --
    http://www.gnu.org/philosophy/right-to-read.html
    Palladium? Trusted Computing? DRM? Microsoft? Sauron.
    "One ring to rule them all, one ring to find them
    One ring to bring them all, and in the darkness bind them."

