[OT] Limited User Account (WinXP Pro SP2).
on 21.01.2007 04:32:08 by Mel Bourne
Hello.
For security reasons I created a Limited User Account (LUA) and begin to
wonder if the security benefits outweigh the hassles.
Most applications are working only with Administrator-level accounts.
http://support.microsoft.com/default.aspx?scid=kb;en-us;307091 recommends to
contact the software manufacturers...well, most of them don't respond.
The "Run as..." option doesn't work on all applications like CA AV.
With respect to AV/A-S applications, only SuperAntiSpyware and Spybot S&D
responded. I was advised that when scanning with SAS in Administrator
Account the LUA is included as well. Spybot S&D however recommends to scan
both accounts individually.
Ad-Aware, and a2 have yet to respond.
My resident (Real-Time) Av application (CA Anti-Virus v8.3.0.1 - free
one-year trial) will not update while in Limited User A/C.
Error Messages:
"Security center was unable to successfully update components."
"The licence validating did not complete successfully: Failed to connect to
the update server. An error has been detected while trying to make an
internet connection. Please check your connection settings and try again."
CA forum is very poorly visited and I don't expect a response.
I am a careful surfer, don't play any computer games, practice safe-hex and
my OS & browser (IE7) are 'hardened' considerably. Routine AV scans (incl.
Multi_AV) never show anything serious. I haven't had a severe virus
encounter for a very long time.
What are your experiences and/or recommendations?
Is it worth the hassle using LUA?
TIA...........Mel :)
Re: [OT] Limited User Account (WinXP Pro SP2).
on 21.01.2007 07:40:09 by Gary Mills
In "Mel Bourne" writes:
>For security reasons I created a Limited User Account (LUA) and begin to
>wonder if the security benefits outweigh the hassles.
>Most applications are working only with Administrator-level accounts.
>http://support.microsoft.com/default.aspx?scid=kb;en-us;307091 recommends to
>contact the software manufacturers...well, most of them don't respond.
With Windows XP Pro, all of the ordinary user applications included
with Windows work perfectly when run by a limited user. Some
administrative functions, such as creating accounts or installing
software require Administrator privileges. Just log in as
Administrator when you need to do those things. Third-party user
applications should work for a limited user, assuming that they are
properly designed. Of course, products like firewalls and virus
scanners that require access to the entire computer will need to
run as Administrator.
Yes, it's worth the hassle, especially for users who have no idea
which operations are safe and which are dangerous. Don't even give
them the Administrator password.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Re: [OT] Limited User Account (WinXP Pro SP2).
on 21.01.2007 14:09:38 by Ansgar -59cobalt- Wiechers
Mel Bourne wrote:
> For security reasons I created a Limited User Account (LUA) and begin
> to wonder if the security benefits outweigh the hassles.
>
> Most applications are working only with Administrator-level accounts.
Can't confirm that. Most applications I work with run just fine under a
limited user account, or can at least be configured to do so.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;307091
> recommends to contact the software manufacturers...well, most of them
> don't respond.
First ask yourself: would it be a good idea to run the application as a
limited user? System maintenance tasks and stuff like that, like e.g.
defragmenting the harddisk, changing the (system-wide) configuration of
the virus scanner, etc., should only be done by administrative users. If
it's something like that: log in as an administrative user, do the task,
then switch back to the limited user. If it's something that can be
expected to run with limited rights: check the support pages and FAQ of
the vendor. Maybe they've already documented what to do. Also you can
try to analyze and fix the problem yourself. I've just updated the
little HOWTO [1] I wrote about this.
Contact the vendor only if the above steps didn't solve your problem. If
the vendor doesn't respond, I suggest to dump their product and switch
to something that does support LUA.
> The "Run as..." option doesn't work on all applications like CA AV.
"Run as" does not solve the problem, because a) the application will be
running with elevated privileges, which was what you wanted to avoid in
the first place, and b) an application running interactively with
elevated privileges may be subject to so-called shatter attacks.
[...]
> What are your experiences and/or recommendations?
>
> Is it worth the hassle using LUA?
It most definitely is.
[1] http://www.planetcobalt.net/sdb/submission.shtml
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 09:22:29 by Dave English
In message , Gary Mills
writes
>In "Mel Bourne" writes:
>
>>For security reasons I created a Limited User Account (LUA)
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
>> and begin to
>>wonder if the security benefits outweigh the hassles.
A very good idea, I use them.
>>Most applications are working only with Administrator-level accounts.
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;307091 recommends to
>>contact the software manufacturers...well, most of them don't respond.
>
>With Windows XP Pro, all of the ordinary user applications included
>with Windows work perfectly when run by a limited user.
For e.g. double clicking on the clock in the systray does not display
the clock in a window, because it does not want you to change the
clock.
Also, changing timezone is a quite legitimate thing for a non-admin user
to want to do.
> Some
>administrative functions, such as creating accounts or installing
>software require Administrator privileges. Just log in as
>Administrator when you need to do those things.
I would recommend makemeadmin for that.
> Third-party user
>applications should work for a limited user, assuming that they are
>properly designed.
> Of course, products like firewalls and virus
>scanners that require access to the entire computer will need to
>run as Administrator.
.... but none the less the user does not need to run as administrator
while using them.
>Yes, it's worth the hassle, especially for users who have no idea
>which operations are safe and which are dangerous. Don't even give
>them the Administrator password.
Yes it is worth the hassle.
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
Regards
--
Dave English Senior Software & Systems Engineer
Internet Platform Development, Thus plc
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 09:28:22 by Dave English
In message <51h70iF1kie4jU1@mid.individual.net>, Ansgar -59cobalt-
Wiechers writes
>Mel Bourne wrote:
>> For security reasons I created a Limited User Account (LUA) and begin
>> to wonder if the security benefits outweigh the hassles.
>>
>> Most applications are working only with Administrator-level accounts.
>
>Can't confirm that. Most applications I work with run just fine under a
>limited user account, or can at least be configured to do so.
>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;307091
>> recommends to contact the software manufacturers...well, most of them
>> don't respond.
>
>First ask yourself: would it be a good idea to run the application as a
>limited user? System maintenance tasks and stuff like that, like e.g.
>defragmenting the harddisk,
Why?
Although the command line in XP from Executive software requires admin,
their full products do not I think.
The excellent Whitney defrag command line does not require admin, except
of course to install the driver.
http://www.flexomizer.com/PermaLink,guid,ce99367e-158c-487a-879d-b32145cc1957.aspx
> changing the (system-wide) configuration of
>the virus scanner, etc., should only be done by administrative users.
....
--
Dave English Senior Software & Systems Engineer
Internet Platform Development, Thus plc
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 09:28:47 by Volker Birk
Sebastian Gottschalk wrote:
> Installing a driver for defragmentation? This is crazy. Too good that you
> actually just meant a service, not a driver.
And good, too, that you meant a kernel module, not the driver pattern ;-)
SCNR,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 09:59:42 by unknown
Post removed (X-No-Archive: yes)
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 10:08:28 by unknown
Post removed (X-No-Archive: yes)
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 11:14:19 by Volker Birk
Sebastian Gottschalk wrote:
> Volker Birk wrote:
> > Sebastian Gottschalk wrote:
> >> Installing a driver for defragmentation? This is crazy. Too good that you
> >> actually just meant a service, not a driver.
> > And good, too, that you meant a kernel module, not the driver pattern ;-)
> Maybe I didn't get the joke, that's why I'm discussing it:
MSFT does not only use "driver" for kernel modules.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 11:49:49 by unknown
Post removed (X-No-Archive: yes)
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 12:23:31 by unknown
Post removed (X-No-Archive: yes)
Re: [OT] Limited User Account (WinXP Pro SP2).
on 22.01.2007 15:34:08 by Ansgar -59cobalt- Wiechers
Dave English wrote:
> Ansgar -59cobalt- Wiechers writes
>> Mel Bourne wrote:
>>> For security reasons I created a Limited User Account (LUA) and
>>> begin to wonder if the security benefits outweigh the hassles.
>>>
>>> Most applications are working only with Administrator-level
>>> accounts.
>>
>> Can't confirm that. Most applications I work with run just fine under
>> a limited user account, or can at least be configured to do so.
>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;307091
>>> recommends to contact the software manufacturers...well, most of
>>> them don't respond.
>>
>> First ask yourself: would it be a good idea to run the application as
>> a limited user? System maintenance tasks and stuff like that, like
>> e.g. defragmenting the harddisk,
>
> Why?
Because system maintenance is administrative work? Sure, one can build a
defragmenter that can be used with limited rights, but that'd require
either elevation of the user's privileges, or a backend running with
elevated privileges, both of which might be exploited by malware. Plus,
I'd prefer to logically separate administrative tasks (especially system
maintenance) from user tasks.
The fact that you *can* do something doesn't necessarily imply that you
*should* be doing it.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich