March 26th 10, 08:05 PM, posted to microsoft.public.windowsxp.security_admin
Anteaus
Is non-admin logon worth it?

IMLI, non-admin works for sites that have onsite IT staff to handle updates,
etc. For other sites it is too problematic.

There is also no certainty that limited-user working will block malware from
running. In principle, malware could still pinch information belonging to the
logged-on user, such as the address book. If the user can access it, so can a
malware process running in that account. It WILL limit the damage that
malware can do, though, and will generally prevent malware from becoming
system-resident.

As an additional (or alternative) protection you might like to look at:

http://sourceforge.net/projects/softwarepolicy

This takes the opposite approach to user restrictions, namely of preventing
software from running from unauthorized locations. Provided the blocked
locations include the temp and download folders, this is pretty effective at
stopping malicious downloads, etc. from launching.

There is also the option of running the most vulnerable apps such as
browsers as a limited user:

http://www.sysint.no/nedlasting/StripMyRights.htm

A combination of these two gives pretty-good protection against malware, and
with very few nags. I run both, and only have to turn the policy off if doing
something major. I can still change the time, display resolution, etc. without
nags popping up, and without the need to go full-admin. But if I
accidentally double-click an executable on a CDR or USB key... nothing
happens. Which is the way I like it.

When online, if the user-permissions of the browser allow an executable to
be downloaded to a folder, the software-policy forbids it from being launched
from that folder. Since processes spawned from the browser have the same
credentials as the browser, this mostly applies to plugins too. (Though you
should possibly be aware of QuickTime services, etc. which may be running as
an elevated user. Best answer is to remove these, they're not needed anyway.)

If the executable is a legitimate install, you either turn the policy off
while installing, or move it to another folder.

Hopefully the next version of Simple Software Policy will include both
functions, so only one app is needed to cover both aspects.


"njem" wrote:

I'm trying to move workstations in our office to non-admin logons for
better virus protection. Man, what a pain. The complications seem to
be unending. So now I want to verify that it's even worth it. Who
understands how viruses infect well enough to really know (not just
have heard) that not having an admin logon as the normal user logon
actually makes it harder for viruses? None of my stations are logged
on as "Administrator" just as some user that is an admin. And it's a
mix of XP and W7 stations and I _think_ that makes a difference. I
have a vague idea that under XP if the user is an admin they, or a
virus, can do pretty much anything with no need to give permission. So
maybe on an XP station it's worse. On a W7 station even if they are an
admin level user (and UAC is at default level) you'll get an ask
dialog if a virus wants to install something, I think. But would a
virus infection really trigger a "you don't have permission" message
if on XP a user was not an admin? Would it trigger a UAC confirmation
box in W7? Or do they manage to bypass all that? (I know if a scam can
trick a user into clicking okay all bets are off.)

Thanks
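
The location-based rule described in the post above, modelled as an added example (not part of the original post and not code from Simple Software Policy): a default-deny check that lets an executable launch only from an allowed directory. The allowed directories and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumed allowlist for illustration: locations only an administrator can write to.
ALLOWED_DIRS = [r"C:\Windows", r"C:\Program Files"]


def _parts(path):
    """Normalise a Windows path and split it into case-folded components."""
    norm = ntpath.normpath(path)  # collapses ".." and converts "/" to "\"
    drive, rest = ntpath.splitdrive(norm)
    return [drive.casefold()] + [p.casefold() for p in rest.split("\\") if p]


def may_launch(exe_path, allowed_dirs=ALLOWED_DIRS):
    """Default deny: launch only if the file sits under an allowed directory."""
    target = _parts(exe_path)
    for allowed in allowed_dirs:
        base = _parts(allowed)
        # Compare whole components so "C:\Program Files Evil" does not
        # match the rule for "C:\Program Files".
        if len(target) > len(base) and target[: len(base)] == base:
            return True
    return False


def audit(paths, allowed_dirs=ALLOWED_DIRS):
    """Return {path: 'allow' | 'block'} for a batch of launch attempts."""
    return {p: "allow" if may_launch(p, allowed_dirs) else "block" for p in paths}


# Constructed sample launch attempts mirroring the cases in the post:
# installed program, temp folder, download folder, removable drive,
# plus two edge cases (".." traversal and a look-alike folder name).
SAMPLE = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\setup.exe",
    r"C:\Documents and Settings\user\My Documents\Downloads\codec.exe",
    r"E:\autorun.exe",
    r"C:\Program Files\..\Documents and Settings\user\Desktop\x.exe",
    r"c:\program files evil\x.exe",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:5}  {path}")
```

Only the first sample path is allowed; moving a legitimate installer into an allowed directory, as the post suggests, changes its verdict to allow.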