If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Using Same Account as both Admin and Limited User
Hi,
Is there any reason I shouldn't use an account as an Administrator to install programs, and do other things that require Admin privileges, and downgrade that same account to Limited User for every-day web surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission trouble that comes from a LUA running programs installed a another account. If this isn't the way to do it, how else can it be done? I'm using XP Home (SP3). Thanks for any advice. Cordially, Walt |
Ads |
#2
|
|||
|
|||
Using Same Account as both Admin and Limited User
Walter Mingle wrote:
Hi, Is there any reason I shouldn't use an account as an Administrator to install programs, and do other things that require Admin privileges, and downgrade that same account to Limited User for every-day web surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission trouble that comes from a LUA running programs installed a another account. If this isn't the way to do it, how else can it be done? I'm using XP Home (SP3). Thanks for any advice. Cordially, Walt Hello Walt: This is a basic computer security percept that isn't easy for some to grasp or for others to practice. The time you will require actual administrative privileges is very small when compared to all other chores you do with your system. By forgetting to return to a less privileged user mode, from Admin, one lays the system open to well known security risks. For the basic safety of your system, use the admin account for as short a time as is needed to tend to security and system related chores. When those chores are done, return to a less privileged user account. Avoid giving user accounts more privilege then needed. Congrats at being at SP3! Here's hoping all your other security is excellent. Pete -- 1PW @?6A62?FEH9E=6o2@=]4@ [r4o7t] |
#3
|
|||
|
|||
Using Same Account as both Admin and Limited User
On Wed, 15 Jul 2009 11:46:36 -0700, 1PW
wrote: snip By forgetting to return to a less privileged user mode, from Admin, one lays the system open to well known security risks. For the basic safety of your system, use the admin account for as short a time as is needed to tend to security and system related chores. When those chores are done, return to a less privileged user account. Avoid giving user accounts more privilege then needed. Hi Pete, I think I understand the security precepts you mention, and I agree with them - that's why I'm interested. What I'm really asking: is there any technical reason why I should stick with separate Admin and Limited accounts, rather than changing one single account back and forth as needed? In other words, does the mere act of upgrading a limited account to Admin, and then returning it back to limited status alter the permissions that a limited account should have, as you mentioned above? I'm not technically knowledgeable enough to know the answer. Congrats at being at SP3! Here's hoping all your other security is excellent. NAT router, Windows firewall, BitDefender and Safe Hex g. Pete Thanks, Pete. Walt |
#4
|
|||
|
|||
Using Same Account as both Admin and Limited User
It almost always is better to simply use one account for administrator only
activity and then another regular account for everyday use. That way you are much less likely to forget to demote your regular account if you had elevated it to administrator access because the account you use for administrator access will have an obviously different user profile with different desktop, favorites, etc. Steve "Walter Mingle" wrote in message ... Hi, Is there any reason I shouldn't use an account as an Administrator to install programs, and do other things that require Admin privileges, and downgrade that same account to Limited User for every-day web surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission trouble that comes from a LUA running programs installed a another account. If this isn't the way to do it, how else can it be done? I'm using XP Home (SP3). Thanks for any advice. Cordially, Walt |
#5
|
|||
|
|||
Using Same Account as both Admin and Limited User
Walter Mingle wrote:
Is there any reason I shouldn't use an account as an Administrator to install programs, and do other things that require Admin privileges, and downgrade that same account to Limited User for every-day web surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission trouble that comes from a LUA running programs installed a another account. If this isn't the way to do it, how else can it be done? I'm using XP Home (SP3). The Administrator account should never be touched except in case of emergency. Create a new alternate admin account that you use for installing software, creating user accounts, and other admin duties. Make your own account a limited or power account. You don't want to end up with a corrupted Administrator profile and have it as your only admin-level account that is no longer usable (a corrupted can be fixed but requires some work). You could also use the alternate admin account as a backup and use the Administrator account as your regular admin- level account; however, most recovery instructions will assume you are using the Administrator account and you could forget what is the name of the alternate admin account if you use it rarely. You can either logoff your own limited account and logon under the alternate admin account, or you can use Fast User Switching to flip between the two. For Internet-facing applications, you can run them under a LUA (limited user account) token which removes the admin privileges from them. They run with the same reduced privileges as when you run them after logging under a limited account. You can use DropMyRights. I use SysInternals' psexec to run a program under a LUA token. TallEmu's OnlineArmor has its RunSafer attribute that you can assign to applications to run them under a LUA token; however, I ran into some personal dislikes with OA (see my posts in their forums) and decided to stop using it, but periodically I revisit the product to see if they fixed my problems with it because I really like logging under an admin account but have some programs always run under a LUA token (you can easily use their tray icon to temporarily disable their Program Guard when you need, say, the web browser to be unlimited, like when using the Windows Update site). |
#6
|
|||
|
|||
Using Same Account as both Admin and Limited User
Walter Mingle wrote:
On Wed, 15 Jul 2009 11:46:36 -0700, 1PW wrote: snip By forgetting to return to a less privileged user mode, from Admin, one lays the system open to well known security risks. For the basic safety of your system, use the admin account for as short a time as is needed to tend to security and system related chores. When those chores are done, return to a less privileged user account. Avoid giving user accounts more privilege then needed. Hi Pete, I think I understand the security precepts you mention, and I agree with them - that's why I'm interested. What I'm really asking: is there any technical reason why I should stick with separate Admin and Limited accounts, rather than changing one single account back and forth as needed? In other words, does the mere act of upgrading a limited account to Admin, and then returning it back to limited status alter the permissions that a limited account should have, as you mentioned above? I'm not technically knowledgeable enough to know the answer. Congrats at being at SP3! Here's hoping all your other security is excellent. NAT router, Windows firewall, BitDefender and Safe Hex g. Pete Thanks, Pete. Walt Hello Walt: Steve's post is spot on. Words to live by. Regards, Pete -- 1PW @?6A62?FEH9E=6o2@=]4@ [r4o7t] |
#7
|
|||
|
|||
Using Same Account as both Admin and Limited User
On Wed, 15 Jul 2009 21:08:12 -0500, VanguardLH wrote:
The Administrator account should never be touched except in case of emergency. Create a new alternate admin account that you use for installing software, creating user accounts, and other admin duties. Make your own account a limited or power account. You don't want to end up with a corrupted Administrator profile and have it as your only admin-level account that is no longer usable (a corrupted can be fixed but requires some work). You could also use the alternate admin account snip rest Ok. Nobody likes my idea of switching the same account back and forth between elevated and limited as needed, so I'll give up on that idea. I wasn't planning on using the real Administrator account (the one that lives in Safe Mode in XP-Home) - I would have used a regular user account with admin privileges for that. Many thanks to all who answered - I *really* appreciate the time you folks took. Sincerely, Walt |
#8
|
|||
|
|||
Using Same Account as both Admin and Limited User
Look for a script callled MakeMeAdmin. BTW, I have long thought that what you say is correct. The lack of understanding, if any, lies in people who insist on applying 1960's shared-access mainframe principles to a personal computer. What is actually needed on a one-per-desk computer is a way to prevent access to system files when in 'normal mode' so as to offer better security against malware, and to allow such when in 'maintenance mode.' What happens instead is that all system configuration is done under an entirely different collection of settings, and any changes to the settings are thrown-away when returning to normal mode. This causes extreme awkwardness (in fact it means that most apps have to be configured twice-over) and is the main reason most people don't run as a limited user. As Zaphod Beeblebox would point out, two heads which constantly disagree are not necessarily an advantage over one. "Walter Mingle" wrote: Hi, Is there any reason I shouldn't use an account as an Administrator to install programs, and do other things that require Admin privileges, and downgrade that same account to Limited User for every-day web surfing, e-mail, newsgroups, etc.? I'm trying to avoid the permission trouble that comes from a LUA running programs installed a another account. If this isn't the way to do it, how else can it be done? I'm using XP Home (SP3). Thanks for any advice. Cordially, Walt |
#9
|
|||
|
|||
Using Same Account as both Admin and Limited User
Hi Anteaus, and thanks for replying.
On Sat, 18 Jul 2009 11:34:01 -0700, Anteaus wrote: Look for a script callled MakeMeAdmin. I don't think I want to make it too easy to switch the account back and forth between LUA and Admin rights. There's no time pressure to produce, so I'd want to do it deliberately (in the sense of 'not spur-of-the-moment'), with plenty of thought involved. BTW, I have long thought that what you say is correct. The lack of understanding, if any, lies in people who insist on applying 1960's shared-access mainframe principles to a personal computer. Well, I do buy into the whole security thing: run as a LUA account, only use Admin rights when absolutely necessary, make it tough - or, more correctly, not as easy - for the bad guys to mess with you. Practice safe hex. I believe in that, just like the folks who replied to me earlier do, and they're right - you risk getting taken to the cleaners if you play fast and loose. What seemed to concern them the most was that I would forget to switch back to LU mode without some sort of visual reminder of where I was. I make no claim about having a mind like an elephant, but if said pachyderm were to find itself stuck with a human-type mind, I submit it could do worse than mine g. What is actually needed on a one-per-desk computer is a way to prevent access to system files when in 'normal mode' so as to offer better security against malware, and to allow such when in 'maintenance mode.' What happens instead is that all system configuration is done under an entirely different collection of settings, and any changes to the settings are thrown-away when returning to normal mode. This causes extreme awkwardness (in fact it means that most apps have to be configured twice-over) and is the main reason most people don't run as a limited user. I believe the two preceding paragraphs to be correct; in fact, it is that exact scenario that has caused me the most trouble in XP, and I've been surprised that this way of handling it hasn't gotten more air time, so to speak. I've tried it, carefully, on two or three occasions, and it seemed to work - at least, nothing blew up. So, I'll keep looking for technical reasons to avoid this method, but I won't keep looking too much longer. It feels too "right" to not make use of, barring good reasons not to. Cordially, Walt |
#10
|
|||
|
|||
Using Same Account as both Admin and Limited User
Anteaus wrote:
What is actually needed on a one-per-desk computer is a way to prevent access to system files when in 'normal mode' so as to offer better security against malware, and to allow such when in 'maintenance mode.' What happens instead is that all system configuration is done under an entirely different collection of settings, and any changes to the settings are thrown-away when returning to normal mode. This causes extreme awkwardness (in fact it means that most apps have to be configured twice-over) and is the main reason most people don't run as a limited user. Well, that's why Microsoft made Windows Vista. Uh, wait... You can do several useful administrative things from a limited user desktop with right-click "Run As..." to select your administrator account. Other things you can't do at all, and some you can do by using "Run As..." in an indirect way. I think that's a way to run hard disk maintenance tools, for instance - through "Computer Management". But Windows Explorer, and "Windows Update" inside Internet Explorer, seem to be out. Administrator is always present and active in your computer but may not be talking to you. On the other hand, "Ordinary user" could be compromised while administrator is not - or so we're told. And yet frequently we hear of a Windows Update that stops a malicious exploit that invades as "Ordinary user" and then escalates to administrator. Which is not even needed if /you/ escalate "Ordinary user" to administrator status. I'm sure there are exploits that just assume that, like very many users even today, the victim is an administrator. As it happens, I'm looking for advice on securing an XP Home netbook I just got. Is there a good FAQ? Let's say my administrator account is named "Arthur" and the everyday user is named "Galahad" - although that's not leading anywhere. Now for instance there's a "real" Administrator that only works in safe mode, right? Apparently with no password as default? On the WWW I can find people telling me to rename /that/ administrator, delete it, change the password. Does any of that stuff matter if the account isn't accessible except for explicitly invoked mainenance? Also, I've apparently been silently but legally supplied with Norton Internet Security 2008 on hard disc, but not configured. But I favour F-Secure's products, and I want to upgrade protection on other systems I own, too. Also, my employer uses F-Secure. Still, I have this one copy of Norton for free - temporarily, I expect, a limited-time subscription. http://voices.washingtonpost.com/securityfix/2009/07/ update_for_norton_internet_sec.html (Brian Krebs) repeats but disagrees with criticism: "NIS has earned a bad rap over the years for being a slow, resource-hogging beast of an anti-virus program, but when I trialed the program for a few months, I found NIS2009 to be very fast and unobtrusive." He doesn't mention it being hell to remove from a system, which I've also heard. So I guess it could be (1) best avoided or (2) too late, since it's kind of there. |
Thread Tools | |
Display Modes | |
|
|