#1
Unable to change passwords or delete user accounts
Have you ever tried it in Safe Mode?
#2
User Accounts
You cannot delete the Guest account; you can only disable it (done by default) or rename it.
#3
User Accounts
Hey James, I'm new around here, and am also the only user of my PC, but after a while, I realized that having multiple user accounts is very useful. Here are the multiple users I set up, and am glad I did.

Obviously an Administrator account is needed for Windows Updates, installing new software, etc. Rename it to something else though, because it is too easily guessed. Other than Windows Updates, I never use the internet when logged on the Administrator account, because any spyware/crippleware that gets in has unlimited ability to damage your installation if you're logged in as Administrator.

For surfing the internet, I set up a different account. My internet account has no permission to access critical folders such as Program Files or Windows, except Read/Execute, because that's how I set up the folder permissions for the internet account. All attempts by worms/viruses/spyware to change the registry or Windows program files have failed. I know there have been attempts and I know they have failed, because I set up auditing, and I can see the attempts/failures in the Event Log.

I never use this Internet account for working with private family records, because hackers might steal and/or corrupt the private data. So, I set up a different account for working with private family records. This account does have create/modify/delete privileges to the folder named Program Files, but does not have create/modify/delete privileges to the Windows folder, where the registry and system files are stored. I don't want to store private family records in the Administrator account, because the Administrator account must sometimes access the internet for Windows Updates.

Bottom line is I really am thankful for having different user accounts with different levels of permissions for different activities.

To answer your other questions, don't delete "All Users" or "Default User". Default User is used as the basis for creating new accounts. I don't know what "Owner" is.

"James P." wrote in message ...
> I'm frustrated by XP Home's User Accounts! MS decided that every computer has multiple users and needs separate settings management ... but I'm the only user on my system so why do I need multiple user support? The installation process should have an option to eliminate support for multiple users.
>
> The XP Home installation created folders for "All Users", "Default User", "Owner" and one using my name ... each has many sub-folders that essentially duplicate those of the All Users folder. What a waste of my HDD space and useless entries in the already bloated Registry!
>
> I'm familiar with the "All Users" folder concept from previous Windows versions but can anyone tell me who, what or why I have a "Default User" and "Owner" folders? Can these "mystery users" be removed from my system and if so, how? Can I delete the "Guest" User Account install created?
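A way to check that the folder-permission arrangement JW describes actually holds (the Users group limited to Read/Execute on \Program Files and \Windows), added here as an example and not code from the thread. It uses PowerShell's Get-Acl (PowerShell 2.0 runs on XP SP3), takes the two folder paths from the environment, assumes the English-language principal names of a standalone machine, and lists every Allow entry that gives Users, Everyone or Authenticated Users the ability to create, change or delete files or to change the ACL or owner.

```powershell
# Added example (not JW's or the thread's own code): report ACL entries on the
# two folders JW locked down that would let a Limited account modify them.

# Default locations taken from the environment; change these for a non-standard install.
$Paths = @($env:ProgramFiles, $env:SystemRoot)

# Principals every Limited (Users-group) account belongs to on a standalone box.
# Names assume an English-language Windows install.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# Anything beyond Read & Execute: bits that allow creating, changing or deleting
# files, or changing the ACL / owner of the folder.
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::Write -bor $Rights::Delete -bor
                   $Rights::DeleteSubdirectoriesAndFiles -bor
                   $Rights::ChangePermissions -bor $Rights::TakeOwnership)

# Generic rights (GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000) have no
# FileSystemRights name and show up on inherit-only entries; both grant write
# access to newly created subfolders and files.
$GenericWriteMask = 0x50000000

function Get-WriteableAces {
    param([string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Deny entries cannot grant anything; only the broad principals matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        $raw = [int]$ace.FileSystemRights
        $grantsWrite = (($raw -band $WriteMask) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0)
        if ($grantsWrite) {
            New-Object PSObject -Property @{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

$findings = @($Paths | ForEach-Object { Get-WriteableAces -Path $_ })
if ($findings.Count -eq 0) {
    'Users, Everyone and Authenticated Users hold no write rights on the checked folders.'
} else {
    'ACL entries that let a Limited account modify the checked folders:'
    $findings | Format-Table Path, Principal, Rights, Inherited, AppliesTo -AutoSize
}
```

The script inspects the ACL of the two top-level folders only; entries set directly on subfolders or files deeper in the tree are not covered.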
#4
User Accounts
Any idea what the "Default User" and "Owner" folders are for? Can these "mystery users" (and their folders) be removed from my system and if so, how?
#5
User Accounts
Hello JW,
Thanks for the details on how you're using your system and user accounts. I'm confused by something you said about the Administrator account ... what did you mean about needing to rename it ("Rename it to something else though, because it is too easily guessed.")? What specifically can be "guessed" and by whom?

If you only list one user during XP Home's installation it makes that primary acct an administrator with the user's name ... I'm guessing you changed that acct to "limited" and created a new administrator acct? So how many accts are you currently using? Based on your post I'm guessing at least 4 user accts:

Admin (hardware & software installs)
Limited (web surfing)
Limited (productivity computing)
Guest

My computer usage is very simple and straight-forward ... 70% emailing, 20% web, 10% productivity. I think that all that switching between user accounts would drive me nuts!
#6
User Accounts
Don't change your Admin account to Limited, if it's your only Admin account. (I think XP will not allow it anyway.)

I use XPpro, which automatically sets up an account named Administrator. If another name is listed during installation, it will be a second account with Admin privileges. I don't know if it works this way in XPhome. From what you're telling me, XPhome does not automatically name it Administrator, so since it's not Administrator, you have no need to rename it. In XPpro, it's easy to rename the Administrator account, because there is an option in Security Policies (secpol.msc). I think it can also be done quickly in XPhome, by typing Control Userpasswords2 in a command prompt window, but I've never tried this. You might want to try it, just to see if you have another account named Administrator.

I've heard advice against using names and passwords that can be easily guessed, because even if you're using a Limited account, a Trojan or hacker might try to start a program with Admin privileges, by using the Runas command, and trying a common ID/password (e.g. Administrator/God).

I have 4 accounts total, just as you described them. Two were built during installation - Administrator and Guest. Guest is disabled. I built the other two Limited accounts later. Then I changed the folder permissions on \Program Files and \Windows to allow only Read/Execute permission for the Users group (which includes the Limited accounts). Now Limited accounts cannot monkey with the system files and registry in the \Windows folder.

This arrangement also prevents Trojans and hackers from installing spyware/crippleware in the \Program Files and \Windows folder, but it doesn't stop everything. There is plenty of other vermin on the internet. Without installing themselves on disk, mobile code (e.g. Javascript, VBscript, ActiveX), Trojans, worms and Zombies can still run in memory (suffocating system resources), steal Email addresses and mail themselves out again, masquerading as messages from you. Cookies can still spy on your surfing habits, because they are installed in your \Documents and Settings folder. (Don't go monkey with permissions on the \Documents and Settings folder.) That's why it is still so very important to install anti-spyware, anti-virus software, and a 2-way firewall. (Don't rely solely on the one-way, intrusion-detection feature built into XP - Internet Connection Firewall.)

Whenever I work with private family records using the second Limited account, I modify permissions for only this account (not the User group), if I get any Access Denied errors trying to use the \Program Files folder. If this gets to be burdensome, I'll make my life easier, by changing the second Limited account to become a member of the Power Users group, instead of the Users group. I don't think this can be done in XPhome normally, but I've read in some other postings that the Windows-2000 style interface to folder permissions is accessible by rebooting in Safe Mode.

In XPpro, one Limited account cannot view files in other Limited accounts. I don't know if it works this way in XPhome. Would you do me a favor? When you set up 2 Limited accounts, build some files in both, see if one Limited account can view files in the other Limited account, and let me know back here. If for some reason we lose this conversation thread and don't link up again, then note that clicking on the box labeled "Make This Folder Private" will prevent other accounts, including the Administrator, from viewing documents stored within. If you don't see this check box on folder properties, then toggle the check box labeled "Use Simple File Sharing" in Folder Options.
#7
User Accounts
On the other hand, I'm not sure if XPhome has a check box labeled "Use Simple File Sharing".
#8
User Accounts
On Fri, 28 May 2004 10:34:49 -0500, "JW"
> Hey James, I'm new around here, and am also the only user of my PC, but after a while, I realized that having multiple user accounts is very useful. Here are the multiple users I set up, and am glad I did. Obviously an Administrator account is needed for Windows Updates, installing new software, etc. Rename it to something else though, because it is too easily guessed. Other than Windows Updates, I never use the internet, when logged on the Administrator account, because any spyware/crippleware that gets in has unlimited ability to damage your installation, if you're logged in as Administrator.

That's the theory, and applying this theory is one way to reduce risk exposure. It's not 100% effective though, given that there are many ways to escalate beyond intended account rights - user accounts become meaningless if malware drills below this level of abstraction.

There are other ways to reduce risk exposure, which aren't 100% effective either. Unfortunately, adopting user accounts as your strategy can render these other methods difficult or impossible to use, forcing you to choose one or other of these partially-effective strategies. This is due to limitations in the way user accounts are currently managed in XP.

After evaluating the risk/benefits of each, I decided that multiple user accounts are more hassle than they are worth. Instead, I use a single full admin account that is set up properly. If I could prevent the spawning of new user accounts, I'd be that much happier.

There are three basic problems with user accounts in XP:

1) You can't pre-set the template from which new accounts are spawned

Safety strategies that involve settings and non-default locations will fail when new accounts are spawned that fall back to MS duhfaults; the only current solution is to avoid spawning new accounts, or make sure that new accounts are manually set up as soon as they are created.

At this point, folks will quote an MS knowledge base article that outlines how to set up the "default user" account so that new accounts that are derived from this will start off the way you want them. The process involves creating an account with non-admin rights and then copying everything other than the registry hives to the "default user" account. Trouble is, no registry means no settings; see also (2).

2) Settings don't "stick" when account rights are reduced

In XP Home, I find that a number of settings fall back to MS defaults if the rights of the account are reduced below full admin status. For example, file name extensions are hidden, full paths are not shown, etc. So whatever safety benefits I gain by limiting account rights have to be offset against the safety benefits I lose.

3) You can't easily manage multiple user account settings

This applies to maintaining settings in general, but has particular significance when tackling malware that integrates itself via per-account settings. For example, running Ad-Aware to clean up commercial malware may fail to clean up user accounts other than the one it is run from, requiring the process to be repeated for each account. When an account can't be accessed (password unknown, or settings are held remotely), the system can't be cleaned up.

> To answer your other questions, don't delete "All Users" or "Default User". Default User is used as the basis for creating new accounts. I don't know what "Owner" is.

Owner is prolly the user account as created by the system builder when Windows XP was installed.

-------------------- ----- ---- --- -- - - - -
No, perfection is not an entrance requirement.
We'll settle for integrity and humility
-------------------- ----- ---- --- -- - - - -
#9
User Accounts
Cquirke, thanks for including your experience in this thread. While very valuable indeed, the meaning was sometimes over my head and hard to grasp. Hope you're still watching this, so you can clear some things up for me. Millions of other XP users like me are trying hard to understand and use every tool and feature in XP to lock down security as best as is possible. Your input would be greatly appreciated.

While I understand the terms "many ways to escalate beyond intended account rights" and "malware drills below this level of abstraction", the method escapes me. (How it is done would help lead to an understanding of how to inhibit it.) Millions of us newcomers are thinking that folder permissions in XP security is not ambiguous or equivocal. E.g. Deny permission to UserA does not mean UserA is sometimes denied access but sometimes can drill through it. E.g. If UserB does not have the right to Take Ownership, then UserB cannot figure out a loophole to Take Ownership.

In order to move toward an understanding of how to better secure our systems, how exactly does "malware drill below this level of abstraction" (which I believe refers to folder/file permission granted or denied to a user account)? How does malware "escalate beyond intended account rights" (which I believe refers to folder/file permission granted or denied to a user account, as opposed to the textbook meaning of user rights such as the Administrator's right to allow Logon Through Terminal Services)? What exactly are "these other ways to reduce risk exposure" which are "rendered difficult or impossible to use", when employing user accounts (i.e. folder permissions) as a security strategy? Regarding the single Admin account that you use, what exactly does "set-up properly" mean? Some examples or specifics would be helpful in transforming your words into tangible steps leading to operational weaponry.

While I certainly agree that (3) "multiple user accounts are not easily managed", and (2) settings do not stay the same when user account rights are changed, these (2 and 3) are not reworked on a daily or weekly basis. In most cases, once it's done (e.g. user account settings), they are not done again for a very long, long time.

The item that worries me most is #1. How do new user accounts get spawned, and who spawns them? Who has the right? Can a Limited user account spawn new user accounts? Can a process spawn new user accounts, if it is launched by a Limited user account? How can this spawning be stopped? An understanding of these lingering questions would help millions like me defend ourselves better.

Some examples or specifics would be helpful in transforming your words into tangible steps leading to operational weaponry. E.g. other than the standard suite of defenses used by 99% of us home users (anti-virus, anti-spyware, firewall, folder/account permissions), what additional tools and tactics would you use to help defend a standalone PC? After all, as in life, it's not the 98% preparedness that hurts us, it's the 2% unpreparedness that hurts.

Again, we greatly appreciate your experience/expertise, and thank you in advance.
#10
User Accounts
On Sat, 29 May 2004 12:44:19 -0500, "JW"
Cquirke, thanks for including your experience in this thread. While very valuable indeed, the meaning was sometimes over my head and hard to grasp. When that happens, quote back the sticky bits and I'll try to explain them in more detail. Top-posting may make it more difficult for me to know which bits are sticky, though, especially if you don't trim out the parts of the quoted material you don't need more details on. Hope you're still watching this, Yep - I tend to hang on to the threads I enter, so as long as you don't start a new thread, I should still be there Millions of other XP users like me are trying hard to understand and use every tool and feature in XP to lock down security as best as is possible. I'm one of those users too :-) While I understand the terms "many ways to escalate beyond intended account rights" and "malware drills below this level of abstraction", the method escapes me. (How it is done would help lead to an understand of how to inhibit it.) It's not useful to enumerate the ways, because to do so presupposes new ways will not be discovered. Instead, you can predict what will happen just by looking at this conceptually. Human activities have an inescapable error factor. If I ask you to do something utterly menial, such as write the letter R on paper 10000 times, you will make some mistakes. Read this post and you will see typos, and that's in English, my first language, not (say) C++ The more complex a system is, the more likely there will be errors - in fact, with modern software, this tends to inevitability. This makes computers interesting, in that they beging to act non-deterministically. A practical consequence is that one should not assume any slab of code will always work properly, and thus the more code that is exposed to the "outside", the higher the risk of exploit. It doesn't matter what the code is, or how it's intended to work. 
Good system design would simply remove dangerous functionalities that none of that system's users intend to use, and rely on weaker risk managements (passwords, security zones, account rights) only where functionalities are to be used, but only in certain contexts. If you have to rely on a weaker risk management strategy, such as passwords etc., then this is most effective when the surface exposed to the "outside" (the "fronteir", in other words) is small. The worst scenario is where these risk filtering measures are expected to operate throught the interior of the system - there's such a large surface area of code exposed, that breakthroughs are inevitable. Breakthroughts would fall into these categories: - spoofing a more powerful context (cracking pwds, etc.) - breaking through into a more powerful context - drilling beneath that entire layer of abstraction Millions of us newcomers are thinking that folder permissions in XP security is not ambiguous or equivocal. E.g. Deny permission to UserA does not mean UserA is sometimes denied access but sometimes can drill through it. Yep. But take Witty as an example; this drills into a defect in Black Ice Defender (a third-party firewall) and thus attains raw Ring 0 access to the system. At that far lower level of abstraction, concepts such as "user", "permissions" or even "file system" simply don't exist. The downside for Witty is that while it's operating at this low level, it would have to construct by hand an awareness of the file system in order to find and read files - but if all it wants to do is trash stuff, it can (and does) simply write to raw disk. 
The take-home messages here are:
- no security measure is 100% effective
- therefore *any* measure is useful if downside is small enough
- therefore also, plan what to do *when* defences are breached

> In order to move toward an understanding of how to better secure our systems, how exactly does "malware drill below this level of abstraction"?

In the case of Witty, it finds an opportunity presented by bad coding to position its code such that Black Ice Defender will run it. From that moment on, it's indivisible from Black Ice Defender as far as the OS is concerned, and it can do whatever that app can do.

There are other ways where context is lost. For example, consider security zones such as Internet Zone, My Computer Zone, etc. If a 3rd-party email app passes HTML "message text" to the OS to render as a Temp file, the chances are high that the OS will process that temp file as per My Computer (anything goes) zone.

If you read the various security alerts, you will see that many of these go about loss of context, or an escalation from one context to another more powerful one.

> How does malware "escalate beyond intended account rights"?

As above. Malware opportunities arise in three ways:
- social engineering
- bad design
- bad code

Patches go about bad code, but often the bad code is just a wart on the back of a bad design, and you'd prefer to rip out the entire bad design as your risk management strategy.

For example, one security alert describes a defect where scripts within cookies are processed in "My Computer" security zone, rather than the intended "Internet Zone". As far as MS is concerned, that's an example of bad code. As far as I'm concerned, that's an example of bad design - what the hell is the OS running scripts in cookies for, anyway? - and the patch does NOT address the *design* issue.

> What exactly are "these other ways to reduce risk exposure" which are "rendered difficult or impossible to use", when employing user accounts (i.e. folder permissions) as a security strategy?
> Regarding the single Admin account that you use, what exactly does "set-up properly" mean?

My starting point is this:
- what I don't intend to risk, I wall out
- what some may need to risk, I differentiate (pwd, etc.)
- what I may need to risk, I evaluate first
- what I decide to risk, I av-scan first

So antivirus is the "goalie of last resort" in this chain.

In order to evaluate risk, I need decent info; I need to know exactly where I am in the namespace ("show full paths"), know that I am looking at everything that is there ("do not hide system or hidden files") and am presented with information about the type of files I am looking at ("do not hide file name extensions"). If I limit an account in XP Home, it falls back to hiding paths, hidden files, and file name extensions. Dangerous!

> While I certainly agree that (3) "multiple user accounts are not easily managed", and (2) settings do not stay the same when user account rights are changed, these (2 and 3) are not reworked on a daily or weekly basis. In most cases, once it's done (e.g. user account settings), they are not done again for a very long, long time.

You misunderstand me. When you drop an account from Admin rights in XP Home, whatever settings you have already made revert to MS duhfaults, and you cannot change them back. Else it would be a nuisance rather than a crisis; you'd just change to Admin, apply settings, and change back again, whenever you needed to change settings that lower rights render inaccessible.

> The item that worries me most is #1. How do new user accounts get spawned, and who spawns them? Who has the right?

You (for human and bot values of "you") need admin rights to spawn new accounts, and this can be done via keyboard and mouse, or programmatically. When this is done, the new account starts off as per "Default user", within the additional limitations I've mentioned if the account has less than admin rights.

> Can a Limited user account spawn new user accounts?

Not directly, AFAIK.

> Can a process spawn new user accounts, if it is launched by a Limited user account?

Once it transcends the limited user rights, yes. For a clueful hacker or malware, it's a game of "Simon Says", that's all.

> How can this spawning be stopped?

No front door I can think of, other than to create a "default user" account that's so broken any new accounts created from it won't work.

> An understanding of these lingering questions would help millions like me defend ourselves better. Some examples or specifics would be helpful in transforming your words into tangible steps leading to operational weaponry.

Those are the skills I'm trying to build also. I'm relatively new to NT, coming from a background in Win9x (that's what I was awarded MVP in) and I read the XP newsgroups to learn more than to post.

> E.g. other than the standard suite of defenses used by 99% of us home users (anti-virus, anti-spyware, firewall, folder/account permissions), what additional tools and tactics would you use to help defend a standalone PC?

My approach is:
- what I don't intend to risk, I wall out
  - keep code patched up to date
  - kill off admin shares
  - kill off WSH (as I don't use it)
  - wall out BHOs (I don't use them either)
  - set MSware email to fake settings (I use Eudora)
  - use FATxx instead of NTFS (controversial)
  - avoid multiple user accounts
  - disable remote desktop invites
  - block \Autorun.inf processing on HD volumes
  - use Classic view (less Desktop.ini risk exposure)
  - never full-share C:\ or any part of startup axis
  - keep File and Print Sharing off Internet connection
  - keep the firewall on
- what some may need to risk, I differentiate (pwd, etc.)
  - as single user, nothing falls into this category
  - I'd pretend to be a "limited" user if accounts didn't suck++
- what I may need to risk, I evaluate first
  - I avoid any auto-running facilities
  - improve the information that the OS presents to me
  - keep myself up to date reading malware descs, etc.
- what I decide to risk, I av-scan first
  - use email app that breaks out attachments on arrival
  - keep incoming material out of data set in "suspect" subtree
  - run one resident av and keep it up to date
  - use additional non-resident av for on-demand and formal use
  - update and use on-demand scanners for commercial malware
- make sure I can maintain system in event of disaster
  - avoid NTFS until a suitable maintenance OS and formal av exists
  - avoid NTFS until suitable data recovery tools exist
  - enable Recovery Console to be more effective
  - use a DOS mode as an alternate boot environment
  - have an alternate web browser on hand
  - find and build skills with maintenance tools
  - automate backups (another *long* story, that!)

Links:
http://cquirke.mvps.org/whatmos.htm
http://cquirke.mvps.org/ntfs.htm
http://cquirke.mvps.org/9x/safe2000.htm (dated but useful)
http://cquirke.mvps.org/9x/malware.htm (dated but useful)
http://cquirke.mvps.org/9x/riskfix.htm (Win9x-orientated)
http://cquirke.mvps.org/9x/eudwhy.htm (why I use Eudora email)

-------------------- ----- ---- --- -- - - - -
No, perfection is not an entrance requirement.
We'll settle for integrity and humility
-------------------- ----- ---- --- -- - - - -
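Most of the "wall out" items in the checklist above (admin shares, WSH, Remote Desktop, Autorun, the firewall) and the "show full paths / hidden files / extensions" settings that the same post calls essential for evaluating risk live at documented registry locations, so a defender can verify them in one pass. The script below is an added example, not code from the thread or from its author; it assumes Windows PowerShell is installed (on XP that means PowerShell 1.0 or 2.0 on SP2/SP3) and is run from an account that can read HKLM. It is read-only: it reports which settings match the checklist and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the host-hardening
# settings listed in the post above, using the documented registry location
# for each. Assumes Windows PowerShell is available and the caller can read
# HKLM. Nothing is modified; each line reports OK, NOT SET, or MISMATCH.

$checks = @(
    @{ Name = 'Admin shares (C$, ADMIN$) disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'AutoShareWks'; Want = 0 },
    @{ Name = 'Windows Script Host disabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value = 'Enabled'; Want = 0 },
    @{ Name = 'Remote Desktop connections denied'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Value = 'fDenyTSConnections'; Want = 1 },
    @{ Name = 'Autorun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 255 },   # 0xFF = every drive type
    @{ Name = 'Windows Firewall on (standard profile)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Value = 'EnableFirewall'; Want = 1 },
    @{ Name = 'Explorer shows hidden files'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'Hidden'; Want = 1 },                  # 1 = show, 2 = hide
    @{ Name = 'Explorer shows protected OS files'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'ShowSuperHidden'; Want = 1 },
    @{ Name = 'Explorer shows file name extensions'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Value = 'HideFileExt'; Want = 0 }               # 0 = extensions visible
)

function Get-RegValueOrNull($path, $name) {
    # A missing key or missing value both mean the Windows default applies,
    # which for every item above is the *less* safe setting.
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

foreach ($c in $checks) {
    $actual = Get-RegValueOrNull $c.Path $c.Value
    $state = if ($null -eq $actual) { 'NOT SET (Windows default applies)' }
             elseif ($actual -eq $c.Want) { 'OK' }
             else { "MISMATCH (is $actual, want $($c.Want))" }
    '{0,-42} {1}' -f $c.Name, $state
}
```

Two of the checklist items are deliberately not covered: "File and Print Sharing off the Internet connection" is a per-adapter binding rather than a single registry value, and the FAT-versus-NTFS choice is a volume format, not a setting. The Autorun line only tests the NoDriveTypeAutoRun policy (which also exists under HKCU); the post's "block \Autorun.inf processing" may have been done another way, and on XP the policy is only honoured fully once the relevant Autorun updates are installed, so treat an OK there as necessary rather than sufficient.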
#11
User Accounts
Amazing. Reading your response was like finding a box half buried in the sand, opening it, and seeing a pirate's treasure. While I understand it, I was amazed at some enemy tactics I never knew about before. E.g. using bad code in cookies or a firewall to use the program (e.g. Black Ice) to attack the OS, as opposed to directly attacking a weakness in the OS. Makes perfect sense though.

It really made me realize that the more filtering programs a person uses, the greater the possibility that one of these well-intended programs will compromise the OS. In other words, every anti-virus, anti-spyware, cookie-filter, and firewall program exposed to the outside world, is another target the enemy will try to manipulate to betray the trust of the OS, in order to attack system files/folders.

Even more reason, it seems, to isolate what runs in memory, from what's stored on disk. Maybe absolute safety can only be attained by a diskless internet appliance. But then, many web sites that use ActiveX components or require persistent cookies wouldn't work at all.

From a conceptual perspective (high altitude view), I really like the approach of making the hard disk as completely off limits as possible to the account that surfs the web, and confining everything that comes down the wire to run only in memory, to the greatest degree possible, conceptually speaking. Alas, even though that will never ensure total protection for OS system folders, from everything I've seen, it should be one of many strong layers of protection we use in our defense. Like laminating several layers of composite material is stronger than a single layer of strong material.

In the real world though, in order to enjoy many web sites that have forfeited safer tools, in order to employ riskier tools that "enhance our experience", opening up a folder on disk is unavoidable for the web user account. Which is why we still need all those other layers of defense (anti-virus, anti-spyware, firewall, etc.).

I must say it is sad to see (IMHO) that folder permissions are rarely mentioned as a tool/tactic in newsgroup advice, alongside the top 3 (anti-virus, anti-spyware, firewall). Especially since folder permissions have less downside risk than filtering programs (anti-virus, anti-spyware, firewall) to the danger of being modified or manipulated by enemy forces.

"cquirke (MVP Win9x)" wrote in message ...

> On Sat, 29 May 2004 12:44:19 -0500, "JW"
>
> > Cquirke, thanks for including your experience in this thread. While very valuable indeed, the meaning was sometimes over my head and hard to grasp.
>
> When that happens, quote back the sticky bits and I'll try to explain them in more detail. Top-posting may make it more difficult for me to know which bits are sticky, though, especially if you don't trim out the parts of the quoted material you don't need more details on.
>
> > Hope you're still watching this,
>
> Yep - I tend to hang on to the threads I enter, so as long as you don't start a new thread, I should still be there
>
> > Millions of other XP users like me are trying hard to understand and use every tool and feature in XP to lock down security as best as is possible.
>
> I'm one of those users too :-)
>
> > While I understand the terms "many ways to escalate beyond intended account rights" and "malware drills below this level of abstraction", the method escapes me. (How it is done would help lead to an understanding of how to inhibit it.)
>
> It's not useful to enumerate the ways, because to do so presupposes new ways will not be discovered. Instead, you can predict what will happen just by looking at this conceptually.
>
> Human activities have an inescapable error factor. If I ask you to do something utterly menial, such as write the letter R on paper 10000 times, you will make some mistakes. Read this post and you will see typos, and that's in English, my first language, not (say) C++
>
> The more complex a system is, the more likely there will be errors - in fact, with modern software, this tends to inevitability. This makes computers interesting, in that they begin to act non-deterministically.
>
> A practical consequence is that one should not assume any slab of code will always work properly, and thus the more code that is exposed to the "outside", the higher the risk of exploit. It doesn't matter what the code is, or how it's intended to work.
>
> Good system design would simply remove dangerous functionalities that none of that system's users intend to use, and rely on weaker risk managements (passwords, security zones, account rights) only where functionalities are to be used, but only in certain contexts.
>
> If you have to rely on a weaker risk management strategy, such as passwords etc., then this is most effective when the surface exposed to the "outside" (the "frontier", in other words) is small. The worst scenario is where these risk filtering measures are expected to operate throughout the interior of the system - there's such a large surface area of code exposed, that breakthroughs are inevitable.
>
> Breakthroughs would fall into these categories:
> - spoofing a more powerful context (cracking pwds, etc.)
> - breaking through into a more powerful context
> - drilling beneath that entire layer of abstraction
>
> > Millions of us newcomers are thinking that folder permissions in XP security is not ambiguous or equivocal. E.g. Deny permission to UserA does not mean UserA is sometimes denied access but sometimes can drill through it.
>
> Yep. But take Witty as an example; this drills into a defect in Black Ice Defender (a third-party firewall) and thus attains raw Ring 0 access to the system. At that far lower level of abstraction, concepts such as "user", "permissions" or even "file system" simply don't exist.
> The downside for Witty is that while it's operating at this low level, it would have to construct by hand an awareness of the file system in order to find and read files - but if all it wants to do is trash stuff, it can (and does) simply write to raw disk.
#12
User Accounts
Wanted to say thanks again for all the advice.
While I still like the idea of a separate user account, used only for surfing the web, barred from all folders on the hard disk, except those in the user profile (My Documents, Favorites, Settings, etc.), by using folder permissions in XPpro, which are more flexible than in XPhome, I learned so much from your response, that I will add to my arsenal. These include:
- killing off admin shares
- killing off WSH
- walling out BHOs
- setting MSware email to fake settings
- disable remote desktop
- block \Autorun.inf processing on HD volumes
- use Classic view (less Desktop.ini risk exposure)
- never full-share C:\ or any part of startup axis
- disable File and Printer Sharing
- keep the firewall on