A Windows XP help forum. PCbanter


Unable to change passwords or delete user accounts



 
 
  #1  
Old May 8th 04, 07:45 PM
buddy
external usenet poster
 
Posts: n/a
Default Unable to change passwords or delete user accounts

Have you ever tried it in safe mode?
  #2  
Old May 28th 04, 01:48 AM
Michael CUmmings
external usenet poster
 
Posts: n/a
Default User Accounts

You cannot delete the Guest account, only disable it (done by default) or rename it.
  #3  
Old May 28th 04, 04:48 PM
JW
external usenet poster
 
Posts: n/a
Default User Accounts

Hey James, I'm new around here, and am also the only user of my PC, but
after a while, I realized that having multiple user accounts is very useful.
Here are the multiple users I set up, and am glad I did. Obviously an
Administrator account is needed for Windows Updates, installing new
software, etc. Rename it to something else though, because it is too easily
guessed. Other than Windows Updates, I never use the internet, when logged
on the Administrator account, because any spyware/crippleware that gets in
has unlimited ability to damage your installation, if you're logged in as
Administrator.

For surfing the internet, I set up a different account. My internet account
has no permission to access critical folders such as Program Files, or
Windows, except Read/Execute, because that's how I set up the folder
permissions for the internet account. All attempts by worms/viruses/spyware
to change the registry or Windows program files have failed. I know there
have been attempts and I know they have failed, because I set up auditing,
and I can see the attempts/failures in the Event Log.

I never use this Internet account for working with private family records,
because hackers might steal and/or corrupt the private data. So, I set up a
different account for working with private family records. This account
does have create/modify/delete privileges to the folder named Program Files,
but does not have create/modify/delete privileges to the Windows folder,
where the registry and system files are stored. I don't want to store
private family records in the Administrator account, because the
Administrator account must sometimes access the internet for Windows Updates.

Bottom line is I really am thankful for having different user accounts with
different levels of permissions for different activities.

To answer your other questions, don't delete "All Users" or "Default User".
Default User is used as the basis for creating new accounts. I don't know
what "Owner" is.

"James P." wrote in message
...
I'm frustrated by XP Home's User Accounts! MS decided that every computer
has multiple users and needs separate settings management ... but I'm the
only user on my system so why do I need multiple user support? The
installation process should have an option to eliminate support for multiple
users.

The XP Home installation created folders for "All Users", "Default User",
"Owner" and one using my name ... each has many sub-folders that essentially
duplicate those of the All Users folder. What a waste of my HDD space and
useless entries in the already bloated Registry! I'm familiar with the "All
Users" folder concept from previous Windows versions but can anyone tell me
who, what or why I have a "Default User" and "Owner" folders? Can these
"mystery users" be removed from my system and if so, how?

Can I delete the "Guest" User Account install created?


  #4  
Old May 28th 04, 04:50 PM
James P.
external usenet poster
 
Posts: n/a
Default User Accounts

Any idea what the "Default User" and "Owner" folders are for? Can these "mystery users" (and their folders) be removed from my system and if so, how?


  #5  
Old May 28th 04, 06:55 PM
James P.
external usenet poster
 
Posts: n/a
Default User Accounts

Hello JW,
Thanks for the details on how you're using your system and user accounts. I'm confused by something you said about the Administrator account ... what did you mean about needing to rename it ("Rename it to something else though, because it is too easily guessed.")? What specifically can be "guessed" and by whom?

If you only list one user during XP Home's installation it makes that primary acct an administrator with the user's name ... I'm guessing you changed that acct to "limited" and created a new administrator acct? So how many accts are you currently using?

Based on your post I'm guessing at least 4 user accts:
Admin (hardware & software installs)
Limited (web surfing)
Limited (productivity computing)
Guest

My computer usage is very simple and straight-forward ... 70% emailing, 20% web, 10% productivity. I think that all that switching between user accounts would drive me nuts!
  #6  
Old May 28th 04, 11:44 PM
JW
external usenet poster
 
Posts: n/a
Default User Accounts

Don't change your Admin account to Limited, if it's your only Admin account.
(I think XP will not allow it anyway.) I use XPpro, which automatically
sets up an account named Administrator. If another name is listed during
installation, it will be a second account with Admin privileges. I don't
know if it works this way in XPhome. From what you're telling me, XPhome
does not automatically name it Administrator, so since it's not
Administrator, you have no need to rename it. In XPpro, it's easy to rename
the Administrator account, because there is an option in Security Policies
(secpol.msc). I think it can also be done quickly in XPhome, by typing
Control Userpasswords2 in a command prompt window, but I've never tried
this. You might want to try it, just to see if you have another account
named Administrator.

I've heard advice against using names and passwords that can be easily
guessed, because even if you're using a Limited account, a Trojan or hacker
might try to start a program with Admin privileges, by using the Runas
command, and trying a common ID/password (e.g. Administrator/God). I have 4
accounts total, just as you described them. Two were built during
installation - Administrator and Guest. Guest is disabled. I built the
other two Limited accounts later. Then I changed the folder permissions on
\Program Files and \Windows to allow only Read/Execute permission for the
Users group (which includes the Limited accounts). Now Limited accounts
cannot monkey with the system files and registry in the \Windows folder.
This arrangement also prevents Trojans and hackers from installing
spyware/crippleware in the \Program Files and \Windows folder, but it
doesn't stop everything. There is plenty of other vermin on the internet.

Without installing themselves on disk, mobile code (e.g. Javascript,
VBscript, ActiveX), Trojans, worms and Zombies can still run in memory
(suffocating system resources), steal Email addresses and mail themselves
out again, masquerading as messages from you. Cookies can still spy on your
surfing habits, because they are installed in your \Documents and Settings
folder. (Don't go monkey with permissions on the \Documents and Settings
folder.) That's why it is still so very important to install anti-spyware,
anti-virus software, and a 2-way firewall. (Don't rely solely on the
one-way, intrusion-detection feature built into XP - Internet Connection
Firewall.)

Whenever I work with private family records using the second Limited
account, I modify permissions for only this account (not the User group), if
I get any Access Denied errors trying to use the \Program Files folder. If
this gets to be burdensome, I'll make my life easier, by changing the second
Limited account to become a member of the Power Users group, instead of the
Users group. I don't think this can be done in XPhome normally, but I've
read in some other postings, that the Windows-2000 style interface to folder
permissions is accessible by rebooting in Safe Mode.

In XPpro, one Limited account cannot view files in other Limited accounts.
I don't know if it works this way in XPhome. Would you do me a favor ?
When you set up 2 Limited accounts, build some files in both, see if one
Limited account can view files in the other Limited account, and let me know
back here. If for some reason, we lose this conversation thread, and don't
link up again, then note that clicking on the box labeled "Make This Folder
Private" will prevent other accounts, including the Administrator, from
viewing documents stored within. If you don't see this check box on folder
properties, then toggle the check box labeled "Use Simple File Sharing" in
Folder Options.


"James P." wrote in message
...
Hello JW,
Thanks for the details on how you're using your system and user accounts. I'm
confused by something you said about the Administrator account ... what did
you mean about needing to rename it ("Rename it to something else though,
because it is too easily guessed.")? What specifically can be "guessed" and
by whom?

If you only list one user during XP Home's installation it makes that
primary acct an administrator with the user's name ... I'm guessing you
changed that acct to "limited" and created a new administrator acct? So how
many accts are you currently using?

Based on your post I'm guessing at least 4 user accts:
Admin (hardware & software installs)
Limited (web surfing)
Limited (productivity computing)
Guest

My computer usage is very simple and straight-forward ... 70% emailing, 20%
web, 10% productivity. I think that all that switching between user accounts
would drive me nuts!
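
JW's setup above relies on Limited accounts having no write access to \Program Files and \Windows. The following added example (not part of the original post) checks that against a folder's DACL written in SDDL, the text form Windows uses for security descriptors, and goes slightly beyond the post by evaluating every group in a Limited account's token rather than only Users. The sample SDDL strings are constructed, and the group list in `LIMITED_TOKEN` is an assumption about an interactive local logon.

```python
import re

# File/folder access-mask bits that let an account change a folder (winnt.h).
WRITE_BITS = {
    0x000002: "write data / create files",
    0x000004: "append data / create folders",
    0x000010: "write extended attributes",
    0x000040: "delete children",
    0x000100: "write attributes",
    0x010000: "delete",
    0x040000: "change permissions",
    0x080000: "take ownership",
}

# SDDL two-letter rights codes and their access masks.
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Generic rights are mapped to their file-specific equivalents.
GENERIC_TO_FILE = {0x10000000: 0x1F01FF, 0x20000000: 0x1200A0,
                   0x40000000: 0x120116, 0x80000000: 0x120089}

# Assumption: well-known groups in a Limited account's token after a local,
# interactive logon: Users, Everyone, Authenticated Users, Interactive.
LIMITED_TOKEN = frozenset({"BU", "WD", "AU", "IU"})


def parse_rights(text):
    """Turn an SDDL rights field ('FA', 'FRFX', '0x1200a9') into a mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= RIGHTS[text[i:i + 2]]  # KeyError on an unknown code
    for generic, specific in GENERIC_TO_FILE.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_dacl(sddl):
    """Return [(type, flag_set, mask, sid)] for the ACEs of the DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # conditional and other ACE forms are out of scope
        ace_type, flags, rights, _, _, sid = fields
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_set, parse_rights(rights), sid))
    return aces


def effective_mask(sddl, token_sids=LIMITED_TOKEN):
    """Walk the ACEs in order, as an access check does: a deny ACE blocks
    bits not yet granted, an allow ACE grants bits not yet denied."""
    granted = denied = 0
    for ace_type, flags, mask, sid in parse_dacl(sddl):
        if sid not in token_sids or "IO" in flags:
            continue  # ACE is for someone else, or applies to children only
        if ace_type == "D":
            denied |= mask & ~granted
        elif ace_type == "A":
            granted |= mask & ~denied
    return granted


def write_rights(sddl, token_sids=LIMITED_TOKEN):
    """Names of the change-capable rights the token ends up with."""
    mask = effective_mask(sddl, token_sids)
    return [name for bit, name in WRITE_BITS.items() if mask & bit]


# Constructed samples.
# Users has Read/Execute only, nothing else applies to a Limited account.
HARDENED = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
# Users was tightened, but Authenticated Users still holds Modify.
LEFTOVER = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1301bf;;;AU)"
# Deny write for Users ahead of Modify for Everyone: delete is still granted.
DENY_WRITE = "D:(D;OICI;FW;;;BU)(A;OICI;0x1301bf;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("hardened", HARDENED), ("leftover", LEFTOVER),
                        ("deny write", DENY_WRITE)):
        print(label, write_rights(sddl) or "read/execute only")
```

An empty result means the folder is effectively Read/Execute for the account; any listed right shows that some group other than Users still lets a Limited account change the folder.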


  #7  
Old May 28th 04, 11:44 PM
JW
external usenet poster
 
Posts: n/a
Default User Accounts

On the other hand, I'm not sure if XPhome has a check box labeled "Use
Simple File Sharing".


  #8  
Old May 29th 04, 02:55 AM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default User Accounts

On Fri, 28 May 2004 10:34:49 -0500, "JW"

Hey James, I'm new around here, and am also the only user of my PC, but
after a while, I realized that having multiple user accounts is very useful.
Here are the multiple users I set up, and am glad I did. Obviously an
Administrator account is needed for Windows Updates, installing new
software, etc. Rename it to something else though, because it is too easily
guessed. Other than Windows Updates, I never use the internet, when logged
on the Administrator account, because any spyware/crippleware that gets in
has unlimited ability to damage your installation, if you're logged in as
Administrator.


That's the theory, and applying this theory is one way to reduce risk
exposure. It's not 100% effective though, given that there are many
ways to escalate beyond intended account rights - user accounts become
meaningless if malware drills below this level of abstraction.

There are other ways to reduce risk exposure, which aren't 100%
effective either. Unfortunately, adopting user accounts as your
strategy can render these other methods difficult or impossible to
use, forcing you to choose one or other of these partially-effective
strategies. This is due to limitations in the way user accounts are
currently managed in XP.

After evaluating the risk/benefits of each, I decided that multiple
user accounts are more hassle than they are worth. Instead, I use a
single full admin account that is set up properly. If I could prevent
the spawning of new user accounts, I'd be that much happier.

There are three basic problems with user accounts in XP:

1) You can't pre-set the template from which new accounts are spawned

Safety strategies that involve settings and non-default locations will
fail when new accounts are spawned that fall back to MS duhfaults; the
only current solution is to avoid spawning new accounts, or make sure
that new accounts are manually set up as soon as they are created.

At this point, folks will quote an MS knowledge base article that
outlines how to set up the "default user" account so that new accounts
that are derived from this will start off the way you want them. The
process involves creating an account with non-admin rights and then
copying everything other than the registry hives to the "default user"
account. Trouble is, no registry means no settings; see also (2).

2) Settings don't "stick" when account rights are reduced

In XP Home, I find that a number of settings fall back to MS defaults
if the rights of the account are reduced below full admin status. For
example, file name extensions are hidden, full paths are not shown,
etc. So whatever safety benefits I gain by limiting account rights
have to be offset against the safety benefits I lose.

3) You can't easily manage multiple user account settings

This applies to maintaining settings in general, but has particular
significance when tackling malware that integrates itself via
per-account settings. For example, running Ad-Aware to clean up
commercial malware may fail to clean up user accounts other than the
one it is run from, requiring the process to be repeated for each
account. When an account can't be accessed (password unknown, or
settings are held remotely), the system can't be cleaned up.

To answer your other questions, don't delete "All Users" or "Default User".
Default User is used as the basis for creating new accounts. I don't know
what "Owner" is.


Owner is prolly the user account as created by the system builder when
Windows XP was installed.



-------------------- ----- ---- --- -- - - - -

No, perfection is not an entrance requirement.
We'll settle for integrity and humility
-------------------- ----- ---- --- -- - - - -
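
Points 2 and 3 in the post above concern settings stored in each account's own registry hive, so a check has to cover every account rather than only the one you are logged on to. The following added example (not part of the original post) reads registry export (.reg) text covering several accounts' hives and reports, per account, the Explorer visibility settings that differ from the safe value plus every per-user Run entry. The export text, the SIDs and the `run_allowlist` parameter are constructed for illustration.

```python
import re

# Key paths are relative to one account's hive (HKEY_USERS\<SID>\...).
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
CABINET = r"Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Value each account should have so Explorer shows what is really on disk.
# A missing value means Explorer uses its default, which hides the information.
EXPECTED = {
    (ADVANCED, "HideFileExt"): 0,      # 0 = show file name extensions
    (ADVANCED, "Hidden"): 1,           # 1 = show hidden files
    (ADVANCED, "ShowSuperHidden"): 1,  # 1 = show protected system files
    (CABINET, "FullPath"): 1,          # 1 = show the full path in the title bar
}

KEY_RE = re.compile(r"^\[HKEY_USERS\\([^\\\]]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {sid: {subkey_lowercase: {value_name: value}}} from .reg text."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            sid, subkey = key.group(1), key.group(2).lower()
            current = hives.setdefault(sid, {}).setdefault(subkey, {})
            continue
        if line.startswith("["):
            current = None  # a key outside HKEY_USERS\<SID>\...
            continue
        value = VALUE_RE.match(line)
        if value is None or current is None:
            continue
        name, data = value.group(1), value.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash.
            current[name] = re.sub(r"\\(.)", lambda m: m.group(1), data[1:-1])
        # Other value types (hex:, hex(2):, ...) are not needed for this audit.
    return hives


def audit(hives, run_allowlist=()):
    """Return (sid, kind, name, value) findings for every account's hive."""
    findings = []
    for sid in sorted(hives):
        keys = hives[sid]
        for (subkey, name), wanted in EXPECTED.items():
            got = keys.get(subkey.lower(), {}).get(name)
            if got != wanted:
                findings.append((sid, "setting", name, got))
        for name, command in sorted(keys.get(RUN.lower(), {}).items()):
            if name not in run_allowlist:
                findings.append((sid, "autorun", name, command))
    return findings


# Constructed sample: two accounts exported from HKEY_USERS.
SID_ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-1003"
SID_SURF = "S-1-5-21-1111111111-2222222222-3333333333-1004"
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=dword:00000001

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Documents and Settings\\surf\\Local Settings\\Temp\\upd.exe /s"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Only hives that are loaded or exported can be audited this way, which is the limit the post describes for accounts that cannot be accessed.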

  #9  
Old May 29th 04, 06:46 PM
JW
external usenet poster
 
Posts: n/a
Default User Accounts

Cquirke, thanks for including your experience in this thread. While very
valuable indeed, the meaning was sometimes over my head and hard to grasp.
Hope you're still watching this, so you can clear some things up for me.
Millions of other XP users like me are trying hard to understand and use
every tool and feature in XP to lock down security as best as is possible.
Your input would be greatly appreciated.

While I understand the terms "many ways to escalate beyond intended account
rights" and "malware drills below this level of abstraction", the method
escapes me. (How it is done would help lead to an understanding of how to
inhibit it.) Millions of us newcomers are thinking that folder permissions
in XP security is not ambiguous or equivocal. E.g. Deny permission to UserA
does not mean UserA is sometimes denied access but sometimes can drill
through it. E.g. If UserB does not have the right to Take Ownership, then
UserB cannot figure out a loophole to Take Ownership.

In order to move toward an understanding of how to better secure our
systems, how exactly does "malware drill below this level of abstraction"
(which I believe refers to folder/file permission granted or denied to a
user account) ? How does malware "escalate beyond intended account rights"
(which I believe refers to folder/file permission granted or denied to a
user account, as opposed to the textbook meaning of user rights such as the
Administrator's right to allow Logon Through Terminal Services) ?

What exactly are "these other ways to reduce risk exposure" which are
"rendered difficult or impossible to use", when employing user accounts
(i.e. folder permissions) as a security strategy. Regarding the single
Admin account that you use, what exactly does "set-up properly" mean ? Some
examples or specifics would be helpful in transforming your words into
tangible steps leading to operational weaponry.

While I certainly agree that (3) "multiple user accounts are not easily
managed", and (2) settings do not stay the same when user account rights are
changed, these (2 and 3) are not reworked on a daily or weekly basis. In
most cases, once it's done (e.g. user account settings), they are not done
again for a very long, long time. The item that worries me most is #1. How
do new user accounts get spawned, and who spawns them ? Who has the right ?
Can a Limited user account spawn new user accounts ? Can a process spawn
new user accounts, if it is launched by a Limited user account ? How can
this spawning be stopped ?

An understanding of these lingering questions would help millions like me
defend ourselves better. Some examples or specifics would be helpful in
transforming your words into tangible steps leading to operational weaponry.
E.g. other than the standard suite of defenses used by 99% of us home users
(anti-virus, anti-spyware, firewall, folder/account permissions), what
additional tools and tactics would you use to help defend a standalone PC ?
After all, as in life, it's not the 98% preparedness that hurts us, it's the
2% unpreparedness that hurts. Again, we greatly appreciate your
experience/expertise, and thank you in advance.



  #10  
Old May 30th 04, 02:42 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default User Accounts

On Sat, 29 May 2004 12:44:19 -0500, "JW"

Cquirke, thanks for including your experience in this thread. While very
valuable indeed, the meaning was sometimes over my head and hard to grasp.


When that happens, quote back the sticky bits and I'll try to explain
them in more detail. Top-posting may make it more difficult for me to
know which bits are sticky, though, especially if you don't trim out
the parts of the quoted material you don't need more details on.

Hope you're still watching this,


Yep - I tend to hang on to the threads I enter, so as long as you
don't start a new thread, I should still be there

Millions of other XP users like me are trying hard to understand and use
every tool and feature in XP to lock down security as best as is possible.


I'm one of those users too :-)

While I understand the terms "many ways to escalate beyond intended account
rights" and "malware drills below this level of abstraction", the method
escapes me. (How it is done would help lead to an understanding of how to
inhibit it.)


It's not useful to enumerate the ways, because to do so presupposes
new ways will not be discovered. Instead, you can predict what will
happen just by looking at this conceptually.

Human activities have an inescapable error factor. If I ask you to do
something utterly menial, such as write the letter R on paper 10000
times, you will make some mistakes. Read this post and you will see
typos, and that's in English, my first language, not (say) C++

The more complex a system is, the more likely there will be errors -
in fact, with modern software, this tends to inevitability. This
makes computers interesting, in that they begin to act
non-deterministically. A practical consequence is that one should not
assume any slab of code will always work properly, and thus the more
code that is exposed to the "outside", the higher the risk of exploit.
It doesn't matter what the code is, or how it's intended to work.

Good system design would simply remove dangerous functionalities that
none of that system's users intend to use, and rely on weaker risk
managements (passwords, security zones, account rights) only where
functionalities are to be used, but only in certain contexts.

If you have to rely on a weaker risk management strategy, such as
passwords etc., then this is most effective when the surface exposed
to the "outside" (the "frontier", in other words) is small. The worst
scenario is where these risk filtering measures are expected to
operate throughout the interior of the system - there's such a large
surface area of code exposed, that breakthroughs are inevitable.

Breakthroughs would fall into these categories:
- spoofing a more powerful context (cracking pwds, etc.)
- breaking through into a more powerful context
- drilling beneath that entire layer of abstraction

Millions of us newcomers are thinking that folder permissions
in XP security is not ambiguous or equivocal. E.g. Deny permission
to UserA does not mean UserA is sometimes denied access but
sometimes can drill through it.


Yep. But take Witty as an example; this drills into a defect in Black
Ice Defender (a third-party firewall) and thus attains raw Ring 0
access to the system. At that far lower level of abstraction,
concepts such as "user", "permissions" or even "file system" simply
don't exist. The downside for Witty is that while it's operating at
this low level, it would have to construct by hand an awareness of the
file system in order to find and read files - but if all it wants to
do is trash stuff, it can (and does) simply write to raw disk.

The take-home messages here are:
- no security measure is 100% effective
- therefore *any* measure is useful if downside is small enough
- therefore also, plan what to do *when* defences are breached

In order to move toward an understanding of how to better secure our
systems, how exactly does "malware drill below this level of abstraction"


In the case of Witty, it finds an opportunity presented by bad coding
to position its code such that Black Ice Defender will run it. From
that moment on, it's indivisible from Black Ice Defender as far as the
OS is concerned, and it can do whatever that app can do.

There are other ways where context is lost. For example, consider
security zones such as Internet Zone, My Computer Zone, etc. If a
3rd-party email app passes HTML "message text" to the OS to render as
a Temp file, the chances are high that the OS will process that temp
file as per My Computer (anything goes) zone.

If you read the various security alerts, you will see that many of
these go about loss of context, or an escalation from one context to
another more powerful one.

How does malware "escalate beyond intended account rights"


As above. Malware opportunities arise in three ways:
- social engineering
- bad design
- bad code

Patches go about bad code, but often the bad code is just a wart on
the back of a bad design, and you'd prefer to rip out the entire bad
design as your risk management strategy.

For example, one security alert describes a defect where scripts
within cookies are processed in "My Computer" security zone, rather
than the intended "Internet Zone". As far as MS is concerned, that's
an example of bad code. As far as I'm concerned, that's an example of
bad design - what the hell is the OS running scripts in cookies for,
anyway? - and the patch does NOT address the *design* issue.

What exactly are "these other ways to reduce risk exposure" which are
"rendered difficult or impossible to use", when employing user accounts
(i.e. folder permissions) as a security strategy. Regarding the single
Admin account that you use, what exactly does "set-up properly" mean ?


My starting point is this:
- what I don't intend to risk, I wall out
- what some may need to risk, I differentiate (pwd, etc.)
- what I may need to risk, I evaluate first
- what I decide to risk, I av-scan first

So antivirus is the "goalie of last resort" in this chain.

In order to evaluate risk, I need decent info; I need to know exactly
where I am in the namespace ("show full paths"), know that I am
looking at everything that is there ("do not hide system or hidden
files") and am presented with information about the type of files I am
looking at ("do not hide file name extensions").

If I limit an account in XP Home, it falls back to hiding paths,
hidden files, and file name extensions. Dangerous!

While I certainly agree that (3) "multiple user accounts are not easily
managed", and (2) settings do not stay the same when user account rights are
changed, these (2 and 3) are not reworked on a daily or weekly basis. In
most cases, once it's done (e.g. user account settings), they are not done
again for a very long, long time.


You misunderstand me. When you drop an account from Admin rights in
XP Home, whatever settings you have already made revert to MS
duhfaults, and you cannot change them back.

Else it would be a nuisance rather than a crisis; you'd just change to
Admin, apply settings, and change back again, whenever you needed to
change settings that lower rights render inaccessible.

The item that worries me most is #1. How do new user accounts
get spawned, and who spawns them ? Who has the right ?


You (for human and bot values of "you") need admin rights to spawn new
accounts, and this can be done via keyboard and mouse, or
programmatically. When this is done, the new account starts off as per
"Default user", within the additional limitations I've mentioned if
the account has less than admin rights.

Can a Limited user account spawn new user accounts ?


Not directly, AFAIK.

Can a process spawn new user accounts, if it is launched by
a Limited user account ?


Once it transcends the limited user rights, yes. For a clueful
hacker or malware, it's a game of "Simon Says", that's all.

How can this spawning be stopped ?


No front door I can think of, other than to create a "default user"
account that's so broken any new accounts created from it won't work.

An understanding of these lingering questions would help millions like me
defend ourselves better. Some examples or specifics would be helpful in
transforming your words into tangible steps leading to operational weaponry.


Those are the skills I'm trying to build also. I'm relatively new to
NT, coming from a background in Win9x (that's what I was awarded MVP
in) and I read the XP newsgroups to learn more than to post.

E.g. other than the standard suite of defenses used by 99% of us home users
(anti-virus, anti-spyware, firewall, folder/account permissions), what
additional tools and tactics would you use to help defend a standalone PC ?


My approach is:
- what I don't intend to risk, I wall out
  - keep code patched up to date
  - kill off admin shares
  - kill off WSH (as I don't use it)
  - wall out BHOs (I don't use them either)
  - set MSware email to fake settings (I use Eudora)
  - use FATxx instead of NTFS (controversial)
  - avoid multiple user accounts
  - disable remote desktop invites
  - block \Autorun.inf processing on HD volumes
  - use Classic view (less Desktop.ini risk exposure)
  - never full-share C:\ or any part of startup axis
  - keep File and Print Sharing off Internet connection
  - keep the firewall on
- what some may need to risk, I differentiate (pwd, etc.)
  - as single user, nothing falls into this category
  - I'd pretend to be a "limited" user if accounts didn't suck++
- what I may need to risk, I evaluate first
  - I avoid any auto-running facilities
  - improve the information that the OS presents to me
  - keep myself up to date reading malware descs, etc.
- what I decide to risk, I av-scan first
  - use email app that breaks out attachments on arrival
  - keep incoming material out of data set in "suspect" subtree
  - run one resident av and keep it up to date
  - use additional non-resident av for on-demand and formal use
  - update and use on-demand scanners for commercial malware
- make sure I can maintain system in event of disaster
  - avoid NTFS until a suitable maintenance OS and formal av exists
  - avoid NTFS until suitable data recovery tools exist
  - enable Recovery Console to be more effective
  - use a DOS mode as an alternate boot environment
  - have an alternate web browser on hand
  - find and build skills with maintenance tools
  - automate backups (another *long* story, that!)

Links:

http://cquirke.mvps.org/whatmos.htm
http://cquirke.mvps.org/ntfs.htm
http://cquirke.mvps.org/9x/safe2000.htm (dated but useful)
http://cquirke.mvps.org/9x/malware.htm (dated but useful)
http://cquirke.mvps.org/9x/riskfix.htm (Win9x-orientated)
http://cquirke.mvps.org/9x/eudwhy.htm (why I use Eudora email)



-------------------- ----- ---- --- -- - - - -

No, perfection is not an entrance requirement.
We'll settle for integrity and humility
-------------------- ----- ---- --- -- - - - -

  #11  
Old May 30th 04, 10:50 PM
JW
external usenet poster
 
Posts: n/a
Default User Accounts

Amazing. Reading your response was like finding a box half buried in the
sand, opening it, and seeing a pirate's treasure. While I understand it, I
was amazed at some enemy tactics I never knew about before. E.g. using bad
code in cookies or a firewall to use the program (e.g. Black Ice) to attack
the OS, as opposed to directly attacking a weakness in the OS. Makes
perfect sense though.

It really made me realize that the more filtering programs a person uses,
the greater the possibility that one of these well-intended programs will
compromise the OS. In other words, every anti-virus, anti-spyware,
cookie-filter, and firewall program exposed to the outside world, is another
target the enemy will try to manipulate to betray the trust of the OS, in
order to attack system files/folders. Even more reason, it seems, to isolate
what runs in memory, from what's stored on disk. Maybe absolute safety can
only be attained by a diskless internet appliance. But then, many web sites
that use ActiveX components or require persistent cookies wouldn't work at
all.

From a conceptual perspective (high altitude view), I really like the
approach of making the hard disk as completely off limits as possible to the
account that surfs the web, and confining everything that comes down the
wire to run only in memory, to the greatest degree possible, conceptually
speaking. Alas, even though that will never ensure total protection for OS
system folders, from everything I've seen, it should be one of many strong
layers of protection we use in our defense. Like laminating several layers
of composite material is stronger than a single layer of strong material.

In the real world though, in order to enjoy many web sites that have
forfeited safer tools, in order to employ riskier tools that "enhance our
experience", opening up a folder on disk is unavoidable for the web user
account. Which is why we still need all those other layers of defense
(anti-virus, anti-spyware, firewall, etc.). I must say it is sad to see
(IMHO) that folder permissions is rarely mentioned as a tool/tactic in
newsgroup advice, alongside the top 3 (anti-virus, anti-spyware, firewall).
Especially since folder permissions has less downside risk than filtering
programs (anti-virus, anti-spyware, firewall) to the danger of being
modified or manipulated by enemy forces.


"cquirke (MVP Win9x)" wrote in message
...
On Sat, 29 May 2004 12:44:19 -0500, "JW"

Cquirke, thanks for including your experience in this thread. While very
valuable indeed, the meaning was sometimes over my head and hard to grasp.


When that happens, quote back the sticky bits and I'll try to explain
them in more detail. Top-posting may make it more difficult for me to
know which bits are sticky, though, especially if you don't trim out
the parts of the quoted material you don't need more details on.

Hope you're still watching this,


Yep - I tend to hang on to the threads I enter, so as long as you
don't start a new thread, I should still be there

Millions of other XP users like me are trying hard to understand and use
every tool and feature in XP to lock down security as best as is possible.


I'm one of those users too :-)

While I understand the terms "many ways to escalate beyond intended account
rights" and "malware drills below this level of abstraction", the method
escapes me. (How it is done would help lead to an understanding of how to
inhibit it.)


It's not useful to enumerate the ways, because to do so presupposes
new ways will not be discovered. Instead, you can predict what will
happen just by looking at this conceptually.

Human activities have an inescapable error factor. If I ask you to do
something utterly menial, such as write the letter R on paper 10000
times, you will make some mistakes. Read this post and you will see
typos, and that's in English, my first language, not (say) C++

The more complex a system is, the more likely there will be errors -
in fact, with modern software, this tends to inevitability. This
makes computers interesting, in that they begin to act
non-deterministically. A practical consequence is that one should not
assume any slab of code will always work properly, and thus the more
code that is exposed to the "outside", the higher the risk of exploit.
It doesn't matter what the code is, or how it's intended to work.

Good system design would simply remove dangerous functionalities that
none of that system's users intend to use, and rely on weaker risk
managements (passwords, security zones, account rights) only where
functionalities are to be used, but only in certain contexts.

If you have to rely on a weaker risk management strategy, such as
passwords etc., then this is most effective when the surface exposed
to the "outside" (the "frontier", in other words) is small. The worst
scenario is where these risk filtering measures are expected to
operate throughout the interior of the system - there's such a large
surface area of code exposed, that breakthroughs are inevitable.

Breakthroughs would fall into these categories:
- spoofing a more powerful context (cracking pwds, etc.)
- breaking through into a more powerful context
- drilling beneath that entire layer of abstraction

Millions of us newcomers are thinking that folder permissions
in XP security is not ambiguous or equivocal. E.g. Deny permission
to UserA does not mean UserA is sometimes denied access but
sometimes can drill through it.


Yep. But take Witty as an example; this drills into a defect in Black
Ice Defender (a third-party firewall) and thus attains raw Ring 0
access to the system. At that far lower level of abstraction,
concepts such as "user", "permissions" or even "file system" simply
don't exist. The downside for Witty is that while it's operating at
this low level, it would have to construct by hand an awareness of the
file system in order to find and read files - but if all it wants to
do is trash stuff, it can (and does) simply write to raw disk.

The take-home messages here are:
- no security measure is 100% effective
- therefore *any* measure is useful if downside is small enough
- therefore also, plan what to do *when* defences are breached

In order to move toward an understanding of how to better secure our
systems, how exactly does "malware drill below this level of abstraction"?


In the case of Witty, it finds an opportunity presented by bad coding
to position its code such that Black Ice Defender will run it. From
that moment on, it's indivisible from Black Ice Defender as far as the
OS is concerned, and it can do whatever that app can do.

There are other ways where context is lost. For example, consider
security zones such as Internet Zone, My Computer Zone, etc. If a
3rd-party email app passes HTML "message text" to the OS to render as
a Temp file, the chances are high that the OS will process that temp
file as per My Computer (anything goes) zone.

If you read the various security alerts, you will see that many of
these go about loss of context, or an escalation from one context to
another more powerful one.

How does malware "escalate beyond intended account rights"?


As above. Malware opportunities arise in three ways:
- social engineering
- bad design
- bad code

Patches go about bad code, but often the bad code is just a wart on
the back of a bad design, and you'd prefer to rip out the entire bad
design as your risk management strategy.

For example, one security alert describes a defect where scripts
within cookies are processed in "My Computer" security zone, rather
than the intended "Internet Zone". As far as MS is concerned, that's
an example of bad code. As far as I'm concerned, that's an example of
bad design - what the hell is the OS running scripts in cookies for,
anyway? - and the patch does NOT address the *design* issue.

What exactly are "these other ways to reduce risk exposure" which are
"rendered difficult or impossible to use", when employing user accounts
(i.e. folder permissions) as a security strategy. Regarding the single
Admin account that you use, what exactly does "set-up properly" mean ?


My starting point is this:
- what I don't intend to risk, I wall out
- what some may need to risk, I differentiate (pwd, etc.)
- what I may need to risk, I evaluate first
- what I decide to risk, I av-scan first

So antivirus is the "goalie of last resort" in this chain.

In order to evaluate risk, I need decent info; I need to know exactly
where I am in the namespace ("show full paths"), know that I am
looking at everything that is there ("do not hide system or hidden
files") and am presented with information about the type of files I am
looking at ("do not hide file name extensions").

If I limit an account in XP Home, it falls back to hiding paths,
hidden files, and file name extensions. Dangerous!

While I certainly agree that (3) "multiple user accounts are not easily
managed", and (2) settings do not stay the same when user account rights are
changed, these (2 and 3) are not reworked on a daily or weekly basis. In
most cases, once it's done (e.g. user account settings), they are not done
again for a very long, long time.


You misunderstand me. When you drop an account from Admin rights in
XP Home, whatever settings you have already made revert to MS
duhfaults, and you cannot change them back.

Else it would be a nuisance rather than a crisis; you'd just change to
Admin, apply settings, and change back again, whenever you needed to
change settings that lower rights render inaccessible.

The item that worries me most is #1. How do new user accounts
get spawned, and who spawns them ? Who has the right ?


You (for human and bot values of "you") need admin rights to spawn new
accounts, and this can be done via keyboard and mouse, or
programmatically. When this is done, the new account starts off as per
"Default user", within the additional limitations I've mentioned if
the account has less than admin rights.

Can a Limited user account spawn new user accounts ?


Not directly, AFAIK.

Can a process spawn new user accounts, if it is launched by
a Limited user account ?


Once it transcends the limited user rights, yes. For a clueful
hacker or malware, it's a game of "Simon Says", that's all.

How can this spawning be stopped ?


No front door I can think of, other than to create a "default user"
account that's so broken any new accounts created from it won't work.

An understanding of these lingering questions would help millions like me
defend ourselves better. Some examples or specifics would be helpful in
transforming your words into tangible steps leading to operational weaponry.

Those are the skills I'm trying to build also. I'm relatively new to
NT, coming from a background in Win9x (that's what I was awarded MVP
in) and I read the XP newsgroups to learn more than to post.

E.g. other than the standard suite of defenses used by 99% of us home users
(anti-virus, anti-spyware, firewall, folder/account permissions), what
additional tools and tactics would you use to help defend a standalone PC ?


My approach is:
- what I don't intend to risk, I wall out
  - keep code patched up to date
  - kill off admin shares
  - kill off WSH (as I don't use it)
  - wall out BHOs (I don't use them either)
  - set MSware email to fake settings (I use Eudora)
  - use FATxx instead of NTFS (controversial)
  - avoid multiple user accounts
  - disable remote desktop invites
  - block \Autorun.inf processing on HD volumes
  - use Classic view (less Desktop.ini risk exposure)
  - never full-share C:\ or any part of startup axis
  - keep File and Print Sharing off Internet connection
  - keep the firewall on
- what some may need to risk, I differentiate (pwd, etc.)
  - as single user, nothing falls into this category
  - I'd pretend to be a "limited" user if accounts didn't suck++
- what I may need to risk, I evaluate first
  - I avoid any auto-running facilities
  - improve the information that the OS presents to me
  - keep myself up to date reading malware descs, etc.
- what I decide to risk, I av-scan first
  - use email app that breaks out attachments on arrival
  - keep incoming material out of data set in "suspect" subtree
  - run one resident av and keep it up to date
  - use additional non-resident av for on-demand and formal use
  - update and use on-demand scanners for commercial malware
- make sure I can maintain system in event of disaster
  - avoid NTFS until a suitable maintenance OS and formal av exists
  - avoid NTFS until suitable data recovery tools exist
  - enable Recovery Console to be more effective
  - use a DOS mode as an alternate boot environment
  - have an alternate web browser on hand
  - find and build skills with maintenance tools
  - automate backups (another *long* story, that!)

Links:

http://cquirke.mvps.org/whatmos.htm
http://cquirke.mvps.org/ntfs.htm
http://cquirke.mvps.org/9x/safe2000.htm (dated but useful)
http://cquirke.mvps.org/9x/malware.htm (dated but useful)
http://cquirke.mvps.org/9x/riskfix.htm (Win9x-orientated)
http://cquirke.mvps.org/9x/eudwhy.htm (why I use Eudora email)



-------------------- ----- ---- --- -- - - - -

No, perfection is not an entrance requirement.
We'll settle for integrity and humility
-------------------- ----- ---- --- -- - - - -



  #12  
Old June 1st 04, 03:41 AM
JW
external usenet poster
 
Posts: n/a
Default User Accounts

Wanted to say thanks again for all the advice.
While I still like the idea of a separate user account, used only for
surfing the web, barred from all folders on the hard disk, except those in
the user profile (My Documents, Favorites, Settings, etc.), by using folder
permissions in XPpro, which are more flexible than in XPhome, I learned so
much from your response, that I will add to my arsenal.

These include
- killing off admin shares
- killing off WSH
- walling out BHOs
- setting MSware email to fake settings
- disable remote desktop
- block \Autorun.inf processing on HD volumes
- use Classic view (less Desktop.ini risk exposure)
- never full-share C:\ or any part of startup axis
- disable File and Printer Sharing
- keep the firewall on
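
Several items in the checklist above (admin shares, WSH, Autorun.inf on HD volumes, remote assistance invites, and the "show extensions / hidden files" settings discussed earlier in the thread) live in the registry and can be audited from a `reg export` dump. This is an added example, not code from any poster in the thread; the value names are the standard Windows ones, the sample export is constructed, and treating an absent value as "not hardened" is an assumption.

```python
import re

# Constructed sample in .reg export syntax (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fAllowToGetHelp"=dword:00000001
'''

ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WSH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"
TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# (checklist item, key, value name, test). An absent value arrives as None and
# fails every test: assumption that the Windows default is the unhardened state.
CHECKS = [
    ("show file name extensions", ADV, "HideFileExt", lambda v: v == 0),
    ("show hidden files", ADV, "Hidden", lambda v: v == 1),
    ("show protected system files", ADV, "ShowSuperHidden", lambda v: v == 1),
    ("no Autorun.inf on HD volumes", POL, "NoDriveTypeAutoRun",
     lambda v: isinstance(v, int) and v & 0x08 != 0),  # 0x08 = fixed drives
    ("admin shares off", SRV, "AutoShareWks", lambda v: v == 0),
    ("Windows Script Host off", WSH, "Enabled", lambda v: v in (0, "0")),
    ("remote assistance invites off", TS, "fAllowToGetHelp", lambda v: v == 0),
]

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}, names lower-cased; hex(...) values are skipped."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = hive.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or key is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            key[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            key[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return hive

def audit(reg_text):
    """Return [(checklist item, observed value or None, passed)]."""
    hive = parse_reg(reg_text)
    results = []
    for label, key, name, ok in CHECKS:
        value = hive.get(key.lower(), {}).get(name.lower())
        results.append((label, value, bool(ok(value))))
    return results

if __name__ == "__main__":
    for label, value, passed in audit(SAMPLE_REG):
        shown = "absent" if value is None else hex(value) if isinstance(value, int) else repr(value)
        print(f"{'OK  ' if passed else 'FAIL'} {label}: {shown}")
```

Real `reg export` files are UTF-16; decode them before passing the text to `audit`. Only the HKLM copy of `NoDriveTypeAutoRun` is checked here.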


 



