Why Bother with Restricted Accounts?

I'm running XP Home, and I'm the only person with physical access to the machine. I always run as administrator. I've been told that this will allow any virus, worm, etc. to do more damage than if I run with lower privileges. Is that so?

If I run as 'guest', what won't I be able to do? Will I have to move all my files from my current user folders to the shared folder? What other changes will I need to do?

I see that some people here complain about trying to run as less than administrator. What is it likely to break? Is it worth trying to make the change?

Harvey
 
I've been running as Administrator since I installed XP and have had no
problems. In fact I removed the second account in my name that XP set up
during the installation and that hasn't caused problems either. There is no
other user of this system at all.

To prevent infiltrations I have a Zone Alarm firewall, McAfee virus scanner,
Spy Sweeper, and Ad Aware installed.

 
I just got a PC with XP Home. I tried creating and experimenting with several accounts, both limited and administrator. Any new account I create is giving me fits with the rights to programs and security settings.

I do think it's a good idea to have a limited account, except I have not figured out how to get the limited account set up correctly. Maybe a limitation of the XP Home software?
 
Thanks for the responses! I've been perfectly happy running as administrator, but I read a book ("Writing Secure Code" from Microsoft) which said that if a hacker got past my firewall and anti-virus, and hijacked my program, it could do less damage if I wasn't running as administrator. But there's certainly no point in doing it if it's going to be a continuous hassle.

Harvey
--------------------------
 
It's true what you said that if a hacker or trojan got past your firewall
and anti-virus, it could do far more damage if you were running as
Administrator. So the question becomes "Can a hacker or trojan ever get
past your firewall and anti-virus program?" The answer is not only yes,
but there are documented cases of all of the following: (a) Trojans
downloaded from web sites the user visits opening up back doors for hackers
and malware to either destroy systems or secretly harvest userID/passwords
and credit card or bank account numbers; and (b) worms and viruses that
disable, hijack, or completely shut down vulnerable software firewalls and
anti-virus programs. My philosophy is why toy with the risk?

While I respect Jerry's opinions and do not disbelieve his unique personal
experience, my personal experience is different, along with hundreds of
people who have come to this newsgroup in the past, suffering from the same
consequences of a false sense of security. Although I am no expert when it
comes to all the tweaks and tricks it takes to make Administrator
perfectly hacker-proof, Trojan-proof, and safe-from-myself-proof, I can
definitely tell you and have documentation in my Event Viewer to prove
vermin from somewhere somehow slip past my firewall and anti-virus programs,
and attempt every week to either uninstall stuff, run services, or corrupt
or delete files in the folders named \Windows and \Program Files. How? I
don't know. All I care is that they are all logged as Failed Attempts
because I (a) surf the web with a Limited Account, and (b) remove all access
except Read/Execute to \Windows and \Program Files, by accounts in the group
named Users (accounts used by children and by my Internet-only account).

The special account I set up for surfing the web has never been a continuous
hassle, because I never use this special Internet-only account for anything
else but surfing the web. I certainly never use this special Internet-only
account for private online banking, completing private tax returns, or
maintaining private family financial records. Might as well buy a home
security system, and leave home with the doors open. When I want to do
private family or personal transactions or record-keeping, I use a different
account with different privileges (you could use Administrator for this).
The rare person who complains about exchanging files between the accounts
has not yet learned about Shared Folders or \All Users.

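The folder lockdown described in the post above (group Users limited to Read/Execute on \Windows and \Program Files) can be verified with a short audit script; this is an added example, not part of the original thread. It assumes the ACLs were listed with the `cacls` tool that ships with XP, and the two sample listings are constructed for illustration.

```python
import re

# cacls permission letters: N=none, R=read, W=write, C=change, F=full control.
WRITE_LETTERS = {"W", "C", "F"}
# Rights that allow modification when listed under "(special access:)".
WRITE_SPECIAL = {"GENERIC_WRITE", "GENERIC_ALL", "DELETE", "FILE_WRITE_DATA",
                 "FILE_APPEND_DATA", "WRITE_DAC", "WRITE_OWNER"}
# One ACL entry: principal, optional inheritance flags such as (OI)(CI), then the right.
ENTRY = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([A-Z]+\))*)"
                   r"(?P<right>[NRWCF]|\(special access:\))$")

def audit(path, cacls_output, limited=("BUILTIN\\Users",)):
    """Return sorted (principal, right) pairs where a limited principal can modify path."""
    findings = set()
    current_special = None  # principal whose special-access rights are being listed
    for i, raw in enumerate(cacls_output.strip().splitlines()):
        line = raw.strip()
        # cacls prints the path in front of the first entry only.
        if i == 0 and line.upper().startswith(path.upper()):
            line = line[len(path):].strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            principal, right = m.group("principal"), m.group("right")
            current_special = principal if right.startswith("(") else None
            if principal in limited and right in WRITE_LETTERS:
                findings.add((principal, right))
        elif current_special in limited and line in WRITE_SPECIAL:
            findings.add((current_special, line))
    return sorted(findings)

# Constructed sample: Users restricted to Read/Execute, as the post describes.
HARDENED = r"""
C:\WINDOWS BUILTIN\Users:R
           BUILTIN\Users:(OI)(CI)(IO)(special access:)
                         GENERIC_READ
                         GENERIC_EXECUTE
           BUILTIN\Administrators:F
           NT AUTHORITY\SYSTEM:F
"""

# Constructed sample: Users still holds Change and a write-capable special entry.
LOOSE = r"""
C:\Program Files BUILTIN\Users:(OI)(CI)C
                 BUILTIN\Users:(OI)(CI)(IO)(special access:)
                               GENERIC_READ
                               GENERIC_WRITE
                 BUILTIN\Administrators:(OI)(CI)F
"""

if __name__ == "__main__":
    print(audit(r"C:\WINDOWS", HARDENED))
    print(audit(r"C:\Program Files", LOOSE))
```

An empty result means no listed entry gives the limited group a way to modify the folder; any finding names the entry to tighten.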
 
As recently as 1:55 PM Wednesday, a suffering user posted the following:

I've isolated an infection in my system. Norton AV does NOT detect it. So
I'll send the particulars to them. For everyone else: If your standard XP
firewall won't stay enabled. If your AV program won't stay in
"auto-protect" and gets automatically terminated when you try to run it.
When task manager terminates after about 30 seconds or so. When certain
security-related folders disappear after about 30 seconds when you're trying
to view them. When looking at security-related URLs with IE and IE
terminates unexpectedly. Then look for these: ...


Moral of the story: There are lots of PC security products rushed to market
with leaks, cracks, holes, bugs, and other vulnerabilities. More examples
of vulnerable products can be found in the following PC World article:
http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp



 
JW: Thanks! That's very helpful!

When on the web as a non-administrator, do you have problems with saving emails to disk, or downloading programs? Can you run FTP?

I assume that there must be many files you had to move from your personal document folder to the shared folder. Is that correct? Would I lose access to the cookies and passwords saved under my old user-name?

Can you suggest a tutorial that might help with the process?

Harvey
 
Cookies and Favorites can easily be exported and imported by your new
account. You would not have to reenter passwords previously saved for your
ISP. Email messages and addresses can be exported and imported too, but it
takes a few extra steps. See the following for details:
http://www.iopus.com/guides/oe-backup.htm

My personal usage is such that I don't copy many files from the
Internet-only account to \All Users, only because I don't download many
files and programs from the wild wild web, and rarely receive attachments in
Email messages. You would never have to copy any personal private files and
folders to the \All Users folder, unless you want to Email one to somebody.
By copying it to the \All Users folder it would be accessible when you go
online. I have had no need to do this, but in order to maintain personal
privacy, you could convert it to a password-protected Zip file before moving
it to the \All Users folder.

As a Limited User, I have no problem saving Email messages, Newsgroup
postings, Web site pages, etc. to disk. I have no problem downloading
executables, but of course, violations do pop up if the executables
automatically start and try to install stuff. This could be considered both
beneficial and inconvenient. Without me knowing, other crap might be
downloaded that I do not want to be installed. But there is the
inconvenient step of copying the executable to \All Users, and switching
accounts to Administrator, before I can install stuff downloaded from the
internet.

While this poses both a beneficial and inconvenient hurdle, it is no
guarantee that the downloaded program does not contain a virus/worm/Trojan.
Especially in cases where the virus/worm/Trojan is undetectable, because it
is either compressed or encrypted. But if there is a compressed or
encrypted virus/worm/Trojan, running the executable first in the
Internet-only account (knowing it will fail to install) might reveal it to
the anti-virus program, when it is uncompressed or decrypted.

I can use FTP as a recipient. I have not gotten FTP Server to work, but I
don't think the problem is a Limited User account. Windows Messenger works
fine for text chat, but ICF (XP's built-in firewall) prevents Limited Users
from using voice/video in Windows Messenger. ICF must be disabled to get
voice/video in Win Messenger to work with a Limited Account. Don't disable
ICF unless you have another firewall installed.

These are just my personal experiences. I don't know of any tutorial
describing the above, because there are still many people who believe it's
perfectly safe to surf the wild wild web as an Administrator. I will admit
the time my PC is most vulnerable is when Windows Update runs, since it
requires both Internet access and Administrator privileges at the same time.
There is no avoiding that, but creating an Internet-only Limited User
account is still worth all the benefits.

 
I should rephrase something. It is not ICF that prevents Limited Users from
using voice/video in Windows Messenger. It is the fact that Limited Users
do not have the authority to open ports in ICF, that prevents voice/video
from working with Win Messenger (when using ICF). It is not an ICF problem,
but a Limited User restriction. Limited Users can avoid this problem by
using a different firewall, and disabling ICF. Administrators have
authority to open ports in ICF, but again, I recommend against using
Administrator for text chat and voice/video. Any vermin that gets past the
defenses would have all the same privileges and authority as the
Administrator.

 