Domain: editme.com
Stories and comments across the archive that link to editme.com.
Comments · 20
-
ghod has been common in SF fandom
... for ages.
-
That's a stupid approach
Just run all internet-facing software under a restricted set of user rights. Two years ago I changed all my browser and messenger shortcuts to launch using the handy little DropMyRights utility. Result? I haven't caught anything from a malformed web page or IM attack in all that time -- even with running everything else under my normal administrator-class account. (This is on WinXP Pro SP2).
-
Yep, it's not easy to be secure on XP.
The hardest thing to do as an unprivileged user is to change your monitor power settings. The effects of this setting is VERY visible to the user, and very annoying if it is not set correctly. It gets more annoying when you can't change the settings, because you don't have high enough privileges.
So, you log out, and then login as an administrator, make the change to the power settings, log off and then log back in as your unprivileged user only to find out that the changes that you just made as an administrator only affect the administrator's user profile.
Sigh.
OK, Logout, login as administrator, grant your unprivileged user rights so he can change the power settings, logout, login as your new super user, change the power settings, remove the privileges so you are an unprivileged user again, log out, and then login as the unprivileged user once again.
Thankfully, there are ways to deal with this. -
Re:It's not the software.
Runas was more akin to su than sudo, which made for a bit of frustation when you ran a program as "administrator" that program would save files to the Administrator's My Documents folder instead of your My Documents folder.
I wrote a very kludgey program awhile back called winsudo that solved this problem, and later some others who could program wrote proper implementations that bring sudo functionality to Windows 2000 and XP. -
Re:Run As
"It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!"
1) Click on my sig
2) Go to the useful tools section and grab one of the "sudo" type programs. Sudo WN is my favorite. The sudo tools solve the problems you mentioned above. -
Another good site
http://nonadmin.editme.com/
Thought you probably would have found that via Aaron Morgosis' Blog.
I have my wife setup as non-admin, and she doesn't really notice. I run as non-admin at home and its fine. Sometimes it gets messy during development when you need to attach a debugger to a system process (IIS), but there are ways to resolve each issue, and they are documented at the above sites. -
It _can_ be done, but I have stopped suggesting itFirst off: the windows administrator account isn't EXACTLY root. The "System" account is the most privileged account. Of course, it is fairly easy to escalate Administrator privileges to do anything that System can (you just have to jump through a few hoops).
I've run my own machine (when I ran windows) and machines which I have had to support as non-admin. It is completely doable if the workstations have to run only a few programs and/or there are IT people backing up the attempt. Many programs will be need to be modified to be run as a non-admin & many of those must run some things with escalated privileges. Some of those have holes in them.
It isn't something I'd suggest to mom -- her support is me & I don't have time to make sure she can do everything she needs to as non-admin. Non IT people would have to jump through too many hoops to do basic things.
It is feasible to do MANY things as a non-admin & switch to an admin account when you absolutely must. Superior SU is handy for this. I'd suggest setting the admin's desktop to an obnoxious red color so you can tell the difference. PrivBar is also useful to see your rights.
There are a handful of LUA sites to help you find other tricks in general or to get specific programs to run as non-admin (some of which are below). Usually, this involves installing as admin & granting read & execute privs to dlls and executables. Sometimes you need to grant write access to what SHOULD be protected directories.
Some sites: -
Re:I guess that this article can be skipped
I guess that this article can be skipped if you are a windows user?
:)Check out the excellent Nonadmin site:
http://nonadmin.editme.com/WinSUDOLots of useful stuff there that not many people know about...
-
Re:I'll see those claims and raise you...
I think you just missed the difference that I intended between !, *, and -. !=important, *=nice, -=whatever/already solved.
Accounts: Admin/User isn't perfect, but that is largely a result of application software trying to write things to the wrong places (ie: HKLM or Program Files). Take a look at http://nonadmin.editme.com/ if you don't know about it already.
FUS: FUS is generally unnecessary. You can do almost everything with "Run As", and the worst problem I've had with it was solved by "Run As"ing cmd, and then opening iexplore or whatever and doing permissions, etc. I never have to log out a user unless I'm rebooting the machine, or trying to get rid of that damned Outlook desktop icon.
Imaging: The other poster on this comment explained that well. It's really just not a big problem to begin with.
Recovery Discs: I have a Linux boot disk that resets passwords and does Registry manipulation. I have recovery console CDs that fix more serious issues. Anything that takes more than 15 or 20 minutes is more quickly solved by reimaging the machine.
Shell: I agree, having a better shell in Windows won't make me complain. MS just isn't adding anything that isn't already available. This is a user desktop machine, so this isn't important.
Scheduler: Also agreed, improvements are welcome. It just isn't a real issue that they are solving that is worth the OS upgrade. We're still talking about a user desktop, so this doesn't matter.
You might find them useful, so you will probably buy Vista. Many, many other people see this update as solving nothing that isn't already solved. That's really what Vista is... just an update. I'm not wasting time, money, and energy doing a round of MS updates, along with all the massive headaches new MS software always comes with, unless I get something truly good out of it.
I'm downplaying all those updates because they *really* don't improve Windows very much. They certainly don't offer anything that makes the upgrade worth the time, let alone the price tag. -
Re:My personal policy...
Take a look at this if you haven't already found it. It has a ton of tips for using Windows as a LUA.
http://nonadmin.editme.com/ -
Microsoft's "Lower rights" solution flawed
It strikes me that Microsoft are pursuing a lower rights model in order to allow users to have Administrator privileges in their interactive session but restrict the privileges of specific processes (for example, Internet Explorer) within that session.
This approach is also evident in the unofficial, free tools being created by Microsoft developers.
This approach seems to be a "have my cake and eat it too" solution, and unfortunately seems to be making the same mistakes of attempting to identify and quarantine bad behaviour as those we have made in the past regarding the design of firewalls, antivirus tools and the like.
Remember when it was common practice to only firewall the "bad" ports, and let the "good" ports have free reign? Over time (and in no short measure due to certain worms utilising flaws in Microsoft, and occassionally other, software) we have realised that the only sane approach is to deny all and then selectively allow that which we want.
Likewise, the traditional approach of antivirus software, intrusion detection/prevention systems and the like in recognising "bad" phenomenon has been shown incapable of keeping up with new threats. We are slowly realising that we (somehow!) need to define what is "normal" behaviour in our systems/networks and then quarantine that which does not meet the norm.
Unfortunately it strikes me that Microsoft's current direction in terms of Least User Privilege seems to be to give up on it as an overriding principle, and instead "allow everything" as a default, and then selectively deny those processes which are seen as high-risk. I would have thought the parallels to my previously mentioned examples of firewalls, antivirus and IDS/IPS are clear.
-
Microsoft's "Lower rights" solution flawed
It strikes me that Microsoft are pursuing a lower rights model in order to allow users to have Administrator privileges in their interactive session but restrict the privileges of specific processes (for example, Internet Explorer) within that session.
This approach is also evident in the unofficial, free tools being created by Microsoft developers.
This approach seems to be a "have my cake and eat it too" solution, and unfortunately seems to be making the same mistakes of attempting to identify and quarantine bad behaviour as those we have made in the past regarding the design of firewalls, antivirus tools and the like.
Remember when it was common practice to only firewall the "bad" ports, and let the "good" ports have free reign? Over time (and in no short measure due to certain worms utilising flaws in Microsoft, and occassionally other, software) we have realised that the only sane approach is to deny all and then selectively allow that which we want.
Likewise, the traditional approach of antivirus software, intrusion detection/prevention systems and the like in recognising "bad" phenomenon has been shown incapable of keeping up with new threats. We are slowly realising that we (somehow!) need to define what is "normal" behaviour in our systems/networks and then quarantine that which does not meet the norm.
Unfortunately it strikes me that Microsoft's current direction in terms of Least User Privilege seems to be to give up on it as an overriding principle, and instead "allow everything" as a default, and then selectively deny those processes which are seen as high-risk. I would have thought the parallels to my previously mentioned examples of firewalls, antivirus and IDS/IPS are clear.
-
Microsoft's "Lower rights" solution flawed
It strikes me that Microsoft are pursuing a lower rights model in order to allow users to have Administrator privileges in their interactive session but restrict the privileges of specific processes (for example, Internet Explorer) within that session.
This approach is also evident in the unofficial, free tools being created by Microsoft developers.
This approach seems to be a "have my cake and eat it too" solution, and unfortunately seems to be making the same mistakes of attempting to identify and quarantine bad behaviour as those we have made in the past regarding the design of firewalls, antivirus tools and the like.
Remember when it was common practice to only firewall the "bad" ports, and let the "good" ports have free reign? Over time (and in no short measure due to certain worms utilising flaws in Microsoft, and occassionally other, software) we have realised that the only sane approach is to deny all and then selectively allow that which we want.
Likewise, the traditional approach of antivirus software, intrusion detection/prevention systems and the like in recognising "bad" phenomenon has been shown incapable of keeping up with new threats. We are slowly realising that we (somehow!) need to define what is "normal" behaviour in our systems/networks and then quarantine that which does not meet the norm.
Unfortunately it strikes me that Microsoft's current direction in terms of Least User Privilege seems to be to give up on it as an overriding principle, and instead "allow everything" as a default, and then selectively deny those processes which are seen as high-risk. I would have thought the parallels to my previously mentioned examples of firewalls, antivirus and IDS/IPS are clear.
-
Re:Acronymtastic!
Or you could just read the Definitions page
:) -
Non-admin Wiki!
Everything you need to know http://nonadmin.editme.com/
-
Re:a tip
do the click like the old IBM keyboards, now THAT would be worth the extra money.
Your wishes have been fulfilled. -
no mention of a pioneer in OSS license services...
I just searched the comments and found no mention of BlackDuck They have been in this business since 2002.
-
Re:Come on over to Linux!
No, you don't.
You have to be root and deliberately set parameters in places like /etc/fstab to support what you want to do.
The real point is that there is an established model that is documented and understood for setting up a system under GNU/Linux.
Windows is finally awakening to the requirement, and knowledge is finally getting spread through the likes of Non Admin.
The real difference is one of attitude:
Windows: user == sheep
GNU/Linux: user == shepherd -
Re:Anyone know...
Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?
I'm sure it does extend to that. Users aren't used to dealing with computer security, on any operating system. It wasn't so important to a home user before the Internet, and it was impossible on 9x. Now they're using a different OS and are connected to a malicious network, but don't want to learn to adapt.
As for resources, ask Google.
noadmin.editme.com has a wiki about it, and also see Aaron Margosis' WebLog, aka the The Non-Admin blog, made by a Microsoft employee.
Windows NT Security in Theory and Practice, a long-running set of MSDN articles about NT security is also interesting, espescially to developers.
Also useful are FileMon and RegMon from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)
Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy. -
Re:Interesting error messages
From this page:
"This is not a viral infection. It comes from programs like write, talk, and wall, if your invoking UID doesn't correspond to a valid user (probably due to /etc/passwd being corrupted), or if the session (pseudoterminal, specifically) you're using isn't properly registered in the utmp file (probably because you invoked it in a funny way)."