Running Windows Without Administrator Privs?
javacowboy asks: "For a while now, I've been advising friends who run Windows to try running as a regular user, as opposed to running as administrator, which is the default setting. However, I switched to Mac a year and a half ago and I haven't run Windows since, so I'm probably not the best person to be giving this advice. Still, on a philosophical level, *trying* to run Windows as a non-admin, given the prevalence of viruses, worms, trojans, and spy-ware, seems to make sense. Have any of you tried to run Windows as a non-admin, and how did it work out for you? Are there certain tasks or certain software you need to be admin to run? How realistic is it to expect a Windows user to run their OS as non-root?"
A friend's computer shared by the entire household was unendingly compromised. We restored XP many times from scratch but the result was always the same, within a month XP was toes up again.
We did manage to trace the culprit pretty certainly to one of the kid's AOL sessions. No emphasis and teaching was enough to stop a trusting click to wreak trojan horse havoc. (I don't blame the kid, she was using in good faith and only talked to friends, and only clicked when she was assured they were "being good". Unfortunately, in the world of XP running with admin privilege, this is not enough.)
We finally bought a separate computer with discrete accounts, and only one had admin access. The kids' accounts were non-admin. This new machine remains uncompromised, but with a price.
The non-admin accounts, while unable as expected to install software, have random and mysterious failures. I've been able to track some down to exactly what I (and most) feared -- applications which expect to have admin access. Not one example was legitimate in the sense the failure point was performing work requiring admin access, it was just presumptive development by the application. (Interestingly, one of the applications that works fine in admin access but not in non-admin access is Windows Media Player 10.)
Unfortunately this turns out to be a common symptom running non-admin in XP. Lots of applications will work fine. Lots won't.
The machine remains partitioned as described, but the ultimate result has been the kids gravitating back to the unprotected computer for unfettered access. I expect that machine will continue to need its periodic re-imaging.
These problems in XP aren't rare and are artifacts of an infrastructure with security tacked on in ugly layers again and again, all as afterthoughts. I hope Vista proves better at this, but wonder how many applications will continue as problematic because of a murky and muddled and shifting security architecture.
For the record, I'm simply amazed Microsoft has gotten away with this for so long... it's ample empirical evidence more deals on shop architectures are being made on the golf course and not around the white boards.
And, also for the record, Microsoft has the money and power to fix this once and for all. I'm sure some will defend Microsoft's incremental work on this, but for too many years my observation has been Microsoft using their money to buy additional fingers with which they point at others to blame rather than work to solve comprehensively the security and system integrity problems.
- Bottom line:
I still recommend PC owners create separate non-admin accounts with only one admin account. Applications that won't/can't play nice I recommend they uninstall and ask for their money back. This isn't optimal, but it keeps the machine healthy longer. Sigh.
Runs "The Non-Admin Blog" - one of the most useful resources for this. He's a Microsoft staff consultant, and often has tips for it you won't find elsewhere.
Check it out at http://blogs.msdn.com/aaron_margosis/
Cue The Sun...
It's somewhat annoying, to me at least. If you have to make a change in global configuration, install an application or just use some special hardware (parallel port), you'll have to switch users. You'll have to stop whatever you are doing, close your session if you are at a domain, do your stuff and restart what you were doing. A waste of time.
I have always used the NT, 2k and XP as non-admin. It works somewhat in my experience, but not as good as in Mac OS X.
Microsoft Office works as it should and with Visual Studio you would maybe want to add your user to the Debuggers-group (or something like that). Otherwise Microsoft's own apps work in my experience.
To me most problems occur with large (non-Microsoft) commercial applications, especially games. You have to hack around to get it running as non-admin, and when you finally get it running it crashes on some feature, like multiplayer in games. Stupid. If you only have a couple of such games/apps, you could use the "Run as" (administrator user) option with Windows. There are also some 3rd party applications that allow you to do a wrapper application/script to allow running as admin.
So in summary, I'd say that if you are mostly using Windows for web, e-mail and Office, non-admin is the way to go. If you are doing some other stuff too, you will most likely need at least some tweak in filesystem permissions with the bigger apps to allow write or read access. And if you play games, then there's a 50-50 chance that you need admin-rights or not... But you can always use "Run as", to be safe with other apps!
I demand the Cone of Silence!
Registry permissions can be set using regedt32.
Installers are also a problem. Since Windows programs like making a mess (i.e. putting DLL files in the system and system32 directories), you usually need to run them as Administrator. The "Run As..." menu item can be used to elevate privileges for a single program. This appears in context (right-click) menus by default, unless you're in the Control Panel. In that case, hold down shift when right-clicking.
Windows Explorer can be started as a different user, if you set the option to run Explorer Windows in a separate thread. This option needs to be turned on for the user you're changing to, not for the current user. You can find this option in Control Panel (Classic View), Folder Options..., View tab, Launch folder windows in a separate process.
Here's a few sources to consult:
I'm sure I missed some things, but other posters will point them out.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Running as a standard User (NOT power user) is possible, and has gotten a LOT better in the past 3 years.
Still, the Runas command doesn't work like SU in Unix, and there are many problems.
In the corporate/business environment it's somewhat possible if the business is locking down users and not letting them admin their machines, install odd programs, etc. And it does prevent some malware and worms.
In the home environment, so much of the software used wants/needs to be admin, it's very difficult and often impractical. Things like personal finance, CD burning software, games, etc.
The trick: You gotta get used to running Regedt32 and with file/folder permissions. Find *where* the program is doing odd writes to the registry and give them Full Control of those portions. Quite a bit of trial and error involved.
The assumption with this is that the malware isn't trying to write to those particular keys... which is actually usually true.
When I was interning for the tech school I was going to, I was involved in setting up a batch of machines for use in the library. One program (something to do with the culinary course) required users have write access to its program files in the system folder in order to get around having every culinary student be a power user.
Typically, you can email the program's developer or publisher for details on what permissions need to be set in order to run a program while a limited/standard user (it helps to be running XP Pro on a domain when dealing with the permissions though).
Considering most users like to install the latest kitschy program, I would assume it would be quite a trial in the current format, to have a user run without admin access. I could only imagine the calls the local techy friend would get, instead of "can you pleeeeease come and fix my malwared/spywared/virused/trojanned/fubar'd computer" it will now be "can you pleeeease come and install happybloggeryp2pdownloadmeforfreeporntoday.exe"
I've been running Windows NT machines (and later) for almost 8 years without using superuser permissions for normal use. You just have to become very familiar with "runas". In some cases you will need to actually be logged in as an Administrator to do certain tasks, but that is fairly rare. Some examples: if you need to access your control panel you can use:
runas /user:Administrator "C:\program files\internet explorer\iexplore.exe c:"
and then navigate there (though I recommend you rename your 'Administrator' account). Another useful program is mmc (and after a year or so you will memorize all the component names).
I should note, however, that it may seem that a runas for cmd might be useful. Sometimes it is. But some of the functionality is limited. For example, if you have an Administrator privileged cmd prompt and you type "start .", you will open up a directory in explorer with the logged in user privileges, not the superuser privileges. That is why you must use "iexplore.exe c:" to get Administrator privileges.
Windows XP is sort of nice now that you can right click for a runas. If you are frequently using runas, you may find that that feature is helpful. Finally, I should note that you shouldn't do highspeed tasks with a program loaded with runas. You will definitely see a performance drop, especially with programs that make extensive use of the windows API.
Suddenly, the hairy finger of a familiar monkey tapped me on the shoulder. It was time.--G. T.
By all means read Aaron Margosis's blog, get used to Run As, and be prepared to debug apps that don't want to run in a normal account (often it's just a few files or registry keys. Edit the ACLs for them and it may fix things).
A few months ago, Windows Update somehow stopped working from Run As. Annoying, but you only need to run it once a month.
I'm posting from a limited account on an XP box right now. I've been doing this for a while now in Windows, but it isn't always a pleasant experience. It seems a lot of programmers out there write software that requires admin when there is really no need to do so. I had to get friendly with Run As so I don't need to switch users when I have to run a program with admin privileges. I can understand my atomic clock sync program needing admin since limited accounts are unable to change the time or date, but a usenet reader? I tried NewsBin Pro and it doesn't work unless running under an admin account.
It is possible to run as limited depending on what applications you use without much of a hassle, but it would be a good idea to show your friends how to run programs as administrator. Also try and teach them it isn't a good idea to do that for any program that asks, only ones they know are safe. I've locked down a number of systems that friends and family ask for help with and it has made a major reduction in the number of calls I get about problems with their computers. I generally don't have many worries about spyware or viruses myself as I try to be careful with what I run, but it gives me peace of mind. I know I have another layer of protection to assist me in keeping my system clean.
I ran Win2k Pro at home with a non-admin user just fine several years ago. Back then, there were still quite a few day-to-day programs (especially games and burning software) that required elevated privileges. It's not hard to set up a "run as" link for those apps, though.
I work in a corporate-type environment where almost no one has admin on their machine. Folks here run all sorts of applications, burn CDs, etc with no problems. In fact, we deny everyone write access to the C partition (where the OS and programs live; the Documents and Settings folder is on D in our image). Usually, programs that won't run as non-admin just try to write to their program directory, which can be easily worked around.
It's always a long day... 86400 doesn't fit into a short.
Several games are insisting on running as admin without ANY real need except programmers' laziness. Several applications have been seen to do the same (Adobe has for example been a real pita some years ago).
The real blame for this should however be placed with Microsoft who accepted that software didn't use Windows security model when it got the "Designed for Windows" mark.
--
This sig is designed for painless integration with the comment...
Learning German is probably an effort on par with trying to replicate their years of work and experience. ;-)
There was even a database detailing which application caused how much trouble without administrator privileges.
However, in all of this the question comes to mind whether the best way to obtain as much as possible of Mac-like security and ease of use on PCs wouldn't simply be installing Linux in the first place.
It just makes sense; on UNIX you wouldn't do non-administrative stuff as root, but I'm not big on gaming, so I'm not sure how gamers would get on as User. But for all the usual non-gaming tasks running in a user account doesn't get in the way at all.
One thing not many people mention; to get the best out of running as a user you should change the permissions on the drive Windows NT is installed on. On XP users can create folders outside of their home folder by default, but it'll keep things much cleaner and throw a spanner in the works of most spyware if you turn this permission off (You have to turn off simple file sharing to do this, which unfortunately you can't do in XP Home).
Running as user, and with disk access limited to your home folder, you get some of the best of UNIX's security settings on Windows.
// MD_Update(&m,buf,j);
You can run Windows as a normal user under the following circumstances:
a) You are in a company, working with a professional IT environment, with a helpdesk and administrators with knowledge
b) You are an administrator with knowledge
Running Windows as non-admin is not for the faint of heart. While most Microsoft software runs flawlessly as non-admin, there is a large percentage of third party software which does not. This can be fixed in most circumstances, changing permissions in C:\Program Files\, the HKLM Key in the Registry, giving some Special Permissions to users, etc. pp.
Most games still don't work as non-admin. Installing a new application becomes a rather tremendous task of trying to find out what doesn't work. Sometimes these missing permissions cause rather subtle errors, which aren't obvious to figure out.
You will need to use sysinternals filemon/regmon each time you install an application.
It's not a problem to create a professional company network with only restricted users, if you have staff which is always available (-> You are not using a service provider). And if you have a rather restricted set of applications which is in use (You don't upgrade apps on a weekly basis - might happen if you're using SPS or PBX configuration tools).
My usual recommendation to home users are the following points:
* Use COMMON SENSE, think about what you're doing
* Keep a recent image of your machine on a separate USB Harddisk
* Run your machine behind NAT of some sort
* Keep an updated Antivirus/Antispyware solution on your machine
* If you can, buy a Mac
The latter is a good choice, as long as Macs aren't too popular.
Personally, I think running as non-admin is a good idea, but I don't really like the way it's implemented in Windows, so I don't do it myself.
I can't tell you the number of computers I repair that don't even have a password set on the admin account itself. Most users don't know this account even exists. Even if you use a non-admin account, many hackers use the password-less Admin account itself.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
So, you run XP as admin with no firewalls or antivirus despite having been hit by a virus in the past, and you don't reboot after updates, which means basically that your updates are not applied to your machine...
What is it exactly that the 'clueless morons' do that you don't?
Information doesn't want to be anthropomorphized anymore.
How realistic is it to expect a Windows user to run their OS as non-root?
About two months ago I tried it. It was absolutely fucking horrible, and just a colossal pain in the ass. It may just be because I'm constantly installing/uninstalling both software and hardware, tweaking the system settings, etc. but it was flat out unusable. I've managed to avoid getting any virii, trojans, rootkits, etc. for the past decade - but even if I were to have to do a completely random system wipe once a year (in addition to my four quarterly reformats each year) I would still be way, way ahead in productivity compared to running as admin.
It's simply not worth the hassle.
--Ryvar
My user account (SID) on my x64 windows machine at home isn't in the administrator group, and I occasionally run into problems. Most software works ok, though.
The typical problem is that the programmer or software architect didn't account for user-specific config settings. Just like on unix, Windows lets you keep user-specific stuff in the user's profile. However, Windows has the ability to synchronize the user's profile across the network -- including the HKEY_CURRENT_USER subkey from the registry, so it's not as simple as just writing a bunch of stuff to a dotfile.
The WinNT kernel actually has an entire subsystem in its executive layer dedicated to handling its elaborate permission system: the security manager. It isn't nearly as easy to learn as the unix permission system, but it is capable of doing some pretty nifty things, like creating audit entries every time someone accesses a driver endpoint, or requiring someone to be logged onto the system console before allowing them to do something.
The problem is that it's just like xlib: you'd have to be crazy to use the APIs directly. So, programmers have the option of either:
A) Write hundreds of lines of code to implement graceful fallback using those APIs to test whether a privilege is available (and gracefully handle errors that occur when calling those APIs), or
B) Write one line of code to call MessageBox() and throw up a dialog telling the user they're boned if some API fails and GetLastError() returns 5 (access denied).
Both ways will result in working software -- as long as the user is running as administrator. Your typical profit-oriented software house doesn't have any financial incentive to help the users run with least privilege, so they nearly always choose option B if they have a choice about it. This is why a lot of people hold a grudge against certain application packages for throwing up incomprehensible error messages. It's not that the programmers don't know how to do it right, it's just that they don't want to.
As a specific example, Cadence's capture product for EE work will throw up this helpful dialog if you don't have write access to the HKLM registry key, which is only writable by the Administrator and LocalSystem users by default.
By the way, the poster's use of the word "root" is a little misleading. In Windows terms, "root" is really the LocalSystem user, which has full access to everything, including \Device\PhysicalMemory and other juicy objects. The Administrator user has the ability to escalate privileges to LocalSystem, but it requires a few extra steps.
As far as helper software goes, there are only two things you need to know: the RUNAS command and the *.MSC files. The *.MSC files are Microsoft Management Console profiles, which are used by MMC to throw up dialogs like Local Users and Groups (lusrmgr.msc), Disk Management (diskmgmt.msc), and Device Manager (devmgmt.msc). You can even run them from the run dialog or the command prompt, since the MSC extension is associated with the MMC program by default. Go try it, I'll wait.
But how does this help you if you don't have privileges to modify disks or devices? Enter the RUNAS command. If you've heard of sudo, you can think of this as sudo for Windows. In fact, I usually do this on Windows boxen where I'm non-root:
C:\>cd %userprofile%
...
C:\Documents and Settings\myself>mkdir bin && cd bin
C:\Documents and Settings\myself\bin>copy CON SUDO.CMD
@ECHO OFF
REM sudo -- run program as administrator
runas /user:administrator %*
^Z
1 file(s) copied.
C:\Documents and Settings\myself\bin>sudo "mmc devmgmt.msc"
Enter the password for administrator: *************
Attempting to start mmc devmgmt.msc as user "MYBOX\myself"
C:\Documents and Settings\myself\bin>
Then the de
-- thalakan
Three years ago my girlfriend took her machine to a friend of hers to get it fixed. The guy installed a bootleg copy of XP on the machine, as well as an install of Norton AV.
When I had to clean the malware off, I noticed that there were no service packs, and the Norton had not been updated in over a year and a half.
I backed up all the pictures and work documents, then installed a legal version of Win2K Pro, Anti Vir, Clamwin, Firefox, spybot and Ad Aware.
The hardest part was convincing her to use her newly created user account. She did not like the idea of not having privileges on her own computer.
After a lot of explaining, she agreed that maybe I knew a little bit more than she does about maintaining a computer. I had to give her the root password, but made her promise not to use it.
Now, the box has had no malware infections for over a year and a half. The only programs not useable by the user accounts are StarCraft, and BitComet. Neither of which she cares to use.
The three different accounts all have different wallpaper, admin has a very large picture which is predominantly red....signifying "stop", or "Danger". If she wants to start browsing, she checks to see if anything is running, and then shells out into her user account.
My user account has a wall paper picture which is a green background with a Templar in blue and green hues...signifying "go", or "Safe."
Her account has a nice picture of the San Francisco wharf, taken from a boat. There is no way for her to infect this machine unless she does it maliciously. And even then, the keylogger I installed will probably help me figure out what she did, as well as when.
Today's show is brought to you by the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0: 25
most places don't give users local admin, including at mine. once in a while you'll find an app that won't work right that way, but most mainstream apps that are written properly work just fine. the biggest complaint i've heard is not being able to double click on the clock to get the calendar. users and guests can't do this by default, but this can be enabled in the local security policy. one big perk is that if you aren't logged in as admin, automatic updates will just be downloaded and installed without being prompted, so you don't have to worry about users ignoring their updates. we've also not had any viruses in over a year (knock on wood). i've found most apps that initially don't work right under user accounts will work if you give the user write access to that app's directory under "program files"; much better than giving full blown access.
There have been a number of stories about it in the last few years even interviews with MS people in which this was addressed.
Basically, it can be done but not easily and not without a lot of hassle. MS knows this and is supposed to be working very hard on this. Vista is supposed to cure it all.
So for now it seems you are condemned to run with higher privileges than necessary.
Well unless you are willing to just set up your machine right and then not mess with it as a user. You know like it is being done in offices around the world?
No, a regular user can't install many software packages because they need admin. So? Yes this is different from unix systems but is it all that bad?
The entire point of viruses and trojans and userlevels is overrated anyway.
I run as admin on my gaming box all the time because as far as I know games need admin and never been infected in all the years of windows. It just takes a bit of common sense. No this doesn't mean avoid P2P. I never had a dud file via P2P. I don't understand how people manage it. Fake movies? The only fake movie I downloaded was Doom, they took my action movie and turned it into an aliens wannabe.
Guess I am just too smart to fall for trojans and viruses eh?
Then again, I don't get much spam either. Nobody likes me :( The I love you virus totally skipped me.
Somebody spam me? Please!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I've run my own machine (when I ran windows) and machines which I have had to support as non-admin. It is completely doable if the workstations have to run only a few programs and/or there are IT people backing up the attempt. Many programs will need to be modified to be run as a non-admin & many of those must run some things with escalated privileges. Some of those have holes in them.
It isn't something I'd suggest to mom -- her support is me & I don't have time to make sure she can do everything she needs to as non-admin. Non IT people would have to jump through too many hoops to do basic things.
It is feasible to do MANY things as a non-admin & switch to an admin account when you absolutely must. Superior SU is handy for this. I'd suggest setting the admin's desktop to an obnoxious red color so you can tell the difference. PrivBar is also useful to see your rights.
There are a handful of LUA sites to help you find other tricks in general or to get specific programs to run as non-admin (some of which are below). Usually, this involves installing as admin & granting read & execute privs to dlls and executables. Sometimes you need to grant write access to what SHOULD be protected directories.
Some sites:
...but in a corporate setting. At home I wouldn't dare run without admin, too much stuff doesn't work. But in an office setting like that it's very easy to manage without admin.
My recommendation is setup shortcuts that use runas.exe whenever you have something that needs admin access. Use /env to use the current user's profile as this fixes most problems that installers and programs have. As long as you setup things to use admin that need them, you can have a workable system. I've done that for a couple family members and it's worked out fine. And no spyware for them!
"I want to get more into theory, because everything works in theory." -John Cash
http://blogs.msdn.com/aaron_margosis/archive/category/5785.aspx
(Btw, I personally prefer "Folder Options->View->Launch folder windows in separate process" to MakeMeAdmin, because I remember that's the only way to properly run Windows Update from Internet Explorer as Admin from non-Admin account)
I've run Microsoft OSes from DOS 3x up to Win2k and the one thing I've gotten used to is screwing everything up and having to reload the system from scratch. It's just something I have to do. I can load in Win2k and several CDs full of crap in about 4 hours --that includes setting up Apache/PHP/MySQL, setting up my start menu folders, and thinking vaguely about getting a shower after I'm done. But this happens about once every two months and not because someone from outside compromised my system, but because I flipped the wrong switch. Why all this trouble? Because I can't stand not having 24/7 administrative access. I have to be able to jigger with things I shouldn't be jiggering with and I have to have that 'in control' feeling. Security isn't the issue --but it might be... you see, through all that trouble I've had to learn to be more careful. You don't get that when you can stumble all over the place and have the system lock you out of anything that'll get you and it into trouble. But you've gotta have some serious patience to pull that off, so it's not for most people. The last thing the average user wants is to take the responsibility for dropping an OS and losing a day or more of someone else's work. For some reason I can pull that off, but I imagine that those of the non-insane world would rather avoid the trouble.
You can eliminate the guess work by using Regmon and Filemon from here.
These utilities log all file and registry access attempts, successful or unsuccessful.
Most applications that "need" admin rights, actually only need the correct rights on a specific reg key or directory. Granting only the needed rights gets the app working without adding unnecessary rights/risks.
A house divided against itself cannot stand.
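The approach described in the comment above (log the denied accesses, then grant rights only on those keys and directories), as an added example that is not part of the original thread. It assumes a simplified tab-separated log with the columns process, request, path and result; the request names, "exampleapp.exe" and the ExampleVendor/ExampleApp paths are hypothetical, and the sample log is constructed.

```python
import csv
import io

# Request names treated as writes (assumed names for this simplified log format).
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteValueKey", "CREATE", "WRITE", "DELETE"}

# Constructed sample, NOT real tool output. Real Regmon/Filemon exports carry
# more columns; only process, request, path and result are modelled here.
SAMPLE_ROWS = [
    ("exampleapp.exe", "OpenKey", r"HKLM\SOFTWARE\ExampleVendor\ExampleApp", "SUCCESS"),
    ("exampleapp.exe", "SetValue", r"HKLM\SOFTWARE\ExampleVendor\ExampleApp\LastRun", "ACCESS DENIED"),
    ("exampleapp.exe", "QueryValue", r"HKLM\SOFTWARE\ExampleVendor\ExampleApp\License", "ACCESS DENIED"),
    ("exampleapp.exe", "CREATE", r"C:\Program Files\ExampleApp\settings.ini", "ACCESS DENIED"),
    ("exampleapp.exe", "WRITE", r"C:\Program Files\ExampleApp\settings.ini", "ACCESS DENIED"),
    ("exampleapp.exe", "OPEN", r"C:\WINDOWS\system32\example.dll", "SUCCESS"),
    ("exampleapp.exe", "CREATE", r"C:\WINDOWS\system32\exampleapp.log", "ACCESS DENIED"),
    ("other.exe", "SetValue", r"HKLM\SOFTWARE\Other\Setting", "ACCESS DENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_log(text):
    """Parse the tab-separated log into dicts, skipping blank or malformed lines."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for fields in reader:
        if len(fields) != 4:
            continue
        process, request, path, result = (f.strip() for f in fields)
        rows.append({"process": process, "request": request,
                     "path": path, "result": result})
    return rows


def is_under(path, root):
    """Case-insensitive check that path is root itself or lies below it."""
    p, r = path.lower(), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def plan_grants(log_text, process, app_roots):
    """Return (grant, review) lists of (path, access) for one process.

    grant:  denied paths inside the application's own directories or keys,
            where a narrow ACL change is reasonable.
    review: denied paths outside those roots (shared system locations);
            granting there widens what any code run by the user can modify.
    """
    needed = {}
    for row in parse_log(log_text):
        if row["process"].lower() != process.lower():
            continue
        if row["result"].upper() != "ACCESS DENIED":
            continue
        access = "write" if row["request"] in WRITE_REQUESTS else "read"
        # Keep the strongest access seen for each path.
        if needed.get(row["path"]) != "write":
            needed[row["path"]] = access
    grant, review = [], []
    for path, access in sorted(needed.items()):
        inside = any(is_under(path, root) for root in app_roots)
        (grant if inside else review).append((path, access))
    return grant, review


if __name__ == "__main__":
    roots = [r"C:\Program Files\ExampleApp", r"HKLM\SOFTWARE\ExampleVendor"]
    grant, review = plan_grants(SAMPLE_LOG, "exampleapp.exe", roots)
    for path, access in grant:
        print("grant  %-5s %s" % (access, path))
    for path, access in review:
        print("REVIEW %-5s %s" % (access, path))
```
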
The problem with not running as Administrator constantly for most Windows users is they value their own laziness over security. As if the security flaws in the Windows codebase itself weren't bad enough, it also has to compound the problem by encouraging everyone to run as Administrator by 1) making it the default and 2) not providing "Run as user..." in places you might realistically need to run as root, such as control panels instead of the current situation of only arbitrary binaries getting that option...
Help us build a better map!
Some software vendors haven't bothered much to make their product running _well_ in a multi user environment. Configuration files should not be stored in the application directory, but rather in the user profile.
Other thing to consider would be to run the browser as other (totally unprivileged) user, I guess the next incarnation of Windows has something like this onboard.
Your last summary contains an oxymoron. I don't think realistic, running windows and security should be combined into one article.
:)
Oh and while you're fixing it say "hi" to (-5, Flamebait) for me
"I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
I have separate user accounts that my kids use and about 1/2 of their games don't work. So when I let them log in on an account with admin priv to run their games they invariably exit the game and do "web stuff" later on and the next day I sit down to do work and there's all sorts of crud installed.
Recent games (the last couple of years) are behaving better eg World of Warcraft runs as a regular user but previous Blizzard games didn't. The Sims2 runs as a user but puts multi 100 megs of files in each user's profile.
You have to find out what programs ppl will be using. Many CAD/Animation packages need to be administrator to run. If it's just Office or websurfing then user admin accounts are fine and safer (and as you say, the user is less likely to screw things up).
I had thought to allow the kids their own computer each and they can do whatever they want as administrator, but the time taken fixing their machines and the bandwidth taken by malicious sw meant it wasn't worth it so I quickly gave up on that idea.
pithy comment
I never said I believed it. But that is what is claimed. Surely MS won't think it can pull the same crap again?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
How realistic is it to expect a Windows user to run their OS as non-root?
Unfortunately, completely un-. I've tried at home -- too much of a PITA. I have to at work (corp. policy), and when it is a PITA, it's a huge PITA.
Hopefully this will all change in Vista, but until then, do the opposite, continue to log in as admin, but run network-facing programs, esp. IE, under a limited user account. On XP there's DropMyRights. I run 2K at home, which doesn't support what that utility needs, so I achieved similar manually, described in my journal, here and its addendum.
Attention zealots and haters: 00100 00100
Back then it was a bit of a pain, as some maintenance tasks actually required logging in as an Administrator and didn't work with "Run As". Plus, "Run As" required you to actually download and install a PowerToy, rather than being part of the context menu by default.
Nowadays pretty much everything necessary is doable via "Run As" - and the few things that aren't XP users can simply use Fast User Switching to bounce into an Administrator account (I use Win2k3 on my desktop which, sadly, lacks this feature). Windows 2000 users will need to start up a CMD prompt or Explorer window running as Administrator and go from there, or in rare cases actually login to an Administrator account.
The biggest hurdle is teaching "ignorant" end users the distinction between an "Administrator" and a "Regular User". Once you've achieved that, teaching them how (and when) to do stuff in "Administrator mode" is relatively easy.
Unfortunately, running as an Admin is only effective today because the vast bulk of malware is as poorly written as much consumer software and craps itself when faced with a non-admin account. As non-Admin accounts become more common - and malware writers become more competent - this will change and most of the protection offered by a non-admin account will evaporate.
It's not especially difficult to run as a non-Admin, assuming the user actually understands what that means, but IMHO - after having put some thought into this recently - a good set of well maintained antivirus and antispyware software will provide a level of protection as good, if not better, and do it less invasively and more sustainably. The usefulness of unprivileged accounts - particularly on the typical single-user desktop - is overstressed by people who have histories of heavily multiuser environments (or like to pretend they do) and think that the principles there translate directly into the "appliance computing" the typical PC is used for.
If the user in question will have a relatively static application load and someone to set it up for them initially, with the occasional spot of maintenance, then running as a regular user is trivial (my mum was using Windows XP in a regular user account for ~4 years until I bought her an iMac last year - I think I had to do some maintenance on the machine maybe 3 times, one of which was the SP2 install).
But for the most apps this is not a problem. Some apps have issues running out of the "Program Files" directory in user mode. But there are simple ways around that.
To come across an easy way for instant elevation (run as admin, w/e) in XP. Maybe I'm not looking hard enough? Not many issues as far as spyware / viruses. I'd def give it a shot if I wouldn't have to reboot every time I install an application.. that's why I'm usually at least a week or two behind on patches, I hate rebooting.
:)
As a general user that doesn't know how to install programs on their own anyway and has issues doing simple things like sending an e-mail attachment there is no reason to run as admin. So for yourself or more savvy users I could recommend possibly running as admin and for the less-knowledgeable without it.
Of course there is the 3rd case where people are able to do admin tasks and you don't want them to.. that one should be obvious though
As a user, what's the most painful thing a virus could delete or steal? Delete: my files that aren't backed up recently (or for home users, ever). Steal: my CC and similar info, which is either in said files, web caches, or even email for some.
What's the common thread for all of those? Right, you as the non-admin user still have full privs over them.
"Office is the most wellknown example" We run office, we are not administrators. Where's your evidence that you have to be admin to run office?
Apart from programmers/developers, you'd be surprised at how many people in medium to large corporations run as non-privileged users.
Once you make users non-privileged, a *HUGE* number of support problems go away. Before I handed off desktop support to an assistant, people would often come to me and ask for admin privs. Everyone who asks for admin privileges will swear upon everything that they find holy that *they* would never cause any problems. Like prisoners, they're *all* innocent. And yet, without the admin rights, things go sooooo much more smoothly.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
A working 'Safe' setup
I set up a Windows 2000 box about 4 years ago for my parents and put them directly in user mode. (Also disallowed IE to the internet and stopped Outlook Express from starting using Kerio Firewall.) This fast became a problem because it was impossible to use the video grabbing software. I ended up making an administrator account with fewer icons visible. In the past 4 years I have taken about 6 evenings to fix some odd stuff. And one complete reinstall because of a hardware upgrade. I also explained that when they needed to install some software they needed to use the 'video grabbing' account for installing software if they needed to. They have installed some software for a digital camera, some tax programs and quite a lot of other tools that my father deemed to be safe. He is not prolific in either English or IT in general but he never managed to kill the box.
Enter 'The Expert'
Two months ago they took up ADSL with WiFi. The technical support guy installed the drivers (in user mode, because he did not recognize it). After about 2 hours he began asking my father questions about why it might not work and my father ended up giving him access to his video grabbing account. Then the driver did install and it worked almost immediately. The biggest trouble is that the whole freaking driver does not work in user mode. You need to be admin to use the network. The box is now unstable and I probably have to reinstall the whole thing, using a PCI WiFi card instead of the 'free' USB crap. All in all, it seems the 'tech' had never encountered a locked down Windows box and even managed to kill a perfectly working system. That's probably what you get when you are on vacation and have to rely on 'colleagues' :)
Non-admin use of Windows can be quite useful when running Windows in a company/corporate environment, as the admin is able to give or take permissions from the users. This is especially true as the support team has a fixed portrait of what a user has or not in his/her computer, which is quite useful as the average user does not install (voluntarily or not) any software that is not approved by the admin team. However, that type of restriction can be quite a pain if one wants to install this OS in a home desktop system. There are some causes to that:
1) the average user does not understand thoroughly the admin/normal user scheme used;
2) some (not many really) manuals take notice that this scheme can be in place, but usually just say "You have to be an Administrator" or something like that, failing to say HOW to be an Administrator;
3) to get Admin privileges in Windows is slow (at least the way I know how to do it), you have to switch users and do what you want, instead of just using su or sudo without having to close/switch the session, this forward-backward motion usually takes time that the average user does not want to lose if all he wants to do is install a small tool;
4) many people complain that the computer or connection is slow, but do not even know what malware is or how to prevent it, believe, the best way to avoid that stuff is education;
5) there are some people that know that they have malware installed and don't worry about that... I know some that even access bank sites in that condition.
Note that by "average user", I mean the people-out-there, who use the computer just as a tool, unlike most people here on /. which just prefer a better OS, or who at least know how to handle that kind of problem on their own.
Anyway, although I have dualboot in case I have to use some esoteric software, I do not take this OS very seriously, so take my advice with a truckload of salt.
"What is it exactly that the 'clueless morons' do that you don't?"
/.? Even a windows user who runs admin with no av or firewall and reads /. has to be a geek right?? =P
Post on
Time is an illusion. Lunchtime doubly so. - Douglas Adams
I've been running XP (and 2000) as non-admin for a while now. Most tasks are fine, with the usual problems being post-installation for new apps and games after you've logged out as admin and actually want to use them. :)
The most common problems I encounter are Registry-related, apps trying to open HKLM keys in read/write mode for example, and are primarily due to the software developers running as admin on their own machines and never testing with lesser-privileged accounts.
I usually contact the developers with specific information as to why their apps aren't working as non-admin, generally getting positive responses and updates to the offending apps. The best experience I ever had was with Holger Matz, developer of the FL Datastorm program (a companion app to the MS Freelancer game) who, after a couple of back-and-forth e-mails had a new release fixing the problems in 2 hours and 2 minutes. How's that for service!
Unfortunately, most mom and pop users wouldn't have a clue how to use APIspy and Regspy to diagnose these sorts of problems.
From a technical perspective, Windows doesn't have any equivalent to 'root'.
I've been using win2k as a restricted user for probably 5 years now. It's basically a non-issue, since I don't have to install stuff often. However, some programs (usually always the same publishers) require admin privileges. Some even can't be used utilizing Runas.
Some of the worst offenders:
* Nero Burning ROM (notice: I use an older version, as I am a student and can't afford to buy newer stuff if the older ones work fine)
* Every newer game (probably since 2003) by Electronic Arts. I'm especially looking at you, Battlefield 2!
* Miranda IM won't work without admin privileges, although there might be a mythical way to work around this that I haven't yet discovered.
* Steam...but that's rarely used, anyway.
* Origin 7.0 (same as Steam)
And, on the other hand, there are programs that work perfectly:
* Firefox (even the automatic updates!)
* Thunderbird (same)
* OpenOffice
On the whole, not a real issue, running without admin privileges. But sometimes, you've got programs that won't work. For example: my girlfriend's laptop's wifi won't work unless in admin-mode. Great, if you're logging into a university network...it's a Fujitsu Siemens with Intel M processor.
The biggest problem I had with this was when I ran WinNT (and I'm assuming it still holds for later versions). Certain programs would require administrator access to install correctly, so I'd log in as administrator to do the install. Once I was back on my non-admin account, the security permissions in the registry (for keys created by the install) didn't allow me to access those keys--and the program wouldn't run correctly.
If I recall correctly, XP has a feature whereby you can allow a program to run as a different user. So maybe this isn't a problem anymore. I finally got sick of it all and just run as an administrator.
Check out Chad's News
You really want to be safe? Don't allow the regular users write access to WINNT and Program Files. WINNT proved not to be a problem. But when you block write access to Program Files, about half of the programs I use simply do not work. Another handful work, but don't retain settings. It's not really the fault of Windows, but the fault of the application creators. For all of the inconsistencies in Unices, you know that you store user data in dot files in ~, and temporary files in /tmp. Windows has Documents and Settings and /WINNT/temp, but application developers just don't use them. You could probably write a book on the paradigm differences between Windows and UNIX that result in this symptom.
The masses are the crack whores of religion.
First: games. If it's a computer you plan to play a lot of games on, you're pretty much screwed, because many of them won't work, and they won't give you a decent error message as to exactly what permission they're missing. Quasi-educational games for children are the worst offenders, but games intended for adults will give you trouble too. My recommendation is to have a separate computer for nothing _but_ games, don't do anything important with it, don't store any important data on it, run as admin, and when (not if) it's compromised, just fdisk and reinstall.
Another problem area is automatic updates -- not Windows Update, those work fine, but automatic updates for other applications, such as antivirus software, web browsers, extensions, plugins, and the like, will often not happen until somebody logs in as admin. For this reason, somebody needs to log in as admin on a regular basis, preferably daily. Most home users will not appreciate the ritual of having to log in as admin but then log out and log back in under another account to do stuff, so unless you've got a geek around that can take care of that sort of thing there could be significant... issues, in terms of getting that to happen.
Finally, the problem that bothers more savvy users who try to do this is that, as near as I can determine, there's effectively no reasonable, convenient equivalent for su or sudo. If someone can tell me an easy way to log into XP as a limited user and open a cmd prompt with admin privs on my otherwise-limited-privs desktop, without logging out or using the Switch User feature, I'll be more grateful than you can know. Surely I must be missing something, but for the life of me I cannot locate this feature.
Cut that out, or I will ship you to Norilsk in a box.
This is mostly because configuration is all performed through GUI interfaces. So instead of just doing 'sudo something ...', you have to do 'runas' a GUI program (e.g. 'control'), and it's not always clear which program you should run.
On top of this, the 'runas' program isn't always sufficient. For example if you need privileges for doing things in the 'explorer.exe' program, 'runas' probably can't help you. Add to this the fact that when you're in a domain, you can't login as two different users simultaneously (admin and non-admin), and you've got yourself a royal pain in the ass.
We have found that a lot of programs that want to run as administrator really just want to have write access somewhere that a normal user can't write to. Once you figure this out you just give that user write access. Easy to say - hard to do. Some programs required a registry edit to make them work in just userland. These took a lot of research on the internet to find someone's answer. One could claim that it is not Microsoft's fault but blame the software applications; BUT, Microsoft is just as guilty as everybody else in not programming for normal users running their applications and it is Microsoft's OS that is being abused.
zenray
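Two comments above describe the same failure from different ends: applications opening HKLM keys in read/write mode, and programs that only need write access somewhere a normal user can't write. The PowerShell below is an added example, not code from any poster; it probes both cases for the current user and then grants one account Modify on one folder. It assumes PowerShell is installed, and the paths, key and account name are constructed placeholders.

```powershell
# Added example (not from the thread). Run the Test-* functions as the limited
# user; run Grant-DirectoryModify from an administrator session.
# All paths, keys and account names below are constructed placeholders.

function Test-DirectoryWrite {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }
    # Probe by actually creating a file: the effective result is what the
    # application sees, whatever the ACL editor displays.
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        if ($_.Exception.GetBaseException() -is [System.UnauthorizedAccessException]) {
            return $false
        }
        throw   # some other failure (disk full, bad path): do not mask it
    }
}

function Test-RegistryKeyAccess {
    # $SubKey is a path under HKEY_LOCAL_MACHINE.
    # Returns 'Missing', 'NoAccess', 'ReadOnly' or 'ReadWrite'.
    param([Parameter(Mandatory = $true)][string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    try {
        $key = $hklm.OpenSubKey($SubKey)            # read-only open
    } catch {
        return 'NoAccess'
    }
    if ($null -eq $key) { return 'Missing' }
    $key.Close()
    try {
        # Read/write open: the request that fails for a limited user when an
        # application asks for more access than it needs.
        $key = $hklm.OpenSubKey($SubKey, $true)
        $key.Close()
        return 'ReadWrite'
    } catch {
        return 'ReadOnly'
    }
}

function Grant-DirectoryModify {
    # Adds an inheritable Allow/Modify entry for one account on one folder,
    # leaving the account itself unprivileged.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Constructed sample targets for a hypothetical application.
$directories  = @('C:\Program Files\ExampleApp', 'C:\Program Files\ExampleApp\Data')
$registryKeys = @('SOFTWARE\ExampleVendor\ExampleApp')

foreach ($dir in $directories) {
    if (Test-Path -Path $dir -PathType Container) {
        "{0,-45} writable: {1}" -f $dir, (Test-DirectoryWrite -Path $dir)
    } else {
        "{0,-45} not present" -f $dir
    }
}
foreach ($key in $registryKeys) {
    "HKLM\{0,-40} {1}" -f $key, (Test-RegistryKeyAccess -SubKey $key)
}

# From an administrator session, once the probe shows which folder is needed:
# Grant-DirectoryModify -Path 'C:\Program Files\ExampleApp\Data' -Account 'limiteduser'
```

Grant the permission on the application's data folder rather than on the folder holding its executables: anything running as the limited user can otherwise replace a binary that an administrator later runs.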
I've been doing this at home on my WinXP Pro computer and it works fine for me. The only time I bump into problems is when I need to install software, which is rarely now that I have finished setting up the system. I also use Firefox for web browsing and I use web based email, so two of Windows biggest problems (Internet Explorer and Outlook Express) are never used.
Personally, I would like to see more Windows software support drag and drop installation, like most Mac OS X software does.
Set up a Power User account (if you're using XP Pro). It's not as restrictive as a regular user and it'll be less exposed than an Admin account. I don't know whether any games have problems running in p-user mode, but of all the apps I've tried I've not come across any problems yet. (except System Mechanic, but you'd expect that as it really needs the access privileges) Of course power-user is still vulnerable to installing of trojans/malware but I suppose for that education is the best solution, teach whoever will be using the computer that not all software plays nice.
And if you had a firewall, you wouldn't have been hit by MSBLAST. By the way, thank you for spreading that one - my log files have been mucked up ever since by the noise that thing spews.
The Unix crowd gets excited about non-Administrators in Windows every now and then. In fact, it's fairly pointless. The root user was designed for multi-user systems (hence the administrator). Single-user systems don't need it. On a single-user system, the most important thing is not the system files: those can be recovered from the factory install disk—it's the user files.
There are a lot of advantages that Linux and Mac security have over Windows. It's sad that anyone thinks that their most useless security tool for home users (the root user) is actually responsible for any of that security advantage. How often do you hear about a Linux user who has lost user data from a non-root exploit? Pretty rare, huh? So it can't be the root user that saves the day. It's the Unix security design philosophy that's the real advantage. (And low popularity...)
Not that Microsoft doesn't have some cool stuff coming out. IE 7 runs in a sandbox on Vista. This is an impressive security advantage. IE 7 won't even have the privileges of the user running it. It's an application of least privilege; that's a security model that I'd like to see a lot of software use. Least privilege philosophy is a leap ahead of root versus user-level privilege, and is what real security people are debating.
www.vmware.com
Back it up when it's in a pristine state, then anytime they mess it up, delete it, restore from the backup.
http://nonadmin.editme.com/
Thought you probably would have found that via Aaron Margosis' blog.
I have my wife set up as non-admin, and she doesn't really notice. I run as non-admin at home and it's fine. Sometimes it gets messy during development when you need to attach a debugger to a system process (IIS), but there are ways to resolve each issue, and they are documented at the above sites.
WMP does not require admin privileges. You are probably just trying to read media files, or have your entire library stored, in a folder that the non-admin user does not have access to. Put the files in the My Documents (or Shared Documents) tree, or grant permissions to the folder you are already using.
MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updaters and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system, or even let it be set up to auto-run in the background at system level. Also MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000 and you need to run that to get the Optional updates.
I work in State Government in an IT shop, and we have almost all of our users running as non-admins, with the exception of those of us in the IT shop, and one of the developers. It works really well, and we rarely have trouble with malware.
Ever heard of Fast User Switching feature in Windows XP?
Ever heard of substantial prices for RAM? Windows XP OS's Fast User Switching requires extra RAM for each user logged in at the same time. Prepare to endure extended thrashing if you still use an old PC with less than 512 MB of RAM.
switcher \'swi`ch &r\, n.
A person who thinks that they are a Mac user but are really just trying to be. The mistake they make is to try to become a Mac user, when real Mac users are all about not trying to be anything and following your own rules. There is no fashion code to being a Mac user. There are no rules as to what applications you have to run.
Recent converts like you are ruining the old school Mac community because you are posers. Apple releases one OS that popularizes Fitts' law and the Genie effect, and suddenly people assume being a Mac user is all about owning a Mac. But a real Mac user is born, not made. You "switchers" are misrepresenting yourselves and the Mac platform. You're giving people the wrong idea of what Macintosh is.
switcher: shops at hot topic, thinks Firefox is a good Mac app, waiting for OS X port of PayrollPro 2000, follows any hint of a fashion trend (instead of setting them!), wouldn't know Clarus from Carl Sagan.
real Mac user: someone true to who they are, the misfits, the rebels, the troublemakers, the round pegs in the square holes. The ones who see things differently. They're not fond of rules and they have no respect for the status quo. The ones who are crazy enough to think that they can change the world.
I thought using Windows was supposed to be SO much easier (and intuitive!) than using *nix.
You're expecting granny to master all this---including reading an MS-consultant blog---to run her computer effectively? No wonder why she only leaves $5 in the birthday cards.
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
We always create the first account with the name "Install Software" and password protect it. That way other family members, children, etc. can't get in there and cause problems.
I always try to make them do everything they would normally do while I am there to assist with creating the limited accounts, password protecting any that need it, and setting up software. Invariably within a day or two I get a phone call/visit due to some random software not working right.
In one case a bank had some special software you had to use to do online banking which not only had to be installed via the admin account, but would only run there as well.
While working for a University managing labs I ran across a lot of software that freaked out if you didn't have admin privileges. Discreet products are notoriously bad about this. 3dStudioMax pops up a ton of error messages if you run it as a non-admin, but it mostly works just fine. Combustion randomly fails when you access different modules. Our solution in this case was Drive Shield which locks the drive and makes you think you can make changes. Those changes are lost at reboot though.
For normal people most things can be done fine. But there will be some software they will run across (and every person will find at least one) that requires that Admin access. Whether it is banking software, printer software, games, etc.
The way around this is to attempt to train the users how to properly utilize their one admin account. Make sure they know not to use it unless absolutely necessary, and then only use it for what is needed and get out of there! This requires a paradigm shift for most casual windows users and some will be able to adapt and others won't.
That is unfortunate but the truth. Personally I would choose a person or two you are called upon to clean up often, and try to do the switch with them. With luck you will have few problems, and if you do have some hopefully they will teach you how to more effectively train users to play on Windows safely.
This is one thing I enjoy about using the Mac. Even an administrator account doesn't have full blown privileges all the time, and must authenticate for many tasks. And since with OS X they threw out a lot of backwards compatibility most developers write software that can deal with non-admin users. I have found very few software packages that require an admin account, and those tend to be weird edge cases that most normal people would never run anyway. How many normal people need NFS mounts? I'm talking normal people here.
Even software installs are often painless with many companies doing a drag and drop application. Non-admin users can put it on their desktop or in their home folder and it runs normally. Admin users can drop it into the system wide applications folder for all users. Slick. Two different users want different versions of Moneydance? User two can download it and put it on their desktop and launch that one instead of the /Applications/ version.
Of course I don't see windows getting anywhere near that user friendly in this context anytime soon. And really that is sad as it makes keeping your machine clean way easier.
But back to my Windows friends. Two people I set up as above were very non-technical people. And both, while feeling really confused at first, within a week or two seemed to be running pretty smoothly.
As a matter of fact, a bit over a year ago I wrote up a quick and dirty article about limited accounts and other ways to be safe in Windows. It probably won't help you, but some have found it useful.
Shawn's Tech Articles
As someone who runs as a non-admin, I'll share a few tips I've learned on how best to make everything work...
1) Download CPAU, which works somewhat like RunAs but will let you create "job" files so you don't need to type a password each time.
2) Make three accounts, a "guest" (don't use the built-in guest account for this) user, a "poweruser", and an "admin" (don't use the built-in admin account for this). For the rest of this post, I'll call your real account "fred", the lower-permissioned account "barney", and the higher-permissioned account "gazoo".
3) Set the root of all drives to explicitly "deny" all permissions to "gazoo". This wouldn't even slow down an interactive attacker, but few hostile programs expect to need to take ownership and change permissions from an account already having admin privs.
4) Give "fred" write permission on "Documents and Settings\barney". Give "barney" read permission on "Documents and Settings\fred". Give "fred" read permission on "Documents and Settings\gazoo". That alone will solve 99% of permission problems you'll have.
5) Use CPAU to set up job files to run all your networking programs (browser, email, IM, etc) as "barney". Do the same for all programs that legitimately need admin access (many CD/DVD rippers, for example) to run as "gazoo".
6) To install most software (even well-behaved software that doesn't require admin to run), log in as admin (the real one, not "gazoo") and create its directory under Program Files, giving "fred" (or "barney" if it will run with reduced permissions) write permission to that dir. Then, install it while logged in as "fred" (or, again, as "barney" if applicable). Also, some pesky software will work best if you install it first as the user it will run as, and then as "fred". Firefox and Thunderbird fall into this category, because of the way they handle user profiles (Using the highly-recommended "Portable" versions of both will completely avoid this problem, btw).
The above will take care of most common problems you might have. Other problems will still pop up, however.
For example, good luck printing from your web browser - you can use Microsoft's TweakUI to edit the relevant ACLs, but that seems like about a 50/50 shot of working. I currently have two machines at home set up more-or-less as described above, and basically identical. One of them can print from "barney" and one can't. Weird.
Also, get used to using UNC names. Mapped drives, even if mapped under all three accounts, will not show up for programs running as anyone but the currently logged-in user.
And some "experts" wonder why so many Windows users still run as admin.
This problem always crops up with limited user accounts. If they use Quicken, they need to be admin.
What I have done to alleviate this problem is to create a virtual machine in my Windows XP box. I installed Fedora on it and use it to surf. However, if someone needs Windows, they can install Windows on their virtual machine. Any app that wants admin access can happily have it. If that virtual machine is compromised, then it is only the VM which is compromised, not the entire enclosing Windows machine. Just delete the VM and create a new one in that case.
It's completely possible to run as a limited user and just install software as a computer administrator. The problem with that is, computer admin privileges aren't required in order to install software. "Program Files" is writable by all, probably for legacy reasons (old apps storing data in their folder), and only the "All Users" profile is protected from Limited User installers (so they can't add icons to every user's desktop or Start Menu). In addition, spyware and other Internet Explorer-transmitted nasties don't mind a limited account at all - the limitations only slightly reduce spyware infection if at all, in my experience (manually removing spyware for 3 years commercially now). For the reduced compatibility with existing applications, it's often times not worth it for an average desktop system - Firefox, siteadvisor, and especially a little user education (don't download things!) go farther for less hassle.
(tried to post this last night - database maintenance, argh!)
I recognize people by their sigs. Is that a bad thing?
I would agree that many of the "problems" people face with Windows are caused by using root privileges. I only have one Windows box that I never power on, but I recently left a system admin company for which I was one of the chief Windows consultants. Because most of our systems were distributed for medical purposes, many of them had restricted accounts, only able to access one part of a hard drive, able to access a few select programs (of which Windows Media Player was not one), etc.
However, about a year ago (I left the company four months ago) we started to see an influx in rootkit problems. Our technical support department was constantly bringing me new programs that were being used, etc. In an effort to be proactive to stop the rootkit/spyware combination, I googled "Windows rootkit" to find what was out there. Try it. While MANY of your system problems will be cured by tweaking Windows in a "user mode", not all of them will be fixed.
Common sense is the best policy. Be careful what you click on, etc. I have friends who have great, stable Windows boxes that they have used for a long time. They work great. I use linux, and it took me much longer to get my systems up and running than it did theirs (of course, I have to tweak everything perfectly...)
You are a prick, plain and simple.
"After alot of explaining, she agreed that maybe I knew a little bit more than she does about maintaining a computer."
Talk about having a big head.
"And even then, the I keylogger installed will probably help me figure out what she did, as well as when."
Did you know that not only is this an asshole thing to do, it's illegal? You don't own that computer and spying on your GF without her consent is a violation of law. And since you seem to be SOOOOO concerned with being "legal"
"then installed a legal version of Win2K Pro,"
Thought you might want to re-consider crossing the line.
In short...they do everything you can possibly imagine. All those things that you think, "Nahh...no -way- is somebody dumb enough to fall for that." Know why the scum of the net continue to do it? Because it continues to work. That's the difference in not having AV and being ok, and having all the AV, anti-spyware, popup-blocking, and everything else in the world and still somehow magically ruining a box every month.
Unpleasantries.
Microsoft does share the blame, and in fact they have _most_ of the blame.
Certainly this problem happens because of lazy developers, but the market forces at work imply that developers would do the least work necessary to market their program to the majority of users.
Furthermore, no developer has central control over "all programs" - the direction of development of "all programs" rests squarely with MS. We aren't talking about a minimal set of bad actors here.
So the fault lies with M$ for shipping an OS that expects to be installed by default as an admin. If the majority of XP machines were NOT shipping this way - if these applications would break for MOST users - then these people would stop shipping these apps.
Here's a random trivial solution they could've implemented:
Step 1: Add a "modernapp" flag that software can have/set that says "I'm approved for any user"
Step 2: Create a "super-power-user" priv, where everything runs as admin, except things setting the modernapp flag which run as PU. Again, ONLY the apps that ASK for Windows to enforce strict checking get strict checking therefore you have no legacy software problem.
Step 3: Popup a warning whenever you run apps that _don't_ have modernapp set. Don't even prevent it, don't even ask for confirmation - just a warning popup would be sufficient to make those apps fixed.
This would keep it from RUNNING at all. But it would create a reason why Joe Consumer would call the app manufacturer and complain, and after a point it would be cheaper to fix it than answer their questions.
This parallels the way the signed software stuff works, and that would've been a good time to implement it.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
I do NOT recommend RunAs. Because for every program that can't run as non-admin there's two that can't run as a different user than they were installed in.
So to me there are _3_ "kinds" of users from a program requirements point of view:
Admin, Normal/PU, and "Normal/PU but must have admin to install AND must run as the same user they were installed by"
Our standard operating procedure for the installation of new software on a nonprivileged single user machine with 2k or XP is to:
logout, login as administrator
as admin, elevate the local user's privs,
logout, login as user
install software
reboot if necessary
run software to ensure it does its "first run" stuff
reduce user's privs back to what they should have been
logout and log back in.
But MakeMeAdmin looks awesome, I hadn't seen that before.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
I attempted to post on this last night, but db maintenance got in my way.
Not being able to run WindowsUpdate is a major impediment to people being able to run windows with non-admin accounts. This is one of the reasons why I'm happy I switched to a Mac Mini last year, and why I still loathe having to support my wife's Windows laptop.
If there's some way to do it, please let me know - I haven't had time to read through the blog linked in other posts.
I'll create an amusing sig when I have something meaningful to post.
I'm a mac user (at home) too, - and at work, I generally run as Admin on WinXP because Rational ClearCase has been a very tough nut to crack.
Generally;
Running as a User is fine - unless you're going to need to access any control panels, or mess with system areas of the file-system.
But this alone is not really enough to provide real security. You've got to also set some restrictions on file-system and registry permissions. An Excellent guide can be obtained as a pdf file from the NSA.gov website: Guide to Securing Microsoft Windows XP - (Report Number: C44-026-02). Pay careful attention to setting up permissions on the TEMP directory. It really helps a lot with locking everything else down very tightly; as long as your apps are well-behaved. You have to know where your apps are writing their temp files, and as a user, you have to know where your files are being saved.
One of the other tricky areas is the Desktop - because you're seeing a combination of All Users\desktop and %userprofile%\desktop. You need to lock out write access to one, but not the other, if you tend to save files to your desktop.
If you follow all this advice, and find that one or more of your "needed" applications breaks, then here are your two best friends:
Sysinternals Filemon.
Sysinternals Regmon.
Other good pals to hang out with a lot are: Eventvwr.exe (with auditing switched on), compmgmt.msc, and sysinternals psexec.
Fast User Switching is pretty useful - but I think the MOST useful is to enable Terminal Server Service (Remote Desktop). You log in from a remote system as Administrator, and fire up Filemon or Regmon, then locally log in as your unprivileged user - try to do what you're trying to get to work, but is now broken. Filemon and Regmon will show you exactly what your application was trying to access, and failed at. Then you've got to consider what you need to do to correct that situation: either open up access to those objects, or change how you're using the application. Some apps are just plain stubborn though, and will force you into unpleasant trade-offs.
But for most standard web-browsing and document writing, running as User is no problem. Developers tend to get into more trouble because developer tools often require elevated privileges (which is my problem at work right now with ClearCase). This leads to developers normally unit-testing their code as Administrator - which leads to more applications that only run well as Administrator: ie a vicious circle.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
I have been running Windows as a non-admin since 2001. A few ideas, comments, suggestions:
1. There are many things that need to be run as administrator (app installs, etc.) but this can usually be accomplished by right clicking on executables and clicking Run as... for one time access.
2. Use the runas command from Start->Run. Basic usage is "runas /user:Administrator cmd.exe". It will then prompt for a password and you'll be set.
3. Get familiar with the command prompt. There are certain administrative dialogs that are nearly impossible to run as Admin while logged in as another user. For these tasks, you can do a runas to open the command prompt and do it from there.
4. Be aware of explorer problems. The main problem with running as non-admin is that you can not (easily) get explorer to run as an admin account. There is a workaround, though. Download MakeMeAdmin ( http://www.speakeasy.net/~aaronmar/NonAdmin/MakeMeAdmin.zip ) and run that. The script prompts you for the admin password (if you have renamed your admin account as I have you can change that in the script easily) then for your own password. It then launches a command prompt that is actually running as your regular logged on account, but with admin privileges. This should let you work around any remaining issues you may have.
Hope this helps. It's really not as bad as it may sound.
Reading all this stuff I've come to a conclusion. In order to "properly" use Windows, there is just as much mucking around with admin tasks as when using Linux. All these people say how difficult linux is as a user experience, but then you realise that windows users are essentially ignoring or working-around security, something that just isn't done by default in linux. There are repeated remarks here about having to change file and registry permissions and using "RunAs" in order to PROPERLY use windows as a non-admin user. We do this stuff everyday in linux. That's a crucial part of the difference in user experience between the two. Windows users simply aren't doing this stuff. And not because they "don't have to" or "shouldn't" but because they don't know or choose to ignore it.
:)
In fact, because linux typically does a good job of being ready for non-root users, the experience is BETTER. Out of the box, just about everything runs properly with proper permissions etc.
And for the record, I use both: Debian Sid on my work box, various versions of Debian on my server, router and mythtv box, and XP on my family/play machine. And yes, I run the XP box as admin.
man, I feel like mold.
Windows isn't Unix, so it is laughable when people assume that by not running Windows as an admin, it is safer.
Windows simply doesn't have the security layering that Unix has, there is really NO distinction between a non-admin user and an admin user, except for a few Windows-centric tasks, like making new users or a few other networking/server like features. Even the idea you can't install software if you're not in admin mode is laughable. You can. You may not be able to install an application (if that application uses an "installer"), but you can still run things like virus and trojans just as easily in Windows in non-admin mode.
Vista does introduce the idea of having two distinct levels of users in Windows, they introduce the idea that you can't run or install software unless you're in admin or type in the admin password, but I can tell you from experience that this is friggin annoying and most Microsoft customers WON'T want to be forced to type in passwords every time they want to install a program or access the Internet.
Running XP in non-admin mode will give you a false sense of security, and it is no better a practice than running in admin mode. Even in non-admin mode, if your users are opening up email attachments, browsing to phishing websites, or downloading Trojan/spyware software from questionable sources, it won't matter, it's insecure by design.
Unlike Unix and its derivatives, Windows wasn't designed with security in mind, and it is no more or less secure to run in admin mode as any other mode. Microsoft hasn't made a clear distinction between these two user modes and until Vista is released, I would say that it's of no consequence to run XP in admin mode and it's a pointless discussion not to do so.
I haven't thought of anything clever to put here, but then again most of you haven't either.
the 'secure' way is to run as power user, and then when you have some weird program that needs admin, switch over to admin, install it, then recursively grant file permissions to that programs directory.
in real life, most 'average users' will not understand how to do this, let alone want to, let alone understand why.
so they will either quit using their computer because they cant install games etc, or they will switch themselves back to administrator and be in the same pickle they were in before.
however at an office you can get away with a lot more since people dont need to install random crap as often and they can get you on the horn if they need you. at least at some offices.
Been running our entire network of users (100+) as non-admins for almost 2 years now with almost 0 problems. It's entirely possible and very much encouraged. There are no apps that actually require admin privs to run, you just need to find out what it requires to have access to read and write to. Sysinternals have some great tools for this with regmon and filemon. Parse the logs and you can find out exactly everything that each program is trying to read or write to. Grant rights to these locations to the non-admin users and you'll have no problems with non-admins running any program they want while still having the security of non-admin users.
I mean, really. Why do 90% of Windows apps currently require admin rights to run? Lazy designers, that's why.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
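The Filemon/Regmon workflow described in the comments above (log what the application is denied, then grant only those locations), as an added example that is not code from any poster or from Sysinternals. It assumes the log was saved as tab-separated text with the columns sequence, time, process:pid, request, path, result, other; the sample rows, the application names and the two policy lists are constructed for illustration.

```python
"""Summarise ACCESS DENIED entries from a Filemon/Regmon-style text export."""
from collections import Counter, defaultdict, namedtuple

Event = namedtuple("Event", "process request path result")

# Policy lists are assumptions for this example; tune them per site.
# Containers whose children are per-application: grant on the child only.
SHARED_ROOTS = [r"C:\Program Files", r"HKLM\Software"]
# Locations where a denial means "fix or replace the app", never "open it up".
NEVER_GRANT = [r"C:\WINDOWS", r"HKLM\SYSTEM", r"HKLM\Software\Microsoft"]

# Constructed sample rows: seq, time, process:pid, request, path, result, other
_ROWS = [
    ("1", "10:02:11", "examplegame.exe:1380", "OPEN",
     r"C:\Program Files\ExampleGame\System\game.ini", "SUCCESS", ""),
    ("2", "10:02:12", "examplegame.exe:1380", "CREATE",
     r"C:\Program Files\ExampleGame\Maps\DM-New.ut2", "ACCESS DENIED", ""),
    ("3", "10:02:12", "examplegame.exe:1380", "WRITE",
     r"C:\Program Files\ExampleGame\System\game.ini", "ACCESS DENIED", ""),
    ("4", "10:02:13", "examplegame.exe:1380", "SetValue",
     r"HKLM\Software\ExampleVendor\ExampleGame\InstallPath", "ACCESS DENIED", ""),
    ("5", "10:02:15", "oldapp.exe:2044", "CREATE",
     r"C:\WINDOWS\oldapp.ini", "ACCESS DENIED", ""),
    ("6", "10:02:15", "oldapp.exe:2044", "SetValue",
     r"HKLM\SYSTEM\CurrentControlSet\Services\OldApp\Start", "ACCESS DENIED", ""),
    ("7", "10:02:16", "oldapp.exe:2044", "OPEN",
     r"C:\Documents and Settings\kid\Application Data\OldApp\cfg.dat", "SUCCESS", ""),
    ("8", "10:02:17", "oldapp.exe:2044", "CREATE",
     r"C:\Program Files\OldApp\cache\tmp1.dat", "ACCESS DENIED", ""),
    ("9", "10:02:17", "oldapp.exe:2044", "CREATE",
     r"c:\program files\oldapp\cache\tmp2.dat", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in _ROWS) + "\n10\t10:02:20\ttruncated"


def parse_log(text):
    """Return Event tuples; header, blank and truncated lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        process = fields[2].rsplit(":", 1)[0].lower()  # drop the pid
        events.append(Event(process, fields[3], fields[4], fields[5].strip().upper()))
    return events


def _under(path, root):
    """Case-insensitive 'path is root or lies below it' (NTFS and registry)."""
    p, r = path.lower(), root.lower()
    return p == r or p.startswith(r + "\\")


def grant_candidate(path):
    """Map a denied path to ('grant', narrowest per-app container) or ('review', path)."""
    for root in NEVER_GRANT:
        if _under(path, root):
            return ("review", path)
    for root in SHARED_ROOTS:
        if _under(path, root):
            rest = path[len(root):].strip("\\").split("\\")
            if len(rest) >= 2:  # an application container plus something inside it
                return ("grant", root + "\\" + rest[0])
            return ("review", path)  # item sits directly in the shared root
    return ("review", path)


def summarise(events):
    """Per process, count denied accesses by grant candidate or review item."""
    report = defaultdict(lambda: {"grant": Counter(), "review": Counter()})
    for ev in events:
        if ev.result != "ACCESS DENIED":
            continue
        kind, target = grant_candidate(ev.path)
        report[ev.process][kind][target.lower()] += 1  # paths are case-insensitive
    return report


if __name__ == "__main__":
    for proc, buckets in sorted(summarise(parse_log(SAMPLE_LOG)).items()):
        print(proc)
        for kind in ("grant", "review"):
            for target, hits in buckets[kind].most_common():
                print(f"  {kind:6} {hits:3}x  {target}")
```

Entries under "grant" are the per-application directories or keys to consider opening to the limited account; entries under "review" fall in shared system locations, where widening permissions would undo the point of running as a non-admin.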
Actually, I set my parents' XP accounts to non-admin a while ago, and their usually completely-hosed, on-all-the-time desktop hasn't gotten sick since (of course, they also have AVG antivirus). My plan was that because my account (with no password) has admin privileges, I could just tell them to click in as me if they ever need it. To my surprise, they have _never_ reported any problems.
Maybe a lot of nerds are too afraid to pull the admin rug out from under the techno-ignorants in their custody? The truth of the matter is that they are _already_ confusedly plugging through weird messages they don't understand anyway. The real beauty of Windows is that it conditions users to ignore problems and trudge through, firing off a few clicks, ducking for cover, firing a few more, and so on. Just make sure they don't ever think that it's _your_ fault.
Computers are complex machines, which is why real computers need system administrators to regulate the system and users. Windows tries to make this not so (but it still is) since most of their users want something between a typewriter/telephone/tv set. Average people have gotten much more computer savvy in the last 10 years, but not 'this isn't true posix..' savvy. People install applications/plugins/etc. all the time without batting an eyelash. No system/requirements/user reviews, nothing. Just install.exe and see if it fails.
I run windows as Admin (equiv) and don't get into trouble, but I've hardened my system and don't make foolish choices. I still re-install OS about once a year. You have to, the registry gets too bloated.
first off, I run linux. have for at least eight years, and I haven't had a windows computer at all for about a year now.
what do you intend to protect by not running as Administrator or root? it takes a few hours for me to reinstall my computer from scratch. back when I ran windows I tended to do that every four to five months anyway as the installation model was so poor (although it also took me more like six hours to do it).
_big deal._
the _only_ data of any importance on my entire computer is in my home directory and that that's the _only_ data that is allowed to be damaged by code that I run as my user. take out /usr/, I don't care. take out /etc/, I don't care. take out /home/saurik/, and I might as well stop using the computer. _works_ just fine, but all my _data_ is gone. what makes it _my_ computer is gone.
the _one_ intelligent thing you can do is backup your data regularly. (and no need to backup all of C:\Program Files\, which some people are commenting about and complaining is writable even by regular users on Windows... _there's hardly anything useful in there_ (what is is data that should have ended up in C:\Documents and Settings\ under your user anyway).) (although I will point out that backups also have their issues because data typically degrades in importance over time, data from a year ago to me is much less valuable than data I created yesterday, which leads to some kind of continual backup argument, but whatever, that's another issue.)
I don't really know if this counts as non-root-access, but my company is using Windows XP boxes with a central server that holds our homedirs and updates the boxes with new/changed usernames/passwords and home directory files. (Is this LDAP? I don't know...)
So you can login with your password and you get only access to Windows shares (general shares and your personal homedir).
Anyway, while Windows Explorer and other "ordinary" Windows applications gave me a feeling of being locked out of the drive C:, cmd.exe told me otherwise: I can read and write all files on this computer, except other users' data in their respective home dirs which have proper attributes set (the box has a local and a network copy of the homedir and syncs them).
So... what is the point of hiding some drive letters but letting them be accessible through ordinary file I/O? Any virus or worm that doesn't care about if it should have access to C: or not will simply install itself anyway and continue to spread or kill the system or whatever.
Only changing file permissions (and obeying them on OS level) would do the trick.
This is the second time I see security holes like that. The first time, I encountered this strange concept of security on a WYSE terminal. While "Run a command" (and thus direct access to cmd.exe) was disabled, too, a cmd.exe-copy on my usb stick did the trick. (I suppose the WYSE thingy can automatically reinstall a clean Windows image, but still it is a terrible approach of trying to be secure).
On the other hand, all my "official" software, like HP scanner drivers, fail to install themselves when I'm logged in but require "admin" access; I have no clue why!?!
First, some background about my experiences. I have run Windows as a limited user for nearly 6 years. The only time I had to reinstall was when I took the XP plunge. I was on the same installation of Windows 2000 through two motherboard upgrades. During this time, I have only encountered a few problems.
Second, here are some common misconceptions I run into with people who are anti-LUA (limited user account):
1. Anti-LUAers believe running as a limited user is intended to limit the user.
The purpose of LUA is to limit the programmers of the various programs we run. I don't personally know the authors of Unreal Tournament 2004, and I'm convinced they are human, so they make mistakes. I'm not going to grant them complete control over my computer.
2. Anti-LUAers believe programs that don't work with LUA need admin rights.
No, the Administrator group is just a group. It is extremely rare that those programs check to see if the user is in the Administrator group. Programs that have difficulty with LUA simply need what they are looking for (usually filesystem rights, rarely registry rights). Unreal Tournament 2004 wants to download maps and put them in the Program Files install directory. That's poor programming, but I've compromised by granting my account change rights to the UT directory. There, now UT will run. I can get more granular with the permissions if I wanted to.
3. Most people believe the user's account is the user.
Accounts describe roles, not users. I have two accounts that reflect my roles. I use my computer, so I have a user account; I administrate my computer, so I have an administrator account. Anyone who has two roles should have two accounts. Don't use admin accounts as an all-in-one solution.
4. Most people believe their anti-malware will protect them.
How many layers of anti-virus, anti-spyware, and anti-whatever will you try to install before you realize that none of these will protect you from new threats? They only protect you from old threats. Exploits gain the privileges of the vulnerable program. The only way to combat new threats is to deprive exploits of the privileges they need to take over your computer.
In my experience, very few programs actually need elevated privileges. Those that do usually just need elevated filesystem permissions. Don't give out guns to those needing a flyswatter.
What I have seen more problems with are programs that don't work when installed under one account and used in another. They try to use HKCU keys in the registry and don't recreate them when they don't exist (under another account). That has nothing to do with LUA. Those programs have problems with profiles, not privileges.
With all this being said, can a regular user get by with LUA on their own? No. They will need an experienced administrator to get over some hurdles. My main beef is that "experienced" administrators don't want to educate themselves on LUA. They try it once, and at the first sign of trouble, they give up. They fear what they don't understand.
I tried to set up a user's home machine with limited rights instead of admin. Gave up when I found that the Windows Automated Updates would not install under the non-admin account. (This can be worked around if you are on a domain but not for a user at home with dialup).
My brother does the exact same thing with his computers.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
WTF? I hit reply on the post below the grandparent and somehow my reply ended up on the wrong post. Slashdot has issues with Safari. It also sometimes does a "preview" when I click "submit."
Comment of the year
My dad is a 'computer guy'. He has been using computers as the FOCUS of his job for 30 years now; yes, even before MS-DOS came out.
He is not a UNIX newbie, and he has been using DOS since version 2.0. He even knows some programming.
Yet he won't run anything other than Windows or MacOS. Not due to some inherent bias against UNIX/Linux, but because it's just too much work to run for simple tasks (his words, not mine.) There is *NO* convincing him to run Linux, not even after showing him an Ubuntu install. Why? Mostly that he has some Windows-only software, and he never could get WINE to run it. (Yes, he has TRIED to run Linux before.) He at least, does smartly, only run in Standard User mode.
Why do I mention this? Because, even someone who is fully comfortable using UNIX (he runs one BSD machine at work, along with a Mac and a Windows machine,) you may still just not want to switch. And if the person has been using THAT computer for a couple years, they're probably too comfortable with it as it is to change anything around. (Heck, I had one of my employees tell a customer that in order to really fix the underlying problem, they would have to: 1. Back up everything, 2. Erase the hard disk, 3. Reinstall Windows. His note SPECIFICALLY said to back everything up first, in bigger letters than the others. The customer didn't have any backup media, so my employee told him to go get DVD-Rs and back everything up. Of course, the customer promptly erased the hard drive as soon as my employee left, then proceeded to call our office because she claimed that our employee had screwed everything up. When I went out, "BACK UP HARD DRIVE ONTO DVD-R" was very clearly written above everything else, and in a larger font, too.)
In short, you can't always trust even an expert to be comfortable trying another OS.
As for when you HAVE to run Windows, there is yet another problem. I've seen viruses and spyware get onto a computer running in Limited User mode, WITH antivirus and antispyware software running. (Usually out-of-date, but there are so many things out of date on end user's computers these days that they probably THINK they are up to date.) The other major problem is that lots of software (mostly pre-2000, but some XP-grade,) that will only run in Administrator mode. (Most notably, anti-virus updating!) Yes, two of the biggest problems with Limited User mode is that Norton won't update, and Ad-Aware won't run.
Sadly, until Microsoft adds the 'Professional-class 'User', or even 'Power User', home users are stuck between 'Admin' and 'Limited User'.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Well it boils down to the fact that it is easier to use Windows as non-admin when you know the Administrator password. :)
Because you already HAVE XP!
Less Talk. More Stab.
I am the author, and have been eating my own dogfood (using WinSUDO) for months now. In fact I just used it ten minutes ago to install the "windows vista upgrade advisor" on my PC.
The bottom line is, it works great. Previously I had some dire warnings on my page about WinSUDO being an early version, and to beware, but I have removed them, as I've only gotten positive feedback about the program and never had a report about it screwing anything up. Of course, the standard "don't blame me if your computer breaks" disclaimer applies, and is still on the page, but the program is too simple to cause any serious problems.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
1) Don't use Winamp. Use foobar2000. Works properly with multiple/non-privileged users... plugins for everything under the sun.
2) There are other programs besides the Logitech tool that can take pictures with your camera. Try any other PTP supporting application (like the Windows XP Camera wizard). In general bundled software that comes with any hardware is likely to be crap... not just Logitech's.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Create a secondary user, call it, I don't know, Granny2.
Give this user permissions to do whatever it is that the unprivileged account can't deal with (modifying its own Program Files directory, whatever). Make it have no password and deny interactive logon, but allow batch logon.
Now, using "su" from sysinternals, create a shortcut that runs su with the options to log on as "Granny2" using a "batch" logon, and have it run the nasty application.
Here's the key. PUT THE LINK IN HER PERSONAL START MENU/DESKTOP. Not in the All Users desktop. These are special shortcuts for this ONE USER.
To complete the tour de force, go into the registry under the Granny2 user find:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Change Personal, Desktop, etc. to MIMIC the Granny user. Then give Granny2 R/W privs on the Granny profile.
Boom! Smooth, seamless access to all misbehaving apps. I did this to get Turbotax and Quicken to run on a family PC under multiple accounts with unprivileged users who know nothing about technology or to remember passwords.
Worked like a charm.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I left two PCs for younger siblings running Windows 2000 at my parents' house for two years... the only real problems have been hardware failures. I used to remote in to type in the admin password when they wanted to install a new game, but I got tired of that real fast (and felt like too much of a control freak). Instead, I created an admin account called "games" with no password that they can runas the stuff that needs it. Having been unable to install programs for so long they put enough thought into it now prior to using this ability that it still hasn't been a problem. It's been good enough, and is probably what I'll do for all future setups.
If Intuit doesn't want to have to deal with Grampa Bob and 50,000,000 of his closest friends who can't run TurboTax because Vista defaults to a user account, then Intuit can fix their application or cede all of their customers to TaxCut.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
I tried setting up a non-admin account to use for day-to-day use on my laptop, but I abandoned it when I could not find any way to change the power settings. I couldn't go to bed and leave something downloading overnight because the machine would go to sleep and the download would be lost. It drove me crazy, so now I only use a full admin account.
That used to be the case.
Now, with network broadcast buffer overflows, I have had Win boxen infected within seconds of being connected to the internet. Running Windows outside of a firewall *or* with no AV *or* unpatched and unrebooted is simply not an option anymore.
I know a few people who still run with software firewall only, but they are typically the ones I have to go fix their boxes regularly also.
But I log in as admin to install software, and neither of my kids knows or will ever know that password.
My book, podcast
I'm a Mac user myself, while using Linux on my laptop and servers. I do have a Windows server that I RDP into every once in a while to use these Windows-only applications or do work remotely. I try to run as a non-admin user and it isn't that bad. But, two things bug me:
Firstly, some applications will go crazy if you don't run as an administrator. Maybe it's because of a bug in the software, but Photoshop refused to load under a normal user, stating that my installation was "corrupted" (while it worked perfectly in administrator)
Secondly, some java applets on the web will refuse to run. It's not a great deal, but I go into them once in a while.
But, Windows has this nice tool which allows you to run a certain program under another user (kind of a sudo, but more simple). The problem with that is that you need the "Terminal Services" and "Second user login" services to be running, which will take quite some RAM on the lower spec machines.
So get your friend to try it! You have nothing to lose.
Next week, tell him to install Linux.
The hip way to get your IP. No ads, ever.
and that was like 3 years ago. haven't had spyware
... if u get my drift :P
:-] chicken and egg) ...
or viruses so far, except one java virus which coincided
with a friend of the family using the computer to "check his
email".(*)
it's routine to install new programs as administrator now. no big
hassle.
for games or programs there's always the "compatibility" tab
set to run in compatibility mode "win98/me" which takes care of
many incompatibilities.
for hard-core programs i just set permission for that directory for
a limited user to access "full". this is not really safe but it
limits program compromise to rights that that limited user has.
anyway if things do get sluggish i just delete that limited user account
and make a new one which fixes the sluggishness 99% of the time.
anyway, i stand my ground and call people accessing a network with
potential 100 million attackers as ROOT or administrator = not computer
literate, sorry.
a limited user account is a "throw away" account.
(*) i have a notion sometimes that other users are a bit jealous about
my "luck" not being infected/compromised and that they want to "prove"
that i have no clue about computer security
*warning* running as limited user doesn't protect you from buffer overflow
and other serious defects in the OS. so it's still possible for a rights
escalation to admin if there's a bug in the operating systems core files
(or drivers for that matter), but that applies to all OSes (except maybe
minix, singularity, etc (which can also have bugs in the core files)
You've got it all wrong. I reboot when I install an update that actually pertains to security in a real way. Most don't, or are of very marginal use.
I was hit by msblast, yes. It was also gone fifteen minutes after I got that 60 second error.
What I'm saying is simple: Running as non-admin users is not necessarily the "optimal solution". If you're technically competent, running as admin has very few negatives. Running without firewalls simplifies the port insanity that firewalls bring, and allows software to work with fewer headaches. UPnP is a nice step towards eliminating port insanity. Finally, I've yet to find an antivirus software that wasn't a pain.
In a nutshell, know what your updates do and understand the security holes in Windows. If you do, you don't need to bother introducing potential glitchiness by using limited accounts. I'm aware this is very contrary to how most Linux users think, which is likely why I was moderated down.
My technique speaks for itself; I've fewer than 24 hours of downtime (probably more around 10ish) on my main machine in the last year, and this is without any configuration optimizing it as a server.
Continuing on with GP's example of Lotus Notes, this is demonstrably ineffective. Managed (ie: in an Active Directory or NT4 domain) Windows machines have always defaulted to non-admin level user accounts. Yet this has resulted in little to no changes in Lotus Notes and many other pieces of commercial software.
Then when Grampa Bob tries to run TurboTax and it shits all over him (that's the technical term for, "Bob's attempted execution of the TurboTax application failed with a cryptic and unhelpful error message"), Grampa Bob is going to call up Intuit and say, "WTF?".
And Intuit will say "here's how you add your account to the Administrators group" (hell, they'll probably put it in the installation notes).
Take your entire fucktarded family, find a cliff or a bridge, and have you and your entire fucktared family jump off. Problem is solved.