Linked by Thom Holwerda on Sun 30th Jul 2006 15:39 UTC, submitted by nedvis
Privacy, Security, Encryption "Millions of Windows users run the OS with an administrator account because Microsoft's never made it easy to do anything different. In fact, you have to work a lot harder to run with fewer rights. Microsoft will push Vista as the solution to the ever-increasing number and ingenuity of attacks. But why wait? With our five strategies, you can give Windows XP a taste of Vista's UAC protection."
Bit_Rapist
Member since:
2005-11-13

Interesting that they'd miss the best (IMHO) option out there when considering time and money.

RunAsAdmin explorer shim is great, once you install it all of your programs launch in a limited security context, but you have the option of running applications in admin mode (the ones that need it).

I recommend the 2.0 beta release, it's actually quite solid and integrates with Windows Explorer well.
http://sourceforge.net/project/showfiles.php?group_id=127612

Edited 2006-07-30 16:02

Reply Score: 2

StevOS2 Member since:
2006-07-30

RunAsAdmin explorer shim is nifty... First you drop everyone's rights by providing USER group membership only to domain users then (trust issues aside) users can elevate priv's on their business apps that don't comply with LUA/UAC.

Seems RunAsAdmin doesn't like control panel applets with the exception of compmgmt.msc (where a shortcut of the applet is on the desktop and right click to elevate priv's).

Thanks Bit_Rapist!

Reply Score: 1

1 Way to Get Vista's Security Now
by Dark Leth on Sun 30th Jul 2006 16:07 UTC
Dark Leth
Member since:
2005-07-06

1. Download FreeBSD/Linux.

Reply Score: 5

WorknMan Member since:
2005-11-13

1. Download FreeBSD/Linux.

Wow, thanks! You know, I had never considered that. Thanks for the blinding flash of the obvious, Sherlock!

But for those of you for whom the solution of Linux/Mac doesn't work and you absolutely need Windows for one reason or the other, do the following:

1. Don't use Internet Explorer. Use Opera or Firefox instead
2. Have some kind of firewall running (even a $30 hardware router should do the trick if you don't want one running in the background)
3. A free anti-virus program such as AVG. Though you don't have to run this resident, you better be damn careful about scanning everything you download if you don't.
4. Use a little common sense about what you download. If it promises you naked pics of Britney Spears or more smileys for your IM/email, it's probably bad news.

Do the above and you have just eliminated 99% of security issues in Windows. Of course, there's still a remote chance that somebody could hack into your machine (just like somebody could break into a locked car while you're in a shopping mall), but if you're the average Joe User and not running a high-profile server, you should be fine with this.

'But why NOT run as limited user, you say?' Because I've been doing the above for the last 6 years or so and have never had a problem. Why do more than is actually necessary?

BTW: I've never heard of the process manager program .. will definitely check it out.

Edited 2006-07-30 16:42

Reply Score: 3

kernelpanicked Member since:
2006-02-01

Man the moderation Nazis are completely out of control on this site. It was a freakin joke guys, get over it. Probably just hurts that even though it's a joke, there is some serious truth to Leth's comment.

Mod this

Windows troubleshooting steps:
1.Restart
2.Reboot
3.Reload
4.RedHat

Reply Score: 4

dimosd Member since:
2006-02-10

Man the moderation Nazis are completely out of control on this site.

+1 from me...

Reply Score: 3

twenex Member since:
2006-04-21

Good one!

Reply Score: 3

postmodern Member since:
2006-01-27

You mean I can get this "symbolic link" technology that Vista leverages, right now?

But in all seriousness, it's good to see Microsoft deploying these security measures by default, and users wanting them. Sadly they should have done this long ago, and not made their users jump through hoops to attain average security.

Reply Score: 1

bn-7bc Member since:
2005-09-04

I'm not 100% sure, but this tool worked for me when I was on Windows a year ago: http://www.sysinternals.com/Utilities/Junction.html
Some limitations: you can only symlink within the same partition/or was it disk (as in physical disk) (man I forget quickly), and no GUI (well not a biggie)

Reply Score: 1

Poor opening shot, good recovery
by Havin_it on Sun 30th Jul 2006 17:07 UTC
Havin_it
Member since:
2006-03-10

The first thing that struck me was how swiftly Option 1 was dismissed. I'd say the effort involved in familiarizing yourself with the tools mentioned in later Options is just as much effort as migrating to a non-admin account.

Of course, I wouldn't think of doing this on an already-lived-in install; yes, doing it this way will bring many headaches. So simply do it on a fresh install of Windows - if you're unaccustomed to doing this on a twice-yearly basis, your system is likely a thing of misery already. If you care about your program configs, you'll already know how to backup and restore them. Then you can clean-install Windows, install the apps as Admin, then settle down to using them as Limited User. It's really not hard!

They didn't get the app installation point across at all well, IMHO. Of *course* you won't have much luck installing programs as a Limited User - they usually prefer to install into locations that Limited Users can't accidentally delete and LU-initiated malware can't corrupt. Funny, that :S

I'd have liked them to mention that if a multi-user program installed by the Admin doesn't work correctly for Limited Users, then it's *poorly-designed*. I'm all for shaming developers [*cough*Symantec*cough*] that commit such errors.

Bottom line: running your whole login session as a Limited User is hugely safer than just doing so with your browser and other chosen apps. That said, the 'drop my rights' solutions presented here are certainly better than nothing, and kudos for giving them a bit of welcome publicity.

Reply Score: 3

PlatformAgnostic Member since:
2006-01-02

Symantec apps are system-level utilities, by and large... it makes sense for them to be admin-only (except maybe for antivirus).

I think the reason that Windows goes admin by default is a pretty reasonable one: for a single-user workstation it really isn't worth it to have a separation of privileges as long as the user is reasonably judicious in what he or she installs. People were more or less just fine with Windows 95 (except for the inherent instability in the OS) because the market for malicious programs was a lot smaller. I don't run AV and I run as admin for convenience, and I have no viruses (as reported by the once-yearly scan I do with AV and Rootkit Revealer) because I have an idea of what is good and what is harmful. And nothing beats the convenience of being able to access your whole computer the whole time without having to elevate your privileges.

Reply Score: 1

PlatformAgnostic Member since:
2006-01-02

And the only times I ever reinstall OSes on my computers are when the disk fails or when I'm upgrading to new versions. (Or when I was trying a new linux distro, but that didn't affect my Windows installs)

Reply Score: 2

Havin_it Member since:
2006-03-10

Common sense does go a long way I agree, and 99% of the time your methods would be adequate for me too, I reckon. But I still don't trust myself not to be suckered eventually by some clever enough bit of social engineering or trickery.

Just to outline my beef with Symantec, it was indeed the Antivirus that caused the problem. It can't update under non-Admin, not even as a System-initiated scheduled task. Yes, it should generally be running as Admin and not tinkerable while running by non-Admins, but updates don't have to be an interactive process. Most other Antivirus vendors have grasped this.

Reply Score: 1

dimosd Member since:
2006-02-10

The first thing that struck me was how swiftly Option 1 was dismissed. I'd say the effort involved in familiarizing yourself with the tools mentioned in later Options is just as much effort as migrating to a non-admin account.

I was using "Limited accounts" for about 8 months, starting from a fresh installation. You won't believe the number of headaches I had, from "small" problems like Start menu entries not showing up, or having to go and fix the location of configuration files originally in "Program files", to having to install programs in "My Documents" in order for them to work, or just *having* to run a program as admin or it won't work at all.

I also tried all the "sudo" like programs in the market, I didn't find something comfortable enough.

Finally, I gave up, switched accounts to Administrator and crossed my fingers. Everything is so much smoother now!

The problem is that, say, 70% of Windows apps are broken for Limited accounts/Multiple accounts. (including many popular ones). The 2 simple things that would fix most of them:
1) store per user configuration in the user's home folder (%USERPROFILE%\Application Data), not in a global location (Program files\App name)
2) by default, store menu entries in "Documents and Settings\All users", not under the account who installs the program.

These apps are written with a Windows 95 - or worse, DOS - mindset: single user, omnipotent and lack the tiny drop of Unix common sense.

I hope Vista will convince Windows developers to think NT, not DOS...

Edited 2006-07-30 19:31

Reply Score: 2
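An added illustration of the first fix listed in the comment above (not part of the thread and not any poster's code): settings are written only under the user's profile, while the install directory is read for shared defaults and never written, so it can stay locked to limited accounts. The application name, file names and `demo` layout are constructed for the example.

```python
import json
import os
import tempfile
from pathlib import Path

APP_NAME = "ExampleApp"  # hypothetical application name


def user_config_path(env):
    # Per-user location: %APPDATA%, or %USERPROFILE%\Application Data on XP
    # when APPDATA is unset. Never the install directory.
    base = env.get("APPDATA") or os.path.join(env["USERPROFILE"], "Application Data")
    return Path(base) / APP_NAME / "settings.json"


def save_settings(env, settings):
    cfg = user_config_path(env)
    cfg.parent.mkdir(parents=True, exist_ok=True)
    tmp = cfg.with_suffix(".tmp")
    tmp.write_text(json.dumps(settings))
    os.replace(tmp, cfg)  # atomic swap so a crash cannot leave a half-written file
    return cfg


def load_settings(env, install_dir):
    # The install directory is only ever read: it supplies shared defaults
    # that seed a new user's private copy on first run.
    cfg = user_config_path(env)
    if cfg.exists():
        return json.loads(cfg.read_text())
    defaults = Path(install_dir) / "defaults.json"
    settings = json.loads(defaults.read_text()) if defaults.exists() else {}
    save_settings(env, settings)
    return settings


def demo():
    # Constructed layout in a temp directory standing in for an XP disk.
    with tempfile.TemporaryDirectory() as root:
        install = Path(root) / "Program Files" / APP_NAME
        install.mkdir(parents=True)
        (install / "defaults.json").write_text(json.dumps({"theme": "plain"}))
        profiles = Path(root) / "Documents and Settings"
        alice = {"USERPROFILE": str(profiles / "alice")}
        bob = {"USERPROFILE": str(profiles / "bob")}
        settings = load_settings(alice, install)
        settings["theme"] = "dark"
        save_settings(alice, settings)
        installed = sorted(p.name for p in install.iterdir())
        return load_settings(alice, install), load_settings(bob, install), installed
```
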

netpython Member since:
2005-07-06

The problem is that, say, 70% of Windows apps are broken for Limited accounts/Multiple accounts. (including many popular ones).

Dead on I would say. For example take the majority of online games with punkbuster. Most people play online as admin because otherwise the anti cheat software complains and kicks you from the server.

What is the use of all the protection in that case I ask myself.

Reply Score: 1

postmodern Member since:
2006-01-27

What about those online games with punkbuster, that run on FreeBSD/Linux/OSX? Only time I got kicked by punkbuster was when the pb settings became outdated and I had to manually download the new ones.

Reply Score: 1

netpython Member since:
2005-07-06

What about those online games with punkbuster, that run on FreeBSD/Linux/OSX?

Never had any problems running punkbuster monitored games on FreeBSD/Linux/OSX, except when due to my own fault punkbuster was outdated.

Edited 2006-07-31 11:45

Reply Score: 1

konkat Member since:
2005-11-13

I similarly changed to a limited account several months ago and as the article mentions had some problems.

Modifying several folder paths under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders in the registry got me any missing folders/files/settings back. Also setting the start menu to "all users" under the admin account will mean all users will see installed programs.

1) store per user configuration in the user's home folder (%USERPROFILE%\Application Data), not in a global location (Program files\App name)
2) by default, store menu entries in "Documents and Settings\All users", not under the account who installs the program.

I came across this problem as well. Some programs would complain about not being able to update config files unless I gave access to that file to the limited user account. It's unfortunate that more applications don't take advantage of the (%USERPROFILE%\Application Data) directory instead of using the program directory or the registry.

I created shortcuts for Nero, Services.msc, cmd.exe, and an explorer replacement with the following: runas.exe /user:x /savecred which allows me to start those apps as admin.

It's a bit more cumbersome running as a limited account but I hope that the effort will pay off.

Reply Score: 1

Havin_it Member since:
2006-03-10

I probably exaggerated a bit in my original post - there are a lot of pitfalls and things to work out, which maybe I didn't feel as acutely as others might. That's because, before I started, I'd located two invaluable guides that provided much of the know-how in the planning stage: nonadmin.editme.com and Aaron Margosis's blog on MSDN. Having a good resource makes all the difference.

Reply Score: 1

Re: Running Windows securely
by aGNUstic on Sun 30th Jul 2006 17:51 UTC
aGNUstic
Member since:
2005-07-28

When I read this article I could not help but chuckle a little.

It wasn't at the article but at my knowledge of windows users here in Goober Gulch, New Mexico. I'm sure it's a sampling of the larger population within the U.S. and the globe in general.

My personal opinion is that windows should have been secure in the first place back when it was migrated from 3.1 to 95 to NT to XP, etc.

Hindsight is twenty-twenty and rather expensive.

We really should not be discussing `basic` security on an OS in 2006. I guess that's the difference between the `ideal` and the `real` of windows.

It's nice to see the system moving forward and introducing a stricter model of security. I'm not sure the average windows user will like the consequences of applying strict system and file permissions.

I used to make good money cleaning and repairing windows systems. I found users never liked the idea of actually using an administrator account or the `super user` Run As command.

The reason millions of windows users run the OS with an administrator account is the core fault of the manufacturer. They `should` have an administrator and elevated user creation as well as an explanation of the reason behind it in the initial build or install.

Oh well, I guess this is news to the windows folk but rather old hat to us in the BSD, Linux, and *nix world.

Reply Score: 2

RE[3]: 1 Way to Get Vista's Security Now
by nedvis on Sun 30th Jul 2006 18:23 UTC
nedvis
Member since:
2006-01-02

BTW: I've never heard of the process manager program .. will definitely check it out
Process Lasso will do the job better than Taskmanager or CLI kill
http://www.bitsum.com/ProSuper.asp

Reply Score: 1

ghost image
by netpython on Sun 30th Jul 2006 18:41 UTC
netpython
Member since:
2005-07-06

All nice and good but I prefer the good old ghost image.

No more install festivals, only one single activation. Hardly any "bad boy" survives.

Reply Score: 1

Seriously...
by jbalmer on Sun 30th Jul 2006 18:49 UTC
jbalmer
Member since:
2005-12-18

Why don't they use Unix type rights (ugo)? It is high time they removed the difficult to grasp user creation settings and inject some simplicity in it. And also abolish the concept of registry. It is one of the most complex things I have ever seen.

The primary reason I switched from windows to linux was because I found *nix much simpler to configure and use.

Microsoft has a history of thriving in complexity. To get their developer products more embraced, they should think about simplifying everything.

Reply Score: 2

RE: Seriously...
by twenex on Mon 31st Jul 2006 10:07 UTC in reply to "Seriously..."
twenex Member since:
2006-04-21

You just can't please all of the people. Back when everyone KNEW Unix and VMS are the only serious OS choices for department- and enterprise-level computing, refugees from other OSes used to complain about features in their old systems that were missing in Unix. Extremely complicated rights systems a la Windows were one of them. Now of course, ECRS's have come to Linux courtesy SELinux, AppArmor &c.

Reply Score: 2

The joke...
by bouh on Mon 31st Jul 2006 01:37 UTC
bouh
Member since:
2005-10-27

...is the fifth statement.

You have a Mac. Right, a Mac. Personally I don't. But, if I had one, I would not install Parallels to install XP to do what? Browse the web...

Oh no, sorry: it's to get Vista security.

Seriously?

Reply Score: 3

Yet again....
by bailey86 on Mon 31st Jul 2006 11:19 UTC
bailey86
Member since:
2005-10-14

Sigh.... Yet again.....

Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer

Reply Score: 3

Re:
by vesselinpeev on Tue 1st Aug 2006 21:05 UTC
vesselinpeev
Member since:
2005-07-06

A 6th way: a recent topic called "Application-Level Virtualization for Windows" (http://www.osnews.com/comment.php?news_id=15214) mentions several applications, including Sandboxie (which has a free version, yet says it "reminds occassionally to be registered", for cheap). Vista will have some similar functionality, so this is a 6th way (which should actually come before the Mac way). Of course, it isn't convenient to use for all programs, but it is for many. I think this should have really been in the article.

Reply Score: 1