• Wisdom of running as limited user.

    Topic #467357

    About a year ago, I ‘upgraded’ from Windows 98 on an old computer to Windows XP Home on a reasonably fast new one (which I built). I had often seen folks criticized for running regularly under XP with admin privileges, as this supposedly increases one’s risk from malware. I also wanted automatic login when I powered up; and, as I understand it, this can only be done for non-admin accounts. So I set up an account with limited privileges which I will call User. I also had my Admin account. Trying to run primarily as User has caused me all sorts of problems. I regret that I set up two accounts on the machine. I regret it so much that I am inclined to reinstall XP with but a single account. But before I do that, I thought I would check and see if there is something I was missing that could allow me to be happy running without privileges most of the time. So, in the following, I am going to describe some of the types of annoyances which I believe have arisen from my decision to create two accounts. Hopefully this information will enable some folks to give me some relevant advice and/or pointers. Thanks in advance for any help.

    Whenever I install something, I have to run as Admin. There are a number of programs I have that I cannot run successfully as User. iTunes is one of them. There are plenty of others. Some will mostly run, but there are certain things that they cannot do. I think this is because such things require updating information that ‘belongs’ to Admin, and these programs were not properly designed for XP. (A trivial example is Hoekey. With that, I frequently want to introduce new keyboard shortcuts and the like, but it keeps its configuration file in an area not accessible to User. But I am almost always User when I discover something I want to add.)

    (An odd exception is an old version of BlueSoleil (a Bluetooth stack) which came with a USB Bluetooth adapter I bought recently. It works (most of the time) only for the first account logged in, which is User on power up. I cannot start it for Admin.)

    As far as I am concerned, both Admin and User are really me, just with different privileges. Thus it is a constant annoyance that Admin and User cannot share the same profiles. I have separate user profiles for important applications like Firefox. I still need to use the browser when logged in as Admin – e.g., to get help for configuration issues from forums like this one. I want the profiles to be the same; but they constantly get out of sync. I cannot read my email when I am Admin, because the relevant profile for that is User’s. (I can send email OK as Admin.)

    When I have to log in as Admin to handle some configuration issue that I cannot as User, I no longer have the context that motivated me to make the change; so, to finish it, I have to reconstruct what I was doing before I realized that I needed to be Admin.

    I think I encounter Windows XP bugs as well. For example, if I leave Admin logged in when I go back to User, it is not unusual for Windows to ‘lose’ its profile for Admin. In particular, when I go back to Admin, I am told that Windows cannot find my profile data and that it is logging me in under a temporary account. If I reboot, normal access to my real Admin account (and the associated profiles) is restored. (This bad behaviour is a reason that I am considering reinstalling XP rather than just eliminating the current User account.) Another thing that can go wrong is that the graphics driver for Admin can get fouled up. We’re talking about ATI Catalyst Center. It breaks and XP wants to “phone home” about it. (The problem is not even that serious, because it can be restarted OK.) As User I don’t see this, and when I attempt to go to standby, I am surprised to discover later that it did not work because of the current hangup for Admin.

    Clearly the solution adopted in both Vista and Ubuntu is a much better way to deal with these issues. You need only one account (with one set of profiles) and you normally run without privileges. However, you can acquire them briefly to do something that really needs them. I think something somewhat like this exists for an unprivileged account in XP, but it does not work when the Admin account has no password. Even though my computer is situated securely in my home where no one can access it without my knowledge, I figure I need to bite the bullet and go ahead and put a password on Admin.

    I think there may be reasons to be less paranoid nowadays about running with Admin privileges in XP. E.g, I use NoScript in Firefox; I have a hardware firewall in the form of a NAT router; and I have a software firewall (Online Armor). The software firewall seems to step in with respect to all the dangerous sorts of actions that would require privileges. I.e., I am reminded that what I want to do requires privilege (that I already have – but before invoking). The SP3 upgrades to XP also seem to have introduced more of those “Are you sure you want to do this?” types of reminders.

    So what do folks think? Am I foolish to go back to a single-account configuration? Or is there a better way to live with an unprivileged User account?

    • #1213147

      You pretty much have it dead to rights. XP was designed before there was hardly any clamour or need for reduced privileges, and there was very little attention paid to its function; it’s one of the few things in XP that sucks.

      Fortunately there are hardware routers and sandbox techniques that allow one to run intelligently “naked to the wind” if so desired. In other words, there are plenty of alternative methods to interact safely even with a full-on admin account.

    • #1213246

      It’s important to distinguish between the account called “Administrator” and (other) accounts with administrator rights. The account named Administrator is best left unused, reserved for emergencies. In XP Home it’s mostly not visible, except when you boot into Safe Mode.
      Most people agree that trying to work in a limited user account is too annoying and frustrating to tolerate, and want to use an account with administrator rights. I recommend using an account with administrator rights, and a protective shell or sandbox around programs which might be vulnerable (your web browsers and others that use the Internet). I use DropMyRights. See here for how to use it and where to download it.
      You shouldn’t have to re-install Windows to change your accounts. Probably what you’ll want to do is give administrator rights to your User account (and rename it if you want) and then remove your admin account (if it’s not the one named “Administrator”).

      • #1213264

        It’s important to distinguish between the account called “Administrator” and (other) accounts with administrator rights.

        And I failed to do so. What I was calling “Admin” is really named “David” and I gave that account administrative privileges. It is what I use to administer the machine. The real Administrator account remains well hidden.

        Thanks for the pointer to DropMyRights. That is a good solution. Indeed, the page for it also enumerates some of the annoyances of running without privileges – a couple of which I had not personally encountered (yet).

        You shouldn’t have to re-install Windows to change your accounts. Probably what you’ll want to do is give administrator rights to your User account (and rename it if you want) and then remove your admin account (if it’s not the one named “Administrator”).

        I was thinking of moving User’s profiles over to (my) Admin account and deleting the User account. However, there are some scary symptoms I get (like XP losing Admin’s (top level) profile) and which make me want to go ahead and reinstall. I also suspect that the installations of some of my apps has been compromised by the split, so I am willing to reinstall (all of) them. Besides, I now have a copy of XP Pro which I can install instead of XP Home.

    • #1213324

      I think something somewhat like this exists for an unprivileged account in XP, but it does not work when the Admin account has no password. Even though my computer is situated securely in my home where no one can access it without my knowledge, I figure I need to bite the bullet and go ahead and put a password on Admin.

      I like to run as full admin. I know my system and setup. Less pain in the butt to have to switch, or log in to change something.
      Limited user accounts are good too from a security point of view, especially for inexperienced users.
      It sounds like you’re used to, and comfortable with, the limited account, with some notable caveats, so if I were you I would just go ahead and create that admin password. If you find that it’s not to your liking, you can always change it.
      It seems pointless from a security point of view not to have a logon password in the first place, especially with other user accounts, and even if you are the only one present.

      Having a logon password for any computer user is among your first lines of defense.

      As a side note:
      Sandboxing applications is not as secure as you may be led to think, and it will add sluggishness to a system, especially XP.

    • #1213895

      David wrote: “I ‘upgraded’ from Windows 98 on an old computer to Windows XP Home”

      David, if you installed Windows XP Home over Win 98, I would definitely do a clean install of XP. As you have a copy of XP Pro, it’s worthwhile doing this anyway, as the XP Pro version is more secure than the Home version.

      On a single-user PC that is up to date with all the latest MS patches, updated and patched 3rd-party software and solid security programs installed, I don’t see any reason to run that PC with limited privileges.

      Then, if your PC is, say, a family PC where your children have access, it’s a whole different kettle of fish. In that case, you would need to create at least one other account (or one for each of the kids) with limited privileges and password-protect your computer administrator account. I’ve worked on many PCs that were totally messed up by inexperienced users (or kids who think they are computer whizzes). The whole idea behind giving them limited privileges is that no harm can be done to your precious machine by them, say, deleting system files, installing unwanted or infected software or messing around with your files. And those examples are exactly some reasons why you DON’T want to give your kids (or others who should not have full access on your machine) full administrative rights. Sure, functionality is somewhat reduced and some programs and utilities may not fully work in a restricted account, but that is exactly the idea behind it!

      That brings me to the poll question of this thread: “Should I go to a single-account configuration?”

      This of course cannot be answered with a simple yes or no. In your case, if you’re the only user, then the answer is yes, with you having full administrative privileges. If others have access to your PC, then the answer is no. In that case, of course, password-protect your account and let them use either the Guest account (enable it in Control Panel / User Accounts), or create an account for them with restricted privileges.

    • #1213897

      I have never run an XP computer without administrative privileges. Seems rather pointless, don’t ya think? I also have never had any problems with viruses, attacks, whatever just-so-long as I have run Windows Defender and some sort of anti-virus! I am the only account on my computer so it is pretty much taken for granted that I would have automatic login. Of course Windows XP is so, like, yesterday! I am, of course, running Windows 7 Ultimate 64 bit, also with automatic login and administrative privileges. If you can I would suggest putting Windows 7 on there. It will most likely run better than Windows 7!

      • #1214044

        I have never run an XP computer without administrative privileges. Seems rather pointless, don’t ya think? I also have never had any problems with viruses, attacks, whatever just-so-long as I have run Windows Defender and some sort of anti-virus! I am the only account on my computer so it is pretty much taken for granted that I would have automatic login. Of course Windows XP is so, like, yesterday! I am, of course, running Windows 7 Ultimate 64 bit, also with automatic login and administrative privileges. If you can I would suggest putting Windows 7 on there. It will most likely run better than Windows 7!

        I too have never run with anything but full admin rights. Now, since I was “forced” to go to Windows 7 Pro 64 I have no idea how to do this.

        I was “forced” to change operating systems due to a kaput Windows XP 3 computer.

        • #1214070

          I too have never run with anything but full admin rights. Now, since I was “forced” to go to Windows 7 Pro 64 I have no idea how to do this.

          I was “forced” to change operating systems due to a kaput Windows XP 3 computer.

          With Windows 7, the only way to run with full admin rights as in XP is to log on to the built-in Administrator account. You can have a user as a member of the Administrators group, but this is not the same as with XP. You still will have to use “Run as administrator” for some activities that access or modify restricted system files and information.

          I’ve found that I don’t need the full admin rights very often. That will be even less as more software authors get used to the way Win7 is structured.

          --Joe

      • #1216472

        I have never run an XP computer without administrative privileges. Seems rather pointless, don’t ya think? I also have never had any problems with viruses, attacks, whatever just-so-long as I have run Windows Defender and some sort of anti-virus! I am the only account on my computer so it is pretty much taken for granted that I would have automatic login. Of course Windows XP is so, like, yesterday! I am, of course, running Windows 7 Ultimate 64 bit, also with automatic login and administrative privileges. If you can I would suggest putting Windows 7 on there. It will most likely run better than Windows 7!

        Same here. I am the only person in my home, I run as full admin at all times. I don’t use suites for anything, I have individual tools for antivirus, firewall – both hardware and software, malware, memory resident tools and disk utilities including power tools. Have never had a virus nor a piece of malware or spyware make it through my defenses, nor a problem with XP that I didn’t cause myself, :^). I use FireFox almost exclusively, will be happier with it when they get the IE rendering engine working again, that’s been gone since ver. 3.5, but I could NOT deal with NoScripts, it drove me nuts. Since it is just me, I don’t see any reason to not run the machine in the way I am most comfortable. Different strokes and all that is perfectly okay too… :^)

    • #1213902

      DropMyRights is generally good if you use it to lower your admin rights on the web browser shortcut.
      Whether one user as admin or assigning two accounts, one admin and one limited user, there are many arguments and preferences.
      I prefer two: one admin and one limited. The rationale is that most of the time you are a user, not a constant tinkerer. If you are 50-50, well, you’d have to decide.
      A limited user has one basic protection: software installation is denied.
      It is a great way to protect yourself, even if you are tired or absent minded, such as carelessly clicking an evil link in an email.
      With only limited rights, casual daily use will be protected without much ado. No one wants to be on guard, 24/7, high alert to boot. That’s not the way to enjoy your PC.

      On the other hand, some software may not run under limited user account. Here is a trick:
      Log on as admin. Change the limited user account to admin rights. Log on to user account (now has admin rights), install the software, or whatever modifications you want to make. Then go to Start-Control Panel-Users. Set yourself (!) back to limited rights account. Reboot. Now even the limited user has rights to run the installed program.

      Why? The user is the ‘owner’ of the software files and folders. By owner I mean the user installs it.
      You can also do same via security permissions, by changing the owner, or permissions (full-control/execute/read/write/…) of the execution file(s). It is more involved and should be left to advanced users.
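
      An added example (not from the post above, and not anything the poster supplied) of the permissions-based route for the Hoekey-style problem from the opening post: grant the limited account write access to just the application's data folder, instead of promoting the account or leaving it as owner of the program files. It assumes PowerShell 2.0 on XP, an NTFS volume, a limited account named User and an assumed configuration folder path; run it from the admin account (for instance via “Run as…”).

```powershell
# Added example: let the limited account write one application's data folder
# without making it an administrator. Run from the admin account on an NTFS
# volume (PowerShell 2.0). The folder path and account name are assumptions.
param(
    [string]$Folder  = 'C:\Program Files\HoeKey\Config',   # assumed; adjust
    [string]$Account = "$env:COMPUTERNAME\User"            # the limited account
)

if (-not (Test-Path -Path $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

$acl = Get-Acl -Path $Folder

# Modify = read, write, delete, but not change-permissions or take-ownership,
# applied to this folder and inherited by the files and subfolders under it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: show the explicit (non-inherited) entries that now apply to the account.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

      Grant Modify only on the folder that holds configuration or data, never on the folder containing the .exe and .dll files: a limited user who can overwrite a program that the admin account later runs has a direct path to admin rights. That is also the weak spot of the promote, install, demote trick, since it leaves the limited user as owner of everything the installer wrote, and an owner can always grant itself write access again. On XP Home the Security tab is hidden outside Safe Mode, but Get-Acl/Set-Acl (and cacls) still work; the volume has to be NTFS, as FAT32 has no ACLs at all.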

    • #1213912

      If the DropMyRights program interests you, you might also take a look at the Sudown and Trust-No-Exe programs. They do things similar to DropMyRights.

    • #1213923

      On my PC I login as Administrator every time.

      Bottom line is common sense usage of the PC.
      – Don’t open emailed attachments from senders you’re not expecting.
      – Don’t click on links that offer free stuff or clearly bogus offers.
      – Keep Microsoft Updates fairly up to date.

      And install ONE decent Anti-Virus program or Security suite.
      And install a spyware scanning program as Spybot for on demand manual scans.

    • #1213951

      Coming from a Unix perspective, why have full rights if they’re not needed?

      I log into & use my unix system without Administrator (root) privileges. The applications are written with the idea that those privileges are not needed. Mostly.

      The fix is usually file/directory rights. Some apps start with rights, do everything that needs those rights, then drop the rights.

      For installs, a dialog pops up to ask for a password before proceeding. This can’t be bypassed so a virus/trojan can’t slip in w/o me doing something.

      FWIW, MacOS does this too.

      So, when I go on Windows, I’m very frustrated that there isn’t something in place to elevate privileges when I install, run iTunes, etc.
      I’d like to have my son run as limited always. My wife & myself as limited with the ability to elevate.

      Most windows apps assume you have admin rights that can’t be dropped. Why doesn’t MS set things up the opposite way?

      • #1214033

        Coming from a Unix perspective, why have full rights if they’re not needed?

        I log into & use my unix system without Administrator (root) privileges. The applications are written with the idea that those privileges are not needed. Mostly.

        I totally agree. I set up my XP account in the standard Unix/Linux way with one Administrator/root user and one ordinary limited-account user.
        O.K., so the former is needed for installation and disk management purposes (basically any task that requires access to areas outside the user’s home directory), but, I’ve found, on average, I only need to access it one or two times a week. 99% of the time I log in to the limited user account and that’s all I need. Even if some malfeasant gets hold of my identity while I’m online they’ll only be able to mess with my user account – not my whole system.
        I suppose, you could say, it’s slightly inconvenient that XP doesn’t have the one user/sudo type account that Ubuntu and Mint have, but I’ll place security over convenience any time.

    • #1213955

      The one thing I would point out is that it is very easy to install any version of Windows and create the Administrator account with no password. Once that happens, the PC can be taken over by any user that can connect to it. A blank password is one of the first things a password guessing application will check. The Administrator account is normally only accessible in Safe Mode and most users don’t think about assigning a password after installing Windows or setting up their PC.

    • #1213957

      It’s too bad that this is only available in the Pro or Business versions of Windows, but the user type “Power User” really helps with this issue. It is not as dangerous as Admin but it allows many capabilities, most notably application installation. I have used it for years with friends, family, and clients and it is one reason I always recommend the “Pro” versions of Windows in spite of the additional cost.

      I think its presence would make the “Home” versions of Windows much safer.

    • #1213980

      I run my home machines with all accounts limited except for an admin account called ‘Janitor’. Many of the zero day unpatched threats are mitigated by running as limited user, and I want that protection.

      Most new programs will run in limited fine. For me, the key app that doesn’t is Palm Desktop. Actually, Palm Desktop works fine in limited, but the Documents to Go program that works with it doesn’t. So I created a shortcut in my limited user account to ‘runas’ the Palm Desktop program as Janitor. I just have to enter the password for the Janitor account each time.

      For my son’s games that require admin to work, I use runasspc: http://robotronic.de/runasspc/. It keeps the admin password in an encrypted file. I’ll admit the program is a bit rough around the edges, but it works. This way my son’s account is limited, but he doesn’t need the admin password to run his games, and I don’t have to enter the admin password every time he wants to play.

      When using the Janitor account, I have desktop shortcuts to ‘runas’ Firefox and IE as my limited user. So, even though I’m in an admin account, the browsers (the entry point for lots of malware) are running limited. Plus, they are using my familiar profile from my limited user account and I don’t have to deal with synchronizing the profiles between my limited and admin accounts.

      Whenever I install something, I have to run as Admin. There are a number of programs I have that I cannot run successfully as User. iTunes is one of them.

      I have been running iTunes as limited ok.

      I also had the problem you’ve had with my admin account saying it’s profile was corrupt, creating a temp profile. After restarting, it would work properly again. I ended up having to reinstall XP to fix this. David, you should do a clean install of XP.

      Clark.
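
      The runas shortcuts Clark describes (and the “Run As…” install step suggested later in the thread), as an added example rather than anything from the post: a PowerShell 2.0 function that writes a desktop shortcut whose target is runas.exe, used once in each direction. The account names Janitor and User and the program paths are assumptions.

```powershell
# Added example: desktop shortcuts that start a program under another local
# account through runas.exe. Account names and program paths are assumptions.
# Needs the Secondary Logon service; the target account must have a password
# (XP refuses runas for blank-password accounts).
function New-RunAsShortcut {
    param(
        [Parameter(Mandatory=$true)][string]$Name,      # shortcut file name
        [Parameter(Mandatory=$true)][string]$Account,   # e.g. "PC\Janitor"
        [Parameter(Mandatory=$true)][string]$Program,   # full path to the .exe
        [string]$Arguments = ''
    )
    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnk     = Join-Path $desktop "$Name.lnk"

    # runas takes the whole command line as one quoted string; a path with
    # spaces needs its own (escaped) quotes inside it.
    $cmd = ('\"{0}\" {1}' -f $Program, $Arguments).Trim()

    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath   = Join-Path $env:SystemRoot 'System32\runas.exe'
    $sc.Arguments    = ('/user:{0} "{1}"' -f $Account, $cmd)
    $sc.IconLocation = "$Program,0"
    $sc.Save()
    return $lnk
}

# (a) In the limited account: an admin-only program, run as the admin account.
New-RunAsShortcut -Name 'Palm Desktop (as Janitor)' `
    -Account "$env:COMPUTERNAME\Janitor" `
    -Program 'C:\Program Files\Palm\Palm.exe'

# (b) In the admin account: the browser, run as the limited account so it gets
#     that account's token and that account's own Firefox profile.
New-RunAsShortcut -Name 'Firefox (as User)' `
    -Account "$env:COMPUTERNAME\User" `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

      runas prompts for the other account's password every time, and that is the point: the limited account never holds the admin credential. /savecred (XP Pro only) and tools such as runasspc remove the prompt by storing that credential, which means the limited account, and any malware running as it, can start the configured program with admin rights; a game with a file-open dialog or a plug-in folder is then one step from an admin shell. The reverse direction, browser as the limited user from the admin account, is the account-switching cousin of DropMyRights: the browser runs with the limited account's token and its own profile, so there is nothing to keep in sync.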

    • #1214065

      I’ve run in an “admin” account since WinNT 3.51 and never had a problem. I run with lots of protection and never launch websites I don’t trust and can’t find out about. If you take care with your browser, you don’t have problems with rogue sites.

    • #1214074

      Today’s Windows Secrets newsletter has two different articles on the malware Internet Security 2010, aka Trojan:Win32/Fakeinit. It blocks AV programs from running and blocks access to any website that might help. It prevents all access to restore points. One of the writers says that the complex removal instructions took him an hour to execute. This was lucky — if you search the Internet you’ll find people with much worse experiences.

      But that’s only if you caught it while running as administrator.

      When Fakeinit infected my wife’s computer, she was logged on as a standard user. To remove it, I merely logged on as administrator and rolled back to a clean restore point.

      Honestly, I am stunned and horrified that Fakeinit could install at all under a standard user account. But, because it had limited access to core systems, it was not able to deliver its full payload. Removing it was trivial.

      Don’t be fooled. Risks aren’t lower now; they are higher. Fakeinit rode in on a codec served via the CNN site, when my wife tried to watch Tiger Woods’ apology. How could that happen? Black hats can reroute you via a script served up by an advertiser, or even reroute advertisements via illicit servers. The following white paper describes how such a thing can happen:
      http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/a_cybercrime_hub.pdf

      On a practical note:

      – Synchronize your browser settings between the two accounts using XMarks.
      – Set a common mail depository for both accounts, preferably on your logical D: drive.
      – Install programs by right-clicking and choosing “Run As…”.

      You have to switch to Administrator to install Flash updates, but that’s about it.

      • #1214078

        Honestly, I am stunned and horrified that Fakeinit could install at all under a standard user account. But, because it had limited access to core systems, it was not able to deliver its full payload. Removing it was trivial.

        Fakeinit didn’t “install” at all. It simply dropped an executable in the TIF folder and started it. All you have to do is kill the process or log off and re-logon. No system under my control has ever had malicious software install on a limited user account. But the scareware alerts will appear on a limited user account, scaring the user, but not damaging the system.

    • #1214080

      I’ve run a limited user account in Windows XP for years and fast-switched to an admin account, but as I’ve learned how Unix does it with sudo, I’ve wished that Windows would work the same way. It avoids so many problems if you can just elevate the privilege on the account you are using, instead of using a different profile.

      I’ve found a tool that can do this. It’s “Surun”. Get it here: kay-bruns.de/wp/software/surun/.

      Surun mimics Unix sudo as closely as it can. It has many useful configuration options and most importantly uses the secure desktop to get the password authorization for elevation. You can configure specific applications for elevation or allow the user to elevate anything when needed. It’s the best privilege tweaker I’ve seen.

      That said, I really like the way Windows 7 works on an admin account. The only difference I have found with Vista/Win7 UAC (user access control) is that if you are using a limited account, UAC will ask for an admin password. If you are using an admin account, it still asks — but only for a button click. Note that carefully. Even if you are using an admin account, Windows 7 will ask for elevation escalation to install software or make important system setting changes. This is excellent protection and as far as I can tell, equivalent to running in WinXP in a limited account. It works almost exactly like surun on XP, avoiding the profile switch.
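
      An added check (not from the post) that makes the XP-versus-UAC difference above concrete: whether the current PowerShell session's token actually carries administrative rights, as opposed to whether the account is merely listed in the local Administrators group. It assumes PowerShell 2.0 and the local (not domain) Administrators group.

```powershell
# Added example: does this process's token have admin rights right now, and is
# the account a member of the local Administrators group? (PowerShell 2.0,
# local accounts only; nested domain groups are not expanded.)
function Test-TokenIsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MemberOfLocalAdmins {
    param([string]$User = $env:USERNAME)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $names = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return ($names -contains $User)
}

$token  = Test-TokenIsAdmin
$member = Test-MemberOfLocalAdmins

'{0,-32} {1}' -f 'Token has admin rights now:',   $token
'{0,-32} {1}' -f 'Account is in Administrators:', $member

if ($member -and -not $token) {
    'Filtered (UAC) token: member of Administrators, but this process is not elevated.'
} elseif ($token) {
    'Fully privileged: anything started from here (the browser included) runs as admin.'
} else {
    'Limited user: installs and system-wide changes need Run as / elevation.'
}
```

      On XP an account in Administrators answers true to both questions. On Vista/7 with UAC on, the same account in an ordinary window answers member = true, token = false: the Administrators SID is marked deny-only in the filtered token, which is what makes the default admin account behave like XP's limited user until the elevation prompt is accepted. A program inherits whichever token the window that launched it had, so the first value is the one that matters for a browser.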

    • #1214082

      My family has always run Windows with full privileges – my wife is even still running Win98SE that way (not that there’s much of any other way…). Sitting behind our router seems to keep virtually everything out that might try to come in unexpectedly, and only once in a blue moon does our anti-virus software raise an alarm on something we bring in ourselves.

      We do feel a bit safer using Firefox rather than IE, and when I’m feeling adventurous roaming around the Internet I’m glad I have NoScript enabled. My wife and daughter find having scripting hobbled annoying, but still seem to have survived (my daughter’s using Vista, which may have helped).

      If you do want to use a second unprivileged account, consider using as many ‘portable’ applications as possible (they’re designed for USB sticks, but there’s no reason at all why you can’t just place them somewhere on your hard drive). That way they’re accessible in the same place (and with the same configuration) regardless of which account you’re currently using.

    • #1214237

      This whole thread is pointless. If you are still running Windows XP, or worse yet, anything older, you are a sitting duck for malware. Period. There is no way to fix this. So, good luck, whatever you choose to do. You are burying the real issues in your sandbox.

      That having been said, I run a laptop which is not Vista-ready, so I have three accounts:

      1) Hidden Administrator, with a password. Never used except for emergencies, and no software shortcuts installed except to Acronis True Image and Acronis Disk Director. Get the picture?

      2) Admin_01, password protected. This is for installations, removals, systemwide cleanups, defragmentation, and upgrades, among other truly administrative tasks. And Image Backups. Very seldom connected to the Internet with a browser window open.

      3) User_01, password protected. Limited User. This is where I generally “live” inside my computer, whether on line or off line. I definitely use this account for web-surfing and streaming videos. Also used for banking or healthcare information. Anything truly risky, I do at my Public Library on their computers. If they do not allow it, it probably isn’t worth trying.

      Limited User Accounts do not offer much protection, as Windows XP is a boat full of security holes. But if Folders for each account are owned (permissions limited to the current account only), there may be a little added protection. None of my Accounts, even Admin_01, can change anything in another account because of Folder Ownership. (I lift these restrictions only for offline maintenance.) (Note: this restriction of privileges may not be available in Windows XP Home.) But some malware can defeat this safeguard, so this is still false security.

      Windows Vista and Windows 7 offer much better handling of privileges and escalation of privileges than older Windows versions. This is one strong argument for upgrading if your hardware allows it.

      And forget about Windows XP “sandboxing” — it simply does not work for security purposes. I cannot seem to convince sandbox die-hards, but Internet Explorer has (even in a Limited User Account) full access to the Windows System Kernel. NOTHING can work around this basic Windows fact. And Firefox and Opera also have administrative access to these same System Kernel areas. Chrome and Safari are not so dangerous, but they too operate with full Administrator Privileges under Windows XP and earlier. And so does almost every other Windows program, regardless of the type of user account. This is not so much true of Vista or Windows 7. Both of these newer Windows OSes restrict System Kernel access rights — especially in the 64-bit editions.

      Virtual machines are not fully implemented in Windows XP and earlier, so true virtualization is also a myth in these older versions of Windows. Only Vista, Windows 7, and possibly Windows XP Professional, SP2 or SP3, can support true virtualization. And there have been cases of malware jumping from virtual machines and infecting the host Windows operating system, especially in Windows XP. VMs do write to the hard disk, and MBR infections can come in from VMs. This would infect the entire hard drive and be very difficult to remove. Again, this has happened to Windows XP users in the real world. No Administrator privileges or folder access rights needed.

      -- rc primak

      • #1214568

        This whole thread is pointless. If you are still running Windows XP, or worse yet, anything older, you are a stiiting duck for malware. Period. There is no way to fix this. So, good luck, whatever you choose to do. You are burying the real issues in your sandbox.

        That having been said, I run a laptop which is not Vista-ready, so I have three accounts:

        1) Hidden Administrator, with a password. Never used except for emergencies, and no software shortcuts installed except to Acronis True Image and Acronis Disk Director. Get the picture?

        2) Admin_01, password protected. This is for installations, removals, systemwide cleanups, defragmentation, and upgrades, among other truly administrative tasks. And Image Backups. Very seldom connected to the Internet with a browser window open.

        3) User_01, password protected. Limited User. This is where I generally “live” inside my computer, whether on line or off line. I definitely use this account for web-surfing and streaming videos. Also used for banking or healthcare information. Anything truly risky, I do at my Public Library on their computers. If they do not allow it, it probably isn’t worth trying.

        Limited User Accounts do not offer much protection, as Windows XP is a boat full of security holes. But if Folders for each account are owned (permissions limited to the current account only), there may be a little added protection. None of my Accounts, even Admin_01, can change anything in another account because of Folder Ownership. (I lift these restrictions only for offline maintenance.) (Note: this restriction of privileges may not be available in Windows XP Home.) But some malware can defeat this safeguard, so this is still false security.

        Windows Vista and Windows 7 offer much better handling of privileges and escalation of privileges than older Windows versions. This is one strong argument for upgrading if your hardware allows it.

        And forget about Windows XP “sandboxing” — it simply does not work for security purposes. I cannot seem to convince sandbox die-hards, but Internet Explorer has (even in a Limited User Account) full access to the Windows System Kernel. NOTHING can work around this basic Windows fact. And Firefox and Opera also have administrative access to these same System Kernel areas. Chrome and Safari are not so dangerous, but they too operate with full Administrator Privileges under Windows XP and earlier. And so does almost every other Windows program, regardless of the type of user account. This is not so much true of Vista or Windows 7. Both of these newer Windows OSes restrict System Kernel access rights — especially in the 64-bit editions.

        Virtual Machines are not fully implemented in Windows XP and earlier, so true virtualization is also a myth in these older versions of Windows. Only Vista, Windows 7, and possibly Windows XP Professional, SP2 or SP3, can support true virtualization. And there have been cases of malware jumping from virtual machines and infecting the host Windows operating system, especially in Windows XP. VM’s do write to the Hard Disk, and MBR infections can come in from VM’s. This would infect the entire Hard Drive and be very difficult to remove. Again, this has happened to Windows XP users in the real world. No Administrator Privileges or Folder access rights needed.

        I use Sandboxie on occasion – say for an hour – and after using it I have several times done a search – by using when was it modified and inputting the correct date – on my hard drive for anything that was created from the internet without finding anything on my hard drive. I use Windows XP pro. If Sandboxie wasn’t effective then surely the search would show the internet files that I had accessed?

        • #1214715

          I use Sandboxie on occasion – say for an hour – and after using it I have several times done a search – by using when was it modified and inputting the correct date – on my hard drive for anything that was created from the internet without finding anything on my hard drive. I use Windows XP pro. If Sandboxie wasn’t effective then surely the search would show the internet files that I had accessed?

          Nice try, but no, your assumption is false. Windows Search does not see all, and it does not detect deleted files and folders, much less deleted Active-X or scripts. And it does not access Windows Event Logs (and other Windows logs), as some proactive AV and firewalls do.

          Windows Search uses the Windows Explorer API. Rootkits and bots by their very nature sidestep the Windows Explorer (and other) APIs. That is why we need special programs to do a “raw” disk pre-scan and then compare this with the “live” Windows GUI disk scan. It is technically difficult to do forensics which will tell us what and when has passed through Temporary Files of any kind, and direct access to the System Files is not prevented when a browser does a download or an on-the-fly install or update. And Flash (among other plug-ins) can auto-update without even notifying the user, using Active-X Controls which do not leave behind any Temporary Internet Files. And yet, Flash alters System32 and other System Files. And rogue applications or scripts can do even more sinister things. You as the end user do not have the forensic tools to trace such activities.

          Browsers under Windows, especially Windows XP (and earlier), CANNOT be sandboxed. The software vendors will not tell you how or with which tools you can prove this, but the evidence is on your computer. You and I just do not use the IT Professional or Law Enforcement tools which would show what has happened during a supposedly “sandboxed” browser session after the fact. But PC Magazine Test Labs, among other places, has these tools, and has on occasion warned about programs which claim to “sandbox” the Windows browser (like Zone Alarm Extreme Security, the current darling of the Secure Browsing crowd). The evidence is truly damning.

          -- rc primak

          • #1214943

            Nice try, but no, your assumption is false. Windows Search does not see all, and it does not detect deleted files and folders, much less deleted Active-X or scripts. And it does not access Windows Event Logs (and other Windows logs), as some proactive AV and firewalls do.

            Windows Search uses the Windows Explorer API. Rootkits and bots by their very nature sidestep the Windows Explorer (and other) APIs. That is why we need special programs to do a “raw” disk pre-scan and then compare this with the “live” Windows GUI disk scan. It is technically difficult to do forensics which will tell us what and when has passed through Temporary Files of any kind, and direct access to the System Files is not prevented when a browser does a download or an on-the-fly install or update. And Flash (among other plug-ins) can auto-update without even notifying the user, using Active-X Controls which do not leave behind any Temporary Internet Files. And yet, Flash alters System32 and other System Files. And rogue applications or scripts can do even more sinister things. You as the end user do not have the forensic tools to trace such activities.

            Browsers under Windows, especially Windows XP (and earlier), CANNOT be sandboxed. The software vendors will not tell you how or with which tools you can prove this, but the evidence is on your computer. You and I just do not use the IT Professional or Law Enforcement tools which would show what has happened during a supposedly “sandboxed” browser session after the fact. But PC Magazine Test Labs, among other places, has these tools, and has on occasion warned about programs which claim to “sandbox” the Windows browser (like Zone Alarm Extreme Security, the current darling of the Secure Browsing crowd). The evidence is truly damning.

            To sum up then I take it that I am wasting my time using Sandboxie? I use it if I think that a site may have Trojans or viruses. It doesn’t prevent them landing on my hard drive?

      • #1215110

        This whole thread is pointless. If you are still running Windows XP, or worse yet, anything older, you are a sitting duck for malware. Period. There is no way to fix this. So, good luck, whatever you choose to do. You are burying the real issues in your sandbox.

        Is it possible that bobprimak is overstating the vulnerability of XP? He makes it sound as risky as continuing to run Windows 98. But Windows XP is an OS that MS still supports, issuing security updates on a regular basis. (And they will continue for some time now, since XP is still being sold for netbooks.) Surely XP can’t be all that bad if one is careful about his browsing habits. Is my faith in NoScript (with Firefox) not justified? (BTW, when I want to do some truly risky browsing I run Ubuntu (without NoScript).)

        (As I had said, I was running Windows 98 up until about a year ago; and, even with it, I have never been infected with serious malware (but I have gotten some non-serious adware).)

        • #1215178

          Is it possible that bobprimak is overstating the vulnerability of XP? He makes it sound as risky as continuing to run Windows 98. But Windows XP is an OS that MS still supports, issuing security updates on a regular basis. (And they will continue for some time now, since XP is still being sold for netbooks.) Surely XP can’t be all that bad if one is careful about his browsing habits. Is my faith in NoScript (with Firefox) not justified? (BTW, when I want to do some truly risky browsing I run Ubuntu (without NoScript).)

          (As I had said, I was running Windows 98 up until about a year ago; and, even with it, I have never been infected with serious malware (but I have gotten some non-serious adware).)

          So you really want to challenge me after my experience and extensive reading on Windows XP security over the past eight or nine years? How about challenging Symantec, McAfee, and Windows Secrets’ very own Woody Leonhard, all of whom have written extensively about rootkits, MBR infections, and all the other malware which bypasses Sandboxie, Extreme Security, and all browser shields. Or PC Magazine’s review of the Zone Alarm browser shield component of Extreme Security? Can it be that you are simply in denial, and won’t even read the reviews I have read? I can look up a few of these articles if you wish. The notion that there is no way to sandbox Internet Explorer comes from Infoworld.com. Among other writers there, Roger A. Grimes (Security Advisor) has repeatedly warned XP and even Vista users never to rely on virtualization or sandboxing under any version of Windows. Way too many programs open browser calls without even opening the browser window, and even opening totally unprotected IE windows in Neil Rubenking’s (PC Magazine) test run of ZA Extreme Security, which is about as close to browser sandboxing as any security program can come under Windows.

          So go ahead and post your evidence that sandboxing is effective. Show me the White Papers and the lab tests, as well as the security company field reports on who gets infected and through which vectors. I have read these reports, and I assure you, if anything, I have UNDERstated the case against sandboxing in Windows.

          This having been said, I am NOT talking about the “baby ‘Nix” OSes, like Linux or Mac OS. These OSes do support reasonably secure browsing, browser isolation, and all kinds of other security measures to prevent OS kernel access, none of which works successfully under Windows. To my knowledge, Ubuntu and other Nixes do not have any in the wild browser based attacks at this time. So if all of the Web worked under Linux, this would be a safe alternative to Windows. But iTunes Store, QuickTime movies (PBS.org) and a host of other types of sites simply do not support Linux and probably never will. Heck, even under Windows, I just spent fifteen minutes messing around with NoScript and Comodo Firewall, just to log into my Yahoo Web Mail account.

          So yes, you can have security. Or you can have a usable Internet. Unfortunately, at this time, you cannot have both. Certainly not under Windows XP.

          -- rc primak

          • #1215383

            So you really want to challenge me after my experience and extensive reading on Windows XP security over the past eight or nine years? …

            Sorry. I’m new here. I did not realize how erudite you are.

            I was challenging the _extent_ of your condemnation of XP. However, it was not my intent to challenge your person; and I do not think I did that.

            So go ahead and post your evidence that sandboxing is effective. …

            I never claimed that sandboxing is effective. The point I made is that XP is a supported OS with MS continuing to issue security updates for it. You seem to imply that MS is wasting their time by doing so.

            I have not relied on sandboxing; but I do rely on NoScript (and other features of recent Firefox) to help me keep my browsing safer under XP. I do not believe that I am invulnerable; but I do believe that, given my habits, the risk of infection is actually very low. Furthermore, the comments on this thread have convinced me that the additional risk resulting from running with privileges (as opposed to without) is not very big either. (As I understand it, it _should_ be much riskier, but that really clever malware is still effective at gaining control even without the privileges.)

            … if anything, I have UNDERstated the case against sandboxing in Windows.

            OK. OK. But I never disputed that.

    • #1214274

      My method of using a limited account is to use the original account that way but create a second account that I make with administrative privileges and used only for this purpose. This way my normal use is always on the original account. I switch to the second account to change privileges on the original account when needed. This offers little confusion as to what I do in each account. Every little bit of precaution helps and free is rather cheap. I will admit it is a pain at times, but I accept the hassle. I have not encountered much that does not work as limited other than program installations.

    • #1214362

      great thread!

      I work for a large business and many of our users all have laptops with winXP and travel a lot. Of course they want admin rights and what we do is give them a domain user account with limited user and a local admin account (not the administrator account which is renamed) which they can ‘runas’ or log out and log in and use. Most can’t get the hang of runas because it won’t run shortcuts and some other things – sometimes there is no runas in the right click menu.

      The worst thing is that so many times users come back from OS with pretty vicious malware on their systems or viruses as they haven’t updated their antivirus. These users are using only their limited user account but some of those viruses or malware cause enough damage to cause us to wipe and reimage their laptops. Plus all the arguing we have with them over not being able to have admin rights on their user account is very wearing. I am hoping Windows 7 will be an improvement but think we’ll probably have the same issues.

      • #1214720

        great thread!

        I work for a large business and many of our users all have laptops with winXP and travel a lot. Of course they want admin rights and what we do is give them a domain user account with limited user and a local admin account (not the administrator account which is renamed) which they can ‘runas’ or log out and log in and use. Most can’t get the hang of runas because it won’t run shortcuts and some other things – sometimes there is no runas in the right click menu.

        The worst thing is that so many times users come back from OS with pretty vicious malware on their systems or viruses as they haven’t updated their antivirus. These users are using only their limited user account but some of those viruses or malware cause enough damage to cause us to wipe and reimage their laptops. Plus all the arguing we have with them over not being able to have admin rights on their user account is very wearing. I am hoping Windows 7 will be an improvement but think we’ll probably have the same issues.

        Of course, large businesses have a very different set of security needs from home users. And the damages caused by one infected laptop will not usually get through enterprise security measures to infect or compromise the corporate network. So in these environments, employees using company-issued laptops for business uses need not worry — there is always the Standard Disk Image to revert to at the end of the trip or at the end of the week, or whenever threats are discovered when the computer connects to the enterprise network.

        Home Users do not have these protections, so we have to protect ourselves on a per-user basis. No “wipe and revert to Standard Image” option for us — not yet anyway. Unless we have the foresight to use an Image Backup program on a clean, new computer. Even then, getting all the updates is not as simple as connecting a company computer to the enterprise network and being fully patched in under an hour. Not yet, anyway. Although, Secunia is working on a new version of PSI which may be able to do something like this for home users. I await their offering with much anticipation. In the meanwhile, there’s Ninite, recommended by a Windows Secrets contributing columnist. Here’s a good Review of Ninite.

        -- rc primak

    • #1214672

      I run XP Pro SP 3 on a computer I designed a couple of years ago, have about 15 applications installed on it, and the browser is IE 7. I set it up with an Administrator account, a Power User account, and a User account – each password protected. Windows Firewall, Data Execution Prevention (all programs and services), Software Restriction Policy, and User Switching are enabled. The Administrator account is used for Microsoft updates, application updates, some downloads, etc. – the usual administrative stuff, so it gets used once or twice a week. I’ve never used the Power User account. The majority of my work and play with applications and the internet is in the User account.

      There is one old application that will not work in the User account without Administrator approval, so to access it from the User account I right click on the desktop shortcut for that application, select “Run as…,” check “Protect my computer and data from unauthorized program activity,” select “The following user” (the Administrator account), and enter the password, which all takes about 20 seconds. To move from the User account to the Administrator account, or vice versa, I select “Log Off,” “Switch User,” and then log into the appropriate account, which all takes about 30 seconds.

      IE 7 Security and Privacy are set to High, with adjustments made at the Custom and Advanced levels to add a little more flexibility. Taken as a whole, the system tends to run flawlessly; I rarely have any trouble.

    • #1215449

      @ David Vanderschel — I was not just replying to you, although your posting did seem like a challenge, which I took up in what is in fact my usual way when challenged directly on my knowledge and experience.

      But to all who have posted here in favor of sandboxing, I wanted and still want to point out that sandboxing is not panacea for Windows security when using a browser or connecting through an e-mail client (the two most common ways of getting on line). Microsoft supports Windows XP now, but not for very long. This is their way of telling us holdouts that MS can no longer provide even an adequate degree of safety for Windows XP through patching the OS. There will continue to be critical security patches, but the time is coming soon when going on line with this old OS will no longer be safe under any security system. This is one reason why IE-9 is not being developed for Windows XP. (The other main reason is lack of support for graphics and Internet Protocol changes which IE-9 will introduce, including HTML-5 and ipv-6.)

      After nine years and three service packs, patching Windows XP is already dicey, and it would only get more difficult. My best bet for my old laptop would be to go on line with Linux in one set of partitions, while using Windows XP only off line. (This is a dual-boot, and I would use Norton BootMagic as my boot manager, placing GRUB only into the Linux Main Partition. This preserves the MBR and Windows Boot information from accidental corruption.) And I would transfer data from Windows to Linux, but never the other way around. This system (partitioning) does seem to stop most malware from jumping from one OS into the other, at least for most currently known attack vectors. And as long as only Linux receives data from Windows, there is no cross-platform malware known to exist between those two OSes — as long as the transfer does not go back to Windows. While Linux does not harbor Windows malware per se, it can transfer data and files, some of which can be executed or installed into Windows. It’s kind of like you can download Linux .tar archives into Windows, then transfer them into Linux, and use them from there. Some of these .tar archives are written to be virtually self-extracting once Linux recognizes them (but the Linux user still has to elevate privileges in order to install anything). Linux will still run on this laptop for the foreseeable future, complete with all the necessary updates, and perhaps a bit of Linux security — not that Linux needs that much added security.

      I would have enjoyed the opportunity to reference some Web resources about sandboxing, and just what it can and cannot do. I’d rather reference the real experts than to use myself as a reference on technical matters such as this. I have a reference document already typed up with no place to post it. But I guess my point is made, and there is no need to clutter up the Lounge with any sort of overkill.

      -- rc primak

    • #1216444

      I run XP Professional as the second admin. I have Sandboxie (paid) which has drop rights feature, and Online Armor with similar feature, with Avast! Free edition and Prevx 3.0 with SafeOnline, also SpywareBlaster. I have some on demand spyware scanners, Trojan scanners, and rootkit detectors. The only way Windows can be any more secure is for Microsoft to start over, build on Unix….

    • #1260594

      Games can be a trying experience, especially in getting them to run under LimitedUser accounts. My approach is based on installing the app as Admin, then try it as Limited User:

      1) install as Admin
      2) switch to a non-Admin account (or logoff/logon, if Fast User Switching is not enabled)
      3) run the game, far enough into it to begin typical activity(s)
      4) Also try Save, if it has such a feature

      If the game fails to work as a non-Admin, often it will be because one or more files are too restricted for access by a LimitedUser. By “too restricted”, I mean in terms of how the game actually works, not any ideal sense of what sort of access ought to have been used.

      To diagnose which files, try the following, logged on as an Admin:

      5) Run ProcessMonitor (ProcMon, most recently 2.39, available from: http://technet.microsoft.com/en-us/sysinternals/bb896645 )
      5.a) toggle on logging, via File, Capture Events (checkmark will be to the left)
      5.b) minimize ProcMon
      6) Run the game or app (same as step 3 above)
      6.a.) go at least far enough into it to begin typical activity(s)
      6.b) if there is a Save feature, use it
      7) switch back to ProcMon
      7.a) toggle off logging, via File, Capture Events
      7.b) note what the application Path is
      7.c) Filter, Filter, Display: Path begins with: {base_path of game}
      7.d) Filter, Highlight: Operation is: WriteFile
      8.a) File, Save, Events displayed using current filter and include profiling events — Format can be whatever is handiest
      8.b) File, Save, All Events — Format can be whatever is handiest — Path set to wherever you will remember (be aware that can be a very large file)

      Steps 8.a and 8.b are not strictly necessary, but can be handy for later review. There is a Find (under Edit menu) in ProcMon, but it may not be as handy as searching in a spreadsheet (.csv format from step 8) or within a web browser (.xml format). Step 8.a will be of use if the application is using Write access to files outside

      Whichever approach is used, one needs to note the path of each file which the game accessed through a WriteFile operation. Only one instance of each file is needed on the list, and one can often ignore files that did not exist (which may be for optional features of the game, or files which can be in more than one place).

      After the list has been collected, determine what the base of the path is used. For example {base_path}: %SystemDrive%\program files\game_dir

      From a command shell (such as cmd.exe)
      cd {base_path}
      For each file in the list (where cacls is used to change access control lists (ACLs); /e edits the existing ACL rather than replacing it, /g grants, and :C stands for Change; the group is the built-in Users group):
      cacls {file} /e /g builtin\users:C

      Switch to the LimitedUser account. If the game runs, Indiana Jones, or Sherlock Holmes (you) can rest. Otherwise, the game may require F(ull, instead of C) access to one or more of the files, or directories. The expedient thing to do (as Admin) is to go back through the list, and use :F, instead of :C, with cacls.

      Otherwise, Good Luck, sleuthing further…
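The list-building and cacls steps above can be automated from the CSV that step 8 saves. The following is an added example, not code from the original post: it assumes ProcMon's CSV export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), uses a constructed sample capture, and goes slightly beyond the post by also listing the files the game tried to open for writing but which did not exist.

```python
"""Turn a ProcMon CSV export into the per-file cacls lines used above.

Added example (not from the original post).  Assumes the column names
ProcMon writes when you File, Save as CSV; the capture below is constructed.
"""
import csv
import io
import ntpath  # Windows path semantics regardless of the host OS

# Constructed sample of a ProcMon CSV export: a game run as Admin, plus one
# unrelated process and one file the game looked for but which did not exist.
SAMPLE_CSV = """"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","game.exe","1234","CreateFile","C:\\Program Files\\game_dir\\game.exe","SUCCESS","Desired Access: Read Data"
"10:01:03.2","game.exe","1234","WriteFile","C:\\Program Files\\game_dir\\config.ini","SUCCESS","Offset: 0, Length: 120"
"10:01:03.5","game.exe","1234","WriteFile","C:\\Program Files\\game_dir\\saves\\slot1.sav","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.6","game.exe","1234","WriteFile","C:\\Program Files\\game_dir\\config.ini","SUCCESS","Offset: 120, Length: 8"
"10:01:04.0","game.exe","1234","WriteFile","C:\\Users\\Admin\\AppData\\Local\\game\\log.txt","SUCCESS","Offset: 0, Length: 30"
"10:01:04.2","explorer.exe","800","WriteFile","C:\\Program Files\\game_dir\\Thumbs.db","SUCCESS","Offset: 0, Length: 10"
"10:01:05.0","game.exe","1234","CreateFile","C:\\Program Files\\game_dir\\optional.dat","NAME NOT FOUND","Desired Access: Generic Write"
"""


def _base(base_path):
    # Normalised base directory with a trailing backslash, for prefix tests.
    return ntpath.normcase(base_path.rstrip("\\")) + "\\"


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def written_paths(csv_text, base_path, process_name=None):
    """Paths the game wrote with WriteFile under base_path, de-duplicated in
    first-seen order.  Same selection as step 7.c (Path begins with) plus
    step 7.d (Operation is WriteFile); process_name drops other processes."""
    base = _base(base_path)
    seen = []
    for row in _rows(csv_text):
        if row["Operation"] != "WriteFile":
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        if not ntpath.normcase(row["Path"]).startswith(base):
            continue
        if row["Path"] not in seen:
            seen.append(row["Path"])
    return seen


def missing_write_targets(csv_text, base_path, process_name=None):
    """Files under base_path the process tried to create for writing but which
    did not exist (NAME NOT FOUND).  These are the 'files that did not exist'
    the post says can usually be ignored; listing them keeps that decision
    explicit instead of silent."""
    base = _base(base_path)
    found = []
    for row in _rows(csv_text):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        if "Write" not in row["Detail"]:
            continue
        if ntpath.normcase(row["Path"]).startswith(base) and row["Path"] not in found:
            found.append(row["Path"])
    return found


def cacls_commands(paths, base_path, full_control=False):
    """One cacls line per file, relative to base_path (run after cd {base_path}).
    /e edits the existing ACL in place, /g grants the built-in Users group
    Change (:C) access, or Full (:F) on the retry the post describes."""
    perm = "F" if full_control else "C"
    base = _base(base_path)
    cmds = []
    for p in paths:
        rel = p[len(base):] if ntpath.normcase(p).startswith(base) else p
        cmds.append(f'cacls "{rel}" /e /g builtin\\users:{perm}')
    return cmds


if __name__ == "__main__":
    game_dir = r"C:\Program Files\game_dir"
    files = written_paths(SAMPLE_CSV, game_dir, process_name="game.exe")
    print("\n".join(cacls_commands(files, game_dir)))
    print("ignored (did not exist):", missing_write_targets(SAMPLE_CSV, game_dir))
```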

    • #1262924

      For my first few years under XP, from a personal view, I never found it convenient to use a Limited User account – too much hassle, and so I always used an Administrator account. I am a bit of a security freak and always felt somewhat uncomfortable with this choice – given that a Limited User is, comparatively, very safe.

      That is until last year when I found SURUN (as suggested by KENT W, above). This is an outstanding free open-source program for XP, and since I found it a year ago I always use a Limited User account – without any inconvenience.

      There are truly a lot of options in Surun, and there is also an excellent English speaking help forum where the creators of the software can help, if needed. It is a truly complete program to be a secure Limited User and Administrator within the same user account.

      SuRun: Easily running Windows XP as a Limited User: http://www.wilderssecurity.com/showthread/?t=196737&highlight=surun
      SuRun Tutorial: http://www.dedoimedo.com/computers/surun.html
