The Importance of the Limited User, Revisited

If you use a computer powered by Microsoft Windows to surf the Web, check your e-mail and so forth, the single most important step you can take to protect your machine from viruses, worms and hackers is to use a "limited user" account for everyday computer use.

By running Windows the way Microsoft ships it -- using the all-powerful administrator account -- you expose yourself to huge security risks. If a Trojan horse or virus makes it onto your machine while you're using an administrator account, it can get its hooks deep into the operating system (often without your knowledge). However, by regularly using Windows under a limited account, you can avoid the vast majority of malware out there today, simply because a limited-user account does not have the right to install programs, write to the Windows or Program Files folders, or change system-wide settings. As a result, when malicious Web sites try to use security weaknesses in the operating system or your Web browser to conduct "drive-by" spyware and malware installs, the installation step fails. The caveat a practitioner would add is that this is damage limitation, not immunity: code that does run under the limited account is confined to that account's own files and settings, so it can still read, send or delete your documents even though it cannot take over the machine.

I have written several times before about the importance of using non-administrator accounts on Windows, but the topic came up again on a talk show I was invited to speak on today (the Kojo Nnamdi Show on National Public Radio's WAMU American University Radio station) about online scams. As such, I'd like to point again to a recent blog post I wrote on "DropMyRights," a free program from Microsoft that makes it easier to run Internet browsers and other Internet-facing applications under less powerful user accounts.

Also, in last week's Security Fix Live online chat, a reader asked how he could keep his kids from installing programs and otherwise monkeying with his computer settings. I offered a quick-and-dirty tutorial on how to switch from using an administrator account to a limited-user account for everyday use. Basically, this is the opposite approach from the DropMyRights program: all of the programs on your PC run under a limited account, and whenever something needs to be installed, the user must supply the administrator account's password to run just that one program with full rights.

I thought it might be helpful to call special attention to that advice in a blog post for readers who may not have been able to join us for that chat:

Chances are that the user account you are using on your machine at the moment is an all-powerful administrator account (it might be named something else). To check, go to Start, Control Panel, and then User Accounts; you should see all of the accounts on the system. There are probably at least two accounts in there: one with administrator rights and a Guest account (which should be turned off; if it's not, turn it off). Assuming the main account is an administrator account (it will say "Computer administrator" under the name) and the only other account listed is an inactive Guest account, go ahead and create a second administrator account. This new account is the one you will keep for installing software and changing settings; the one you use today is about to be demoted. If you have kids or others who use the computer and you'd like to keep them from changing the settings on the machine, assign the new administrator account a password: not one that your kids or other household users will guess, but one that you can safely remember (see our password primer for help here).

If you are the only one using your computer, you are using Windows XP, and you're relatively confident about the physical security surrounding the PC, it can actually be safer to leave the administrator account without a password. That's because, by default, XP accounts with blank passwords can only be used by someone sitting at the computer: XP's "limit local account use of blank passwords to console logon only" policy refuses network logons to such accounts, so a worm or a remote attacker cannot use one. Two trade-offs come with that choice: anyone who reaches the keyboard can log in as administrator, and the "Run As" step described below will not accept an account with a blank password either (it fails with a "user account restriction" error), so you would have to switch to the administrator account with Fast User Switching instead.

Next, from the main User Accounts page, click "Change the way users log on or off" and check "Use Fast User Switching" (it requires "Use the Welcome screen" to be checked as well, and is not available on machines joined to a Windows domain). This allows more than one account to be logged in at the same time, so if you need to you can toggle back and forth between the administrator account and the limited user account you're about to create.

Once you've created the second administrator account, change the account type of the one you are currently using. From the main User Accounts page, click on the admin account you're currently using and then click on "Change the account type." Switch it over to "Limited," and you should be all set. The change takes effect the next time you log on. From then on you will not be able to change system settings until you log into the computer using the administrator account, so you'll notice a few of the options in the User Accounts menu are no longer available to you.

If you want to try it out now, just download a piece of software and try to install it. It should fail. Now, if you right-click on the file you downloaded and select "Run As," pick "The following user," select the account with administrator privileges and type its password. The installer then runs with that account's full rights while everything else on your desktop stays limited, and you should be able to install the program, no problem.
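The same account changes can be scripted from a command prompt instead of clicked through Control Panel. The following is an added example, not part of the original post: it creates the second administrator account, demotes the account you are logged on with to a limited user (XP's "Limited" type is simply membership in the Users group), and first checks that the system drive is NTFS, because a limited user is only kept out of the Windows and Program Files folders if the disk has file permissions at all. The account name pcadmin is an assumption; run it from the administrator account you intend to demote.

```batch
@echo off
rem Added example (not from the original post). Demotes the current Windows XP
rem account to a limited user after creating a separate administrator account.
rem SECOND_ADMIN is a hypothetical name; change it to whatever you prefer.
setlocal
set SECOND_ADMIN=pcadmin

rem 1. Precondition: limited-user protection relies on NTFS permissions.
rem    On a FAT32 volume a limited user can still write anywhere.
fsutil fsinfo volumeinfo %SystemDrive% | find /i "NTFS" >nul
if errorlevel 1 (
    echo %SystemDrive% is not NTFS. Run "convert %SystemDrive% /FS:NTFS", reboot, then re-run.
    exit /b 1
)

rem 2. Make sure the Guest account is disabled.
net user Guest /active:no >nul

rem 3. Create the new administrator account. The * makes "net user" prompt
rem    for the password, so it is not echoed or left in the command history.
net user %SECOND_ADMIN% * /add /passwordchg:no
if errorlevel 1 (
    echo Could not create %SECOND_ADMIN%; are you running this as an administrator?
    exit /b 1
)
net localgroup Administrators %SECOND_ADMIN% /add

rem 4. Demote the account you are using right now: take it out of
rem    Administrators and make sure it is in Users ("Limited" in Control Panel).
net localgroup Administrators "%USERNAME%" /delete
net localgroup Users "%USERNAME%" /add 2>nul

rem 5. Verify: Administrators should now list only the built-in Administrator
rem    and the new account. Your current logon keeps its old rights until you
rem    log off, so the demotion is not complete until you log on again.
net localgroup Administrators
echo Log off and back on for %USERNAME% to become a limited user.
```

Afterwards, installing a program from the limited account is a one-liner that runs only the installer with full rights: `runas /user:%COMPUTERNAME%\pcadmin "msiexec /i C:\Downloads\setup.msi"` (the path is illustrative). This needs the Secondary Logon service, which XP starts automatically, and the administrator account must have a non-blank password, because XP refuses "Run As" for blank-password accounts.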

I tested out my own advice before I gave it, and the process I described above worked for me, but my instructions assume the reader is using Windows XP Professional. Running the system under a limited-user account can present problems for some poorly designed third-party programs whose designers obviously assumed no one could possibly want to run their machine under an account with lesser system privileges. Such situations are usually manageable for XP Pro users: right-click the folder the program insists on writing to (typically under C:\Program Files), open its "Security" tab (on XP Pro the tab only appears once "Use simple file sharing" is unchecked under Folder Options, View), and give the Users group "Modify" access to that folder. Be clear about what this does: it loosens the file permissions so a limited user may write there; it does not run the program with administrator rights. Grant "Modify" rather than "Full Control," and only on the data files or subfolder the program actually needs, because write access to the program's .exe files would let malware running as the limited user replace them with its own copy. If the program still fails, it is probably trying to write to the HKEY_LOCAL_MACHINE part of the registry, which these settings do not touch. For anyone who's interested, this Hall of Shame site contains a pretty decent list of programs that are known to present problems under limited-user accounts.

For people using XP Home, or older versions of the operating system, there is no simple point-and-click way to modify the permissions of a program on this type of one-off basis: XP Home only shows the "Security" tab in Safe Mode (the command-line cacls tool can set the same permissions), and Windows 98 and Me have no file permissions at all. My advice for users of those operating systems is to consider using the DropMyRights program to lower the privileges of key applications like the Web browser and media players, and/or to search out alternative programs that do not demand administrative rights to function properly.

I have found that some applications won't work at all if you install them from a limited-user account using the "Run As" option, because the installer then writes its per-user settings into the administrator's profile rather than yours. In some cases, it may be necessary to log out of the limited account, log on using one with administrative privileges, and install and configure the program there (e.g., adjust firewall settings for that particular program).
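When a program misbehaves under a limited account, the narrow fix is to grant the Users group write access to just the files it needs, from the administrator account, rather than Full Control or a permanent elevation. The following is an added example, not from the original post, using XP's built-in cacls tool (which also works on XP Home, where the Security tab is hidden); the program name and data folder are hypothetical, and the script assumes you have already confirmed the failure is a file-permission problem rather than a registry one.

```batch
@echo off
rem Added example (not from the original post). Gives limited users write
rem access to one misbehaving program's data directory only. Run as an
rem administrator. LegacyApp and its "data" folder are hypothetical names.
setlocal
set APPDIR=C:\Program Files\LegacyApp\data

if not exist "%APPDIR%" (
    echo %APPDIR% does not exist; check the path before changing permissions.
    exit /b 1
)

rem Show the current ACL first. Under Program Files, Users normally have only
rem R (read and execute), which is why the program's writes fail.
echo Before:
cacls "%APPDIR%"

rem /E edits the existing ACL instead of replacing it, /T applies the change
rem to everything under the folder, /G grants a right. "C" is Change
rem (read/write/delete of files). Deliberately not "F" (Full Control), which
rem would also let a limited user, or malware running as one, rewrite the
rem permissions and take ownership. Keep the grant off the folder that holds
rem the program's .exe files so those cannot be replaced.
cacls "%APPDIR%" /E /T /G Users:C
if errorlevel 1 (
    echo cacls failed; is the drive NTFS and are you an administrator?
    exit /b 1
)

echo After:
cacls "%APPDIR%"

rem If the program still fails after this, it is most likely writing to
rem HKEY_LOCAL_MACHINE or to another folder. Run it under the limited account
rem with Sysinternals Filemon/Regmon watching for ACCESS DENIED results to find
rem the exact object before granting anything wider.
```

The "Before"/"After" listings are the check worth keeping: if the grant appears on files under the program's own executable directory, the scope is too wide and should be narrowed to the data subfolder.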

By Brian Krebs  |  May 30, 2006; 2:03 PM ET
Categories:  Safety Tips  

Comments

Talk about burying the lede - Kojo Nnamdi? You know you've hit the big time now. Congratulations, BK.

Posted by: Robito30 | May 30, 2006 5:59 PM | Report abuse

Why do you instruct readers to turn off the Guest account? I believe it runs with less rights than a Limited account and so could be ideal for ad hoc use by visitors.

Posted by: Steve | May 31, 2006 1:17 AM | Report abuse

Limited user accounts offer considerable protection against malware. I've worked in both large corporate and government environments, and the LAN administrators in both sectors wouldn't have it any other way.

That doesn't mean aggressive users are now free to patrol Russian and Bulgarian adult web sites without a care in the world. You might run into malicious code-writers who have built a package that installs without administrator rights.

Remember what they say about body armor: the vest is bullet-resistant, NOT bullet proof.

Posted by: Ken L | May 31, 2006 2:11 AM | Report abuse

If you're having problems running an application as a limited user, DO NOT go around throwing "Full Control" access to LUs. That's dangerous and may negate the protection provided. What's more, I doubt it will work unless there's a specific file the program tries to write to.

Posted by: Matthew Murphy | May 31, 2006 3:50 AM | Report abuse

Whilst it is true that using limited rights limits certain functions like installing programs and changing some settings, it does not automatically protect the system from malware being introduced. The reason being, this method does not protect files. The system has to have NTFS set up on the disk to protect the system and program files. Systems that have been upgraded to XP from 98 or Me, or systems that have been installed from scratch, may not have NTFS and hence the system will be much more vulnerable.

It is not just whether software works with limited accounts that one needs to consider. Some badly designed software will work with FAT32 but not NTFS because the software has read/write data in the Program Files structure when it should be in the Documents and Settings structure. Some software just cannot cope with fast user switching and the associated multiple logged-on accounts. Some cannot even cope with the scenario where no user is logged on. I have even seen software that assumed if there was one user logged on its system ID must be 0, which demonstrates a worrying lack of understanding.

If one wants to have all the extra protection available then it might be worth considering opening System Properties of My Computer; select the Advanced tab, then the Data Execution Prevention tab, and select "Turn on DEP for all..."

So programs have at least 4 tests to pass to see if they are worthy of being considered XP compatible, not just the one mentioned in the article. Add to those tests the ability to handle the system going in and out of stand-by if you want to be more eco-aware. It might be easier to have a short list of software that passes the tests rather than a long one of software that fails the tests, if my past experience is anything to go by.

As for Windows Pro, but not Home, allowing the option to run a program with elevated privilege: I cannot see why Microsoft persist with that. Why should one be charged extra for the ability to run a program safely on the system? Surely if it were available for XP Home there would be more ability to run less vulnerable systems which would surely be better for Microsoft's image. Maybe they are too focused on things other than customer's security.

Posted by: Steve | May 31, 2006 4:06 AM | Report abuse

Matthew M -- I've had success on my own machine with temporarily allowing write access to a program that gave me trouble. Aside from the alternatives I mentioned (finding a replacement app, going with the DropMyRights program, etc.), what would you suggest?

Posted by: Bk | May 31, 2006 7:47 AM | Report abuse

re: The Importance of the Limited User, Revisited Best security advice that I have used in 5 years. Using a limited account hasn't really cramped my style. For users who hate limits, using the fast switching method works well, if you are willing to put up with the minute or so that it takes to go between limited to administrator. Best of all, I don't feel intimidated by spyware/malware anymore

Posted by: nestee90 | May 31, 2006 11:30 AM | Report abuse

Always good advice, but hard to put into practice due to software that is not designed with this concept of least privilege in mind. It can be transparent. Ubuntu Linux has a nice implementation of 'sudo', which prompts the user for the admin password whenever they try to do something that requires it and caches it for a period of time. Very unobtrusive, and Windows could implement this pretty easily too.

Posted by: Tim B | May 31, 2006 12:08 PM | Report abuse

Hi Brian. Perhaps you should post a link to the WAMU interview itself? It seems to be available at http://podcastdownload.npr.org/anon.npr-podcasts/podcast/305/510025/5439815/WAMU_5439815.mp3

Mikko

Posted by: Mikko | May 31, 2006 8:54 PM | Report abuse

I may just not understand this:

"XP Pro users... can change the privileges of any program running on their machine by right-clicking on the program icon and assigning 'full control' to the program on its "permissions" tab."

But it sounds wrong to me--that tab assigns rights to filesystem objects, it doesn't affect the security context under which the program runs. If a limited user is having problems running a program, it *might* be because the program wants to write to a part of the filesystem the user is not allowed to touch. But it may just as easily be that it wants to write to a part of the registry the user is not allowed to mess with.

I wonder if Brian meant to indicate the 'Run with different credentials' checkbox you see when you click the 'Advanced' button on a shortcut properties dialog? That would allow you to run a given program under a more-privileged account.

Posted by: Roy Pardee | June 2, 2006 10:23 AM | Report abuse

RE: DropMyRights - Go use StripMyRights instead. StripMyRights is an improvement based on DropMyRights. IMHO, StripMyRights is better and easier to use, particularly since StripMyRights will accept parameters while DropMyRights will not accept parameters for the programs you want to run. And with DropMyRights, you get that awful DOS window that opens and closes when you run DropMyRights, while StripMyRights does NOT have that cosmetic annoyance.

http://www.sysint.no/nedlasting/StripMyRights.htm

http://www.sysint.no/EN/Download.aspx

Posted by: ANON | June 3, 2006 7:16 PM | Report abuse

There are 2 admin accounts on my PC and I would like to know how I am able to change the other one to a limited account even though it is the administrator account? Is there a way in which I can prevent one admin from changing the settings of the other admin, especially in terms of changing the type of account?

Posted by: jism_7@yahoo.com | June 22, 2006 8:31 PM | Report abuse

If you are logged in with a limited user account, and wish to make an administrative change without logging out or switching users, the free "MakeMeAdmin" tool is excellent. It can be downloaded from

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

Users may also be interested in a free tool written by me to be used in conjunction with MakeMeAdmin. It is called "Launch Admin" and it can be downloaded from

http://launch-admin.sourceforge.net

Posted by: Patrick Rynhart | June 23, 2006 6:39 PM | Report abuse

© 2010 The Washington Post Company