Author Topic: Running as limited user - the easy way  (Read 5523 times)

polonus
Running as limited user - the easy way
« on: March 05, 2006, 03:14:29 PM »
Hi forum folks,

In Vista it will be a normal standard feature, surfing with limited rights, more secure against malware. But it can be easily done also for XP: http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bob3160
Re: Running as limited user - the easy way
« Reply #1 on: March 05, 2006, 04:06:36 PM »
Isn't this basically what we've been doing right along by utilizing the following???
http://forum.avast.com/index.php?topic=7204.msg128315#msg128315
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

polonus
Re: Running as limited user - the easy way
« Reply #2 on: March 05, 2006, 04:13:17 PM »
Hi Bob3160,

Of course, the strength of educating lies in the strength of repeating. So now it can be entitled "a banana problem".

polonus
« Last Edit: March 05, 2006, 04:25:57 PM by polonus »

bob3160
Re: Running as limited user - the easy way
« Reply #3 on: March 05, 2006, 04:39:46 PM »
Quote
So now it can be entitled "a banana problem".
But this one has whipped cream on it..... ;D ;D

DavidR
Re: Running as limited user - the easy way
« Reply #4 on: March 05, 2006, 05:30:27 PM »
This Limited user function of MS Vista and Protected-Mode IE will obviously take some time.

In the meantime, Microsoft's DropMyRights and now Mark Russinovich's 'Process Explorer’s Run as Limited User' (nice looking interface) is another option until Vista and IE7 (vista version) come along.

There is also another method, start as a limited User and either use the Run As context menu shortcut or use a little program RunAsAdmin.

But there really is no excuse not to restrict the rights of programs that access the internet, unless it absolutely has to have admin privileges like windows update.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

polonus
Re: Running as limited user - the easy way
« Reply #5 on: March 05, 2006, 05:38:07 PM »
Hi DavidR,

I still have a little question, when I look at what is going on in the settings through IbProcMan I see that on a Windows XP SP2 system runs as superuser :D. System account overrules the admin account even, all users and groups trust system. In how far is this a threat towards malware vectors, and how to counter that one? If I can run system on a box I own it. Look for some on this here: http://www.grc.com/dos/sockettome3.htm and here:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Utilities/XPschtaskscommandlineutilityreplacesAT.exe.html


polonus
« Last Edit: March 05, 2006, 05:42:50 PM by polonus »

DavidR
Re: Running as limited user - the easy way
« Reply #6 on: March 05, 2006, 05:46:02 PM »
I haven't looked into it that deeply (too scary), but I would have to assume the logic that System is always going to overrule an admin user and an admin user has a higher privilege than a superuser, etc.

I don't know if this would also be true of 'The Administrator' account or how difficult it would be to have malware get system privileges, or what level of protection there is to stop this happening.

polonus
Re: Running as limited user - the easy way
« Reply #7 on: March 05, 2006, 06:05:31 PM »
Well DavidR,

I posted about this thing before here in the forum, about giving your scan some bite, I think there was not much changed after these trust dependencies came in with Windows NT. And thinking about it that is why automatic installs, updates, plug and play, host memstick use functionality are that dangerous, at least could mean a threat.

This should not be as default configuration. See here for my contribution, all that can be used for a good purpose can also be used for malicious purposes. See: http://forum.avast.com/index.php?topic=14363.0

To dwell a bit more on privileges here, just have to set a process to "Act as a part of the Operating System" privilege using the Local Security Settings, and then reboot the system. Another way to get this result is to modify machine.config by setting the username attribute equal to "system" in the ProcessModel element, and then reset IIS. Else things do not work and you will get an exception (Sigh of relief here). To get to the privilege lower than the mentioned one we have to set it to "Act as part of Operating System" privilege using Local Security Setting.

polonus
« Last Edit: March 05, 2006, 06:22:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
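
An audit for the two settings named in Reply #7, added here as an example and not part of any forum post: it lists the accounts that hold the "Act as part of the operating system" right (SeTcbPrivilege) and reports the userName attribute of processModel in each .NET Framework machine.config. It assumes an elevated PowerShell prompt; the function names and the temporary file name are choices made for this example.

```powershell
# Added example: audit who holds "Act as part of the operating system"
# (SeTcbPrivilege) and which identity ASP.NET's processModel is set to.
# Function names and the temp file name are choices made for this example.

function Get-TcbPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    try {
        # secedit exports the local user-rights assignment as an INF file
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' }
        if (-not $line) { return @() }   # the right is assigned to no account
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            if ($id -match '^S-1-') {
                # Entries exported with a leading * are SIDs; resolve when possible
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
                    $id  = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }              # keep the raw SID if it cannot be resolved
            }
            $id
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Get-ProcessModelIdentity {
    # One machine.config per installed .NET Framework version and bitness
    $pattern = Join-Path $env:windir 'Microsoft.NET\Framework*\v*\CONFIG\machine.config'
    foreach ($file in Get-ChildItem $pattern -ErrorAction SilentlyContinue) {
        [xml]$xml = Get-Content $file.FullName
        $pm   = $xml.SelectSingleNode('/configuration/system.web/processModel')
        $user = if ($pm) { $pm.GetAttribute('userName') } else { '' }
        New-Object PSObject -Property @{
            File         = $file.FullName
            UserName     = $user
            RunsAsSystem = ($user -eq 'system')   # -eq ignores case
        }
    }
}

'Accounts holding SeTcbPrivilege:'
Get-TcbPrivilegeHolders
Get-ProcessModelIdentity | Format-List File, UserName, RunsAsSystem
```

Any account listed under SeTcbPrivilege, or any machine.config where RunsAsSystem is True, is worth reviewing against what the host is supposed to run.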

DavidR
Re: Running as limited user - the easy way
« Reply #8 on: March 05, 2006, 06:26:34 PM »
Yes, possible but not easy and in the example you use there would need to be an element of user co-operation/interaction.

Unless of course it would be possible to create a batch file or a program that would have the privileges and could replicate these actions.

It's at times like these that I'm really glad I have a back-up/recovery strategy that if the worst came to the worst, restoring a disk image would take a few minutes.

polonus
Re: Running as limited user - the easy way
« Reply #9 on: March 05, 2006, 06:47:00 PM »
Yes I agree on that one, but then you must start from a point where your OS was in a non-compromised state. If you are not aware of that and a compromised situation has endured and you do not know how long, you can't be sure what exactly was backdoored or altered on your machine, and the only safe thing to be able to fully trust it again was a re-install.

What LSA privilege can do, see here:
http://www.codeproject.com/csharp/lsadotnet.asp

polonus
« Last Edit: March 05, 2006, 07:31:52 PM by polonus »

DavidR
Re: Running as limited user - the easy way
« Reply #10 on: March 05, 2006, 08:31:09 PM »
Thanks for that.

I said it was scary ;D when you start to delve you don't feel so secure.

Fortunately this is way over my head to realise just how scared I should be ;D

polonus
Re: Running as limited user - the easy way
« Reply #11 on: March 05, 2006, 09:15:34 PM »

DavidR
Re: Running as limited user - the easy way
« Reply #12 on: March 06, 2006, 12:26:14 AM »
Thanks polonus, I will print that off and save it for a little light ;D bedtime reading, certain to get me off to sleep ;D