Re: How good is Comodo Internet Security?
- From: VanguardLH <V@xxxxxxxxx>
- Date: Wed, 24 Dec 2008 22:13:45 -0600
Ansgar wrote:
> nik wrote:
>> Wolfgang Kueter wrote:
>>> nik wrote:
>>>> but then how will I be able to install new application if I am on
>>>> LUA mode?
>>> Just the normal way:
>>> - log out as user
>>> - log in as administrator, install the software
>>> - log out as administrator
>>> - log in as user and use the software
>> It will be a tedious task having each time I want to install an app
>> logging out and logging in again 4 times.
> "Fast User Switching" or "Run As..." come to mind ...
Providing the host has enough memory to accommodate leaving all the
processes running from the limited account so you can switch to another
admin-level account. Fast User Switching leaves all the processes
running. Plus it isn't just software installs for why users may need
to be logged under an admin-level account. Fast User Switching (FUS)
will add 10MB of memory consumption to each context (each active
account), and then there's the memory consumed by each application you
run in the other concurrent active account. That 10MB can vary
widely depending on how many startup programs are loaded when you open
the other account through FUS (Startup folder, Run registry key,
winlogon events, and other startup locales in the registry); however,
you really shouldn't be loading much in your admin-level account but
even the security programs will consume memory.
There are also some applications that won't run under Fast User
Switching (because they won't run concurrently under multiple active
Windows accounts). Some clipboard manager utilities come to mind. They
weren't designed to have multiples of themselves running at the same time,
especially under different accounts with different privileges
(policies). They were designed to run under an NT environment but not
under a multi-user environment. The user would have to ensure that such
programs did not get loaded on login for the admin-level account to
prevent the duplicity. Yeah, you could get rid of this software but it
might be something you really want or truly need to do your work. The
point of the computer is to do the tasks that you want. You pick your
applications based on your needs and then choose the OS. The other way
around has you selecting the OS and using its security features but
maybe losing critical applications because they won't work under
concurrent active accounts. You need the application first (to do your
required tasks), not the OS (which is just the plate on which you serve
the meal). Also, in the KB 294739 article below, you might have
installed (or you might later install) an app that interferes with Fast
User Switching (FUS). There have been many users that complained that
they were using FUS and then it stopped working. I believe another
reason FUS stops working is if the user enabled offline files
(http://support.microsoft.com/kb/307853). It is also possible to
programmatically enable/disable FUS or do it via a registry edit, which
means malware can do it, too.
There is also the problem of trying to share resources across the
multiple active accounts. An open file handle for a file in a folder
could cause problems in the other account that wants to delete the
folder or have write permission to that file.
Remember that Fast User Switching is *not* available when connected to a
domain for Windows XP (it is available when on a domain when using
Vista). It is only available in a workgroup setting because it only
lets you switch between local accounts. nik never mentioned WHICH
version of Windows that he is using, or if he is logging onto a domain
or logging on locally (into a workgroup). Read
http://support.microsoft.com/?kbid=294739 and
http://windowsitpro.com/article/articleid/27402/under-what-conditions-is-fast-user-switching-available-in-windows-xp.html.
As I recall, if Fast User Switching is enabled, you're stuck having to
use the Fisher-Price Welcome Screen in order to select the other account
to switch to. This is one of the first tweaks I do after a WinXP
install to get rid of the Fisher-Price fluff crap. Note that you should
NEVER use the Administrator account even to do admin tasks. Always
create another admin-level account (i.e., in the Administrators group)
and use that one. If your Administrator profile gets corrupt and you
cannot load its desktop, you're screwed, so use a secondary admin-level
account and leave the Administrator account completely alone except in
case of extreme emergency. The Administrator account will disappear
from the Welcome Screen once you define another admin-level account (a
registry hack can put it back, or twice tap the Ctrl+Alt+Del key combo
to bring up the classic login screen).
When using the Welcome Screen, you divulge half your logon credentials
to anyone that can see that screen, like when letting other users use
your host (even when using their own accounts). Besides trying to get
my password, I'd also like to make them try getting my logon name.
Some users like to leave the password blank to their account for ease in
logging in although it removes a major security feature of NT-based
Windows. FUS requires that at least one of the accounts between which
you are switching has a non-blank password.
Be careful of locking yourself out of your accounts. A security policy
locks an account if too many unsuccessful logon attempts are executed
against an account. You can see these values in the group policy editor
(gpedit.msc) or local security policy editor (secpol.msc). If you are
the only user of your host, this probably won't happen. If you let
others share your host and they use FUS to try cycling to another
account and do it enough times then they could lock out your account(s).
If you share and use FUS, you might want to reconsider the current
settings for the lockout security policies (to shorten the lockout
period and the number of bad attempts). If you're on a domain, you
don't get to modify those policies that get pushed to your host (unless
you have an admin login on the domain that gives you privileges to your
own host to make registry edits using .reg files in your Startup
folder).
Many software installs that require admin privileges to complete will
also require a reboot. That means you will be slamming your other
account that you switched away from but which may still have
applications running and open files. Make sure to close all apps in the
other non-admin account before you permit the reboot for the install in
the admin account (hopefully the install will prompt for a reboot
instead of just doing it without permission).
I haven't bothered to investigate into any security vulnerabilities of
using Fast User Switching simply because I don't use it myself (i.e.,
for me, any vulnerabilities would be a non-issue).
There can be advantages to Fast User Switching. There can also be
disadvantages and pitfalls but if you can avoid them without losing any
tasks that you need to perform then it's one way to do most of your
tasks under a limited account and have an admin-level account within
easy reach.