Re: How good is Comodo Internet Security?



nik gr <nikos1337@xxxxxxxxx> wrote:
> "Ansgar -59cobalt- Wiechers" <usenet-2008@xxxxxxxxxxxxxxxx> wrote:
>> VanguardLH <V@xxxxxxxxx> wrote:
>>> A process can be made to run under a LUA (limited user account)
>>> token. That is, the process will have the same privileges as that
>>> token. Since the token has the limitation of a standard user
>>> account, that process is also limited. But that only applies when
>>> you run that process under the limited environment. When using
>>> DropMyRights, SysInternals' psexec, or other such utilities that run
>>> the child process under limited privileges, only the process they
>>> start is limited. So if you use them to start the web browser, that
>>> instance of the web browser is limited and you get more protection.
>>
>> Since Microsoft has documented that the *desktop* not the process is
>> the security boundary with Windows, that's most definitely *not* what
>> you want to do.
>
> I didn't understand these sentences. Can you please put it simpler?

No.

>> Instead you want to create an LUA, do your everyday work with that
>> account, and only switch to an admin account to do administrative
>> work.
>
> But as an answer to me in a previous post in this thread you said that
> administrative tasks can be done with ease by selecting "Run as..."
> within a LUA. Correct?
> So, why switching back and forth from LUA to admin-level when he can
> do our admin task within our LUA environment?

My wording was probably misleading here. Sorry. I meant "switching" in a
broader context here. Not only logging off and back on with an admin
account, but also by using FUS or executing a program via "Run As..."
under an admin account.

However, RunAs is only a workaround, because programs will share the
same desktop, meaning they may be susceptible to something like shatter
attacks carried out by malware running with reduced privileges. The
advantage is that you limit the time programs with elevated privileges
are exposed. The better (more secure) way is to log off, log on as an
admin to do your admin tasks, then log off and back on with your normal
user account. Yes, that's not necessarily convenient.

With Vista Microsoft seems to have introduced some additional kind of
access control, so that shatter attacks may not be an actual problem
in this scenario anymore. However, I don't know enough about this new
system to make any statement about its reliability. Conservative
approaches like logging off and back on are virtually always the safest
bet when it comes to security.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich