Re: How safe is a "Limited" XP account?

From: André Gulliksen (andre.gulliksen_at_start.no)
Date: 02/24/05


Date: Thu, 24 Feb 2005 19:53:05 +0100

John Brock wrote:
> I do notice that when I see lists of recommendations for securing
> Windows PCs Limited accounts are often not even mentioned, and I've
> wondered why that is. Maybe it's because some old or poorly designed
> software won't run properly, and because you can't install most
> software.

This probably has more to do with history and habits than the actual
security. In UNIX, limited user accounts are the rule rather than the
exception. But Windows has a history based upon single-user operating
systems, which has later had functionality added to emulate multi-user
support. Of course, NT was a huge step in the right direction, but software
designed for NT 3.x/4.0/2000 still had to be designed to also run on Windows
3.x/9x/ME. So it was easier to assume that the user would run under
administrative privileges than to make support for limited users under true
multi-user environments.

Even today all accounts created in XP are administrator accounts by default.
And worse: Windows happily accepts blank passwords for all users, including
'administrator'. Even if limited accounts became the norm, it would probably
be easy to spread a worm that runs itself with administrator privileges
simply by guessing that the administrator password should be blank.

> Maybe it's assumed that the typical user can't be trusted
> to understand and use a Limited account.

Now, _this_ makes no sense to me. The question should rather be how can a
typical user be trusted with a _non_-limited account.

> Or maybe it just doesn't
> add as much security as I think it does.

It's not likely to be bulletproof, but it does add security. If the goal is
ultimate security then limited user accounts are one of several mandatory
steps.
