Re: Admin user vs. Power user

From: Chris Jackson (chrisjATmvpsDOTorgNOSPAM)
Date: 02/03/04 

Date: Tue, 3 Feb 2004 10:33:32 -0500

To understand the security implications of local privileges, you must
understand exactly how applications are run. Every application that is
launched is launched with the user credentials of the user who initiated the
program. If you are running as a local admin, and you start a program, that
program can do absolutely anything you can do (which is, if you are an
admin, absolutely everything). It can install new software, it can delete
files, it can read your email, it can do whatever an admin can. Consider an
email virus: if a user double clicks an attachment, now that program has
admin rights on your computer, and can install backdoor software and do
anything else. If that user is NOT a local admin, then not only can the user
do less damage (by installing software that may be ill behaved) but the
software they run can do less damage. I never run as a local admin - I don't
even run as a power user - and yet I still manage to crank out many lines of
sweet, sweet code and get my work done with only the occasional
inconvenience (driven mainly by other developers who DO run as local admin,
and as a result create software that only works if you also run as a local
admin, which is because they are bad). 

-- 
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
-- 
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
-- 
"cb" <spam-nospam@niagaramasters.org> wrote in message 
news:u$EqzSm6DHA.2576@TK2MSFTNGP11.phx.gbl...
>A security checklist suggested that we move many of our users from Local
> Admin to power users on their machines. I am trying to figure out exactly
> how this will improve security... will it stop adware from installing?
> Viruses from changing systems files.
>
> I appreciate information people pass along, but please be sure to include
> URL's or other resources so I can read up further - thank you.
>
> ~CB
>
>

Relevant Pages

  • (no subject)
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... You just hit a sore spot w/ me...the CSI/FBI survey. ... it's probably an admin who has ...
    (comp.security.misc)
  • (no subject)
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... You just hit a sore spot w/ me...the CSI/FBI survey. ... it's probably an admin who has ...
    (comp.os.ms-windows.nt.admin.security)
  • Re: Food for Thought
    ... Look at the Navy-Marine Corps Internet, a contract ... Security is secuirty and penetration means exactly that. ... that telling the reader to do a Google search for sources isn't going to ... it's probably an admin who has ...
    (microsoft.public.win2000.security)
  • Re: [Full-Disclosure] Support the Sasser-author fund started
    ... >> Windows security problems could be avoided by ripping out the network ... a user is expected not to be able to install a complex ... > configuration right is the job of the system admin, ... security critical stuff!), so you have to go and lock it down. ...
    (Full-Disclosure)
  • Re: permissions in widows xp home edition
    ... This would be done by the admin just ... >>after the install, and it grants the Users group change ... >>the tightened security of W2k and now XP, ... >>> edition is not the easiest to use for permissions. ...
    (microsoft.public.windowsxp.security_admin)
Quantcast