Re: firewall on budget ?

jameshanley39@xxxxxxxxxxx <jameshanley39@xxxxxxxxxxx> wrote:
On Jul 25, 7:26 pm, Ansgar -59cobalt- Wiechers wrote:
Work as a normal user (not guest). Adjust the rights for programs that
need to be run by users but won't run as a normal user [1]. Replace
programs where this isn't possible.

For administrative tasks use runas or log in as an administrative user.
The latter is the preferred method, because the former may allow for
shatter attacks against the programs started with admin privileges.

[1] http://www.planetcobalt.net/sdb/submission.shtml

You reference currently only brings up or redirects to a welcome page.
I don't see what article has the relevant info.

The URL worked with Mozilla, but apparently not with other browsers.
Fixed.

For what I called running as guest, I had in mind limited user account
or non-admin account...

Guest is something completely different from LUA. Don't confuse the two.

But it's quite a nuisance. For reasons mentioned . Maybe ok for an
end user that doesn't need administrative rights very often. Or for a
techie using the family machine (not commonly experimenting on it
putting servers on or amending the firewall settings, installing other
programs)

Once a box is set up properly, people do not need administrative rights
very often. BTDT.

An obvious nuisance is you can't get the date up by double clicking
the clock. That can be sorted out. Under 'local security policy'.

Exactly.

You can't write a little file like c:\a.txt, ok, that can be sorted..
you can create a folder on c:\, so can do c:\a\a.txt or c:\crp\a.txt

Ummm... normal users are not supposed to create files in C:\. Users have
full write access in their %USERPROFILE%, which is the place where they
are supposed to create their files (preferrably either in the "My
Documents" subfolder or %TEMP%).

Besides, I don't see any reason at all why non-administrative users
should be allowed to create anything (be it files or folders) in C:\ in
the first place. Which is why I restrict limited users to read-only
access to C:\ on all systems I set up.

Installing a program, getting an error, then doing the run as, can be
a nuisance. If I was installing many programs, trying loads out, over
a few days, and I wanted to browse the internet and do other things.
It'd be too much hassle doing so from a limited account. It's a good
reason why a techie's computer may most practically be best off
running as administrator all the time.

I've been doing exactly what you call "too much hassle" for years now,
without any problems. If you need to grow progress bars while doing
other work as a limited user, you just start your preferred file manager
via runas and run all setups from there. Problem solved.

My experience is that you can't burn a CD from a limited account. I
tried with a few different pieces of software. nero, cdburnerxp, and
prob another one. I guess maybe your reference would work for that.

Install Nero Burn Rights and put the users that should be able to burn
CDs into the group "Nero" (works for other burning software too). Or use
a different program. Deep Burner for instance works just fine as a
limited user here.

Logging off and on is a hassle in time, and especially moreso if it
means closing your programs. Is a bit off-putting too. If you're busy
with all these windows up.

Then use runas. It's only the second best option, but an option
nonetheless.

Furthermore, if one had a P2P app it means they'd end up far away in
the queue..

I'm running a BitTorrent client on this Win2k box as a limited user
without any problems. Your point being? It's not like somebody's forcing
you to use crappy P2P software.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
.

Relevant Pages

  • Re: I thought user security was a holy grail
    ... ' in this example the command prompt is being run as the administrator ... The next step is to save and make a shortcut in the limited user account ... > sub, "Programs" sub sub, and "Startup" sub sub sub. ... >>using an admin account. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: I thought user security was a holy grail
    ... Hi Kevin, I was wondering if I could get you to contact me offline. ... > ' in this example the command prompt is being run as the administrator ... > The next step is to save and make a shortcut in the limited user ... >>>using an admin account. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Security problem - Limited user can access administrator file with Adobe Photoshop Album?
    ... limited user but also pictures contained in folders to which the limited ... it will communicate to the search service - and the search service has to ... Next I moved the pictures I wanted to protect from general access over to the administrator user but obviously the catalog entries were not deleted automatically. ...
    (microsoft.public.windows.vista.security)
  • Re: Limited User Problem
    ... On my grand daughters PC I set up her mother as Administrator and ... down-graded her to limited user. ... If mom logs on with her Administrator ... Who knows how I became 'illegal' after installing and ...
    (microsoft.public.windowsxp.general)
  • Re: Types of users
    ... XP Home only recognizes Administrator and Limited User ... The Limited User account does not have the necessary access to parts of the ... MS-MVP Windows XP/ Windows Smart Display ...
    (microsoft.public.windowsxp.security_admin)