Re: Using Same Account as both Admin and Limited User
- From: Robert Carnegie <rja.carnegie@xxxxxxxxxx>
- Date: Sat, 8 Aug 2009 18:06:10 -0700 (PDT)
What is actually needed on a one-per-desk computer is a way to prevent
access to system files when in 'normal mode' so as to offer better security
against malware, and to allow such when in 'maintenance mode.'
What happens instead is that all system configuration is done under an
entirely different collection of settings, and any changes to the settings
are thrown-away when returning to normal mode. This causes extreme
awkwardness (in fact it means that most apps have to be configured
twice-over) and is the main reason most people don't run as a limited user.
Well, that's why Microsoft made Windows Vista. Uh, wait...
You can do several useful administrative things from a limited user
desktop with right-click "Run As..." to select your administrator
account. Other things you can't do at all, and some you can do by
using "Run As..." in an indirect way. I think that's a way to run
hard disk maintenance tools, for instance - through "Computer
Management". But Windows Explorer, and "Windows Update" inside
Internet Explorer, seem to be out.
Administrator is always present and active in your computer but may
not be talking to you.
On the other hand, "Ordinary user" could be compromised while
administrator is not - or so we're told. And yet frequently we hear
of a Windows Update that stops a malicious exploit that invades as
"Ordinary user" and then escalates to administrator. Which is not
even needed if /you/ escalate "Ordinary user" to administrator
status. I'm sure there are exploits that just assume that, like very
many users even today, the victim is an administrator.
As it happens, I'm looking for advice on securing an XP Home netbook I
just got. Is there a good FAQ?
Let's say my administrator account is named "Arthur" and the everyday
user is named "Galahad" - although that's not leading anywhere. Now
for instance there's a "real" Administrator that only works in safe
mode, right? Apparently with no password as default? On the WWW I
can find people telling me to rename /that/ administrator, delete it,
change the password. Does any of that stuff matter if the account
isn't accessible except for explicitly invoked mainenance?
Also, I've apparently been silently but legally supplied with Norton
Internet Security 2008 on hard disc, but not configured. But I favour
F-Secure's products, and I want to upgrade protection on other systems
I own, too. Also, my employer uses F-Secure. Still, I have this one
copy of Norton for free - temporarily, I expect, a limited-time
update_for_norton_internet_sec.html> (Brian Krebs) repeats but
disagrees with criticism: "NIS has earned a bad rap over the years for
being a slow, resource-hogging beast of an anti-virus program, but
when I trialed the program for a few months, I found NIS2009 to be
very fast and unobtrusive." He doesn't mention it being hell to remove
from a system, which I've also heard. So I guess it could be (1) best
avoided or (2) too late, since it's kind of there.
- Prev by Date: Re: Windows XP Hpme Folder Access Problem
- Next by Date: Re: Foistware takes-on a new pervasiveness..
- Previous by thread: firewall shutting down and not starting up
- Next by thread: Re: RDP File Access...