Security running as Administrator in XP

Just how much of a security risk is running Windows XP as
administrator? I know this is severely frowned upon in Unix/Linux,
yet Microsoft don't seem to want to admit that there could be a risk
here.
I've been running XP for the past year as sole user Admin, and if
there is a risk my problems would be:
What would happen to all of the programmes I've installed in that
time.
If I set up a user with limited rights, would that user be able to
access all of the software?

I did look up past postings on this NG and there did not seem to be
any consensus of opinion on this topic. I hope I haven't opened a
"can of worms" here. Any advice appreciated.
--

Peter James
Change AT to @ to reply

Peter James

"Peter James" <> wrote in message
news:...
> Just how much of a security risk is running Windows XP as
> administrator? I know this is severely frowned upon in Unix/Linux,
> yet Microsoft don't seem to want to admit that there could be a risk
> here.

Whether this is factually right or wrong, I think of it in terms of what
would happen if I was to get infected by a virus or trojan whilst running
with full administration privileges. This unwanted foreign body would I
think be able to assume the same level of control over the computer as the
Administrator him/herself.

If no other safeguards were in place (anti-virus, firewall, properly
configured that is) then my computer could in theory then be 'owned' by that
foreign body. (I'm trying not to say 'malicious' here ... doh ..)

Now if I was to run as a normal user or one with less power than an
administrator, then the risk decreases. That's all it is for me. It's not
perfect, but it just decreases the possibility of a total system take-over,
if it's used in conjunction with security-concious computer housekeeping.
Notice I didn't say 'security-minded' ... ugh ...bugger.

I don't understand where you're coming from with the sentence 'yet Microsoft
don't seem to want to admit that there could be a risk here'.

> I did look up past postings on this NG and there did not seem to be
> any consensus of opinion on this topic. I hope I haven't opened a
> "can of worms" here. Any advice appreciated.

I'm interested in other peoples opinion on this too. And yes, you probably
have ...

Regards,

Pete.

Pete

On Sun, 4 Jan 2004 11:54:40 -0000, "Pete" <> wrote:


>snipped
>I don't understand where you're coming from with the sentence 'yet Microsoft
>don't seem to want to admit that there could be a risk here'.
>
Maybe my choice of words was unfortunate. What I meant was, if there
is a security problem, it's not one that Microsfot publicises.
Linux/Unix on installation go all the way to ensuring that the user
sets up an Administrator and User, and ensures that the user is aware
of the security issues. That doesn't seem to be Microsoft policy on
this issue.
--

Peter James
Change AT to @ to reply

Peter James

Peter James wrote:
> Maybe my choice of words was unfortunate. What I meant was, if there
> is a security problem, it's not one that Microsfot publicises.
> Linux/Unix on installation go all the way to ensuring that the user
> sets up an Administrator and User, and ensures that the user is aware
> of the security issues. That doesn't seem to be Microsoft policy on
> this issue.

I have noticed this also. Having set up Win2K/XP many times, I have long
known that you are "Administrator" by default, but Microsoft at no point in
the setup program advises you to switch to a "User" account. My conclusion
is that it makes installing programs too difficult for most people, and MS
does not want to grapple with the support problems.

Now for your other question, you will in many cases have to allow additional
security rights to a program to get it to run in a User account. Just
right-click on the folder in Program Files, and set it with the same rights
as Power User, which works in most cases. Sometimes you have to go into the
registry (using regedt32, not regedit) and grant additional permissions to
the software group in question under either Current User or Local Machine,
if I remember correctly. However, a few utilities may not work at all no
matter what permissions you give, or else work with limited functionality.
In that case, use the "runas" command to run as Administrator each time you
start the program. One little-known trick in WinXP is that you can get
Runas to remember you Administrator password; use the "/savecred" switch. A
comparable effect can be had in Win2K by using the Sanur utility
(http://www.commandline.co.uk/sanur/). You can also run as a service using
FireDaemon (http://www.firedaemon.com/).

I am not a programmer, so I have had to figure these out myself over a
period of time. But if everyone used them, at least 90 percent of the
trojan and virus problems would be solved with no additional software
whatsoever, at zero cost.

James H. Fox

"Peter James" <> wrote in message
news:...
> Just how much of a security risk is running Windows XP as
> administrator? I know this is severely frowned upon in Unix/Linux,
> yet Microsoft don't seem to want to admit that there could be a risk
> here.
> I've been running XP for the past year as sole user Admin, and if
> there is a risk my problems would be:
> What would happen to all of the programmes I've installed in that
> time.
> If I set up a user with limited rights, would that user be able to
> access all of the software?
>
> I did look up past postings on this NG and there did not seem to be
> any consensus of opinion on this topic. I hope I haven't opened a
> "can of worms" here. Any advice appreciated.
> --
>
> Peter James
> Change AT to @ to reply

with XP you can setup access rights and groups for software and files, you
can also run admin privelaged programs from a limited account by right
clicking, run as... choose user and input password. Just like su.

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"

Mimic

"Peter James" <> wrote in message
news:...
> On Sun, 4 Jan 2004 11:54:40 -0000, "Pete" <> wrote:
>
>
> >snipped
> >I don't understand where you're coming from with the sentence 'yet
Microsoft
> >don't seem to want to admit that there could be a risk here'.
> >
> Maybe my choice of words was unfortunate. What I meant was, if there
> is a security problem, it's not one that Microsfot publicises.
> Linux/Unix on installation go all the way to ensuring that the user
> sets up an Administrator and User, and ensures that the user is aware
> of the security issues. That doesn't seem to be Microsoft policy on
> this issue.
> --
>
> Peter James
> Change AT to @ to reply

Microsoft like to employ a technique of eye candy over security

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"

Mimic

"Administrator" is a known user name on most computers.
Anyone hacking in, is going in as "administrator" .. not some
unknown user. Malicious code is not going to run at the user
level either .. maybe some, but not the bad stuff. If you are
located in an office, and others can wander in and play
around on your computer, then don't leave it on. What I've
noticed is that most users who run as administrator simply
don't care if their systems are trashed, and most won't even
use a password .. especially in XP or '98. I can't really write
down what I think of these individuals, but they deserve what
they get ... and WORSE ... we don't deserve what they cause.
What is going to happen is ... just like getting your drivers
license, you are going to have to train to be ALLOWED to
use a computer. And, just like driving the streets, you are
going to have to obey the laws of Computerdom, or get
hauled into Computer Court and fined ... possibly lose
your computer license .. or WORSE. Hmm, thinking .....
what is a suitable punishment for being a Stupid User ???

johns

johns

How about sending them to Stupid Jail
On Tue, 6 Jan 2004 14:27:48 -0800, "johns" <> wrote:

>"Administrator" is a known user name on most computers.
>Anyone hacking in, is going in as "administrator" .. not some
>unknown user. Malicious code is not going to run at the user
>level either .. maybe some, but not the bad stuff. If you are
>located in an office, and others can wander in and play
>around on your computer, then don't leave it on. What I've
>noticed is that most users who run as administrator simply
>don't care if their systems are trashed, and most won't even
>use a password .. especially in XP or '98. I can't really write
>down what I think of these individuals, but they deserve what
>they get ... and WORSE ... we don't deserve what they cause.
>What is going to happen is ... just like getting your drivers
>license, you are going to have to train to be ALLOWED to
>use a computer. And, just like driving the streets, you are
>going to have to obey the laws of Computerdom, or get
>hauled into Computer Court and fined ... possibly lose
>your computer license .. or WORSE. Hmm, thinking .....
>what is a suitable punishment for being a Stupid User ???
>
>johns
>

stew

James H. Fox wrote:
> Peter James wrote:
>
>>Maybe my choice of words was unfortunate. What I meant was, if there
>>is a security problem, it's not one that Microsfot publicises.
>>Linux/Unix on installation go all the way to ensuring that the user
>>sets up an Administrator and User, and ensures that the user is aware
>>of the security issues. That doesn't seem to be Microsoft policy on
>>this issue.
>
>
> I have noticed this also. Having set up Win2K/XP many times, I have long
> known that you are "Administrator" by default, but Microsoft at no point in
> the setup program advises you to switch to a "User" account. My conclusion
> is that it makes installing programs too difficult for most people, and MS
> does not want to grapple with the support problems.
>
> Now for your other question, you will in many cases have to allow additional
> security rights to a program to get it to run in a User account. Just
> right-click on the folder in Program Files, and set it with the same rights
> as Power User, which works in most cases. Sometimes you have to go into the
> registry (using regedt32, not regedit) and grant additional permissions to
> the software group in question under either Current User or Local Machine,
> if I remember correctly. However, a few utilities may not work at all no
> matter what permissions you give, or else work with limited functionality.
> In that case, use the "runas" command to run as Administrator each time you
> start the program. One little-known trick in WinXP is that you can get
> Runas to remember you Administrator password; use the "/savecred" switch. A
> comparable effect can be had in Win2K by using the Sanur utility
> (http://www.commandline.co.uk/sanur/). You can also run as a service using
> FireDaemon (http://www.firedaemon.com/).
>
> I am not a programmer, so I have had to figure these out myself over a
> period of time. But if everyone used them, at least 90 percent of the
> trojan and virus problems would be solved with no additional software
> whatsoever, at zero cost.
>
>
It doesn't really matter if you run in "user" mode or "administrator" if
so many processes are owned by "system."

John Larger