meddlingBanter

Note: Since writing this up I’ve been running as a limited user for a while so I think I’ll be writing another follow up post to A) revise some things that are incorrect in this post and B) comment on the troubles I’ve been having. Running as a limited user on my linux box is much easier. Hopefully Vista will be better about that sort of thing.
A couple weeks ago at work I got to attend the Microsoft Security Matters conference at The Rock Financial Showplace in Novi. As the name suggests it was all about securing your Windows environment using technologies built into Windows. I must say I was quite impressed with the various discussions ranging from securing your wireless with WPA2 to using IPsec to secure communication between clients and servers. In addition to the talks given they provided a lot of literature and resources to start implementing the various technologies into your network. This was a side of Microsoft I never thought I’d see. One of the speakers even went as far as to say Microsoft is a lousy operating system, at least in the past. He did suggest however that it can get better, and they were there to show you how.

During the keynote at the end of the conference the speaker asked the room how many of each admins users run as a limited user, very few admins raised their hands. In a room of a thousand people, governing at leat 50 employees each, probably more, that can ad up. If any of those users accounts were compromised, or code was executed running as the system administrator, well pretty much anything can happen. Plain and simple, its a bad idea for security. There speaker mentioned that by the time Vista comes out that should all change. Default users on a Vista machine will be with a limited user account, which should significantly reduce security issues on Windows machine right out of the box. Why wait for Vista though, run as a limited user now and save yourself all the headaches Windows gives you.

Things to know Before You Do This

Running as a limited user restricts you in terms of installing programs, editing the registry (I think), and editing the system directory and system files. Most spyware/adware these days tries to alter one of those three things to achieve their desired effect, generally to cause you hours of frustration. Because each new user in XP is automatically an Administrator you have three strikes against you as soon as you turn on your computer for the first time, not exactly great odds for success. So now you know, now lets get started.

Setup Your Admin Account

Note: I’m not sure if things are different on XP pro or home, but I’ll keep things as general as possible so this works on both.

If you’re going to run as a limited user, you’ll need to have an Admin account on your computer for things like installing programs or editing system files, but only during those times, the rest of the time you’ll run as a limited user. By default the Admin account on an XP home or Pro machine is named Administrator. On an XP home machine you’d probably never know you had an Administrator account, but trust me it’s there. It’s a good idea to change this name, as its an easy target for anyone wanting to get on your machine. This is especially true on a XP home machine where this account has no password by default. Follow these steps to change the name of the administrator account.

1. Go to Control Panel (Start, Control Panel)

2. Administrative Tools (Make sure you’re at the classic Control Panel)

3. Double click Local Security Policy

4. In the left menu go to Security Settings>Local Policies>Security Options (Refer to the picture of you’re having problems.)

5. On the right hand side look for the setting that says Accounts: Rename administrator account, double click this setting and type a new name. I suggest you don’t use admin instead of administrator, something less obvious but you won’t forget is a good idea. Remember anytime you want to install a program you’ll need to know this name. Click OK when you’re finished and exit out of Local Security Settings.

Change the Way Users Log On and Off

Note: If you already use the classic log on skip this part.

On a XP home machine or even some XP pro machines you may notice you log on automatically and you never have the option to log on as the administrator of the system. Two things are wrong here. The obvious one being you have no password for your account. The other problem is (not exactly a problem, but a “feature”) you have the Welcome Screen as your log on Screen. Do yourself a favor and make a password for your account (admin account as well) and switch to the classic login (at least until you change your account to a limited account).

1. Go to the Control Panel again and select User Accounts.

2a. Set passwords for your account by selecting change an account>click the user account to change>change my password (could be add a password if you don’t have one yet) Skip this if you already have a password.

2b. At the main User Accounts page select Change the way users log on or off.

3. Finally uncheck Use the Welcome screen.

Now you’re ready to make the final change to be a full time Limited User.

Change to a Limited User

This can only be done from the Administrator account, or any account that is an administrator that isn’t currently logged on. Here’s how to do it.

1. Log off your current account.

2. At the classic log on screen type your new administrator user name and pass. They password might be blank. If you use a blank password follow parts 1 through 2a in the previous section to set the password on the administrator account.

3. Go to the Control Panel then to User Accounts again. Select the account you want to make a limited account.

4. Select Change account type

5. Click the Limited radio button and then click Change Account Type.

6. Optional: Turn the Welcome screen back on. From the main User Accounts page select Change the way users log on and off again, check the User the Welcome screen box again and then log off the admin account.

Now What?

Now that you’re a limited user what do you do? How do you install a program? You’ll need to become familiar with the Run As command. Installing a program now requires you to right click an exe file, and select Run As to install. A user name and pass box will pop up, here you’ll enter the new Admin name you created and password. One extra step isn’t so bad to be running a lot more secure. Now if any malicious software tries to install itself you’ll be prompted for a user name and pass and or denied the ability to install a program, keeping you safe. One problem this has is for the spyware/adware and virus’s already on your PC, it won’t stop them. This is best to do on a fresh XP install. I’m gonna give this a shot for a while and see how things go. My Linux box, like most if not all Linux OS’s, is setup to run in much the same fashion by default. At least with Vista Microsoft finally figured this is a good idea.

Blogged with Flock