nonadmin

Running As Non Admin

From Aaron Margosis:

Here’s how I set up home computers for friends and relatives:

  1. Create an Administrator account called “Admin”. No password.  (Read on before you flame.)
  2. Create a Limited User account for each person who will be using the computer. No passwords.
  3. Enable the Guest account if it is anticipated that visitors may need to go online.
  4. I instruct all concerned that the Admin account is to be used only for installing software, and to use their individual accounts for all day-to-day use, including web, email, IM, etc. 

This has worked quite well for everyone I’ve done this for, and I don’t get calls anymore about home pages being hijacked, etc. Users generally don't even have to log out. My 7-year-old walks away, the screen saver kicks in, my 3-year-old moves the mouse and clicks on his picture (or the frog or whatever it is now) and has his own settings.
...
OK, I know you’re bursting already: “No password?!?! Are you insane?!?!” Cool down, now. Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password. By default, an account with a blank password can be used only for logging on at the console. It cannot be used for network access, and it cannot be used with RunAs. The user experience of just clicking on your name to log on can’t be beat for simplicity. If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the admin account, this is a great way to go. If not, you can always enable passwords.

Read on in his blog post "The easiest way to run as non-admin".

Microsoft now has a short white paper explaining how to run as non-admin: Applying the Principle of Least Privilege to User Accounts on Windows XP. If you're only going to read one document, read this. For a less technical take, see How the right user account can help your computer security. (From Other Resources)
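The four steps above can be scripted so that every home machine gets the same layout. The batch file below is an added example, not from the page, from Aaron Margosis or from Microsoft; it assumes a stand-alone Windows XP machine (not a domain member) and is run once from an account that is already an Administrator. The account names `Admin`, `Alice` and `Bob` are placeholders. It also checks the one setting the blank-password argument depends on, the policy RaFi's comment below calls "Accounts: Limit local account use of blank passwords to console logon only", which is stored in the registry as `LimitBlankPasswordUse`.

```batch
@echo off
REM Added example (not the page's or Aaron Margosis's own script).
REM Assumption: stand-alone Windows XP, run from an account in Administrators.
REM Account names are placeholders; replace them with the real users.

REM Step 1: an Administrator account called Admin with a blank password.
net user Admin /add /passwordreq:no /comment:"Install software only"
net localgroup Administrators Admin /add

REM Step 2: a Limited User (member of Users only) for each person, no password.
for %%U in (Alice Bob) do (
    net user %%U /add /passwordreq:no
    net localgroup Users %%U /add
)

REM Step 3: enable Guest for visitors (leave this out if nobody needs it).
net user Guest /active:yes

REM Step 4 has no command: tell everyone Admin is only for installing software.

REM A blank password only stays safe while blank-password accounts are limited
REM to console logon (policy value LimitBlankPasswordUse = 1). Verify it and
REM enforce it if something has turned it off.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse | find "0x1" >nul
if errorlevel 1 (
    echo LimitBlankPasswordUse is not 1 - enabling it
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
) else (
    echo Blank passwords are already limited to console logon only
)

REM Show the result: Admin in Administrators, everyone else in Users only.
net localgroup Administrators
net localgroup Users
```

The final two `net localgroup` listings are the check worth keeping: if any day-to-day account shows up under Administrators, the arrangement has silently stopped being "run as non-admin".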

Comments

From Digital Dad [131.107.71.225] - 3/30/05 9:08 AM

My wife has had her XP machine set up this way for about a year - adware/spyware/etc. no problem.  It can be frustrating from time to time to get around some of the glitches mentioned on this site, but overall the safety factor makes it worth it.  My toddlers, who play old, poorly written Win95 CD-based games, have their own (older) machine and know not to touch Mom's machine.  I can flatten and reinstall the kids' machine if it gets too bad without worrying about losing any important data.  They only visit PBS and NickJr websites, but I got a decent Linksys router with hardware-based parental control filtering, so they've got the ad sites and nasties blocked out before they even get to the computer.   The only time I've had to use the scorched earth policy on the kids' computer was when they put in a junkmail AOL CD and managed to click through the entire sequence and installed a mountain of bloatware on their computer, rendering it unusable for them for a day or so.  It's pretty funny because now whenever they get a new CD they ask me if it's going to ruin their computer before putting it in.  My daughter still tries to stick paper and toys into the drive, but she won't put an unknown CD in there. :)

From Experience with Limited User Accounts [68.251.190.232] - 6/25/05 7:39 PM

I am a Network Admin and computer consultant, and here is my experience with removing Admin privileges in a Windows environment.

The Good:
1.  Users cannot install non-licensed software without approval from someone with Administrative access.
2.  If the Administrative user accounts are protected by decent passwords, then it is harder for malware to get installed.


The Bad:
1.  Limited Users cannot defrag their computers.
2.  Dealing with user profiles is a pain -- i.e. lots of software that needs to be used by multiple users installs into just one profile by default.  It usually takes manual intervention to get the info to all profiles.
3.  The run as command often causes problems during use because it doesn't seem to use all the environment variables needed by some programs to properly operate.  Some programs can allow users to "shell out" and achieve unauthorized admin privileges.
4.  Internet Explorer still seems to be vulnerable to malware.  My best experience to protect against spyware is to replace IE with Firefox.  This causes problems with maintaining settings across user profiles because there is no group policy management of Firefox at the system level.
5.  Lots of common business apps require users to have full control access to the computer or to data files in order to work properly.  For example, Palm's software just won't work without administrative control and will only install to 1 user profile.  Kodak EasyShare software will not work properly without full administrative control, and FoxPro applications require users to have full control permissions to the database files in order to work, and many require a mapped drive in My Computer to the data files.  This last example is especially scary because it just takes 1 disgruntled employee a couple of clicks to delete a whole day's worth of work and bring a department to its knees.


From Henk Poley [80.126.114.182] - 6/27/05 3:07 AM

About not being able to defrag your drives: you can use Buzzsaw, available from http://www.dirms.com/

It runs as a service, and defragments your drives on-the-fly.

From 156.153.254.67 - 6/29/05 11:54 AM

Well, some of this information is a start, but I would like to begin to break down the problems in a more fundamental manner.

Microsoft sells XP Pro and XP Home. The Home edition creates more problems because of critical functionality that is cut out. I will list a few items, more could be entered.

1. Home only has Administrator and Limited classes of privilege levels. Yes, one can assign some specific task privileges, but these limited number of privilege levels create problems. An illustration of this can be found with Internet Security products from Symantec and McAfee. While both vendors are not very clear on the matter, Power User is a minimum privilege level for these products to update their rules. So periodically, daily, the update tools should run, but only at Administrator levels under the Home edition. If you have the regular user run at the LUA, then they must log in as Admin, run updates, and get back out. This is a losing scenario with no transparency. While not as severe under XP Pro because of the Power User level, the fundamental problem still exists: updates of critical infrastructure such as virus rules should be automatic. Oh, and call either of the two vendors above and they do tell you that there is no fundamental way to run updates at LUA levels. Is this true? I hope not.

2. Home edition enforces file and folder ownership while giving no tools to change ownership. I find it completely mind-boggling that this is missing. Home edition should be interpreted literally, for the Home, implying family, multiple accounts.  At times one can install software etc. and find nearly unsolvable problems where one user account cannot access a program because of file ownership issues. Microsoft's older Office products exhibited this problem on the Home edition. Under XP Pro, yes, there are tools to change ownership, but they are often obscure and sometimes expose hidden constraints when trying to loosen either ownership or read/execute privileges on folders. Perhaps a Wizard?

3. As others have noted, game installation can be a problem. Good practice would imply installing software as admin and then letting ordinary accounts run it. Using admin for installs demonstrates problems that occur with a number of games. The problems range from ownership to profiles associated with the game in the registry. This issue exists under any edition of XP.

I could go on, of course. Not using Home edition is part of the solution, which I have avoided for several years now except for a refurb laptop for my wife. But an expensive upgrade should not be the answer. Also, the hacks that have been mentioned are useful with a certain level of expertise, but they are hardly the answer in general. A better solution should be delivered by Microsoft now to owners of both editions. No waiting for Longhorn.

Quite frankly, it is amazing that some of these issues are extant; solutions in other OS's have existed for years, yet Microsoft had to invent an entirely different methodology. Of course NIH, Not Invented Here, we are smarter than the other guys. Sorry, not in this instance.


From NetWork Dude [68.248.152.196] - 7/4/05 9:28 AM

It's true that BuzzSaw and Dirms will allow regular users to run defrags, and an organization could go out and purchase Diskeeper or Perfect Disk.  But all of these solutions miss the point.  Microsoft should ship an OS that comes with everything it needs out of the box to maintain the OS and manage its use of the hardware.  More importantly, it should automatically perform these tasks in the background regardless of who is logged on, and how those tasks are run should be able to be completely controlled by a local or domain admin.  Requiring users to purchase additional software from either Microsoft or a third party should not be part of the solution.  Microsoft needs to ship a complete and fully functional OS.

Microsoft should set their Operating Systems up so that all software is installed by an Administrator account and then it is available to all users to use.  It's crazy that 1/2 to 3/4 (guess) will only install in 1 profile and require the Administrator only to run correctly.  Here's a list of software that I can think of off the top of my head that requires either full Administrative control or at least full control access to the root of the c: drive (both huge security risks):  Pitney Bowes CASS certification software, some Visual FoxPro Applications, QuickBooks, McAfee and Norton consumer editions, Palm Software, Kodak EasyShare, most games, and on and on.

In addition to requiring Administrative Access to install correctly,  I've seen several software packages that just won't install right unless the actual user Administrator installs the software. 

Speaking of Administrator and security.  An administrator should be allowed to disable the default Administrator account and create a replacement, not just rename that account.  If the Administrator account could be disabled and another account created to replace it, then the default SID would no longer be a security issue. 

Also, the default situation for the server service on a Windows install should be:  not installed.  By default there should be no c$, ADMIN$, or other hidden shares on a Windows machine.  If I want an administrative share, I'll create it myself.  The default NTFS permissions for a hard drive should be:  Administrators Full Control and System Full Control.  Authenticated Users should have read-only access to the Program Files directory and full control over their user profile.  Everyone should have no access to anything by default.

By default, remote registry editing, remote desktop access, and universal plug and play should be disabled. 

If MS would fix these problems they would have a decent product.  As it is now, I cringe every time I need to prepare a new XP or 2000 or NT4 (yes, some of my clients still use NT4 because it performs the tasks they need done) for rollout.  There are so many unneeded services and incorrectly configured (from a security perspective) items on these machines that it's hard to remember to secure them all.

Finally, people in Microsoft training classes really need to be taught the implications of each Microsoft service and the implications of leaving the default sharing, etc. operational.  Sure, some of those things may make machines easier to manage, but they also make them much easier to compromise.  The average MCSE or MCSA is clueless.


From red [70.179.130.224] - 8/22/05 2:55 AM

Defragging as a limited user?

I'm sorry, but you have to draw the line somewhere. Otherwise, you may as well just be running as admin. Need to defrag as admin? runas /user:administrator dfrg.msc, *or* configure the Windows Defragmenter link in the start menu to automatically prompt for credentials. When I need to run multiple utilities, I open up a command prompt as admin. If I want to manage the computer, I type "compmgmt.msc", or if I want to defrag, I would type "dfrg.msc" (though I use a 3rd-party defragger and have configured the shortcut to automatically prompt for alternate credentials.) Change my network settings? "control panel". Mine doesn't run as a service either. Then I close the command prompt when I am finished.

Basically, you don't have access to change/delete/move all system files, which is the way it should be.

You do, however, want an AV to update/scan as SYSTEM. Currently Norton does not exhibit this, but Kaspersky and AVG do. Mostly the problem with 3rd party apps is that they exhibit poor design, that is, they do not follow the Windows Logo program which specifically outlines where limited users can write: HKEY_CURRENT_USER in the registry (except the policies), a subfolder in the root of the drive, and anywhere in their profile folder. Don't blame Microsoft!
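Red's point about where a limited user is allowed to write, together with the lists of applications in the earlier comments that demand full control, can be checked directly instead of guessed at. The batch script below is an added example, not from the page or from any commenter. Run it as the limited user whose application is failing: it tries to create and remove a test key or folder in the locations the Windows Logo program expects a limited user to write to (HKEY_CURRENT_USER, the profile folder, a subfolder of the drive root) and in the locations that should be read-only (HKLM\SOFTWARE, Program Files, the Windows directory). The key name `LuaProbe`, the probe folder name and the `cacls` target path in the closing comment are all made up for the example; the folder paths are the XP defaults taken from the environment.

```batch
@echo off
REM Added example, not the page's or any commenter's own script.
REM Run as the limited user. Each probe creates and then removes a throwaway
REM key or folder; "ok" means the result matches what a limited account
REM should see, "FAIL" means the profile or policy is broken, "WARN" means the
REM account can write somewhere a limited user should not.
setlocal
set PROBE=lua-probe-%RANDOM%.tmp

REM --- registry: HKCU should be writable, HKLM\SOFTWARE should not ---
reg add HKCU\Software\LuaProbe /v test /d 1 /f >nul 2>&1
if errorlevel 1 (
    echo [FAIL] HKCU\Software not writable
) else (
    echo [ok]   HKCU\Software writable
    reg delete HKCU\Software\LuaProbe /f >nul 2>&1
)
reg add HKLM\SOFTWARE\LuaProbe /v test /d 1 /f >nul 2>&1
if errorlevel 1 (
    echo [ok]   HKLM\SOFTWARE read-only as expected
) else (
    echo [WARN] HKLM\SOFTWARE writable - this account is not really limited
    reg delete HKLM\SOFTWARE\LuaProbe /f >nul 2>&1
)

REM --- file system: profile and a new root subfolder yes, system folders no ---
call :probe "%USERPROFILE%\Application Data" ok
call :probe "%SystemDrive%" ok
call :probe "%ProgramFiles%" no
call :probe "%SystemRoot%" no
endlocal
goto :eof

:probe
REM %1 = folder, %2 = ok if a limited user should be able to write there, else no
mkdir "%~1\%PROBE%" 2>nul
if errorlevel 1 (
    if /i "%~2"=="ok" (echo [FAIL] %~1 not writable) else (echo [ok]   %~1 read-only as expected)
) else (
    rmdir "%~1\%PROBE%"
    if /i "%~2"=="ok" (echo [ok]   %~1 writable) else (echo [WARN] %~1 writable by a limited user)
)
goto :eof

REM When an application turns out to need only its own data folder, grant that
REM folder alone from the Admin account (C = Change, /E edit instead of replace,
REM /T apply to the tree), rather than putting the user into Administrators:
REM   cacls "C:\Program Files\SomeApp\Data" /T /E /G Alice:C
```

The `cacls` line in the closing comment is the narrow alternative to the "full control" the earlier comments complain about: the user gains write access to one folder, and nothing else about the account changes.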

From Jeff Brand [66.67.213.237] - 12/17/05 7:57 AM

Apple's OS X has the right idea - when an application needs administrator privileges, it prompts for the admin password. If successful, the application has admin privileges until it exits. This means that:

1. Users know when they're doing something that requires special privileges

2. They don't have to start a new user profile just to set up their app

3. They avoid issues raised by software that doesn't deal well with multi-user installs

RunAs does the same thing, but try telling the average user to type in that command line.. Besides, this offsets the responsibility of knowing when to raise privileges to the developer and OS, not the user. I know it can be done - I've seen this behavior before. I just don't see it often enough.

  - Jeff

From RaFi [213.238.93.137] - 12/29/05 8:49 AM

The security of this great proposal depends on one setting, so please verify this setting:

 START -> Run -> GPEDIT.MSC  and then  Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Limit local accounts use of blank passwords to console logon only", you want to have it Enabled.

(I have WinXP Pro, not Home) 

From coley - 2/23/06 9:37 AM

Usb Devices for Non-Admin Accounts??

I work for a university, and all of our student accounts are simply 'users' and I definitely do not want to change this, but ... we are encouraging them to use USB pens, USB hard drives etc., to carry personal audio/video files around that they are working on, but .. a majority will not install as a user, and we have to log out the student, log in as an admin, connect their device and then they can log back in.

Have you any ideas how I can make a script to help this situation? makemeadmin looks good, but I don't know how I can apply this to a USB device that they are plugging in?

All of the web searches seem to come up with lots of ways to stop USB, but none to allow??

any ideas?

many thanks


Last Modified 3/27/07 10:42 AM