April 22, 2006
Running as admin
Getting on a network like the Internet as an administrator is frowned upon by many. You should be using an account with lower privileges, aka a Limited User Account (LUA). The administrator account has very few limits on what it can do. If you get a virus while you are an administrator, the virus has no limits on your computer either. In fact, most malware today would not be able to install or do its damage without the admin account.

But avoiding the administrator account is not easy in Windows. Some older programs and stupid new ones force you to run as an administrator. One option is to just log off the LUA and log on as the administrator. It is time consuming, and you end up with a bunch of folders, files and registry keys that are owned by the administrator, so your limited account can't access them. The command RUNAS and the "fast user switching" option (FUS) are supposed to help, but they are a real pain to work with. RUNAS has the same problem of locking users out of files as logging off and on, and it doesn't play well with Internet Explorer. FUS overcomes that problem, but it is not available all the time.

Michael Howard (an employee at MS) wrote a program, DropMyRights, that lets you stay logged on as an administrator but run specific tasks with limited rights. Mark Russinovich (remember the SONY rootkit?) from SysInternals has put that same capability in his Process Explorer and PsExec. He mentions that this is not the best of solutions and that running as a limited account is much better, but there are situations where you need these abilities. Aaron Margosis (another employee at MS) has come up with a batch file, MakeMeAdmin, that goes through the complicated log off/on process for you, and it doesn't cause the problems with object ownership. His blog explains this process well.

On my own computers I always use a LUA for daily tasks, browsing the Internet, or reading email or newsgroups. If I need to do some administrative task I use MakeMeAdmin.
Then I have a sandbox (covered last month) for the times I'm in the administrator account and want to browse the Internet.

Links:
www.blogs.msdn.com/aaron_margosis (author of MakeMeAdmin)
www.sysinternals.com/Blog/ (author of PsExec)
www.blogs.msdn.com/michael_howard (author of DropMyRights)
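To make the MakeMeAdmin idea concrete, here is an added batch script that follows the approach described above. It is not Aaron Margosis's MakeMeAdmin.cmd and not code from this post: the admin account name "Administrator", the label ":Elevate" and the variable names are placeholders of my own, and it assumes the stock runas and net commands of Windows 2000/XP and a script file name without spaces. The point it shows is why this avoids the ownership problem: the elevated window is started under your own account, so it uses your own profile, and the Administrators membership is added to the token only for that one process and withdrawn again immediately.

```batch
@echo off
rem Added example, not Aaron Margosis's MakeMeAdmin.cmd itself: the same
rem approach the post describes, written out so each step is visible.
rem   1. Using the real administrator's password once, add the everyday
rem      limited account to the local Administrators group.
rem   2. Start a new cmd.exe under the limited account. Group membership is
rem      copied into the logon token when the token is built, so only this
rem      new window is an administrator; the rest of the desktop stays limited.
rem   3. Remove the membership again at once. The open window keeps the token
rem      it was started with, and nothing else on the machine gains rights.
rem Because the elevated shell runs under your own account and profile, what
rem it creates stays usable from the everyday session instead of being locked
rem to the Administrator account.
rem Assumptions (placeholders, adjust to your machine): the local admin account
rem is called "Administrator"; the script's file name has no spaces (the
rem directory part is passed as a short name); runas and net are the stock
rem Windows 2000/XP tools.
setlocal
if "%~1"==":Elevate" goto :Elevate

set _Admin_=%COMPUTERNAME%\Administrator
set _User_=%USERDOMAIN%\%USERNAME%
set _Group_=Administrators

echo Enter the password for %_Admin_% to start the elevation helper.
runas /u:%_Admin_% "%~dps0%~nx0 :Elevate %_User_% %_Group_%"
goto :EOF

:Elevate
rem This part runs as the real administrator, so it may change group
rem membership. %2 is the limited account, %3 the group.
set _User_=%2
set _Group_=%3
net localgroup %_Group_% %_User_% /add
if errorlevel 1 (
    echo Could not add %_User_% to %_Group_%. Nothing was changed.
    pause
    goto :EOF
)
echo Now enter the password for %_User_% to open the administrative window.
runas /u:%_User_% "cmd.exe /k title %_User_% as administrator"
rem runas returns as soon as the new process is running, and that process
rem already holds its token, so the membership can be withdrawn right away.
net localgroup %_Group_% %_User_% /delete
echo %_User_% removed from %_Group_% again; only the window just opened is elevated.
pause
```

Two things worth checking after running it: `net localgroup Administrators` from the everyday window should no longer list your account, and a file created from the elevated window should open normally from the limited one. If you mistype your own password at the second prompt, the script still runs the /delete step, so a failed attempt leaves the account limited rather than quietly elevated.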
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader