Detailed Information
"Drive by installations"
Windows XP and older operating systems install by default with an ADMINISTRATOR-level account. What a mistake! The new Vista corrects this: the default installation is a limited user account.
Microsoft developers had not expected nor envisioned the level of threats that exist today assaulting an operating system that defaults to Administrative permissions.
Visiting bad web sites using a computer with unrestricted access gives potential evildoers the opportunity to run hidden scripts in their web site and make software modifications and installations to your computer without your awareness or permission. Any virus or spyware program that infects your system will also have unrestricted access to do anything it wishes while you are logged in with full administrator permissions.
Malicious scripts can turn off your antivirus and antispyware protection and then hide "underground" in stealth mode. A serious compromise makes it uneconomical to dissect and clear out the changes - a reformat and reinstall of the system is the only way to have confidence the threat is gone.
Avoiding use of an account with Administrative-level permissions is the #1 way to harden your system against everyday attacks!
Create and use a LIMITED USER ACCOUNT (LUA) - don't use your default Administrator account for regular computer use! It is DANGEROUS!
Examples of the difference between the two account types and security threats:

Security Threat | Vulnerable if Admin Account? | Vulnerable if Limited Account?
You click on a hyperlink in an email from someone you recognize and are taken to a web site that tries to install a virus program. | Yes | No
You download and run an email attached file and it tries to install a keylogger program to capture your passwords and send them to an email address. | Yes | No
You insert a thumb drive, diskette or CD from another person that has a spyware infection that wants to infect your system files. | Yes | No
You download software from a web site that is malicious and tries to change your system HOSTS file to redirect your browser to an imposter web site. | Yes | No
You run a Trojan-infected file that tries to rename your antivirus, firewall or antispyware program files to disable them on next boot up. | Yes | No
You open a file on a CD you bought on eBay and it attempts to install a stealth Trojan rootkit program underneath your operating system to hide from detection so it can then steal personal information and send it to an email address behind the scenes. | Yes | No
Your instant messenger pops up a message from someone you think you know, but due to an exploit hole found in the messenger program by a hacker, an attempt is actually being made to install a program which can turn your computer into a “zombie.” Under control of the hacker, your computer can then be used to transmit this threat to other people in your contact list with the goal to create a network of "zombies" used to perform malicious deeds over the internet. | Yes | No
You want to perform an audit of your system security log using the system Administrator tool and you go there and notice the log tracking has been turned off - you see no events over the past month recorded. | Yes | No
You use SpywareBlaster to add a list of known, bad web sites to the restricted list in your browser. One day you look at this list and notice there are fewer site addresses than before. This indicates a change to your system registry – where these lists in your browser configuration are stored. | Yes | No
Installing the LUA account
When you install Windows XP or 2000, you are by default the administrator with all privileges and access to install or change your software and operating system files and configuration. For greater security, you should next add a LIMITED USER ACCOUNT (LUA) that has restricted access to modify your operating system and program configurations. This LUA account is especially important to use when:
• Browsing an unfamiliar web site
• Downloading an email attachment
• Downloading free software
• Inserting "foreign media" from others into your drives or USB ports
The above instances are when I would definitely be logged on to my LUA account. A malicious program won’t be able to install anything harmful or change my setup. An infected file can still be downloaded by me and deposited onto my hard drive - a potential security risk if I run the file later. That is why we have antivirus and antispyware scanning. After downloading any software or being given something from someone else's computer, be sure to do a quick antivirus scan on the file, diskette, CD or thumb drive prior to accessing the contents. Your antivirus program usually defaults to a quick scan when opening any file or diskette. With most programs you may also right-click on a file and select to perform a scan.
But if I do execute an infected file that has not been detected as malicious, at least the effects of the threat are greatly diminished when the program does not have permissions to make system changes.
What is an Administrator?
First, let’s define terms. This may be oversimplifying, but for the purpose of this discussion there are only two types of users: Administrators, and Users. They are essentially distinguished by membership in the “Administrators” and “Users” local groups. “Administrators” have complete and unrestricted access to the computer/domain. “Users” are prevented from making accidental or intentional system-wide changes. Non-Admin, Limited User and Least-privileged User Account (LUA) are all the same - accounts lacking Administrator privileges.
Narrowing down to two user types is not entirely arbitrary. In fact, this is exactly how Windows XP Home Edition distinguishes users. Under the hood, its Computer Administrators and Limited Users are members of Administrators and Users, respectively. And besides, membership in groups such as “Power Users” or “Backup Operators” is tantamount to being an Administrator. When I talk about running as non-admin, I am not suggesting running as Power User instead.
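To check which of these groups your current logon actually holds, here is an added example for Windows PowerShell (not part of the original article). It assumes nothing beyond a local Windows logon; the role names are the .NET WindowsBuiltInRole values that correspond to the local groups discussed above.

```powershell
# Added example (not from the original article): report which of the built-in
# roles discussed above are held by the current logon token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Administrator, PowerUser and BackupOperator are the memberships the article
# treats as "effectively an Administrator"; User is the LUA level.
$roles = @(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator,
    [System.Security.Principal.WindowsBuiltInRole]::PowerUser,
    [System.Security.Principal.WindowsBuiltInRole]::BackupOperator,
    [System.Security.Principal.WindowsBuiltInRole]::User
)

"Logged on as: $($identity.Name)"
foreach ($role in $roles) {
    # Prints e.g. "Administrator    False" for a properly limited account.
    "{0,-16} {1}" -f $role, $principal.IsInRole($role)
}

# Caveat: on Vista and later with UAC enabled, a non-elevated process of an
# administrator runs with a filtered token, so IsInRole(Administrator) reports
# False until the process is elevated. The static group membership still shows
# whether the account is an Administrator:
net localgroup Administrators
```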
OK, so if you are one of those people who is allowed (or required) to administer your own computer, why wouldn’t you just want to log on as an admin all the time?
Well, if you were a surgeon, would you always want to hold an unsheathed scalpel in your hand? Or would you prefer to keep it in a safe place until you actually need it?
Running as a non-admin LUA greatly limits your risks.
When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access. A corporate firewall is only partial protection against the hostility of the Internet: you still browse web sites, receive email, or run one or more instant messaging clients or internet-connected games. Even if you keep up to date on patches and virus signatures, enable strong security settings, and are extremely careful with attachments, things happen.
Let’s say you’re using your favorite search engine and click on a link that looks promising, but which turns out to be a malicious site hosting a zero-day exploit of a vulnerability in the browser you happen to be using, resulting in execution of arbitrary code. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only limited user privileges. If the exploit happens to be written so that it requires admin privileges (as many do), just running as User stops it dead.
But if you’re running as admin, an exploit can:
• install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
• install and start services that provide hackers more tools to exploit you with
• install ActiveX controls for your IE browser and shell add-ins (commonly used by spyware and adware)
• find and access data belonging to other users on a network you belong to
• cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
• replace legit system and other program files with trojan horses
• disable/uninstall anti-virus and firewall programs
• delete and cover its tracks in the security and system event logs
• render your machine unbootable
• if your account is an administrator on other computers on the domain network, the malware gains admin control over those computers as well
Why isn’t LUA part of the out-of-the-box-experience for XP?
As I understand it, there simply wasn’t time in the XP development timeframe to address all the issues to make Limited-User-by-default satisfy user expectations and provide a good user experience out of the box. There is always a balance between security and usability, and at that time, usability would have suffered too much for too many people. Remember that the vast majority of home users were using Windows 98 and Windows ME (“the last version of MS-DOS,” I call it), and apps designed for that platform. I think we can expect that it will be a lot better in Longhorn. It also would have been a mistake to change the administrative defaults without giving software developers ample lead time. There's a whole ecosystem that needs to be educated and that can take a long time. There are a lot of games that update themselves online and a lot of them write files into the program files directory. Developers need to write programs that do not write files to the program files directory because that is a protected location and you have to be logged on as admin to place files there. When you're dealing with a product to be used by 100 million customers, you have to give developers lead time. They have to see what's coming down the pike so they can make the appropriate changes.
Why are users reluctant to implement LUA at home?
Most people assume Microsoft knows what they are doing and that the default installation should be the way to do it. And just reading through this discourse and spending time implementing these changes can be intimidating and daunting to the average home user.
It also may sound cynical, but the moment one application doesn't work properly, the user gets turned off. Another problem is the myth that using a non-admin account breaks programs.
Consider the damage that can be done by the following Trojan horse infection currently in the wild:
Trojan.Tooso.B - Trojan discovered on: February 28, 2005 (Source)
Trojan.Tooso.B is a Trojan horse that attempts to disable security-related software by terminating processes, stopping services, removing registry entries, and deleting files. Here is a rundown on what this Trojan does:
1. It disables services of many popular firewall and anti-virus programs.
2. It attempts to delete many registry entries, which prevent security related programs from running when Windows starts.
3. It starts a thread that attempts to delete all instances of files related to security and anti-virus programs installed on all fixed drives.
4. It starts a thread that attempts to terminate processes related to upgrades to firewall and anti-virus programs.
5. It starts a thread that attempts to download files from 153 web sites. The first attempt occurs when the Trojan is launched and subsequent attempts occur at six-hour intervals. Degradation in System and Network performance results.
6. It overwrites the hosts file, %System%\drivers\etc\hosts, with 123 lines of all the major firewall and antivirus company sites so as to disable access to these security-related web sites.
7. It attempts to find the explorer.exe process (your files and folders EXPLORER program) and inject wiwshost.exe into it. All subsequent actions are taken by wiwshost.exe and will appear to be taken by explorer.exe.
If your current login account does not have administrative access, then 6 of the 7 steps above cannot be performed by this Trojan! If you are logged in as the administrator when this Trojan runs, you have a big mess to clean up!
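A defender-side check for the kind of hosts-file tampering described in step 6, added here as an example (it is not from the original article or from any vendor's tooling). A clean hosts file carries only comments and loopback entries, so every other mapping is reported for review; the list of expected loopback names is an assumption, and a standard Windows install is assumed for the path.

```powershell
# Added example (not from the original article): list every hosts-file entry
# that is not a plain loopback mapping, then show who is allowed to modify the
# file. On a correctly set up machine a Limited User has read-only access, which
# is exactly why step 6 of the Trojan fails when you are not an Administrator.
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

# Assumed set of names a default hosts file may legitimately map to loopback.
$expected = @('localhost', 'localhost.localdomain', 'broadcasthost')

$suspicious = @()
foreach ($line in Get-Content $hostsPath) {
    $text = ($line -split '#')[0].Trim()     # strip comments and blank lines
    if ($text -eq '') { continue }
    $fields = $text -split '\s+'             # "<ip> <name> [<name> ...]"
    if ($fields.Count -lt 2) { continue }
    $ip = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($expected -notcontains $name.ToLower()) {
            $suspicious += "$name -> $ip"
        }
    }
}

if ($suspicious.Count -eq 0) {
    "hosts file contains only the expected loopback entries"
} else {
    "hosts file maps {0} name(s) you did not add yourself:" -f $suspicious.Count
    $suspicious
}

# Who may change the file? Only Administrators and SYSTEM should hold Modify or
# FullControl; a limited account should show Read-type rights or not appear.
(Get-Acl $hostsPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Any non-loopback entry that you did not add yourself, or a Modify right granted to your daily-use account, is worth investigating.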
Even moderate infections and compromise by common Trojans today require a wipe and reinstall of the operating system and programs to be safe to use again as a trusted computer for your financial and personal protected use.
Microsoft has changed course
Microsoft has now moved to make the default account in the next operating system, Vista, a limited account. Vista's User Account Control (UAC) marks the first time that Microsoft has attempted to create an operating system on which the user is supposed to run with limited local rights rather than with administrator credentials.
Vista Security Check: This Time Microsoft Means Business
User Account Control. This has received the most attention of security features in Vista: The standard user account is now a restricted account that can't do dangerous things like install applications. When elevated privileges are required (yes, this is basically just like in Mac OS X) the user is prompted for credentials of an account with sufficient privileges.
For more details about VISTA and the new User Account Control (UAC), see Vista.
Will using my computer while logged in with a LUA account cause me any problems using my programs?
Unfortunately, some programs are not fully Windows compliant and may not run under the LUA account’s restrictions. These are usually older programs, although some current programs are still written without total compliance to Windows operating system standards. The most common problem is that a program tries to record information, temporary files, configuration changes and log files in the protected program folder in Windows. Programs should only be storing data and log files in the user area, not the program area.
A program that does this will not run properly under LUA: when running as a USER, a program cannot write to the protected program folder nor make changes to the registry that require full administrative permission.
Here are sites listing programs that do not work properly while run under LUA:
http://pluralsight.com/wiki/default.aspx/Keith.HallOfShame
and http://www.threatcode.com/.
Microsoft provides a list of applications that do not work properly when run as a LUA account. See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307091
Characteristics of programs that are not totally Windows compliant and misbehave under LUA are:
• The program does not run.
• The program stops responding (hangs).
• You receive notification of run-time error 7 or run-time error 3446.
• The program does not recognize that a CD-ROM is in the CD-ROM drive.
• The program does not allow you to save files.
• The program does not allow you to open files.
• The program does not allow you to edit files.
• The program displays a blank error message.
• You cannot remove the program.
• You cannot open the Help file.
In my experience of using LUA the past 2 years, most new programs run fine as LUA. I install them using the Admin account, and they work under the LUA account just fine. Folks using just the basic MS Office and a few other major popular programs should have little problem running as LUA. If a favorite program does not work under LUA, you can also log out as LUA and back in as ADMIN and run your program that way.
The key security feature is that one should never browse the internet running as ADMIN. Follow this precaution and you will be spared many a headache with malicious programs!
What exactly can an administrator account do on a computer?
The administrators group grants special rights to perform many administrative tasks, defined by whether the computer is local or on a network active directory domain.
On a local computer at home, the administrators group grants the highest level of administrative access to the local computer. Examples of administrative tasks that can be performed by members of this group include installing programs; accessing all files on the computer, including the private “My Documents” data folder of every user account; auditing and security access control; editing the system services and registry database; and creating, modifying, and deleting local user accounts.
In an Active Directory domain network environment such as a business office or advanced home network - the administrators group grants members the highest level of administrative access in the corporate domain. Examples of administrative tasks that can be performed by members of this group include setting domain policy; assigning and resetting domain user account passwords; setting up and managing domain controllers; and creating, modifying, and deleting domain user accounts. Logging in as an administrator in a domain makes the larger network system vulnerable to Trojan horses - a program that masquerades as another common program in an attempt to receive information. An example of a Trojan horse is a program that behaves like a system logon to retrieve user names and password information that the writers of the Trojan horse can later use to break into the system. The simple act of visiting an Internet site or opening an e-mail attachment can be damaging to the system. An unfamiliar Internet site or e-mail attachment may have Trojan horse code that can be downloaded to the system and executed. Security breaches and infections can transmit to everyone on the larger network.
The Administrator account is the account you use when you first set up the computer in Windows NT, 2000 and XP. You use this account before you create any additional accounts.
On a new computer installation, administrators should immediately create and use an LUA - an account with restrictive permissions to perform routine, non-administrative tasks, and use an account with broader permissions only when performing specific administrative tasks.
Difficulties setting up a LIMITED USER ACCOUNT (LUA)
Unfortunately, not all non-Microsoft, commercial and freeware programs that operate today in Windows work successfully if run within the LUA. If they were truly Windows compliant, they should. Instead, some programs insist on creating temporary files, log files and configuration files in protected folders (such as C:\Program Files) instead of the user's data folders.
In an April 2004 article written for the Microsoft Developer Network, security consultant Keith Brown points out, "you can't install 90 percent of today's software unless you're an administrator," adding, "70 percent of software won't run properly unless the user is an administrator, and that's an optimistic number."
My experience is a lot more optimistic. In earlier tests in March 2005, my son’s Windows 2000 computer at college ran everything under the limited account except a few antispyware and security update programs. He now uses XP and has very positive results using LUA. My daughter’s laptop with XP is similar. We log into the administrative account periodically to run some antispyware programs, to update antivirus or Windows critical updates and to do scans. So the LUA does work well in most cases. But understand that the LUA/Administrator two-account approach isn't yet supported well enough for it to be completely reliable for all programs. It may be possible if you run nothing but Windows and Microsoft Office applications. But some people run independent applications that make a pure LUA approach sometimes challenging for the casual, non-technical user. You could simply fall back to running those programs using the administrator account when necessary.
So I find no real excuse for delaying in implementing the LUA account for general use.
In summary, use of the LUA in Windows operating systems works well and definitely reduces your exposure to many security threats. You may have to temporarily grant the LUA the needed admin privileges to install a few programs, run the program once and then remove the admin privileges from the LUA. Some programs store log or configuration files in the C:\Programs\applicationX folder instead of in the LUA user profile location, and you will need to grant the LUA specific read/write privileges on that folder. But all Microsoft programs and many major programs are “Windows friendly” and run fine under the LUA.
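One way to grant that per-folder exception without making the account an Administrator, added here as an example (not from the original article): it uses cacls.exe, which Windows 2000 and XP ship with, run from the Admin account. The account name 'Alice' and the folder path are placeholders.

```powershell
# Added example (not from the original article): give a limited account write
# access to the single folder a misbehaving program insists on using, instead
# of the whole Program Files tree or Administrator membership.
$user   = 'Alice'                                   # placeholder LUA name
$folder = 'C:\Program Files\ApplicationX\logs'      # placeholder data folder

# /E edits the existing ACL instead of replacing it (without /E the folder's
# whole ACL is overwritten), /T applies the change to the folder's contents,
# /G grants the right: C = Change (read and write, but not the ability to take
# ownership or alter permissions, which is what F = Full Control would add).
cacls $folder /E /T /G "${user}:C"

# Vista and later ship icacls.exe, which expresses the same grant as:
# icacls $folder /grant "${user}:(OI)(CI)M" /T

# Verify: the folder now lists the account with Change, and nothing else moved.
cacls $folder
```

Keep the grant as narrow as the program requires; if it only writes a log file, grant the rights on the log folder rather than on the program's whole install folder.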
You will need to perform most maintenance duties like antivirus and antispyware scans and patches while logged in as administrator because any changes to the system – like removing a spyware item in the registry - requires this access.
So I periodically leave my computer logged in as administrator, running overnight, and have many of my maintenance programs scheduled to run their updates and scans during the night. Then I log in as LUA during the day to use my programs, email and Internet.
Monthly, I log in as administrator and do any other maintenance work that cannot be scheduled; perform audits to make sure all my security-related program configurations are still in place as I last configured them; and check logs to spot any unusual events or activities.
Creating LUA accounts in Windows XP
Windows XP:
To open the User Accounts tool, open Control Panel from the Start menu, and then double click User Accounts.
Then, to Create a New User Account:
1. Click Create a new account in the Pick a task list box.
2. Type the name that you want to use for the account, and then click Next.
3. Select the desired account type, and then click Create Account.
To Make Changes to an Account
1. Click Change an account in the Pick a task list box.
2. Click the account that you want to change.
3. Select the item that you would like to change:
• Click Change the name to change the name that appears on the Welcome screen for the account.
• Click Change the picture to change the picture that is used to represent the user account. You can use any image file on the computer for the user's picture.
• Click Change the account type to change the account type to increase or decrease the user's rights on the computer.
• Click Create/change the password to create or change the password for the user and create or change the password hint.
• Click Delete the account to delete the user account from the computer. When you delete the account, you are given the option to save the user's files on the computer.
Notes:
• You cannot delete the account of a user who is currently logged on to the computer.
• Avoid renaming or deleting the Admin accounts. This can cause weird problems!!!
Creating LUA in Windows 2000 Pro:
Right click My Computer
Select Manage
Expand Local Users and Groups
Right click Users
Select New User...
Type in required information
Click Create
To change membership of the user:
Right click user name
Select Properties
Select Member Of
Add groups as desired
Click OK
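The same steps from a command prompt, added here as an example (not from the original article or from Microsoft's documentation): the net.exe commands used below exist on Windows 2000, XP and later. Run it from the Admin account; 'Alice' is a placeholder for the person's account name.

```powershell
# Added example (not from the original article): create a limited account and
# confirm it landed only in the Users group, i.e. at the true LUA level.
$name = 'Alice'                 # placeholder account name

# A new local account is placed in the Users group by default. Giving no
# password follows the article's home-use advice; a local password policy
# that requires one will reject the command, in which case add one.
net user $name /add

# None of these groups should list the account; each is effectively Administrator.
foreach ($group in 'Administrators', 'Power Users', 'Backup Operators') {
    $hit = net localgroup $group | Where-Object { $_ -eq $name }
    if ($hit) { "WARNING: $name is a member of $group" }
    else      { "$name is not in $group" }
}

# And it should appear here, which is the Users membership the article wants.
net localgroup Users
```

If the account needs admin rights once to install a program, `net localgroup Administrators Alice /add` and later `net localgroup Administrators Alice /delete` is the command-line form of the temporary grant-then-remove approach described earlier.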
Summary of Windows 2000 account types (for information; the true LUA is the USER level):
Administrators
You should rarely, if ever, have to give someone else Administrative access to your computer. A person assigned to this group has total freedom to change Windows 2000 system settings. An Administrator can view the personal information and files of other users with accounts on the computer, create new user accounts, and modify existing accounts (including removing accounts and changing passwords). An Administrator can install any Windows-compatible software on the computer.
While an Administrative account gives a user maximum freedom, it also carries some risk. While logged in as Administrators, people can make any changes to system settings - even if those changes could damage data files, programs, or the operating system.
The account created for you when you got your new computer (or when you upgraded to Windows 2000) is an Administrative account. You should keep this account to ensure that you can install and run software as needed, but remember that making changes to system settings can be risky. When in doubt about whether or not you should perform a task that modifies the Windows system, contact your Help Desk for advice.
Power Users
You will probably assign most people to this group. A Power User can do nearly as much as an Administrator, but with a limited ability to change system settings in ways that could cause harm to the operating system.
A Power User is able to perform everyday computing tasks and can also perform some administrative-type tasks, like creating and managing user accounts, or connecting to a network printer. Note, however, that Power Users cannot assign themselves or anyone else to the Administrators group. A Power User can install some kinds of software, but most applications will require Administrative permissions to install.
Unlike Administrators, Power Users do not have access to the data and files of other users, unless those users decide to grant them access.
Users
It is nearly impossible for members of the Users group to damage the Windows 2000 operating system and installed programs. A User can run any certified Windows 2000 program, and has full control over their own data files, but cannot make any changes to system files or to program files. While a User account provides the most security, it can sometimes be overly restrictive, and prevent someone from performing necessary tasks. For example, a User cannot run most software programs that were written for Windows 95 or 98.
If you would like to grant someone only minimal access to your computer - for example, to create a word processing document - start by assigning them to the Users group. Keep in mind that Users are unable to run most programs that were written for earlier versions of Windows - if you want someone to be able to run older Windows programs, you should assign them to the Power Users group.
Here’s how I set up home computers using LUA
1. Create a Computer Administrator account called “Admin”. Set No password. (Read on before you flame.)
2. Create a Limited User account for each person who will be using the computer. No passwords.
(Enable the Guest account ONLY if it is anticipated that visitors may need to go online. Otherwise, keep GUEST account disabled.)
3. I instruct all concerned that the Admin account is to be used only for installing software, and to use their individual accounts for all day-to-day use, including web, email, IM, etc. also for antivirus, antispyware and firewall periodic updates.
4. I also like to make the admin desktop noticeably different from normal user desktops, to help prevent accidental use. For example, use the Windows Classic theme instead of the XP default, set a red background, or use a desktop wallpaper that has a bright red background and states “SECURITY WARNING! You are logged in as an ADMINISTRATOR. Avoid browsing the Internet or opening untested files until you return to using a Limited User Account.”
See how to do this here.
NOTE: When you create a new LUA account - DON'T set up a password!
OK, I know you’re bursting already: “No password?!?! Are you insane?!?!” Cool down, now. Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password. By default, an account with a blank password can be used only for logging on at the keyboard console. It cannot be used for network access, and it cannot be used with RunAs. The user experience of just clicking on your name to log on can’t be beat for simplicity. If you can trust everyone who has physical access to the computer not to log on as someone else or abuse the admin account, this is a great way to go. If in a more public place like a dorm, you can always enable passwords. You can also enable the BIOS password that will thwart people at bootup from easily accessing your computer in your absence. See All About Password Safety for many tips.