Jesper's Blog

I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Malware and administrative rights

For about a year I have been telling a story to highlight how users running as administrators are much more likely to get malware installed on their systems than users who run as normal users. The story is in Protect Your Windows Network if you want to see it. The conclusion was that if you let your users run as admins, you should prepare to spend a lot of time removing malware from their systems.

Recently eWeek did some empirical testing on that type of claim. Their results are presented at http://www.thechannelinsider.com/print_article2/0,1217,a=166172,00.asp. Basically, they verified the same thing we already know: no persistent malware showed up on the system where the user was not an administrator (note that I consider Power User privileges to be functionally equivalent to Administrators but eWeek separated the two).

It is really interesting reading. Take a look at it.

Comments
  • OK, I hear this again and again, but nowhere do I see anyone explaining how to move from admin user to non-admin user:
    a step-by-step guide that explains how and all the possible gotchas.

    I run my home computer with just one account that has the admin rights, no password. I am on DSL, my computer is always on. I have personal firewall, antivirus, antispyware all running and protecting me. I have XP SP2 with its autoupdate on. I run Firefox. I get zero, that's right, zero malware. Still, let's say I want to move to non-admin user, where is the guide? What happens to all my software?

    I guess a little guidance will go a long way toward making security advisors' dream a reality.

    Thanks.

  • The following ZDNet blog entry mentions that Windows Vista's User Access Protections (UAS) promises to make running Windows as a non-admin user much easier, and provides a link to an article on how - until then - you can make web surfing and email reading safer when running as an Admin user under Windows XP:

    http://blogs.zdnet.com/Ou/?p=105

    Quoting from that blog entry:
    "The best thing we can do is to make sure we're not running Windows as an Administrator no matter which browser we use. This may be a little hard before Windows Vista UAP (http://blogs.zdnet.com/microsoftvistas/?p=33) arrives because some applications break in user-mode, but even then there are alternatives like DropMyRights (http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp) that allow you to individually neuter applications even when you're running as an Administrator. Keep in mind that non-administrative mode only reduce the security issues so it's no substitute for staying up to date with security patches."

  • One other potential approach to make operating as a non-admin user in Windows somewhat less painful:

    http://labmice.techtarget.com/windows2000/Administration/runas.htm

    "It is good practice for administrators to use an account with restrictive permissions to perform routine, non-administrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To accomplish this without logging off and back on, log on with a regular user account and use the runas command to run the tools that require the broader permissions. ..."

    And now the jackpot: Aaron Margosis' blog entries offer a large number of resources on this topic, not only regarding RunAs but also a "MakeMeAdmin" script, Fast User Switching, the PrivBar toolbar (also highly recommended by Jesper), and many more tools and techniques for running as a non-admin user in Windows 2000 and XP:

    http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

    I'm only a casual and rare user of Windows, but solely from casual observation these suggestions appear to be well considered and clearly written. Under Mac OS X, it's relatively painless to routinely work as a non-admin user, and Fast User Switching, sudo (in shells), and the Pseudo shareware app pretty much facilitate the occasional needs for admin-level access that aren't already handled by OS X's built-in equivalent to Vista's UAP (typo'd as "UAS" in my post above).

  • <duh duh da da duh duh music playing in the background> Your job, Mr. Phelps is to devise a way

  • One of the reasons that people kick and scream about Vista is that they have been "ADMIN" for
