Myron Johnson - RTA Information Technology

Computer Security, Telecommuting, and Windows Small Business Server 2003 and 2008.

Location: Tempe, Arizona, United States

RTA Information Technology, a Phoenix, Arizona-based company, specializes in computer security, telecommuting, and business computing. Myron Johnson is a Microsoft Certified Systems Engineer: Security on Windows Server 2003. RTA was Phoenix's FIRST Microsoft Certified Small Business Specialist. We install and care for servers, networks (wired and wireless), and desktop computers for businesses in the Phoenix, Arizona, area.

Saturday, January 21, 2006

Getting Through Life on a Limited User Account

RTA Information Technology, Tempe, Arizona

The day after the Windows WMF exploit hit, I decided to live my life on a Limited User Account. Although this wouldn't have prevented a WMF hit on my personal PC, it would have minimized the damage. I've seen the effect of a trojan hit on a user with Local Administrator rights on his PC, and the results aren't pretty. I always recommend giving limited rights to my clients. But I thought I should live with those same, limited, rights.

In the world of Windows XP, 2000, and 2003, there are two sets of accounts that we deal with. The first are Local Accounts. A Local Account is created and stored inside the local PC's own Windows installation (its local account database). It only applies to that PC: other PCs and the business's Domain know nothing about it.

The second set of accounts are the Domain Accounts. These are created and stored on the Domain Controllers (such as Small Business Server 2003). A Domain Account's properties are valid on any PC in the Domain. Even if a PC is taken off the network, it still remembers the last credentials it saw for a Domain Account and will let that user log on with them (cached domain logons).

When you log onto a PC on a workgroup, the only option is to log into a Local Account. But when you log onto a PC on a Domain, you have the choice of logging in as either a Local Account or a Domain Account.

Within the local computer, you can also set Domain accounts to have Local rights. You can make a Domain Administrator, for instance, have the rights of a Local Administrator. It's common for a Domain user with low rights (a Domain User) to have Local Administrator rights on the PC. That combination allows the user to install programs and perform other administrative actions on the local PC, but limits his rights on the rest of the network. But Local Administrator rights really hurt when a trojan or virus strikes.

Many common actions on a local PC require Local Administrator rights. You need them to install or remove many programs, to change networking properties, and to delete many files on a PC. Those same privileges give a trojan or virus free rein over your PC if you accidentally run one: anything you launch runs with your rights, not its own.

The lowest (and best, from a safety standpoint) set of User rights is:
Local Account = member of the local Users group only
Domain Account = member of Domain Users on the domain, and of only the local Users group on the PC

For an IT consultant, working as a "User" is an especially tough decision. I frequently view and change the networking properties of my PC. I provide help to clients and I need to view the settings control panels. It's impossible to remember every single detail of every control panel. Most "normal" users don't need to change these items all day long, like I do.

And I install programs on my PC. No, I don't add a lot of junk to my PCs. I stopped doing that many years ago. If I feel the need to install something, I'll do it on another PC if possible. Or I'll do it in a Virtual PC window, isolating it from my personal PC. But I still need to install and remove programs on occasion.

Right now, I'm evaluating Microsoft's Business Contact Manager (Version 2). And I'm having problems. For the life of me, I can't get it to run properly without having Local Administrator rights on my PC. The MSDE database won't allow me access to create a new Contact. I'm waiting for a Microsoft BCM expert to get back to me on that one.

But I'm deciding that even an IT Pro CAN live as a Limited User. With some tricks. I'll list some below.

My best friend is the "Run as..." command. This option is available with a right-mouse-click on many programs. You can use it from the Start menu. You can even use it to open a Command Prompt (cmd.exe) window.

When you select "Run as...", you are given the option to execute a program using credentials different from those you used at logon. You can choose to be a Local or Domain Administrator, if you know the account name and the password. Or you can select lower rights than you normally have. Only that one program (and whatever it launches) gets the other account's rights; the rest of your session stays limited.

The same idea has been a Unix and Linux staple for years: su and sudo give an administrator temporary root rights for a single command, while he works normally with lower rights the rest of the time. Windows has had the same option (runas.exe and the Secondary Logon service) since Windows 2000, but it has been pretty much ignored.

Sometimes, though, the "Run as..." command doesn't work as expected. A program install may appear to finish, but the program may not run properly afterwards. A common reason is that the installer wrote its per-user settings (the HKEY_CURRENT_USER registry keys, the Start menu shortcuts, the Application Data folder) into the administrator's profile, not yours. You just have to try it to see what happens.
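The same "Run as..." that the right-click menu offers can be driven from a command prompt with runas.exe. The commands below are an added example for this post, not something from the original; CONTOSO and the account names are placeholders, and the check at the top works in whichever window you paste it into.

```batch
@echo off
rem Added example (not from the original post): "Run as..." from the command line.
rem CONTOSO, itadmin and the other names are placeholders; substitute your own.

rem 0. First, know where you are. %USERNAME% is the account this window runs as, and
rem    "net session" is refused unless the caller has Local Administrator rights.
echo Running as %USERDOMAIN%\%USERNAME%
net session >nul 2>&1 && echo This window has Local Administrator rights || echo This window is a limited account

rem 1. A command prompt running as the LOCAL Administrator of this PC.
rem    %COMPUTERNAME% expands to this machine's name, so the account is the local one,
rem    not a domain account that happens to have the same name.
runas /user:%COMPUTERNAME%\Administrator cmd.exe

rem 2. The same, as a DOMAIN account that has Local Administrator rights on this PC.
runas /user:CONTOSO\itadmin cmd.exe

rem 3. Control panels and MMC snap-ins must be started through their host program,
rem    so the whole command line goes in quotes.
runas /user:%COMPUTERNAME%\Administrator "mmc.exe compmgmt.msc"
runas /user:%COMPUTERNAME%\Administrator "control.exe ncpa.cpl"
runas /user:%COMPUTERNAME%\Administrator "control.exe appwiz.cpl"

rem 4. Do NOT add /savecred. It stores the administrator password in Stored User Names
rem    and Passwords, where any program running as your limited account can reuse it
rem    without a prompt, which defeats the point of running limited.
```

Each runas line prompts for the password of the account named after /user: and opens the program with that account's rights, leaving your own session as it was. Anything that program launches inherits those rights too, so close the administrator window when you are done with it.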

How do you examine and set User rights?
Well, first, you guessed it... you have to be an Administrator!
Locally, log in as Local Administrator (or open the control panel with "Run as...") and set the Local rights of the various accounts.

Local Accounts are best managed in the "User Accounts" control panel of your PC.
You'll have to give Local Administrator credentials when you open this control panel.

If you examine the properties of a user, you can choose which Security Groups the user is a member of. The most commonly chosen options are "Users", "Power Users", and "Administrators".

You can view and change the rights of various Local and Domain accounts. You can, for instance, give a Domain Administrator only limited rights on your PC. Remember, we are setting the LOCAL rights of both Local and Domain Accounts. You can only log onto a PC with either a Local Account or a Domain Account, not both. Your rights on the Domain are set on the Domain Controller. Your rights ON THE LOCAL PC are set by the Local PC, using this control panel.

Note that the "Standard user" choice in this control panel is the Power Users group, giving access to many system settings and allowing installation of programs that don't affect Windows system files. Don't mistake that for a safe middle ground: Power Users is not a security boundary, and a Power User (or a trojan running as one) has enough rights over the system to make itself an Administrator. If the goal is containing malware, pick the plain Users group.

Double check your work. It's easy to let an account end up with Local Administrator rights when you thought you'd turned them off. Log off and back on first: group membership is read when you log on, so an open session keeps its old rights. A quick check is then to go into the local "Add or Remove Programs" control panel. If you are a Local Administrator, you'll have the right to "Remove" all of the installed programs. A Local User won't have "Remove" rights for many programs.
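A more direct check than the Add or Remove Programs test is to list the local Administrators group itself. The commands below are an added example for this post, not from the original; they use net.exe, which changes the same local group membership the User Accounts control panel does. CONTOSO\mjohnson is a placeholder for the account being demoted.

```batch
@echo off
rem Added example (not from the original post): audit and change LOCAL group membership
rem with net.exe. Run it from a command prompt opened with "Run as..." as a Local
rem Administrator. CONTOSO\mjohnson is a placeholder; substitute the account you are demoting.

rem Who currently has Local Administrator rights on this PC? On a domain-joined XP box
rem expect Administrator and CONTOSO\Domain Admins; a named user here is the thing to fix.
net localgroup Administrators

rem The other two groups the control panel offers.
net localgroup "Power Users"
net localgroup Users

rem Demote a domain account: remove it from Administrators. It keeps ordinary User rights
rem through CONTOSO\Domain Users, which the domain join placed in the local Users group.
net localgroup Administrators CONTOSO\mjohnson /delete

rem For a LOCAL account the same command works without a domain prefix:
rem net localgroup Administrators myron /delete

rem Re-check. net localgroup does not expand nested groups, so also make sure no group the
rem user belongs to (Power Users, or a domain group) is still listed in Administrators.
net localgroup Administrators | find /i "mjohnson" >nul && echo STILL a Local Administrator || echo OK: mjohnson is not a Local Administrator
```

The removal takes effect at the user's next logon, not in a session that is already open, so have the user log off before trusting the Add or Remove Programs test above.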
