Windows limited user


BOAC
15th Apr 2010, 13:18
Whilst running as such is always a good idea, as I suspected it does not prevent malicious code from executing. At least 4 of the latest M$ 'patch tuesday' XP patches are to close vulnerabilities that would still execute even on a non-admin account. The serious hackers are, I suspect, well over that little hurdle.

Caveat emptor.

Saab Dastard
15th Apr 2010, 13:46
BOAC,

There's still a difference between "executing" and "installing".

My kids can run programs but sure as hell can't install any (normal user accounts).

Remember that applications that execute do so with the security privileges of the account running them.

A nasty may run while they are logged in, but can't install itself (other than to areas to which they have write access (their own profiles)), so a reboot later they are not there for any other user.

I had exactly this problem as a short while ago one child had gotten one of these anti-malware nasties - problem solved by deleting their account (of course data was already backed up).

PC otherwise clean (Sophos, Spybot and Anti-malwarebytes sweeps clean).

SD
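As an added illustration of SD's point that a program runs with the privileges of the account that launched it, the following PowerShell inventories the autostart locations a standard user can and cannot write to. This is example code written for this edit, not something posted in the thread; it assumes Windows with PowerShell 2.0 or later and is run as the account under test. The function names are my own, and the script changes nothing: it only opens keys for write access to see whether it could.

```powershell
# Added example (not from the thread): compare per-user autostart locations,
# which live in the profile and go away with the account, against machine-wide
# ones, which only an administrator can write to.
# Assumes Windows with PowerShell 2.0 or later; run as the account under test.

function Test-IsAdministrator {
    # True when the current token carries local Administrators membership
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutostartEntries {
    # Returns the Run/RunOnce values under one hive ('HKCU' or 'HKLM').
    param([string]$Hive)
    $paths = @(
        "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Run",
        "${Hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PS* metadata properties the registry provider adds
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Scope   = $Hive
                Key     = $path
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

function Test-CanWriteKey {
    # Opens a key for write access and closes it again without changing
    # anything. $true means the current account could plant a value there.
    param([string]$Hive, [string]$SubKey)
    $root = if ($Hive -eq 'HKLM') { [Microsoft.Win32.Registry]::LocalMachine }
            else                  { [Microsoft.Win32.Registry]::CurrentUser }
    try {
        $key = $root.OpenSubKey($SubKey, $true)   # $true = request write access
        if ($key -eq $null) { return $false }
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

$runKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
"Running as administrator : $(Test-IsAdministrator)"
"Can write HKCU Run key   : $(Test-CanWriteKey 'HKCU' $runKey)"
"Can write HKLM Run key   : $(Test-CanWriteKey 'HKLM' $runKey)"

# Per-user autostarts: part of the profile, so deleting the account removes them.
Get-AutostartEntries 'HKCU' | Format-Table Scope, Name, Command -AutoSize
# Machine-wide autostarts: affect every account and need admin rights to set.
Get-AutostartEntries 'HKLM' | Format-Table Scope, Name, Command -AutoSize
```

Run it once as a normal user and once as an administrator: the HKCU key is writable either way, the HKLM key only in the second case, which is the whole basis for the "it can run but it can't install itself for everyone" distinction. Anything unexpected under HKCU\...\Run is worth a look even when the machine-wide key is clean.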

BOAC
15th Apr 2010, 14:30
Yes, I know, but you cannot convince me that the 'nasties' have not worked their way around this in order to be able to plant a 'bomb' that goes off next time you run as admin.

Saab Dastard
15th Apr 2010, 16:39
I have read nothing yet that tells me that viruses / malware can defeat user privilege levels.

You are welcome to your opinion and "suspicions", of course.

SD

mixture
15th Apr 2010, 17:00
BOAC,

To a large extent I've got no issues with what SD says. It's simply not feasible for anything to install itself .... and viruses/trojans/spyware all rely on installation in order for them to do their deeds.

Of course, there are one or two possible exceptions ... such as a buffer overflow attack. However new features such as DEP and ASLR (given we're talking about Windows here) have made significant moves in the right direction to mitigate remaining risks.

In any event, all computer users, irrespective of operating system, should seek to do their day to day work on the principle of "least privilege" and then escalate privileges only as and when necessary.

If you remain truly paranoid, take a look at Faronics Deep Freeze ...... one reboot and you're back to a clean state. It's been thoroughly field tested in schools, libraries and other "high risk" environments ...... so by all accounts it works......

Faronics Deep Freeze Windows Editions - ABSOLUTE System Integrity (http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeEducation.aspx)
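mixture mentions DEP as one of the mitigations that narrow the buffer-overflow exception. As an added example written for this edit (not code from the thread or from Microsoft), the following PowerShell reports the boot-time DEP policy and whether DEP is actually in force for the current process. It assumes Windows XP SP3 or later (the kernel32 GetProcessDEPPolicy call appeared in XP SP3 and Vista SP1) and PowerShell 2.0 or later; ASLR state has no equally simple query on those systems, so the script covers DEP only. Function names are my own.

```powershell
# Added example (not from the thread): check the system-wide DEP policy via WMI
# and the per-process DEP state via kernel32!GetProcessDEPPolicy.
# Assumes Windows XP SP3 / Vista SP1 or later and PowerShell 2.0+.

function Get-DepSupportPolicy {
    # Win32_OperatingSystem exposes the boot-time DEP policy as a small integer
    # (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{
        0 = 'AlwaysOff (DEP disabled for everything)'
        1 = 'AlwaysOn  (DEP enforced for everything)'
        2 = 'OptIn     (Windows binaries and programs that ask for it)'
        3 = 'OptOut    (everything except explicitly excluded programs)'
    }
    New-Object PSObject -Property @{
        Available        = $os.DataExecutionPrevention_Available
        PolicyCode       = $os.DataExecutionPrevention_SupportPolicy
        Policy           = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesTo32Bit   = $os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers = $os.DataExecutionPrevention_Drivers
    }
}

# P/Invoke wrapper for the kernel32 call; only the current process is queried.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-CurrentProcessDep {
    # Returns whether DEP is on for this process. The call is documented for
    # 32-bit processes; a 64-bit process always has DEP on and the call fails,
    # which is reported rather than treated as "DEP off".
    $flags     = [uint32]0
    $permanent = $false
    $handle    = [Diagnostics.Process]::GetCurrentProcess().Handle
    $ok = [Win32.Dep]::GetProcessDEPPolicy($handle, [ref]$flags, [ref]$permanent)
    if (-not $ok) {
        if ([IntPtr]::Size -eq 8) {
            return New-Object PSObject -Property @{
                Enabled = $true; Permanent = $true; Note = '64-bit process: DEP is always on'
            }
        }
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return New-Object PSObject -Property @{
            Enabled = $null; Permanent = $null; Note = "GetProcessDEPPolicy failed, Win32 error $err"
        }
    }
    New-Object PSObject -Property @{
        Enabled   = (($flags -band 1) -ne 0)   # PROCESS_DEP_ENABLE = 0x1
        Permanent = $permanent
        Note      = ''
    }
}

Get-DepSupportPolicy   | Format-List Available, PolicyCode, Policy, AppliesTo32Bit, AppliesToDrivers
Get-CurrentProcessDep  | Format-List Enabled, Permanent, Note
```

The policy to look for is OptOut (3) or AlwaysOn (1); OptIn, the default on client editions of that era, leaves third-party programs unprotected unless they were linked with the NX-compatible flag, which is why a per-process check is worth doing alongside the system-wide one.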

BOAC
15th Apr 2010, 17:07
Well, I see this as a small step 'on the way': to me it means there is a way in somewhere.

Microsoft Security Bulletin MS10-021 - Important

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)

Published: April 13, 2010
Version: 1.0
General Information

Executive Summary

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

mixture
15th Apr 2010, 17:25
On the face of it, that's quite a clever one.

However, it still relies on you downloading and running something you shouldn't..... "they" can't run it for you.

GPEDIT trusted paths / trusted executables if you don't want to rely on your AV program entirely.... :ok:

Saab Dastard
15th Apr 2010, 17:50
An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

So if you allow hackers physical access to your PC you should be worried. Otherwise not.

That's quite a requirement, that logging on locally bit.

NB - given physical access to a Windows PC or server (not domain controller) even I can hack the system and change the admin password.

SD

BOAC
15th Apr 2010, 19:34
I think we will have to disagree on this. I simply do not share your complete trust in the M$ code.

mixture
15th Apr 2010, 19:59
I simply do not share your complete trust in the M$ code.

Let's make one thing absolutely clear. I DO NOT have any trust in M$ security .... that applies for their whole product portfolio.

I'm just saying that if Microsoft Windows is your weapon of choice, then you should make use of all the security measures available, no matter how much you doubt their effectiveness.

mad_jock
15th Apr 2010, 21:59
it used to take us 5 mins from getting a machine through the door to raping it of all passwords of every network it had ever been logged into. We had the password for the US mil network for 6 days until someone phoned them up and told them that we had it. Domain controllers used to take 10 mins once we had physical access and I used it many times to save a network from an admin that went rabid just before they left.

And to note it was the desktop general admin password we got for the US mil, not the secure networks. Thankfully they use unix for proper security and blokes with guns stopping you getting near the servers. Once you have physical access to a server you are knackered.

BOAC
16th Apr 2010, 07:48
Mixture - that was not aimed specifically at you, more MY opinion of the state of play of the modern hacker v those who think limited user is fireproof. Having seen the skills of these ***** in producing stuff that hides itself from most 'looks' and the rate of progress in trojan/virus writing I remain unconvinced and yes, re your last para, not just my 'weapon of choice', but of many, and even Linux, mobiles and Mac are getting hit. I think all we can do is

limit access
protect as best we can
learn how to 'clean' when it happens

This is not specifically an anti-M$ swipe either, just that it is the logical target given the general dislike of its 'position' in the community, its wide spread and the way its code is written.

mad_jock
16th Apr 2010, 08:33
To note if you have access to the hardware unix is just as easy to get into as microsoft