Windows limited user
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Windows limited user
Whilst running as such is always a good idea, as I suspected it does not prevent malicious code from executing. At least 4 of the latest M$ 'patch tuesday' XP patches are to close vulnerabilities that would still execute even on a non-admin account. The serious hackers are, I suspect, well over that little hurdle.
Caveat emptor.
Spoon PPRuNerist & Mad Inistrator
BOAC,
There's still a difference between "executing" and "installing".
My kids can run programs but sure as hell can't install any (normal user accounts).
Remember that applications that execute do so with the security privileges of the account running them.
A nasty may run while they are logged in, but can't install itself (other than to areas to which they have write access, i.e. their own profiles), so a reboot later it is not there for any other user.
I had exactly this problem: a short while ago one child had gotten one of these anti-malware nasties - problem solved by deleting their account (of course data was already backed up).
PC otherwise clean (Sophos, Spybot and Malwarebytes Anti-Malware sweeps clean).
SD
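To make the "executes but can't install" point concrete: the script below (an added example, not posted by anyone in this thread) lists the autorun locations a limited user can write to beside the machine-wide ones that need admin rights, and reports whether the current shell is elevated. It assumes Windows PowerShell 5.1 or later; the registry paths and startup folders are the standard ones.

```powershell
# Added example: audit per-user versus machine-wide autorun locations, to show
# where something running under a limited account could persist.
# Assumes Windows PowerShell 5.1+ on a desktop Windows build.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutorunEntries {
    # Run/RunOnce keys: HKCU is writable by the user, HKLM needs admin rights.
    $keys = @(
        @{ Scope = 'User';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Scope = 'User';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' },
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' },
        @{ Scope = 'Machine'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k.Path)) { continue }
        $props = Get-ItemProperty -Path $k.Path
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $providerProps) { continue }   # skip the provider's own metadata
            [pscustomobject]@{ Scope = $k.Scope; Source = $k.Path; Name = $name; Command = $props.$name }
        }
    }
    # Startup folders: the per-user one sits in the profile, the common one under ProgramData.
    $folders = @(
        @{ Scope = 'User';    Path = [Environment]::GetFolderPath('Startup') },
        @{ Scope = 'Machine'; Path = [Environment]::GetFolderPath('CommonStartup') }
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f.Path)) { continue }
        Get-ChildItem -Path $f.Path -File | ForEach-Object {
            [pscustomobject]@{ Scope = $f.Scope; Source = $f.Path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

"Running elevated: $(Test-IsElevated)"
# A process started by a limited user can add to the 'User' rows but not the
# 'Machine' rows; anything in the latter was put there with admin rights.
Get-AutorunEntries | Sort-Object Scope, Source, Name | Format-Table -AutoSize
```

Run it once from the limited account and once from an admin prompt; the 'User' rows are the ones that vanish with the profile, which is why deleting the account cleared the problem described above.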
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Yes, I know, but you cannot convince me that the 'nasties' have not worked their way around this in order to be able to plant a 'bomb' that goes off next time you run as admin.
Spoon PPRuNerist & Mad Inistrator
I have read nothing yet that tells me that viruses / malware can defeat user privilege levels.
You are welcome to your opinion and "suspicions", of course.
SD
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
BOAC,
To a large extent I've got no issues with what SD says. It's simply not feasible for anything to install itself .... and viruses/trojans/spyware all rely on installation in order for them to do their deeds.
Of course, there are one or two possible exceptions ... such as a buffer overflow attack. However, new features such as DEP and ASLR (given we're talking about Windows here) have made significant moves in the right direction to mitigate remaining risks.
In any event, all computer users, irrespective of operating system, should seek to do their day to day work on the principle of "least privilege" and then escalate privileges only as and when necessary.
If you remain truly paranoid, take a look at Faronics Deep Freeze ...... one reboot and you're back to a clean state. It's been thoroughly field tested in schools, libraries and other "high risk" environments ...... so by all accounts it works......
Faronics Deep Freeze Windows Editions - ABSOLUTE System Integrity
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Well, I see this as a small step 'on the way': to me it means there is a way in somewhere.
Microsoft Security Bulletin MS10-021 - Important
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
Published: April 13, 2010
Version: 1.0
General Information
Executive Summary
This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
On the face of it, that's quite a clever one.
However, it still relies on you downloading and running something you shouldn't..... "they" can't run it for you.
GPEDIT trusted paths / trusted executables if you don't want to rely on your AV program entirely....
Spoon PPRuNerist & Mad Inistrator
An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
That's quite a requirement, that logging on locally bit.
NB - given physical access to a Windows PC or server (not domain controller) even I can hack the system and change the admin password.
SD
Join Date: Aug 2002
Location: Earth
Posts: 3,663
Likes: 0
Received 0 Likes on 0 Posts
I simply do not share your complete trust in the M$ code.
I'm just saying that if Microsoft Windows is your weapon of choice, then you should make use of all the security measures available, no matter how much you doubt their effectiveness.
Join Date: May 2001
Posts: 10,815
Likes: 0
Received 0 Likes on 0 Posts
[QUOTE]NB - given physical access to a Windows PC or server (not domain controller) even I can hack the system and change the admin password[/QUOTE]
It used to take us 5 mins from getting a machine through the door to raping it of all passwords of every network it had ever been logged into. We had the password for the US mil network for 6 days until someone phoned them up and told them that we had it. Domain controllers used to take 10 mins once we had physical access and I used it many times to save a network from an admin that went rabid just before they left.
And to note, it was the desktop general admin password we got for the US mil, not the secure networks. Thankfully they use unix for proper security and blokes with guns stopping you getting near the servers. Once you have physical access to a server you are knackered.
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Mixture - that was not aimed specifically at you, more MY opinion of the state of play of the modern hacker v those who think limited user is fireproof. Having seen the skills of these ***** in producing stuff that hides itself from most 'looks' and the rate of progress in trojan/virus writing I remain unconvinced and yes, re your last para, not just my 'weapon of choice', but of many, and even Linux, mobiles and Mac are getting hit. I think all we can do is:
- limit access
- protect as best we can
- learn how to 'clean' when it happens
This is not specifically an anti-M$ swipe either, just that it is the logical target given the general dislike of its 'position' in the community, its wide spread and the way its code is written.