Does anyone here run Windows XP on a limited account?

jazzboy

Hi everyone.

Was wondering how many of you, if any, run windows using a limited (or even guest) account as opposed to having an admin account.

I've looked at a lot of security advice throughout the internet and one of the big pieces of advice often given, is that it's best to run on a limited account. I'm basically wondering if any of you feel that it's worth it, considering possible programme incompatibilities and any other downsides etc.
 

spyordie007

Yes, I made our whole IT department run as limited users starting a little over a year ago.
 

scottws

I used to, but I had all kinds of trouble with Azureus and Macromedia Homesite+, so I made myself a Power User.
 

mechBgon

There are poll results in this archived thread. About 1/3 of us use Limited accounts, according to the results there. There's hope yet. :D

Edit: yes, I would say it's worth it, especially after seeing the WMF zero-day exploit getting its payload stopped cold by my Limited account (in deliberate testing). Everyone at work has a non-Admin account too.
 

Brazen

All users have limited accounts, but all IT staff has admin accounts. I've tried to get this changed, but the IT director refuses it. I've set myself up to use a limited account with a separate account for when I need admin rights. I never have any problems with my PC, the other guys complain about flakey problems with their computers often and the IT director, OMG I spend like 25% of my time just fixing his computer. Of course they always complain to me because I'm the server admin, and they seem to think _every_ problem is caused by the servers.

If I'm lucky they don't try to fix it on their own:
"Hey Brazen, I couldn't open jpegs on my pc so I changed some registry settings on the domain controller and now nobody can get their email... I may have made some changes on the email server, too."
 

ivwshane

I tried using limited accounts on my clients' systems but due to software issues I had to elevate them to power users.

For me personally I run as admin since I run a tight ship and very rarely get spyware let alone viruses.
 

n0cmonkey

Yes, on most of my systems for most things. There are a couple of things I can't do without admin privs though, unfortunately.

I've also retired my home Windows system for most tasks. It'll be for a couple of non-online games and work related things and will be in "stand by" mode at all other times. Everything else I do will be on Mac OS X, OpenBSD, Linux, NetBSD, FreeBSD, or DragonflyBSD.
 

TechnoPro

Originally posted by: spyordie007
Yes, I made our whole IT department run as limited users starting a little over a year ago.

Have you noticed a decrease in security incidents as a result? Any problems?
 

ProviaFan

I have a limited account for 99% of what I do; occasionally it's a pain but the added security is worth the trouble, IMHO.
 

jazzboy

Originally posted by: Brazen
All users have limited accounts, but all IT staff has admin accounts. I've tried to get this changed, but the IT director refuses it. I've set myself up to use a limited account with a separate account for when I need admin rights. I never have any problems with my PC, the other guys complain about flakey problems with their computers often and the IT director, OMG I spend like 25% of my time just fixing his computer. Of course they always complain to me because I'm the server admin, and they seem to think _every_ problem is caused by the servers.

If I'm lucky they don't try to fix it on their own:
"Hey Brazen, I couldn't open jpegs on my pc so I changed some registry settings on the domain controller and now nobody can get their email... I may have made some changes on the email server, too."

Blimey, I wonder if your so called "IT director" has ever considered not being one!
 

djdrastic

Being an IT Director does not require any IT knowledge; rather, it requires these few things:

1) Driving in a late model 3 Series
2) Banging Some 26 Year Old Admin Assistant
3) Spewing phrases from Your Obscure Buzzwords Quarterly Magazine
4) Having the Firm belief that you have been hand picked by the creator as "special"
5) Having the Inability to say the following phrases: "Sorry", "Excuse Me", "I'm Wrong", "I'm Wrong, You're Right", "I have made a mistake"
6) The ability to argue about a technical problem with either a
* Certified Technician
* Author of Software
* Experienced System Administrator
* GOLD/Emergency Level Telephonic Support
* Expert in Field
 

spyordie007

Originally posted by: TechnoPro
Have you noticed a decrease in security incidents as a result? Any problems?

It's hard to judge what kind of a decrease in security incidents are related. I've done a lot of work the past couple of years getting our staff to follow better security practices as well as securing up a lot of our services/components. There has been a reduction but it's hard to say just how much of it is based on simply removing IT admin privileges.

The biggest change that we can track back to it is much less "mistakes" by IT staff performing regular job functions. For example since they are a regular user on network shares they can't do things like delete or move high-level folders that they might have been able to as an admin (which happens more frequently than they'd like to admit).

What we've done is to create 2 user accounts for all of our IT staff. Their "normal" account has (basically) the privileges as a regular user, their second account we refer to as their "admin" account which carries the higher level of privileges on the network that they need to do their job (Client Admins, Account Operators, Domain Admins, etc.). Typically the apps that they need to run as an admin are launched with their admin account's credentials by a run-as.

Also keep in mind that running as a "non-admin" isn't as black and white as a lot of people want to make it. The principle of least privilege is a lot more than just removing your account from admin and calling it good.

Also I have to post it because it's about the single best resource out there; Aaron Margosis's blog is a great resource:
http://blogs.msdn.com/aaron_margosis/default.aspx

Erik
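
The two-account arrangement described in the post above only holds if the day-to-day accounts stay out of the local Administrators and Power Users groups. The following PowerShell audit is an added example, not code from the thread; the `-adm` suffix for admin accounts, the `EXAMPLE` domain and the sample rows are assumptions made for illustration.

```powershell
# Added example, not code from the thread.
# Assumption: dedicated admin accounts end in "-adm" (hypothetical convention).
$AdminAccountPattern = '-adm$'

# Well-known SIDs, so the lookup also works on localized Windows builds.
$PrivilegedGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}

function Get-PrivilegeFinding {
    param([string]$Group, [string]$Name, [string]$Sid, [string]$ObjectClass)
    $reason = $null
    if ($Group -eq 'Power Users') {
        $reason = 'Power Users membership'
    } elseif ($Sid -match '-(500|512)$') {
        $reason = $null   # built-in Administrator or Domain Admins: expected
    } elseif ($ObjectClass -eq 'Group') {
        $reason = 'group nested in Administrators, review its members'
    } elseif ($Name -notmatch $AdminAccountPattern) {
        $reason = 'day-to-day account in Administrators'
    }
    if ($reason) {
        [pscustomobject]@{ Group = $Group; Member = $Name; Reason = $reason }
    }
}

# Constructed sample rows, used when the LocalAccounts cmdlets are unavailable.
$rows = @(
    @{ Group = 'Administrators'; Name = 'PC01\Administrator'; Sid = 'S-1-5-21-1-2-3-500';  ObjectClass = 'User' }
    @{ Group = 'Administrators'; Name = 'EXAMPLE\jdoe-adm';   Sid = 'S-1-5-21-1-2-3-1104'; ObjectClass = 'User' }
    @{ Group = 'Administrators'; Name = 'EXAMPLE\jdoe';       Sid = 'S-1-5-21-1-2-3-1103'; ObjectClass = 'User' }
    @{ Group = 'Power Users';    Name = 'EXAMPLE\frontdesk';  Sid = 'S-1-5-21-1-2-3-1120'; ObjectClass = 'User' }
)

if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Live data: read both groups on the local machine.
    $rows = foreach ($sid in $PrivilegedGroups.Keys) {
        Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue | ForEach-Object {
            @{ Group = $PrivilegedGroups[$sid]; Name = $_.Name
               Sid = $_.SID.Value; ObjectClass = [string]$_.ObjectClass }
        }
    }
}

$findings = foreach ($r in $rows) { Get-PrivilegeFinding @r }
$findings | Format-Table -AutoSize
```

With the constructed rows, the script reports `EXAMPLE\jdoe` (a day-to-day account in Administrators) and `EXAMPLE\frontdesk` (Power Users), and passes the built-in Administrator and the `-adm` account.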
 

spyordie007

Originally posted by: djdrastic
Being an IT Director does not require any IT knowledge; rather, it requires these few things:

1) Driving in a late model 3 Series
2) Banging Some 26 Year Old Admin Assistant
3) Spewing phrases from Your Obscure Buzzwords Quarterly Magazine
4) Having the Firm belief that you have been hand picked by the creator as "special"
5) Having the Inability to say the following phrases: "Sorry", "Excuse Me", "I'm Wrong", "I'm Wrong, You're Right", "I have made a mistake"
6) The ability to argue about a technical problem with either a
* Certified Technician
* Author of Software
* Experienced System Administrator
* GOLD/Emergency Level Telephonic Support
* Expert in Field

Oh come on now, just like any management position there are those who do well at it and there are those who do not. Obviously the good ones understand that they don't know everything and defer to their engineers who do.

I've been on both sides of the table, managing IT people (especially those with a high level of technical knowledge) is not an easy task. Unfortunately I never got an assistant to bang :D

Off to dilbert.com I go...
 

stash

I tried using limited accounts on my clients' systems but due to software issues I had to elevate them to power users.

You're better off just making them administrators, because at least you know what you're getting. Power Users are just users who haven't elevated themselves to administrator yet, as Jesper Johansson is fond of saying. And Mark Russinovich has a blog posting today showing exactly how you can elevate from PU to admin.
 

Varun

Out of sheer laziness I still run as admin, however any computer I build for family has individual accounts for each family member as limited, and a password protected admin account if they require installing software.

I figure if I mess up it's my problem, but if they mess up it's my problem too so it's best to keep them locked down as much as possible.
 

Link19

If you are the sole owner and single user of a computer, might as well run as an admin all the time as long as you have good consistently up to date AV software and a firewall in place.
 

kylef

Originally posted by: Link19
If you are the sole owner and single user of a computer, might as well run as an admin all the time as long as you have good consistently up to date AV software and a firewall in place.

I disagree. It's too easy to screw things up as an administrator, and MUCH easier to be susceptible to trojans. Trojans aren't always caught by AV software anyway.

The best policy is to run with least privilege, elevating only specific programs as necessary. Most common tasks should not require elevated privileges.
 

spyordie007

Originally posted by: kylef
Originally posted by: Link19
If you are the sole owner and single user of a computer, might as well run as an admin all the time as long as you have good consistently up to date AV software and a firewall in place.

I disagree. It's too easy to screw things up as an administrator, and MUCH easier to be susceptible to trojans. Trojans aren't always caught by AV software anyway.

The best policy is to run with least privilege, elevating only specific programs as necessary. Most common tasks should not require elevated privileges.

I agree with Kylef; the best way (and the only way you can be certain you are safe) is to not get the machine "infected" in the first place. Using the practice of least privilege is a good way to mitigate a lot of risk.
 

nweaver

Originally posted by: spyordie007
Originally posted by: kylef
Originally posted by: Link19
If you are the sole owner and single user of a computer, might as well run as an admin all the time as long as you have good consistently up to date AV software and a firewall in place.

I disagree. It's too easy to screw things up as an administrator, and MUCH easier to be susceptible to trojans. Trojans aren't always caught by AV software anyway.

The best policy is to run with least privilege, elevating only specific programs as necessary. Most common tasks should not require elevated privileges.

I agree with Kylef; the best way (and the only way you can be certain you are safe) is to not get the machine "infected" in the first place. Using the practice of least privilege is a good way to mitigate a lot of risk.

Once your box gets owned (look at zero hour exploits, there are plenty) and realize, once it happens, the only way to be "sure" is to nuke it from orbit.
 

Fizziks

My experience in running with limited user wasn't good. Some programs out there although great don't work properly in multiuser. I think I need to learn how to set privileges.
 

ivwshane

Originally posted by: stash
I tried using limited accounts on my clients' systems but due to software issues I had to elevate them to power users.

You're better off just making them administrators, because at least you know what you're getting. Power Users are just users who haven't elevated themselves to administrator yet, as Jesper Johansson is fond of saying. And Mark Russinovich has a blog posting today showing exactly how you can elevate from PU to admin.

Maybe but I know my users and they aren't smart enough to "hack" the system let alone know what a hack is.


Have you noticed a decrease in security incidents as a result? Any problems?

Yes I have. Before setting them up as power users I was constantly battling spyware as well as program installs like IM programs and viruses here and there. Now when a spyware scan is run I'll be lucky to have one piece of spyware detected and I have yet to get any viruses.
 

stash

Maybe but I know my users and they aren't smart enough to "hack" the system let alone know what a hack is.

That's not the point. They don't need to know how or even have the desire to know how. But someone else can trick them into doing it, and then your network becomes someone else's network.

Before setting them up as power users I was constantly battling spyware as well as program installs like IM programs and viruses here and there.

?? There's nothing stopping a power user from installing an app like an IM program.