Running as Administrator all the time

[AShadeOfClear]

What's so bad about running under the Administrator account in Windows 2000 all the time given these conditions: I am the only person that uses this system & the other two systems on my home LAN. I have a DSL connection shared with a router, have a software firewall on each system. I am very judicious about what I download and install. I only install applications that can be fully trusted (I have another system reserved for those that I have doubts about). I keep my OS & Antivirus updated.

Someone suggested that I become a Power User for a daily-use account. I can get used to the slight inconvenience of having to switch to Administrator now and then, but I'm really curious about what "bad things" could happen? I mean, wasn't I running as "Administrator" full-time under Windows 9x?

 

[Dragon23]

I don't see a problem running in admin. I run my system that way on all my systems and I am set up with dsl and router and firewall. The only thing you have to be careful with is if there is a chance that your network has open sockets that are not secured behind your firewall. Please remember it is just my opion and some one else my differ and my info that I don't know of yet.

 

[Nothinman]

Everything you run can do absolutely anything to the system, if you run it as a regular user the damage is contained. And since most Windows programs lately have been very untrustworthy, it's not a very good idea unless you like to blindly trust all the programs you run.

Use the "Run As" feature if you need admin rights, 99% of the time you don't anyway. And Win9X is a terrible comparison to NT, it's got no concept of security at all.

 

[q2261]

Ive been running all my rigs as admin ever since I migrated to 2k from NT4
Never had problems in over 2 years now.

 

[Workin']

Originally posted by: q2261
Ive been running all my rigs as admin ever since I migrated to 2k from NT4
Never had problems in over 2 years now.

I've been running with scissors since I was a little kid and have never stabbed myself. And I had a BB gun and never put an eye out...

It's just good advice - just because nothing bad has happened YET doesn't mean something bad CAN'T happen!

Just wait until some night you are really tired and accidentally do something stupid, not having admin priviledges could really save your bacon, so to speak.

 

[n0cmonkey]

Originally posted by: Workin'I've been running with scissors since I was a little kid and have never stabbed myself.

bwahahahahaha! 😛

Perfect 😀

 

[cleverhandle]

Eh... I don't find running as admin a big deal in Windows, provided you trust the programs you run. Even late at night, I'm just not going to accidently browse into my system directories and delete a few key dll's. With *nix, it's a different story, because I'm more likely to use the CLI, where a misplaced space or ? can cause serious problems. I recognize that running under a limited account is safer in an absolute sense, but I don't think the magnitude of the effect is significant for Windows.

 

[n0cmonkey]

Originally posted by: cleverhandle
Eh... I don't find running as admin a big deal in Windows, provided you trust the programs you run. Even late at night, I'm just not going to accidently browse into my system directories and delete a few key dll's. With *nix, it's a different story, because I'm more likely to use the CLI, where a misplaced space or ? can cause serious problems. I recognize that running under a limited account is safer in an absolute sense, but I don't think the magnitude of the effect is significant for Windows.

How can you trust a program when you cant verify its integrity at the source level? md5 sums and pgp keys would be a start.. But then you still have to trust the person distributing the executable. And how many viruses have come out recently that you didnt actully have to do anything to run them?

 

[JellyBaby]

How can you trust a program when you cant verify its integrity at the source level?

Even as Admin you can't even fully trust MS's own software add-ons. MS assumes they can fiddle with the system without any explicit permission being given. I'd be more worried about MS than some rogue program doing harm.

If you choose to stick with Admin, change the name to something weird and use a strong password. Keep the Guest account disabled, raise the firewall, don't enable sharing, etc. Should be reasonably safe.

 

[cleverhandle]

How can you trust a program when you cant verify its integrity at the source level? md5 sums and pgp keys would be a start.. But then you still have to trust the person distributing the executable.

You can't, of course. But just how much this is an issue really depends on what kind of system and on what programs you're running. If you run a lot of little programs and utilities you find on the web, then this is a legitimate concern. I don't, and I'd say that most people don't either - especially on Windows. The programs on my Windows machine are mostly major applications - office, games, GPS software - that I'm getting from a CD. I trust those. The few downloaded apps are major ones - stuff like Sandra and Powerstrip that many thousands of people use. Could someone conceivably hack the distribution site and insert a trojan into the executables? Sure, though it's pretty darn unlikely, this happened with some BSD or Linux proggie a while back - I don't remember which. An MD5 sum helps with this, but even without one, I'll take a chance on my home system. Were I administering a large network with important customer or business information, I'd be more paranoid.

And how many viruses have come out recently that you didnt actully have to do anything to run them?

Hmm... probably lots, but I honestly haven't kept up on the virus scene, since I haven't been doing much with that at work lately. I know that on my home machine, I've never been infected. Again, this depends on your usage - if you know you will receive lots of email attachments or participate in similar "high-risk" activities, it might be a serious issue. As with downloaded programs, it could just happen that I hit a bad webpage or receive an infected attachment before NAV gets updated, but the chances, and the damage potential, are small enough that I'm not worried about it.

I don't mean to attack established wisdom on security. It comes from professionals (many of them on these boards) who administer large, complex, and very important systems, and there's no doubt that any networked computer can be made more secure by following that advice. But I do think that that advice has to be kept in perspective, and we need to keep in mind the cost in time, money, and convenience of higher security. My apartment is not as secure as Fort Knox - but I'm OK with that. The same reasoning applies to computers - consider the combination of cost, risk, and damage potential that's appropriate to your situation.

 

[n0cmonkey]

Originally posted by: cleverhandle

How can you trust a program when you cant verify its integrity at the source level? md5 sums and pgp keys would be a start.. But then you still have to trust the person distributing the executable.

You can't, of course. But just how much this is an issue really depends on what kind of system and on what programs you're running. If you run a lot of little programs and utilities you find on the web, then this is a legitimate concern. I don't, and I'd say that most people don't either - especially on Windows. The programs on my Windows machine are mostly major applications - office, games, GPS software - that I'm getting from a CD. I trust those. The few downloaded apps are major ones - stuff like Sandra and Powerstrip that many thousands of people use. Could someone conceivably hack the distribution site and insert a trojan into the executables? Sure, though it's pretty darn unlikely, this happened with some BSD or Linux proggie a while back - I don't remember which. An MD5 sum helps with this, but even without one, I'll take a chance on my home system. Were I administering a large network with important customer or business information, I'd be more paranoid.

dsniff, irssi, and maybe bitchx, not sure on the last one.

And how many viruses have come out recently that you didnt actully have to do anything to run them?

Hmm... probably lots, but I honestly haven't kept up on the virus scene, since I haven't been doing much with that at work lately. I know that on my home machine, I've never been infected. Again, this depends on your usage - if you know you will receive lots of email attachments or participate in similar "high-risk" activities, it might be a serious issue. As with downloaded programs, it could just happen that I hit a bad webpage or receive an infected attachment before NAV gets updated, but the chances, and the damage potential, are small enough that I'm not worried about it.

I don't mean to attack established wisdom on security. It comes from professionals (many of them on these boards) who administer large, complex, and very important systems, and there's no doubt that any networked computer can be made more secure by following that advice. But I do think that that advice has to be kept in perspective, and we need to keep in mind the cost in time, money, and convenience of higher security. My apartment is not as secure as Fort Knox - but I'm OK with that. The same reasoning applies to computers - consider the combination of cost, risk, and damage potential that's appropriate to your situation.

Yes, keep it in perspective. This is something small someone can do to *help* protect their systems. A simple run as gives users access to the few things admins cant do. I didnt see your post as an attack, just another arguement I wanted to refute 🙂

 

[ultimatebob]

Ummm... you worry too much. Although the guidelines that some people are stating would work well in a UNIX setting, Windows workstation security simply doesn't work as well as UNIX security does. Most Windows applications run under the assumption that they have administrative privledges, and therefore often do things like install services, update/modify windows system files, and make changes to the registry when they are installed and executed. Although many of them can be installed with administrator and ran with a user account, you'll always run into problems when you have to install helper applications and silly little things like browser plugins. For personal use, it usually isn't work the trouble.

NOW, if you're dealing with a multi-user system, it's a different story. Sometimes other users (People like Mom, Dad, a little sister, a stupid roommate, or nosey co-worker) like to play with things that they shouldn't be touching. In that case, you'll want to LOG OUT whenever you're finished using your computer, and give them a restricted user account to use.

 

[Sunner]

At home I use the admin account all the time, cause Im lazy, and frankly don't have all that much important stuff on those boxes, at least nothing I can't get back.
Under *NIX I never run as root though, but "Run as" just doesn't work nearly as well as "su -".

 

[n0cmonkey]

Originally posted by: Sunner
At home I use the admin account all the time, cause Im lazy, and frankly don't have all that much important stuff on those boxes, at least nothing I can't get back.
Under *NIX I never run as root though, but "Run as" just doesn't work nearly as well as "su -".

You shouldnt use su much either 😛

 

[Sunner]

Originally posted by: n0cmonkey

Originally posted by: SunnerAt home I use the admin account all the time, cause Im lazy, and frankly don't have all that much important stuff on those boxes, at least nothing I can't get back.Under *NIX I never run as root though, but "Run as" just doesn't work nearly as well as "su -".

You shouldnt use su much either 😛

Well, I assume you have a better way to install programs, new kernels, etc then 😉

 

[DeepSparklePupa]

I use su twice every day:

su root
cp /etc/rc.d/gaming.firewall /etc/rc.d/rc.firewall
/etc/rc.d/init.d/firewall restart
exit

su root
cp /etc/rc.d/tight.firewall /etc/rc.d/rc.firewall
/etc/rc.d/init.d/firewall restart
exit

If there were another way... check that - if there were ANY danger, I'd not do it.

DSP

 

[Nothinman]

I use su twice every day:

su root
cp /etc/rc.d/gaming.firewall /etc/rc.d/rc.firewall
/etc/rc.d/init.d/firewall restart
exit

su root
cp /etc/rc.d/tight.firewall /etc/rc.d/rc.firewall
/etc/rc.d/init.d/firewall restart
exit

If there were another way... check that - if there were ANY danger, I'd not do it.

DSP

Since it's the same things over and over you could write suid scripts to do it for you, or write scripts and execute them via sudo. Or if you do them at the same times every day put them in root's crontab to have them run automatically.

 

[DeepSparklePupa]

Actually, those are both EXCELLENT ideas!

Yahoo! More scripting! 🙂

 

[n0cmonkey]

Originally posted by: Sunner

Originally posted by: n0cmonkey

Originally posted by: SunnerAt home I use the admin account all the time, cause Im lazy, and frankly don't have all that much important stuff on those boxes, at least nothing I can't get back.Under *NIX I never run as root though, but "Run as" just doesn't work nearly as well as "su -".

You shouldnt use su much either 😛

Well, I assume you have a better way to install programs, new kernels, etc then 😉

sudo

 

[ElFenix]

how do i disable the guest account in 2k?

 

[NogginBoink]

I used to run as admin all the time... until I clicked a malware link and my system went belly up.

I've made too many stupid mistakes, and fat fingered too many commands, and finally learned (the hard way) the wisdom of running as non-admin for day to day use.

So far, it's kept me from inadvertently blowing up my box. I can usually use runas to run something as admin without logging off.

It serves me well.

 

[Sunner]

Originally posted by: n0cmonkey

Originally posted by: Sunner

Originally posted by: n0cmonkey

Originally posted by: SunnerAt home I use the admin account all the time, cause Im lazy, and frankly don't have all that much important stuff on those boxes, at least nothing I can't get back.Under *NIX I never run as root though, but "Run as" just doesn't work nearly as well as "su -".

You shouldnt use su much either 😛

Well, I assume you have a better way to install programs, new kernels, etc then 😉

sudo

I knew someone was gonna say that 😛

But considdering Im too lazy to bother setting up a Power User account under Win2K, do you really expect me to mess with sudo when I can simply run su? 😉

 

[n0cmonkey]

Originally posted by: Sunner

Originally posted by: n0cmonkey

Originally posted by: Sunner

Originally posted by: n0cmonkey

Originally posted by: SunnerAt home I use the admin account all the time, cause Im lazy, and frankly don't have all that much important stuff on those boxes, at least nothing I can't get back.Under *NIX I never run as root though, but "Run as" just doesn't work nearly as well as "su -".

You shouldnt use su much either 😛

Well, I assume you have a better way to install programs, new kernels, etc then 😉

sudo

I knew someone was gonna say that 😛

But considdering Im too lazy to bother setting up a Power User account under Win2K, do you really expect me to mess with sudo when I can simply run su? 😉

Of course not. Why try?

 

[Sunner]

Of course not. Why try?

Cause I have su.

Of course, we use sudo rather than su at work, but at home, demands aren't quite the same, and hence the lazyness wins out 😉

Seriously, on my box at home, I see no point in setting up sudo, unless you do something ultra sensitive on it for some reason, it's not worth the hastle.

 

[n0cmonkey]

Originally posted by: Sunner

Of course not. Why try?

Cause I have su.

Of course, we use sudo rather than su at work, but at home, demands aren't quite the same, and hence the lazyness wins out 😉

Seriously, on my box at home, I see no point in setting up sudo, unless you do something ultra sensitive on it for some reason, it's not worth the hastle.

Your OS doesnt come with it insalled? All I had to do was x a hash 😀

And with recent events Ive been a little more paranoid than usualy about my home machine... Its going to be a good thanksgiving...