What protection do limited accounts offer?

jondercik

Limited accounts can't make system-wide changes and have less access to right to the registry and files.
 

ManBearPig

Originally posted by: jondercik
Limited accounts can't make system-wide changes and have less access to right to the registry and files.


I've heard that a lot of viruses/hackers and stuff just target the admin account, is that true?
 

cleverhandle

Originally posted by: Heen05
I've heard that a lot of viruses/hackers and stuff just target the admin account, is that true?
Most viruses try to do things (change reg keys, etc.) that are only allowed with Administrative privileges. If you're on a Limited Account, the virus will simply fail because the system won't let "you" (the virus, really) make the changes you're trying to.

 

spyordie007

There are some viruses/hackers/etc. that specifically target the admin account; however the issue is (generally) running code as any administrative account (as opposed to a specific account).

A lot of attacks are run as the logged-in user; if you are logged in with admin privileges and the route of attack is through code you are running, then that attack has unrestricted access to the system.

For this reason I recommend logging in as a restricted user account and only pulling out administrative accounts for specific sanctioned tasks (i.e. installing trusted software). This will significantly limit any damage that viruses/malware/etc. can do if their route of attack is via your account.
 

nweaver

If www.maliciauscode.com has an IE hack that downloads and registers a program, there are 2 things that can happen:

a- Limited user: Site visited, IE downloads and tries to execute the code, but fails, because the registered user can't register the app, write the registry changes, edit the file, etc.
b- Admin user: Site visited, box bent over and owned, because your IE is running as admin, and has FULL system access.
 

Nothinman

Running as a limited account is mostly to protect you from yourself, it's much less probable that you'll break your system if you have to go through an extra step or two to do it.

Technically most malware could be 'fixed' to work within the constraints of a limited account. Most of them don't need to do anything that requires administrative rights besides registering themselves to startup automatically and even that could be worked around by setting them to startup when the current account logs in, it won't be as good as system startup but it'll probably be 'good enough'.
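
Added example, not part of the original post or thread: a PowerShell audit that lists autostart entries by scope, so the per-user locations an account can write without administrative rights can be reviewed next to the machine-wide ones. It assumes the standard Run registry keys and Startup folders; the output column names are chosen here for illustration.

```powershell
# Added example (not from the thread): audit autostart entries by scope.
# IsInRole reports False for a limited account and for an unelevated token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("Running as {0} (administrator: {1})" -f $identity.Name, $isAdmin)

# Run keys: HKCU belongs to the logged-in account, HKLM needs administrative rights to change.
$runKeys = @(
    @{ Scope = 'per-user';     Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Scope = 'machine-wide'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' }
)
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key.Path)) { continue }
    $regKey = Get-Item -Path $key.Path
    foreach ($name in $regKey.GetValueNames()) {
        [pscustomobject]@{
            Scope   = $key.Scope
            Source  = $key.Path
            Name    = $name
            Command = $regKey.GetValue($name)
        }
    }
})

# Startup folders: the same split between the account's own folder and the shared one.
$folders = @(
    @{ Scope = 'per-user';     Path = [Environment]::GetFolderPath('Startup') },
    @{ Scope = 'machine-wide'; Path = [Environment]::GetFolderPath('CommonStartup') }
)
$entries += @(foreach ($folder in $folders) {
    if (-not $folder.Path -or -not (Test-Path -Path $folder.Path)) { continue }
    Get-ChildItem -Path $folder.Path -File | ForEach-Object {
        [pscustomobject]@{
            Scope   = $folder.Scope
            Source  = $folder.Path
            Name    = $_.Name
            Command = $_.FullName
        }
    }
})

# Review the per-user rows first: nothing there required administrative rights to add.
$entries | Sort-Object Scope, Source, Name | Format-Table -AutoSize -Wrap
```

Run it once per account on a shared machine, since the per-user rows reflect only the account that is logged in.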
 

mechBgon

Here's one bit of firsthand testing I did recently: Limited account 1, WMF exploit 0 (bottom of the four links there, and the others might interest you too). With screen-capture video. :cool:

Against that sample, the Limited account was effective damage containment. The exploit still ran, if no other protection was in place, but its payload fell flat for lack of Admin privileges.

The Limited account also would safeguard your security software. Deleting the security software's files and Registry entries and pooching your HOSTS file is a common MO, and one that a Limited account would not have the ability to do on a normal WinXP setup.

If your Admin account has a blank password, then AFAIK on a WinXP SP2 system, it's safe from being used via secondary logon, because that's one power that was taken away in SP2 (or maybe SP1?). If it has an idiot password like "password," then it might be exploited. If it has a strong password like Heen05@ATForums then you've defeated the let's-try-the-likely-ones approach.
 

stash

A limited account will do diddly for the stuff you most likely care the most about...your files. Doesn't matter what OS you run, Linux, Mac, Windows, whatever.
 

spyordie007

Originally posted by: STaSh
A limited account will do diddly for the stuff you most likely care the most about...your files. Doesn't matter what OS you run, Linux, Mac, Windows, whatever.
True, but it ensures you can't do damage to other users' files.
 

stash

I don't care about other users :) Other users don't use any of my machines, for the most part.
 

cleverhandle

Originally posted by: STaSh
A limited account will do diddly for the stuff you most likely care the most about...your files. Doesn't matter what OS you run, Linux, Mac, Windows, whatever.

True, but that's what backups are for. If my user account were to get utterly hosed by a virus/exploit, I could wipe the account, restore my files, and have my desktop/apps mostly reconfigured in an hour or less. That's a lot better than having to reinstall the whole OS or spend an afternoon cleaning up a system-wide infection.

Of course, you could back up the whole system and solve that issue too. But that's a bit more demanding on disk and time resources than just backing up my documents.
 

stash

Of course, backups are a good idea. I know this. You know this. A lot of people reading this thread know this.

Not everyone knows this.

Running with least-privilege is an excellent idea. But trust me, when Vista comes out, there will be a lot of "wait a minute, I'm running Vista and I still lost all of my crap!?! WTFBBQ????"

Guaranteed.

Malware will always adapt. And so will security, but backups will always be paramount.