(Msg. 9) Posted: Sun Jul 19, 2009 5:39 pm
Post subject: Re: Using Same Account as both Admin and Limited User Archived from groups: microsoft>public>windowsxp>security_admin
Hi Anteaus, and thanks for replying.
On Sat, 18 Jul 2009 11:34:01 -0700, Anteaus wrote:
>Look for a script called MakeMeAdmin.
I don't think I want to make it too easy to switch the account back
and forth between LUA and Admin rights. There's no time pressure to
produce, so I'd want to do it deliberately (in the sense of 'not
spur-of-the-moment'), with plenty of thought involved.
>BTW, I have long thought that what you say is correct. The lack of
>understanding, if any, lies in people who insist on applying 1960's
>shared-access mainframe principles to a personal computer.
Well, I do buy into the whole security thing: run as a LUA account,
only use Admin rights when absolutely necessary, make it tough - or,
more correctly, not as easy - for the bad guys to mess with you.
Practice safe hex. I believe in that, just like the folks who replied
to me earlier do, and they're right - you risk getting taken to the
cleaners if you play fast and loose. What seemed to concern them the
most was that I would forget to switch back to LU mode without some
sort of visual reminder of where I was. I make no claim about having
a mind like an elephant, but if said pachyderm were to find itself
stuck with a human-type mind, I submit it could do worse than mine
<g>.
>What is actually needed on a one-per-desk computer is a way to prevent
>access to system files when in 'normal mode' so as to offer better security
>against malware, and to allow such when in 'maintenance mode.'
>
>What happens instead is that all system configuration is done under an
>entirely different collection of settings, and any changes to the settings
>are thrown-away when returning to normal mode. This causes extreme
>awkwardness (in fact it means that most apps have to be configured
>twice-over) and is the main reason most people don't run as a limited user.
I believe the two preceding paragraphs to be correct; in fact, it is
that exact scenario that has caused me the most trouble in XP, and
I've been surprised that this way of handling it hasn't gotten more
air time, so to speak. I've tried it, carefully, on two or three
occasions, and it seemed to work - at least, nothing blew up. So,
I'll keep looking for technical reasons to avoid this method, but I
won't keep looking too much longer. It feels too "right" to not make
use of, barring good reasons not to.
(Msg. 10) Posted: Sat Aug 08, 2009 6:06 pm
Post subject: Re: Using Same Account as both Admin and Limited User Archived from groups: per prev. post
Anteaus wrote:
> What is actually needed on a one-per-desk computer is a way to prevent
> access to system files when in 'normal mode' so as to offer better security
> against malware, and to allow such when in 'maintenance mode.'
>
> What happens instead is that all system configuration is done under an
> entirely different collection of settings, and any changes to the settings
> are thrown-away when returning to normal mode. This causes extreme
> awkwardness (in fact it means that most apps have to be configured
> twice-over) and is the main reason most people don't run as a limited user.
Well, that's why Microsoft made Windows Vista. Uh, wait...
You can do several useful administrative things from a limited user
desktop with right-click "Run As..." to select your administrator
account. Other things you can't do at all, and some you can do by
using "Run As..." in an indirect way. I think that's a way to run
hard disk maintenance tools, for instance - through "Computer
Management". But Windows Explorer, and "Windows Update" inside
Internet Explorer, seem to be out.
Administrator is always present and active in your computer but may
not be talking to you.
On the other hand, "Ordinary user" could be compromised while
administrator is not - or so we're told. And yet frequently we hear
of a Windows Update that stops a malicious exploit that invades as
"Ordinary user" and then escalates to administrator. Which is not
even needed if /you/ escalate "Ordinary user" to administrator
status. I'm sure there are exploits that just assume that, like very
many users even today, the victim is an administrator.
As it happens, I'm looking for advice on securing an XP Home netbook I
just got. Is there a good FAQ?
Let's say my administrator account is named "Arthur" and the everyday
user is named "Galahad" - although that's not leading anywhere. Now
for instance there's a "real" Administrator that only works in safe
mode, right? Apparently with no password as default? On the WWW I
can find people telling me to rename /that/ administrator, delete it,
change the password. Does any of that stuff matter if the account
isn't accessible except for explicitly invoked maintenance?
Also, I've apparently been silently but legally supplied with Norton
Internet Security 2008 on hard disc, but not configured. But I favour
F-Secure's products, and I want to upgrade protection on other systems
I own, too. Also, my employer uses F-Secure. Still, I have this one
copy of Norton for free - temporarily, I expect, a limited-time
subscription.
<http://voices.washingtonpost.com/securityfix/2009/07/update_for_norton_internet_sec.html>
(Brian Krebs) repeats but
disagrees with criticism: "NIS has earned a bad rap over the years for
being a slow, resource-hogging beast of an anti-virus program, but
when I trialed the program for a few months, I found NIS2009 to be
very fast and unobtrusive." He doesn't mention it being hell to remove
from a system, which I've also heard. So I guess it could be (1) best
avoided or (2) too late, since it's kind of there.