From: njem on
I'm trying to move workstaions in our office to non-admin logons for
better virus protection. Man, what a pain. The complications seem to
be unending. So now I want to verify that it's even worth it. Who
understands how viruses infect well enough to really know (not just
have heard) that not having an admin logon as the normal user logon
actually makes it harder for viruses? None of my stations are logged
on as "Administrator" just as some user that is an admin. And it's a
mix of XP and W7 stations and I _think_ that makes a difference. I
have a vauge idea that under XP if the user is an admin they, or a
virus, can do pretty much anything with no need to give permission. So
maybe on an XP station it's worse. On a W7 station even if they are an
admin level user (and UAC is at default level) you'll get an ask
dialog if a virus wants to install something, I think. But would a
virus infection really trigger a "you don't have permission" message
if on XP a user was not an admin? Would it trigger a UAC confirmation
box in W7? Or do they manage to bypass all that? (I know if a scam can
trick a user into clicking okay all bets are off.)

Thanks
From: Shenan Stanley on
njem wrote:
> I'm trying to move workstaions in our office to non-admin logons for
> better virus protection. Man, what a pain. The complications seem to
> be unending. So now I want to verify that it's even worth it. Who
> understands how viruses infect well enough to really know (not just
> have heard) that not having an admin logon as the normal user logon
> actually makes it harder for viruses? None of my stations are logged
> on as "Administrator" just as some user that is an admin. And it's a
> mix of XP and W7 stations and I _think_ that makes a difference. I
> have a vauge idea that under XP if the user is an admin they, or a
> virus, can do pretty much anything with no need to give permission.
> So maybe on an XP station it's worse. On a W7 station even if they
> are an admin level user (and UAC is at default level) you'll get an
> ask dialog if a virus wants to install something, I think. But
> would a virus infection really trigger a "you don't have
> permission" message if on XP a user was not an admin? Would it
> trigger a UAC confirmation box in W7? Or do they manage to bypass
> all that? (I know if a scam can trick a user into clicking okay all
> bets are off.)

Is it worth it? Yes.

Inexperienced users with full rights to the machine *(even through a UAC
prompt) can cause more damage in a short period of time than you think. It
is not necessarily just for viruses, spyware, adware and other malware -
although that is a great reason to switch to it (you'll still have to
cleanup some user-only messes.) For the most part, if the user *can*
install - they will. It may not be on purpose - but it will likely happen.

What you want when managing many computers is as much homogeniality between
the machines as possible. It makes your job much easier and keeps the
computers running better because there is no doubt what should/should not be
on the machine, what might conflict with what, etc.

What happens when someone installs 'coupon printer' and suddenly their
actual printer starts printing garbage instead of that presentation that
have to give in an hour? They install some java-based weather application
and suddenly the java-based web interface for the accounting application
your company uses ceases to function (happens to work great when the weather
app isn't running?) What if you have to have a specific version of java
installed for certain apps but when the popup came up for them to upgrade -
they did now... uh oh. The antivirus kept popping up warning them of an
issue, so they right-clicked and disabled it so they could get their work
done, then forgot about it and went browsing the web.

The question should not be "Is non-admin worth it?" it should be, "Why'd
they ever have administrative rights anyway when the idea that one should
not run daily with admin rights has been around for a *LONG* time?"

Let me address this part, "None of my stations are logged on as
"Administrator" just as some user that is an admin. And it's a mix of XP and
W7 stations and I _think_ that makes a difference."

In the long run.... wait, what? If you have administrative rights, you have
administrative rights. Period. Doesn't matter if your username happens to
be "administrator" and associated with the built-in SID/original
administrator account or not. Yes - the UAC is nice, it does pop up an
additional warning. That's it though - really - a warning. It can (and
does - from my experience with home users and repairing their machines)
become just another click that the end-user will barge through to get to the
part they are interested in (damn the consequences.) It's not a cure-all.
Truthfully - neither is limiting their rights because they can (and most
likely will) still get themselves in trouble. Malware can be tricky enough
to infest just a user's account if it cannot infest the entire machine (many
try to do both, probably don't even check if they succeed, but who knows -
some might even check.) However - cleaning up an individual account versus
a whole machine or network of machines - I'll trade happily.

And - with a little decent programming/scripting skills - you could probably
convince a end-user to unwittingly turn off any protections you think you
have... Unless they don't have the rights to do so. ;-)

It's only a pain because it was done incorrectly in the first place. It
does get easier - although there *will be* things that pop up where you
think, "If they had admin rights..." - but guess what - that's what your job
is. To administrate the machines so they don't have to (I usually stop at
"don't") and ensure the end-users can smoothly do their job without worry
over things that are *not* their job. ;-)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


From: "FromTheRafters" erratic on
"njem" <njem(a)q.com> wrote in message
news:40b09124-ad29-4031-b585-3a63feb5dd53(a)u19g2000prh.googlegroups.com...

> I'm trying to move workstaions in our office to non-admin logons for
> better virus protection. Man, what a pain. The complications seem to
> be unending. So now I want to verify that it's even worth it. Who
> understands how viruses infect well enough to really know (not just
> have heard) that not having an admin logon as the normal user logon
> actually makes it harder for viruses?

Forget viruses for this discussion, concentrate on malware and users.

> None of my stations are logged on as "Administrator" just
> as some user that is an admin.

In XP there is no difference there.

On W7 not being "Administrator" would mean that integrity levels come
into play. Integrity levels are involved in triggering UAC prompts. This
is not enough securitywise, as there is no security boundary implied in
UAC consent prompt in the "protected admin" (Admin Approval Mode)
account. To get that security boundary, the UAC generated credentials
prompt from within a standard account is the way.

> And it's a mix of XP and W7 stations and I _think_ that makes a
> difference.

No difference, every user should only have the amount of power that they
*need* and no more (Principal of Least Privilege)
I
> have a vauge idea that under XP if the user is an admin they, or a
> virus, can do pretty much anything with no need to give permission.

Correct, they *have* permission - no need to ask for it. Malware running
in a limited account will have limited power and scope.

> So maybe on an XP station it's worse. On a W7 station even if they are
> an
> admin level user (and UAC is at default level) you'll get an ask
> dialog if a virus wants to install something, I think.

If malware tries to do something outside of the standard user's scope
(even the admin level account (AAM) functions as a standard account), A
UAC prompt is invoked. In XP, the admin level account has the
administrators token on his keychain. In W7, the admin level account has
the standard users token on his keychain, and the admin token in his
back pocket for easy access.

An attack against a standard user will be limited in scope (sorry, I
don't have the admin keys), as will an attack against the admin level
user (unless the attacker picks his pocket - which *might* be possible).

> But would a virus infection really trigger a "you don't have
> permission" message
> if on XP a user was not an admin?

It depends on the malware, you could get a "silent failure" in some
cases, messages in others.

> Would it trigger a UAC confirmation box in W7?

It depends on what it is trying to do, some malware might not try to do
anything outside of its scope.

> Or do they manage to bypass all that?

Not all kinds of malware are trying to sink their teeth deep into the
host system. Viruses in particular don't really need any power that is
not normally granted to standard users (which is why I suggested not
considering viruses in this discussion). Most other malware will have a
desire to "get themselves started" after a reboot (a virus can be
perfectly content to run when it's host program does). Most often, the
methods they use to start themselves (run/runonce keys, BHO's path
hijacking) can be fortified against such misuse by making them require
admin level permissions to use them.

> (I know if a scam can trick a user into clicking okay all bets are
off.)

That is but one way to pick a pocket. There *might* be a way through
software as well. It is still best to make use of the security boundary
offered by separate accounts so there is no "token in pocket" to pick.


From: njem on
Well you've given me lots of good info and I appreciate it.

I inherited this particular facility and it is a loose arrangement.
Fortunately I haven't run into anything like updating java and
something doesn't work, or a print driver that messes up the others.
Most of the users are either fairly savvy or so scared of anything
unusual that when the anti-virus pops up a message that it needs to
update itself the get worried and call me.

The gottchas of non-admin have been many and time consuming. An Access
run time that won't run as non-admin (I think because it has to access
a back end, still sorting that one out). A user's outlook couldn't
open their PST because I'd made the mistake of moving it into place as
admin, so it had admin ownership. A backup program that needed "run
as" established in three different places. The same program shows as
being in demo mode and about to run out if I don't register it. Etc.,
etc.

So I'm back to my main questions. In XP if a logon is non-admin, there
is no UAC question, does a virus trigger a "you don't have permission"
message? Or they go ahead and get infected but only their user area
(as you implied)? If it's W7 and they get a UAC question at an odd
time, when they haven't attempted to install anything, if they don't
okay it (or give admin logon and address) then the virus can't do
anything? Or do viruses manage to infect anyway. I realize of course
there are all types, which is part of what makes me wonder. Are some
common ones smart enough to get around all this, or is non-admin (if
the user doesn't okay anything) really going to block, or at least
limit it (on XP) to the user area. If that's REALLY the case then it
may be worth the pain. If not it's not.

Thanks

On Mar 24, 8:48 am, "Shenan Stanley" <newshel...(a)gmail.com> wrote:
> njem wrote:
From: Anteaus on
IMLI, non-admin works for sites that have onsite IT staff to handle updates,
etc. For other sites it is too problematic.

There is also no certainty that limited-user working will block malware from
running. In principle, malware could still pinch information belonging to the
logged-on user, such as the addressbook. If the user can access it, so can a
malware process running in that account. It WILL limit the damage that
malware can do, though, and will generally prevent malware from becoming
system-resident.

As an additional (or alternative) protection you might like to look at:

http://sourceforge.net/projects/softwarepolicy

This takes the opposite approach to user restrictions, namely of preventing
software from running from unauthorized locations. Provided the blocked
locations include the temp and download folders, this is pretty effective at
stopping malicious downloads, etc. from launching.

There is also the option of running the most vulnerable apps such as
browsers as a limited user:

http://www.sysint.no/nedlasting/StripMyRights.htm

A combination of these two gives pretty-good protection against malware, and
with very few nags. I run both, and only have to turn the policy off if doing
something major. I can still change the time, display resolution, etc without
nags popping-up, and without the need to go full-admin. But if I
accidentally double-click an executable on a CDR or USB key... nothing
happens. Which is the way I like it.

When online, if the user-permissions of the browser allow an executable to
be downloaded to a folder, the software-policy forbids it from being launched
from that folder. Since processes spawned from the browser have the same
credentials as the browser, this mostly applies to plugins too. (Though you
should possibly be aware of quicktime services, etc which may be running as
an elevated user. Best answer is to remove these, they're not needed anyway.)

If the executable is a legitimate install, you either turn the policy off
while installing, or move it to another folder.

Hopefully the next version of Simple Software Policy will include both
functions, so only one app is needed to cover both aspects.


"njem" wrote:

> I'm trying to move workstaions in our office to non-admin logons for
> better virus protection. Man, what a pain. The complications seem to
> be unending. So now I want to verify that it's even worth it. Who
> understands how viruses infect well enough to really know (not just
> have heard) that not having an admin logon as the normal user logon
> actually makes it harder for viruses? None of my stations are logged
> on as "Administrator" just as some user that is an admin. And it's a
> mix of XP and W7 stations and I _think_ that makes a difference. I
> have a vauge idea that under XP if the user is an admin they, or a
> virus, can do pretty much anything with no need to give permission. So
> maybe on an XP station it's worse. On a W7 station even if they are an
> admin level user (and UAC is at default level) you'll get an ask
> dialog if a virus wants to install something, I think. But would a
> virus infection really trigger a "you don't have permission" message
> if on XP a user was not an admin? Would it trigger a UAC confirmation
> box in W7? Or do they manage to bypass all that? (I know if a scam can
> trick a user into clicking okay all bets are off.)
>
> Thanks
> .
>