Rob Garrett - Blogs


Software/Technology Discussion

Software and Technology Tid-bits

Running as Non-Admin

I have recently converted my developer workstations over to running as non-admin.  I was inspired to move over to a least-privilege user account after sitting in on a talk by Randy Hayes – president of the CMAP (Central Maryland Association of .NET Professionals) user group.  The principal theme of Randy’s talk was better protecting your Windows machine from spyware and viruses by running as a non-admin.

Since being part of the audience for Randy’s talk I have been preaching the need to run as a least-privilege user account (LUA) to all my friends, family and work colleagues, so I decided to write up a post on the subject.

I am not too proud to announce that Randy’s talk changed the way in which I think of security on the Windows platform, and this post is testament to his teaching.  With a few exceptions, most of the details in this post are from Randy’s talk.

The Problem
Your Windows computer is under attack!  If you take a fresh install of Windows XP, sans service pack and patches, and then connect it directly to the Internet, within seconds your machine will likely be compromised by a virus or spyware application.  Installation of service packs, use of a firewall and network address translation (using a router) can all help, but what about malicious code that gets downloaded to your PC by you?

Each web site that you visit, from your computer, has the potential to host malicious code, which is downloaded, installed and executed without you even knowing about it.  If you are not careful about opening email attachments from unknown senders, you could also be opening yourself up for attack.

I hear the same complaints when I speak to peers and family members – “My Windows machine is running slow and/or swamped with viruses”.  Conversely, when I speak to Macintosh and Linux users, I do not hear quite as many complaints – why is that?  The answer has nothing to do with Windows having a larger user base; more likely it is because Windows is easy to penetrate due to the default user account holding administrator privileges.

A Potential Solution
Industry has an answer to the mass of spyware and virus applications that attack the Windows operating system, in the form of utilities that scan your computer and remove any malicious code they detect.

There are so many different anti-virus and anti-spyware utilities to choose from.  Some are better than others, some are free, some are expensive, some require a subscription, some do not, but they all suffer from one inherent problem – utilities are only effective in detecting known malicious code.  So what about malicious code that we do not yet know about?

As fast as developers can develop code to detect known viruses and spyware, new breeds of malicious code are invented and released on the Internet even faster.  This leaves your machine open to attack while you wait for the next service pack release.

A Better Solution
A better solution involves reducing the attack surface on your computer – running as LUA.  When you perform your day-to-day tasks under an account with administrator privileges, the attack surface consists of:

•    Your operating system files
•    Your application files
•    Your machine registry
•    Your personal files
•    Your personal registry

Switching over to a LUA immediately restricts the attack surface to the following:

•    Your personal files
•    Your personal registry

This is because the LUA, by default, does not have write access to operating system and application files.
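
The two lists above can be checked on a given machine. The following is an added example, not part of the original post: it probes write access to one representative location for each of the five areas; the chosen locations and the function name Test-WriteAccess are assumptions made for illustration.

```powershell
# Added example, not from the original post. Nothing is left behind: the file
# probe is created with DeleteOnClose and registry keys are only opened.
$roots = @{
    HKLM = [Microsoft.Win32.Registry]::LocalMachine
    HKCU = [Microsoft.Win32.Registry]::CurrentUser
}

function Test-WriteAccess {
    param([ValidateSet('Dir', 'Reg')][string]$Kind, [string]$Target)
    try {
        if ($Kind -eq 'Dir') {
            # Creating a file is the write a dropped executable would need.
            $probe = Join-Path $Target ('lua-probe-{0}.tmp' -f [guid]::NewGuid())
            [IO.File]::Create($probe, 4096, [IO.FileOptions]::DeleteOnClose).Dispose()
        } else {
            $hive, $subKey = $Target -split '\\', 2
            $key = $roots[$hive].OpenSubKey($subKey, $true)  # $true = ask for write access
            if ($null -eq $key) { return $false }            # key does not exist
            $key.Close()
        }
        return $true
    }
    catch [UnauthorizedAccessException], [Security.SecurityException] {
        return $false                                        # access denied
    }
}

# One representative location per area from the lists above (assumed choices).
$areas = @(
    @{ Area = 'Operating system files'; Kind = 'Dir'; Target = $env:windir;       Lua = $false }
    @{ Area = 'Application files';      Kind = 'Dir'; Target = $env:ProgramFiles; Lua = $false }
    @{ Area = 'Machine registry';       Kind = 'Reg'; Target = 'HKLM\SOFTWARE';   Lua = $false }
    @{ Area = 'Personal files';         Kind = 'Dir'; Target = $env:USERPROFILE;  Lua = $true  }
    @{ Area = 'Personal registry';      Kind = 'Reg'; Target = 'HKCU\Software';   Lua = $true  }
)

$areas | ForEach-Object {
    [pscustomobject]@{
        Area          = $_.Area
        Target        = $_.Target
        Writable      = Test-WriteAccess -Kind $_.Kind -Target $_.Target
        ExpectedAsLUA = $_.Lua   # what the post says a LUA should be able to write
    }
} | Format-Table -AutoSize
```

Any row where Writable is True but ExpectedAsLUA is False means the current session can still modify that area.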

In an ideal world your personal files and personal registry would be protected from attack as well; however, all is not as bad as it seems.  Most spyware and virus applications are after your operating system and applications – rendering your machine unusable.  Personal files can (and should) be backed up in case of machine failure or attack, as can the user registry.  In a worst-case scenario, if a virus attacked your personal files and personal registry, all that is required is to delete your work files, delete the user profile and create a new one.  If your operating system or applications are affected, then you are looking at repaving your entire machine.

How to tell if you are an admin in Windows:

•    Right click the start button, if you see “explore all users” you ARE an admin
•    Double click the clock in the system tray, if the date/time applet appears then you ARE an admin
•    Right click the “My Computer” icon on the desktop, click computer name.  If you see a “change” box then you ARE an admin

How to run as LUA
•    Remove your user account from the “Administrators” group.  If you are using the default “Administrator” account, then create another low privileged user for your day to day tasks.
•    Never use the “Power Users” group – even though this group is not the “Administrators” group, users that belong to this group still have administrative privileges across your machine.
•    If you are part of a corporate domain and the only administrative account on your machine is your day-to-day user account (many corps disable the main "Administrator" account), then be sure to create a local admin account on your machine before revoking the administrative privileges of your day-to-day account.  This will ensure that you have at least one administrative account on your machine, which can be used via the "run-as" command.
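
A scripted version of the checks in this procedure, as an added example that is not part of the original post: it reports whether the current account sits directly in Administrators or Power Users, and whether another enabled local administrator exists to fall back on before you demote yourself. The function name Get-LuaReadiness is hypothetical, and the script assumes Windows PowerShell 5.1 or later for the LocalAccounts cmdlets.

```powershell
# Added example, not from the original post. Reports only; changes nothing.
$AdminsSid     = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$PowerUsersSid = 'S-1-5-32-547'   # BUILTIN\Power Users (well-known SID)

function Get-LuaReadiness {
    $me     = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $admins = @(Get-LocalGroupMember -SID $AdminsSid)
    $power  = @(Get-LocalGroupMember -SID $PowerUsersSid -ErrorAction SilentlyContinue)

    # Direct membership only: membership inherited through a nested domain
    # group is not resolved here.
    $inAdmins = @($admins | Where-Object { $_.SID.Value -eq $me }).Count -gt 0
    $inPower  = @($power  | Where-Object { $_.SID.Value -eq $me }).Count -gt 0

    # Other enabled local accounts in Administrators. A disabled built-in
    # "Administrator" does not count, since it cannot be used with run-as.
    $fallback = @($admins | Where-Object {
        $_.ObjectClass -eq 'User' -and
        $_.PrincipalSource -eq 'Local' -and
        $_.SID.Value -ne $me -and
        (Get-LocalUser -SID $_.SID).Enabled
    })

    [pscustomobject]@{
        InAdministrators = $inAdmins
        InPowerUsers     = $inPower
        FallbackAdmins   = $fallback.Name -join ', '
        SafeToDemote     = $fallback.Count -gt 0
    }
}

Get-LuaReadiness | Format-List
```

Using the well-known SIDs rather than group names keeps the check working on non-English installs, where the groups are localized.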

NTFS is your friend
NTFS is a file system that includes management of file security.  If your file system is using FAT/FAT32 you will need to convert to NTFS to take advantage of file security.

Chances are that you may not have messed with the default security permissions that were applied to operating system and application files when Windows was installed. This being the case, your operating system and application files will be protected from malicious code when running as LUA.  If, however, you have made changes to NTFS security and wish to restore permissions to the default Windows installation settings, execute the following statement at a command prompt:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /areas FILESTORE

Warning: The above command will reset all of the file security permissions on your operating system drive, so you will need to be running as an administrator, and be aware that any changes made to file security permissions after you installed Windows will be lost.

Objections
•    “I do not want to be restricted”
    o    Neither will malicious code
    o    You will spend all your time updating the signatures of your anti-spyware and anti-virus utilities

•    “Some of my applications do not work as non-admin”
    o    Find out why.  Some effort may be required to get apps to work as non-admin, but the peace of mind that comes with the added security is worth the effort.
    o    Call the manufacturer and DEMAND that they make their application work under LUA
    o    Avoid software that does not carry the “designed for Microsoft Windows XP” logo

•    “I hate logging out to install software or perform an administrative configuration”
    o    Get used to using the “run-as” option (right click shortcuts with the left shift key down)
    o    In commercial organizations it is common practice to log on as a domain admin to install and configure software, but office users do not all have the domain password.

•    “Some of my developed code does not execute under LUA”
    o    This is a good opportunity to take a look at your code and find out why it requires administrative rights to execute.  If you can get your code to work as LUA then it will most likely deploy better, and require limited hands-on installation when moving it to a production environment.

Where can I find out more information?
•    Randy Hayes’s presentation slides can be downloaded from here
•    www.non-admin.com is a new web site being set up by Randy to educate non-technical readers on configuring their computer as LUA


Published Wednesday, November 09, 2005 2:31 PM by Rob Garrett

Rob Garrett is a British Expat living in Maryland USA. Rob is a trained software engineer and experienced in Windows .NET development.

Rob enjoys listening to Rock music, posting to blogs, driving in the country with the sunroof open, beer (not in conjunction with country driving) and spending time with his family.
