Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WinXP's 'Limited' Mode - How to Enable?


  • Please log in to reply
7 replies to this topic

#1 Xsara

Xsara

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kenmore, WA
  • Local time:04:10 AM

Posted 02 September 2004 - 06:16 PM

Hi all,

I have just read a very enlightening article in PC Magazine concerning SP2 Security Center Spoofing Threat - http://www.pcmag.com/article2/0,1759,1639276,00.asp The article says, essentially, that the XP Firewall could possibly be spoofed by malicious script which would tell it to "open the door" for an attack. I am probably not doing the article justice so please read it, as well as Microsoft's response.

I am running XP Pro on one machine only. I am set as the Administrator and the only user. The article says, in part:

"...The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk, run in the default administrator mode."

[The question(s) part:] What are the advantages/disadvantages of running XP Pro for a single user in Limited Mode? Where do I go to make the changes?

P.S. This is my first foray into the world of BC outside of the infamous Privacy Tools 2004 thread in the Breaking News - Security Forum.

BC AdBot (Login to Remove)

 


#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:04:10 AM

Posted 02 September 2004 - 08:53 PM

Your question is a good one, Xsara. A part of my present problem is lack of understanding with regards to what I find as a damnable part of winxp pro...the logon feature, and user groups in general. I too use xp pro on one machine only and have found it diffficult to with clarity and foresight manipulate the OS in such a way to accomodate my needs. If you don't mind killin' some time, references to the problems, not the fixes are within this post of mine and links within it:

my problems (in particular, the most recent parts of the thread)

and this, from a post re: freshly installing windows which kinda sums it up:

the questions I had in mind... I've done it a half dozen times (re-installation) and know that variations exist and they do exert influences on the issues of system stability and speed of operation to an extent.
Configuring the OS, especially winxp pro can be done well, or not so well. I'm in between with regards to my own experience.


I'm convinced, from the very start of it's operation, that winxp is more friendly to a large corporation with multiple PC's in multiple locations with multiple users on each one than it is to the single user who initially wanted the extra security features within the file structures themselves and may have been sorta duped by the thought that it was better to get the most advanced operating system so that preparation for the future was assisted, as well.

:thumbsup: Naturally, I'd like to hear more from someone about your question...
patiently patrolling, plenty of persisant pests n' problems ...

#3 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:04:10 AM

Posted 02 September 2004 - 10:11 PM

"Microsoft brings up the point that the user must be in Administrator mode, and the program running on the local machine to get to the WMI. For the enterprise, users may run at more protected levels. But Windows XP home edition installs in Administrator mode, and most end users never change it. So, having administrator mode as the default is a security risk."

Winxp does also, with perhaps some added "level" of involvement. I for one would like it clear why this reference is to only home...also why this...

ME:Logon up to now was as "Administrator...password controled" . So, I went to User Accounts and simply "created user" ... added my username as an administrator. Both appeared at the next welcome screen, and I logged on as "me". Lost all the passwords & Favorites to the limited sites I'd been to up to now. OK, so I'll "switch users". The other administrator account is nowhere to be found. C:\ Documents and Settings has the files, but nowhere in User Accounts itself.

ANOTHER:Regarding the missing Admin account, there is a way to manually enter a username at the login screen in XP.
When the Welcome screen comes up, do a CTRL+ALT+DEL twice, which should bring up the old login box. Type the info there to see if it let's you login with Admin and your old settings.
Not totally sure this will work if the account doesn't show up in Control Panel -> Users, why it disappeared from there is hard to say, but it almost sounds like it was deleted. If you had renamed it to your new account, the settings would have been kept.

ME:The appearance of both was the immediate result of adding a user, something that could have been done at any time and was what the OS loading message was when, during that step at winxp pro, I initially rejected the automatic sceen resolution being done. Not OK button at that point, instead the Cancel button...under constraint of a timed countdown. (If you can see this type...windows will automatically configure your resolution for you. And you have like 20 seconds to accept or change. Remember that step in the load process?) Well, at that point the setup re-routes you to a You Need To Be An Administrator to do this. YOU CAN ALWAYS CHANGE BY GOING TO USER GROUPS, etc. I may be slightly off on it, but I've reloaded often of late, and I recall most of the details.

So, I did it. Add a user. The next screen was the welcome with both Administrator and it's "attached" field to type in the password and right below it the new user name... both shown as "logged on" I clicked my new user name and that was the last I saw of the Administrator.. I didn't delete it. Some other underlying problem exists.

I have searched for the answer to this. In fact a definative discussion of exactly what should be done regarding the Admin vs. Limited issue isn't the same to me as a list of what is done...especially when situations like I have described also result from what appears to be a normal action.

I think what is clear is simply the need exists for both Administrator access level to deal with issues that arise daily here, and also a Limited access, customizable, to run if that becomes appropriate as it appears it may well be as pointed out in the articles and at the security professionals level of opinions. Should ultimately be easy. Why is'nt it? RTFM hasn't done it for me. :thumbsup:

Edited by phawgg, 02 September 2004 - 10:19 PM.

patiently patrolling, plenty of persisant pests n' problems ...

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,592 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:10 AM

Posted 03 September 2004 - 12:08 AM

THe answer is because Windows is ungodly huge that they lose control over it.

The way XP Home works is that you have two types of user accounts, Limited and administrators. Administrators are the gods and can do anything. Limited can change their password, use apps etc, but can not install new software or update the system.

Now as you can imagine, being a limited user does not work very well. You cant install new drivers, cant install new apps, etc, so basically you are stuck in a cage. That is why most people choose Administrator. If you want to not be affected by these socalled exploits, then use an account that is an account type of Limited instead of administrator. Onlyproblem is that you really are limited.

XP Pro has more user groups to choose from, and its Limited group is the restricted group. Once again though you are really restricted so it makes it almost annoying to be in that group.

I hope this explains some of what they mean by limited group, and at the same tim why their solution is not really a good one

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 AM

Posted 03 September 2004 - 11:46 PM

[The question(s) part:] What are the advantages/disadvantages of running XP Pro for a single user in Limited Mode?


I agree with Grinler that running XP in Limited mode is a hassle, but as the article pointed out it can be more secure. That's the advantage. If a hacker/malware gains access to your system it will have the same abilities, or permissions as the logged in user. If you're logged in as a limited user, then the malware can only make limited changes--the damage will be limited. If you are logged in as an Administrator, and an admin can make unlimited changes--system wide--then so can the malware.

XP Pro has another user group, as does Windose 2000, Power User, that is somewhat limited, but is much closer to an Administrator.

So it would be safer to surf the net and do mundane day to day activities as a Limited user and switch to an account with higher permissions when that's called for. It's just not very convenient for a single user. In a business environment, this gives the boss more control over employee computer behavior and security.

Where do I go to make the changes?

Go to Control Panel>User Accounts.

If you want to do this, you can change your account from Administrator to Limited. But I think it would be better to create seperate accounts. I.E., create a Limited account, a Power User account AND an adminstrator acccount. Why you would want to create another Administrator account I'll get into a little later. This way you can experiment with what you can do with each type account, or user group, and can easily switch from one to another simply by logging in to the desired one.

Here's a run down of user groups and their respective permissions:

Administrators:

Can--

Create, modify, and access local user accounts
Install new hardware and software
Upgrade the operating system
Back up the system and files
Claim ownership of files that have become damaged
Do anything a Power User can


Power Users:
Can--

Create local user accounts
Modify user accounts which they have created
Change user permissions on users, power users, and guests
Install and run applications that do not affect the operating system
Customize settings and resources on the Control Panel, such as Printers, Date/Time, and Power Options
Do anything a User can


Cannot--


Access other users' data without permission
Delete or modify user accounts they did not create



Limited Users:

Can--

Create, modify, and delete their own data files
Run system-wide or personally installed applications
Change their personal settings
Install programs for their own use only
Access the network
Print to local or networked printers
Do anything a Guest can



Cannot--

Modify system-wide settings, operating system files, or program files
Affect other users' data or desktop settings
Install applications that can be run by other users
Add printers
Configure the system for file sharing



http://www.wellesley.edu/Computing/WinXP/wxpgroups.html

There is also a Guest account, but it is pretty much useless.

phawgg, have you looked in safe mode for your root Administrator account?

First, let me say that my situation is different than yours and Xsara's. I'm running XP Home in a family setting. The first thing we did when we set up the PC (the OS was pre-installed), was to create accounts for every member of the family--four altogether. So I don't have experience running XP as a single user.

I just noticed this Administrator folder in Documents and Settings directory, but there is no Administrator available to log into at the log in screen. Much later I noticed that when booting into safe mode it is available for log in. This is something I've been curious about--but I think I've figured it out--helped in part by your questions and the thread you linked to (sorry, I've not read it all). The following is partly guessing, maybe you or someone else can point out where I'm wrong.

When you log into your PC for the first time there are no named accounts. You must be logged on as an Administrator to make system wide changes, so how is this possible? You must be logged on to the default or root Account. When you create an account and give it a name (Charly, Administrator; Gloria, Power User; Tim, Limited, etc.), and log into it, the root Administrator is relegated to and only accesssable in safe mode.

I've heard of people with no log in screen. I can only surmise that they have never created a named account and have been using the default Administrative account since day one. I think this is what's alluded to in the article quoted by Xsara.

Edited by Papakid, 04 September 2004 - 12:40 AM.

The thing about people

is they change

when they walk away.--Mipso


#6 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:04:10 AM

Posted 05 September 2004 - 12:34 AM

phawgg, have you looked in safe mode for your root Administrator account?



Well, thankyou, Papakid, for your inquiring mind... checking your C:/Documents and Settings and finding the Administrator Folder there and pursuit of the logic train... I do believe you are right. Since I have loaded the OS many times, and now thinking that in the early stages I must have been using the default administrator once or twice, probably immediately set up a user name without administrator priveledges once, etc. It would explain it. Please understand that its only been with the last three reloads that I've paid more attention to some details regarding the services and security. (and I do remember how frustrated I was when I lost the entire administrative tools option at one point.) That is why I've found the "whole logon process...damnable" ... ignorance of a fundemental provision of the system inception and the amazing variables that such a few seemingly innocent differences at setup & immediately thereafter can cause!!

As I post this, I haven't yet gone into safe mode. Stay tuned, LOL


When you log into your PC for the first time there are no named accounts. You must be logged on as an Administrator to make system wide changes, so how is this possible? You must be logged on to the default or root Account. When you create an account and give it a name (Charly, Administrator; Gloria, Power User; Tim, Limited, etc.), and log into it, the root Administrator is relegated to and only accesssable in safe mode.



"I've heard of people with no log in screen. I can only surmise that they have never created a named account and have been using the default Administrative account since day one. I think this is what's alluded to in the article quoted by Xsara."

YES, I have also run that way... seems like for the best part of a month at one point and I did not understand why the "slow down" occured and why it was irreversible when I, probably out of curiousity, finally decided to add a user, or something equally as simple. I swear I've read a couple dozen things Microsoft has to say about the issue TO NO AVAIL. ( maybe with this Kernal of advice, I can scour the KB's again and see it)


:thumbsup: A Salute to You, Colonel Papakid :flowers:
patiently patrolling, plenty of persisant pests n' problems ...

#7 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:10 AM

Posted 06 September 2004 - 01:39 PM

Thanks for posting back, phawgg.

Let me just say that the business about the Administrator account being relegated to Safe mode is just a theory and I'm not sure how accurate it is. Factual input from anyone who knows exactly what is going on there would be appreciated by me as well, and I look forward to what you may find in Safe mode.

I've looked into some of the aspects of initial account setup and see that there is more to it than I thought at first. Damnable is right, there is a lot of fog here to deal with--more added by a difference between XP Home and Pro.

After my last post to this thread, I looked in my Documents And Settings folder again. Not only is there an Administrator folder there, but an Owner folder as well. Doing some research thru Google, I have yet to find a clear explaination of what this folder is, but have been able to piece together a seminal understanding of it.

First it is specific to XP Home. And apparently it is the name of the initial account when first logging on. If a single user never renames this account/folder/profile(?), Owner is the name of the default account. Also apparently, when a new account is created, the Owner account/folder is supposed to be deleted after it has copied standard items (such as the the My Documents folder) to C:\Documents and Settings\Default User.

Well, before I go any further, here are two pages I'm looking at:
http://support.microsoft.com/?kbid=312131
http://www.blackviper.com/WinXP/supertweaks.htm

XP Pro has no Owner account and uses Administrator for initial setup--or the account you would use if you never created another account as a single user.

This problem does not occur on Microsoft Windows XP Professional-based computers because the Administrator account is used during Setup.



It still looks as tho, from what you have written earlier, if you create a new account then the Administrator account disappears from the log in screen. And renaming Owner or Administrator also apparently causes problems. I agree with you, why isn't this clearly stated somewhere? From Black Viper:

Note: If you have previously used the "Owner" or "Administrator" account for "general purpose," your account options could be affected if you rename the accounts. I do not recommend to rename your account in this case. However, if you have not already, you should password them now!


So it looks to me as tho the best practice is to create whatever new accounts you desire during initial setup.

I still wonder why my XP Home has an Adinistrator account only accessable in Safe Mode. Perhaps it is the ultimately safe way (to MS's way of thinking) to make system wide changes. I.E., the most secure way to run XP would be to have any user accounts set up as Limited and Administrative changes could only be done in Safe mode.

Which brings me back to the original question of the advantages/disadvantages of Limited (User) accounts vs. Administrator. Kelly's Korner has an informative page about the different aspects of user accounts/profiles--user accounts the same as a profile?, don't know--more foggification. His is based on Pro, so some of the how to's on that page can't be done in Home, but he reaffirms what I wrote earlier about the security aspects.

The Omnipotent Administrator

When you use Windows XP, you belong to one of two groups: Administrators or Users. Administrators are all-powerful: if you have a so-called Admin account, you can make system wide changes and change other users' accounts. While this power is a boon to the ego, it's also dangerous. If, for example, you encounter a virus, a Trojan horse, or a worm while you're logged on as Administrator, you could wreck all the accounts on your entire system.

Log in as User, on the other hand, and any damage you cause will be less extensive, because ordinary users are prevented from making system wide changes. A word to the wise: Do your everyday computing as a regular user and log on as Administrator only when it's absolutely necessary, such as when adding a new user or changing security settings.


http://www.kellys-korner-xp.com/win_xp_logon.htm

Have a great Labor Day. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso


#8 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:04:10 AM

Posted 06 September 2004 - 07:45 PM

And you as well, Papakid, hava laughing Labor Day! To furthor the fog, way back when I first came to BC, I was trying with Grinler's help to straighten out problems. Early July. One of the factors that led to a decision to reload XP was trying to wrestle control back from a proxy-switch based on a pop-up blocker that wouldn't let the changes I made stick thru re-boots. Made more difficult due to a network ISP connection that:
  • If done via download from the ISP's homepage would cancel two of my tabs in the network connection properties dialog box. Security was one of them.
  • If I set up the account with the connection wizard, no problems occured.
Raw & I worked that one out in chat one night.

The two combined problems led one to inspect (suspect) the system-wide permissions. User group at that time had 7 users, and I tried to straighten out the permissions to no avail. Out of nowhere, it seemed, had come yet another user...Creator, for crying out loud! With administrator priviledges. Not being bold enough to go too far with the services aspect (I'm bolder now, thanks to black viper's continued research, btw) I tried something with the user group that very effectively locked me and anyone else out of the system. Period. A forced reload, in other words. With significant loss of fairly fresh data from concerted online work at the time.

Needless to say, I'm still piecin' this jigsaw puzzle together. I've experienced great strides but the road is long, my friend. :thumbsup:
patiently patrolling, plenty of persisant pests n' problems ...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users