
Surfing as a standard user rather than administrator

2 replies to this topic

#1 Friar K
Posted 16 February 2015 - 08:36 PM

Like most of us, I'm learning about this malware stuff the hard way... by digging myself out of infection.

 

I came across the idea of surfing from a standard user profile rather than an administrator profile to prevent malicious ads and web pages from installing anything.  It seems like a simple idea but it still depends on the oh-so-porous impermeability of Windows. It would also entail switching accounts to install anything. This would mean shutting all programs down then restarting them from a different account.

 

I am the only one who uses my computer so I only have one user account, an administrator. I would have to create a second account to do this. I am hoping that I can get feedback on to what extent this is good practice and common practice. Is it worthwhile?

 

Thanks


Edited by Friar K, 16 February 2015 - 08:37 PM.


#2 quietman7
Posted 17 February 2015 - 07:47 AM

Using the least possible privilege (limited user account) to perform a task limits the damage that a mistake or malicious software can inflict on a computer. This concept has been around for years and is one reason Microsoft introduced the User Account Control (UAC) (which is enabled by default) starting with Windows Vista. However, a limited user account may reduce your ability to perform effective security scans as removing some malware requires admin rights and other user accounts may not be scanned.

Wikipedia: User Account Control Explained

When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by the Windows operating system to control what resources and tasks the user can access. The access control model in earlier Windows operating systems did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as a "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files, and in some instances, become nearly impossible to remove. Unlike earlier versions of Windows, when an administrator logs on to a computer running Windows 7 or Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user.

What is User Account Control?
User Account Control Step-by-Step Guide

Although it provided security benefits when introduced in Windows Vista, the primary goal of UAC was intended to enable more users to run with standard user rights. Windows 7 carried forward UAC's goals with the underlying technologies relatively unchanged but introduced two new modes that UAC's PA account can operate with and an auto-elevation mechanism for some built-in Windows components.

Despite the added security benefits, UAC was never designed as a cure-all safeguard against all malware infection.

Note: The above articles are not intended to infer that UAC is of little benefit. UAC is just another tool in a comprehensive security scheme and as most experts will advise, don't disable UAC.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
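A way to check which of the three token states quietman7's quoted text describes you are actually browsing from. This is an added example, not code from the thread or from Microsoft; it relies only on the built-in `whoami` tool and assumes Windows Vista or later.

```powershell
# Added example (not from the thread): classify the current session as a true
# standard user, a UAC-filtered administrator (the split-token case described
# above) or a fully elevated administrator. Run it in the account you browse from.
function Get-TokenState {
    # whoami /groups lists every SID in the current access token with its
    # attributes; /fo csv gives a stable, parseable layout.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $adminSid      = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $highIntegrity = 'S-1-16-12288'   # SID of the "High Mandatory Level" label

    $admin = $groups | Where-Object { $_.SID -eq $adminSid }
    $high  = $groups | Where-Object { $_.SID -eq $highIntegrity }

    if (-not $admin) {
        # The account is not in Administrators at all: this is the standard
        # user account the original poster is asking about.
        $state = 'StandardUser'
    }
    elseif ($admin.Attributes -match 'deny only') {
        # Member of Administrators, but UAC marked the group "used for deny
        # only" in this token: the filtered (standard-user) half of the split
        # token that Explorer and everything launched from it inherit.
        $state = 'FilteredAdministrator'
    }
    else {
        # Administrators is enabled in the token: the full administrator token,
        # normally accompanied by the High integrity label.
        $state = 'ElevatedAdministrator'
    }

    [pscustomobject]@{
        User          = (whoami)
        State         = $state
        HighIntegrity = [bool]$high
    }
}

Get-TokenState
```

A browsing session should report `StandardUser`; `FilteredAdministrator` means the account can still be elevated through a UAC prompt, which is the exposure the original poster wants to avoid.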

#3 Didier Stevens
Posted 17 February 2015 - 02:03 PM

No, you are certainly not the only one doing this. I started doing this on Windows XP, but back then it was not that easy.

 

It's a good practice that I recommend.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"