Unified Diff

HOW TO: Work Least-Privileged in Windows XP

by Bob on 25 February 2006, under How To, Security, Windows

Have you ever been the victim of a computer virus, worm, or other malicious software program? If so, then you understand what a pain it is to recover. Oftentimes, the only way to fix the problems is to do a clean re-install of Windows. Of course you can buy anti-virus and anti-spyware products, but these programs all work after the fact. Wouldn’t it be nice to be able to stop malicious software (malware) in its tracks before damage is done?

Enter the “least privilege” security model. This approach to computing is very simple — only give yourself enough privileges to accomplish the task you need to perform. For example: do you need to be able to delete all of your system files while you write a letter in Microsoft Word? The answer would be “no, of course not!” But running with full privileges, you would be able to do so.

This is how malware spreads. Users visit websites that exploit known vulnerabilities in Internet Explorer. Since the default setup in Windows XP is to be an administrator, these programs can freely install themselves without your knowledge or consent. Working least-privileged solves this problem because without the privileges to tamper with system files, malware can’t invade your computer (easily).

Are you sold yet? Great! Now let’s set it up. Traditionally, working with a non-privileged account has been a real pain. But there are some tricks to help you.


1. Creating an Unprivileged Account

This step really depends on how you are set up right now. If you already have an account, then we need to adjust your privileges. Either way, you’ll need to log off (Start > Log Off). Once you’re at the Welcome screen, press and hold the Control and Alt keys and then press the Delete key twice. You should now be presented with a login window. Type “administrator” for the user name and your password (or leave it empty).

Once logged in, pop yourself into the “User Accounts” control panel (Start > Control Panel > User Accounts). Select your own user account and choose “Change my account type”. Select “Limited User” and click OK. If you don’t have a password on your “administrator” account, you will want to set one now.

2. Turn Off Simple File Sharing (Optional)

This may fall more into the category of preference, but I think it makes life easier. Windows manages permissions on securable objects (this includes files and folders) with Access Control Lists (ACLs). When Simple File Sharing is turned on, Windows handles editing these lists for you. Doing this yourself gives you greater flexibility, but can cause you to lose data if you make a mistake.

To do this, open “My Computer”. From the “Tools” menu, choose “Folder Options”. Click on the “View” tab and you should see a list with checkboxes. Scroll to the bottom of this list, uncheck “Use Simple File Sharing (Recommended)”, and click OK.

3. Changing the Default Owner (XP Pro Only)

When a member of the Administrators group creates a file or folder, that user is the default owner. This can cause headaches when running least-privileged because you could end up with write access to system files. By making the Administrators group the default owner, you eliminate that risk.

To accomplish this, you will need to open the Local Security Policy editor (Control Panel > Administrative Tools > Local Security Policy). In the left-hand pane, choose “Local Policies” and then “Security Options”. In the right-hand pane, find “System objects: Default owner for objects created by members of the administrators group”. Choose “Administrators Group” from the drop-down list and click OK.

4. Secondary Logon Service

What happens when you’re working and you need to make a change? Should you log off and log on as an administrator? No! There is an easier way. The Secondary Logon service allows you to run any application as another user by right-clicking on the file and choosing “Run As…”.

This should be enabled by default, but let’s just make sure. Run the Computer Management applet (Control Panel > Administrative Tools > Computer Management). Choose “Services & Applications” and then “Services”. In the right-hand pane, find “Secondary Logon”, right-click, and choose “Properties”. Make sure the startup type is “Automatic” and then click “Start” if the service is not already started.

5. Elevate Your Own Account (Optional)

Sometimes you need to make changes to your own account, but they require administrative privileges. You could change your account privileges (using Run As) and then log off and log on again. But there is an easier way: Make Admin. This program will allow you to change your account privileges on-the-fly for specific applications.
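For anyone who would rather script steps 1 through 4 than click through the dialogs, here is a command-line equivalent as an added example (it is not part of the original post, and Make Admin from step 5 has no scripted counterpart here). It uses the stock XP tools net, reg, sc, cacls and runas; the registry values forceguest and NoDefaultAdminOwner under the Lsa key are the ones behind the Simple File Sharing and default-owner settings described above. The account name "bob" is a placeholder. Run it from an administrator command prompt, for example one opened with Run As…

```batch
@echo off
rem Added example, not from the original post: command-line equivalents of steps 1-4.
rem Run from an administrator-privileged command prompt (e.g. via Run As...).
rem ACCOUNT is a placeholder; substitute the name of your own everyday account.
set ACCOUNT=bob

rem --- Step 1: make the account a Limited User ---
rem The "Limited" account type in the User Accounts applet is membership of the
rem built-in Users group instead of Administrators, so swap the group memberships.
net localgroup Administrators %ACCOUNT% /delete
net localgroup Users %ACCOUNT% /add

rem Check: the "Local Group Memberships" line should now list *Users only.
net user %ACCOUNT%

rem --- Step 2: turn off Simple File Sharing ---
rem Simple File Sharing is the LSA "forceguest" setting; 0 = classic, ACL-based security.
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t REG_DWORD /d 0 /f

rem --- Step 3: Administrators group as default owner (XP Pro only) ---
rem NoDefaultAdminOwner=1 is the value behind the policy "System objects: Default owner
rem for objects created by members of the administrators group". The default owner is
rem stamped into the logon token, so the change applies from the next logon onward.
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NoDefaultAdminOwner /t REG_DWORD /d 1 /f

rem --- Step 4: make sure the Secondary Logon service is automatic and running ---
rem Note the space after "start=" : that is the syntax sc requires.
sc config seclogon start= auto
sc start seclogon
sc query seclogon | find "RUNNING"

rem --- Check what "no write access to system files" looks like in the ACLs ---
rem On a stock install BUILTIN\Users has R (read) on system32 while Administrators has F.
cacls %SystemRoot%\system32

rem --- Using Run As from the command line ---
rem Opens a command prompt as the administrator; anything launched from it runs elevated.
rem runas /user:administrator cmd
```

The last line is left commented out because runas prompts for the administrator password interactively. The cacls listing is the check to make after logging back on with the limited account: as long as your everyday account only appears through BUILTIN\Users with R, the system files are out of reach of anything that runs as you.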


Well, that was relatively painless (I hope). It will take some getting used to, but in the long run, you’ll be glad you did. Oh, one more tip: you should do this on a clean install of Windows for best results.

