Not running as admin...

The security principle of “least privilege” is well understood:  Software should run with the smallest set of privileges needed to perform its tasks.  Low-privileged processes can do a lot less damage when they are compromised (or just buggy) than processes running at high privilege levels.  Windows has made great strides to run services with lower privilege than in the past.  However, Windows users who are allowed to administer their own machines (including most Microsoft employees) usually run with Administrator privileges all the time.  That is, the account with which they normally log on is a member of the local Administrators group (or worse, Domain Administrators).  Everything they do, from reading email, browsing the internet, instant messaging, writing documents, and writing software, is performed with full (and unnecessary) administrative control over the entire computer.  Email, web browsing, and instant messaging do not require administrative privileges, and are common avenues for malicious code to attack end users’ systems.  To be more secure, users should log on with a Limited (or “Least-privileged”) User account (LUA), and use elevated privileges only for specific tasks that require them.  Linux/Unix users have understood this for a long time, so this remains an area where Microsoft is perceived to lag in thought leadership.  Unfortunately, Windows does not yet make running as non-admin as straightforward as it needs to be.  Hopefully Longhorn will address these shortcomings.  In the meantime, though, there are some neat workarounds that greatly mitigate the inconveniences.

 

In subsequent posts, my plan is first to try to convince you that running as non-admin is the right thing to do, to get you to want to run as a normal User instead of admin.  Next, I'll offer up a collection of valuable tips, tricks and tools to make living as a Limited User as easy as possible.

 

In the meantime, let me know what your pain points are.  Have you tried running as User?  What were the biggest problems?
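The post's central concern, a day-to-day logon that is a member of the local Administrators group or of Domain Administrators, can be checked directly. The following is an added example, not code from the original post; it assumes PowerShell on Windows, and the function name `Get-AdminMembership` and the sample SIDs are constructed for illustration.

```powershell
# Added example (not from the original post). Reports which administrative
# groups are active in a logon token, given the token's group SIDs.
function Get-AdminMembership {
    param(
        # Group SIDs to evaluate. Default: the groups .NET reports for the
        # token of the current process.
        [string[]]$GroupSids = @(
            [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
                ForEach-Object { $_.Value }
        )
    )
    foreach ($sid in $GroupSids) {
        if ($sid -eq 'S-1-5-32-544') {
            # Well-known SID of the local Administrators group
            [pscustomobject]@{ Sid = $sid; Group = 'BUILTIN\Administrators'; Reach = 'this computer' }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-512$') {
            # Domain SID followed by RID 512 is Domain Admins
            [pscustomobject]@{ Sid = $sid; Group = 'Domain Admins'; Reach = 'the whole domain' }
        }
    }
}

# Check the account you are logged on with right now.
$current = @(Get-AdminMembership)
if ($current.Count -gt 0) {
    Write-Output 'This session holds administrative group membership:'
    $current | Format-Table -AutoSize
} else {
    Write-Output 'This session is running without administrative group membership.'
}

# Constructed sample token (SIDs made up for illustration): a domain user who
# was also added to the local Administrators group and to Domain Admins.
$sample = @(
    'S-1-5-21-1111111111-2222222222-3333333333-513',  # Domain Users
    'S-1-5-32-545',                                   # BUILTIN\Users
    'S-1-5-32-544',                                   # BUILTIN\Administrators
    'S-1-5-21-1111111111-2222222222-3333333333-512'   # Domain Admins
)
Get-AdminMembership -GroupSids $sample | Format-Table -AutoSize
```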

Comments

  • Anonymous
    June 16, 2004
    "running as non-admin is the right thing to do"
    I've known this to be true for a long time, yet ...
    "get you to want to run as a normal User "
    I think this is the hard part of your admirable quest. But I'm game. Give it a try!

    Perhaps you could enumerate items in the downside. How will running as Admin definitely hurt me? How will it potentially hurt me? If there's no actual pain, only potential (and unrealized) pain, why change?

    It's been so long since I ran as a regular user, I've forgotten what most of the problems and pains were ... but here's one.

    Situation: I'm logged in as a non-admin. I need to do some simple admin task. What's the quickest way to just get it done? Are there options besides logging out and logging in as admin?

  • Anonymous
    June 16, 2004
    I think the biggest negative for Windows users to run as a non-admin are applications that simply will not work or install if you are not logged in as an administrator.

    This should gradually change as app vendors start to realise security affects them too, but MS should create the framework to allow this to happen. The Windows installer should know that if an application tries to write to privileged keys, it should prompt the user for admin credentials.

    Instead of just having the run-as command, each application should be allowed to specify that it wants to run as a specific user, even if you are logged in as another user. This includes explorer, internet explorer, etc.

    Allow fast user switching to work in the corp domain environment.

    During a new Windows client install, do not create admin users with blank passwords - duh.

    For every single Windows admin tool, if the tool requires admin privileges and is being run from non-admin account, prompt for admin password. For example, device manager, manage computer, services, etc.

    Look at how MacOSX and Linux do it and then do it better.

  • Anonymous
    June 16, 2004
    Yes, just right click the application and choose Run As...

  • Anonymous
    June 17, 2004
    I agree with ray on all points.

    I use the 'cmd' prompt to open a new 'cmd' prompt as 'Administrator' to do stuff I need to do:

    > runas /user:administrator cmd
    Enter the password for administrator:

    Attempting to start cmd as user "THANGORODRIM\administrator" ...

    >

    But even with 'cmd' (running as THANGORODRIM\ADMINISTRATOR) it's impossible to:

    * Run Windows installer (*.msi) packages

    * Install fonts into %windir%\Fonts (copying with 'xcopy' does not seem to install)

    * Open a file manager (Windows Explorer) window

    And it's pretty hard to open the Control Panel applets. For instance, to run 'Add/Remove Programs' I have to (with 'cmd' running as Administrator as described above):

    > c:
    > cd \windows\system32
    > control appwiz.cpl

    The Control Panel applets don't have 'Run as...' in their context menus! Arrrrgh! :-)

  • Anonymous
    June 17, 2004
    Good points, Yawar, and I will address each of them in upcoming posts. (Well, I haven't looked into the fonts issue, but I can definitely get you through all the others.) Stay tuned!

  • Anonymous
    June 17, 2004
    James, please contact me directly re Nero, Adobe, etc. Do you have exact repro steps? Any chance they've upgraded to XP yet and could try as User again?
    Thanks.

  • Anonymous
    June 20, 2004
    By the way, you should be able to run msiexec.exe without any problems. According to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_vstechart/html/tchDevelopingSoftwareInVisualStudioNETWithNon-AdministrativePrivileges.asp , you can run "msiexec /I msifile.msi" after you've "runas /user:administrator "cmd.exe"" It claims that "Note This is exactly what Windows does when you double-click an .MSI file." so it should work without any problems. On the page, you'll also find out how to run things such as the 802.11 monitor, add new hardware wizard, power options, ups, and many other commands. For programs that you use often as administrator, you can make a shortcut to the application. To run the application as root, you would then right-click on the shortcut, select "Properties", choose "Run As" and then enter the username and password. Simple enough...

    Also, according to http://www.petri.co.il/run_windows_explorer_as_another_user.htm you can run "explorer.exe" as admin by either: C:\>runas /user:pro1\Administrator "explorer.exe" or by navigating to your windows folder and shift-right clicking explorer.exe and telling it to run as Administrator.

    PS. I'm not 100% sure of the above since I just came across the information right now and I'm currently running Linux + I'm too lazy to boot Windows. :D

  • Anonymous
    June 20, 2004
    "HopeICanHelp" - thanks for posting. As a lot of frustrated people will tell you, runas with Explorer does not work - at least not in the default configuration. I'll post more on that very soon - stay tuned!

  • Anonymous
    June 23, 2004
    Here is an alternative, similar to PA, for Windows 2000/XP/2003. We have developed a solution (and are giving it away for free to home users) that adds/removes privileges on the fly to the end user token -- that is -- no need for a second user account like all RunAs-derived solutions require.

    Give it a go .. http://www.neovalens.com

    Cheers,

    Marco Peretti
    NeoValens

  • Anonymous
    June 24, 2004
    Marco, that looks really interesting. When was 1.0 released?

  • Anonymous
    July 06, 2004
    I would add to what James has said that many other applications also require admin rights to run - including some of Microsoft's own products (for example Age of Empires II - Age of Kings).

    How can I let my kids play it without giving them the admin password?

  • Anonymous
    April 18, 2005
    Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

  • Anonymous
    May 25, 2005
    Using your desktop without admin rights is the only way to use your system. At home every system I have had since Windows NT 4.0 Workstation came out has two accounts, one admin for installations and troubleshooting, one for every day use. In my corporation I forced 200 users not to have admin rights. They all complained, but when our support team guarantees them their systems are up and running without issues, they are okay with it.

  • Anonymous
    June 10, 2005
    Get your friends and family, all those folks that come to you for computer help once their machines have...

  • Anonymous
    June 10, 2005
    Instead of having to decide which level of corporate employee I'm going to pretend to be as I log on, and staying that way all day, I'd rather set limits on what various apps can do - and it's not as simple as a scale of "0 to 10".

    For example, in a particular hour I may:
    - look up a financial account in a database
    - browse a web site or two
    - read mail and "open" email attachments
    - play a quick game or two

    I'd want Internet-facing apps to have zero access to either system or user data, the game to have zero access to anything outside of its own subtree, and my accounting app to have zero access (in either direction) beyond the local PC. I don't see user session rights as delivering this - after all, even the most limited user has the right to edit their own data, so any malware with those rights can trash that data simply by overwriting it.

  • Anonymous
    June 23, 2005
    The main limitation of 'run as' is that it truly assumes that identity. Any changes made to the HKLM tree do so for the assumed ID, not the logged in one. When running an install under 'run as', read/write rights should be given to the logged in user to any folder and registry key subtree created. Does me no good to install as administrator if the user can't use the app.

  • Anonymous
    June 23, 2005
    Serge --
    1. Addressed - see the posts about MakeMeAdmin.
    2. Changes made to HKLM are system-wide - did you mean changes to HKCU?
    3. No, you don't want to grant Write access to the program's install folder or HKLM settings. Those should be Read-only to users. Per-user data should go into the user's profile, not the app install folder.

  • Anonymous
    July 18, 2005
    Excellent topic. I just stumbled upon this by accident and will be following it closely.

    I'm an application packager and SMS admin in a corporate environment, and I face problems with installing and running applications in a locked down environment on a daily basis. I'm also leading a project to move to a more locked down environment. Our current spread is around 50%/25%/25% distribution in user/power user/administrator respectively. We're looking to move to a spread of around 85%/10%/5%.

    Probably the single biggest problem that I face when running apps as a user is with applications that write temp files to unusual locations when running. I've had apps drop temp files into program files, %windows%, the root of c, even the root of documents & settings. I can sometimes get around this by adding the temp file to the installation, but this only works about half of the time.

    I'll be interested to see what you can uncover in an everyone-wants-admin-rights world.

  • Anonymous
    July 18, 2005
    Running as a non-admin for the most part is living in a dream world. Microsoft's own apps do not work fully when run as a normal user, not to mention a wide variety of non-Microsoft apps. I have talked to a number of people who are in the same boat. You have to give users local admin rights just to get most apps to run right.

  • Anonymous
    September 11, 2005
    Yawar, if you open Control Panel, hold the Shift button and then right-click the applets there is an option for "Run as..."

    Also, if you open the Start menu and locate Windows Explorer there, right-clicking the item on the menu will also give you the option for "Run as..." - no need to hold shift in this case.

    - Chris

  • Anonymous
    September 25, 2005
    Hi, whenever I try running "runas /user:administrator cmd" or "runas /user:computername\administrator cmd" it opens the command prompt and asks for a password but it seems like the keyboard becomes disabled only at this point. I'm wondering how to do it properly. I hope you can help me out on this one. Thanks!

  • Anonymous
    September 26, 2005
    Pam -
    It's working. RunAs.exe just doesn't echo any characters (not even asterisks) while you're typing the password.
    HTH

  • Anonymous
    August 14, 2006
    Good notes in this forum. This debate is really hard to establish, considering laptop users and desktop users. I am working in this non-admin direction and the debate is still ongoing with some proprietary apps used by only certain people. I will follow this forum and share my opinion on what is happening in the real world vs. lab testing and what a developer proposes. It is always best to look into the user world before you implement or code your application as a regular user in the first place.

  • Anonymous
    October 19, 2006
    I've been using winXP-PRO since SP1a. From day 0 the everyday work has been done in a non-admin account. I log on as an admin only to do some maintenance. What I miss in Windows is "sudo" - I am very unhappy about "runas" asking me for the admin's password. The *nix "sudo", on the contrary, asks for the user's own password and then decides, based on the contents of a special configuration file (namely "/etc/sudoers"), whether the current user's requested action was pre-approved by an administrator. With the current "runas" behaviour, winXP is still a single-user OS for me...

  • Anonymous
    October 21, 2006
    Nero works perfectly under Limited user account. All it takes is to download and install "Nero BurnRights" from http://www.nero.com/nero7/eng/Support_Tools.html Tom

  • Anonymous
    January 15, 2007
    I am currently running as an Admin with no other users. I tried to set up an LUA but it wouldn't let me until I had set up an Admin Account (even though I already have one). I set one up and then an LUA and ended up with 2 Admins and 1 LUA. Of course all my settings are on the first Admin (e-mail, IE favourites etc.) I tried to change the first Admin to an LUA but couldn't and when I deleted the LUA my first Admin disappeared too leaving me with the 2nd Admin without any of my settings. So... How do I set up just 1 new account (LUA) and transfer all my settings to it from the Admin one? I also then need the e-mail and internet settings to be a mirror on both accounts. Is this possible?

    TMOF: The built-in Administrator account is hidden from the logon UI unless it is the only admin account left. XP generally wants to keep that account around in case your "regular day-to-day" (admin) account has a problem. A bit unfortunate.

    Anyway, to transfer Favorites, etc., from your admin account to your new LUA account, I would suggest logging on as the admin, finding the Favorites folder, and copying (not moving) the items to the corresponding Favorites folder of your LUA account. (If you move the items, they will retain the permissions from the source folder, and the LUA account will not be able to see them.)

    For email - that will depend on what email program you use. Outlook Express includes various Export features to simplify transfer of settings, messages, address books, etc. To transfer email account settings, it's Tools / Accounts / Export... Put the exported data in a shared location where your LUA account can read them.

    HTH -- Aaron

  • Anonymous
    September 14, 2007
    Table of Contents - blog posts on Aaron Margosis' Non-Admin WebLog

  • Anonymous
    March 28, 2008
    I actually have a question. I have two computers, both running windows XP. One has a deskjet printer directly connected that has been up for sharing. On the 2nd I am able to install the printer when logged in as admin, however, my limited user account can not see the printer. Any suggestions?

    [Aaron Margosis] You should be able to browse for and install the printer while logged on as the non-admin account in the same way.

  • Anonymous
    May 01, 2008
    Let me start by saying, I'm one of only 2 techs for a small city of around 250-300 computers and our policies don't allow Admin rights to the end-user. Not granting Admin rights has consistently been one of the biggest thorns in my side, not viruses, adware or spyware. If you lock down your network you can keep all that stuff out, but I always have to spend time with the end user to make stuff work as Admin. An example of that would be our Police Department. They have new video footage they just got from Joe's Mini Mart and now they have to view this video at their PC, but of course the video is proprietary and they have to have software loaded that only Joe or his vendor can provide. Guess who has to load it? ADMIN! Doing a RUNAS works only if you're the Admin and if you're not you'll have to call someone. This is only one example of many. I ran across this blog when I had to set up our GIS user and they couldn't run a program in Corel called Bit Stream Font Navigator that they use to manage their Fonts; XP only allows Admins that right. After looking around I found this great utility that allows an end user to run any program as ADMIN and it's freeware, but the Admin still has to do the initial setup. http://www.steelsonic.com/steelrunas.htm The ultimate goal for all techs, in my opinion, is to be as efficient as possible by addressing all the needs of the end user in a timely fashion; LUAs aren't the way to do that. The overhead that LUAs cause for techs is HUGE. I have my opinions on how to make that happen, but I'll refrain :)

  • Anonymous
    December 17, 2008
    I have been running Windows XP SP2 and now SP3 for some time in limited user mode. I managed to get most things to work. There is one thing that I cannot implement. That is to do a custom windows update. The only message I get is during shutdown, when there is the option of either do an auto update during shutdown or no update. There is no custom update option given. Is there some work around for this? Thanks

  • Anonymous
    April 10, 2009
    @ Yawar Amin you can try this to Install fonts without admin. go to fonts folder. follow these links u will understand :) http://4.bp.blogspot.com/_qGrwehdbHLY/SXoB84VwiLI/AAAAAAAAALU/1KRIN3EHyEA/s1600-h/untitled2.JPG http://1.bp.blogspot.com/_qGrwehdbHLY/SXoAZS-3t-I/AAAAAAAAALM/jZm1SnQIMmA/s1600-h/untitled.JPG

    [Aaron Margosis] I don't suppose you actually tried that before you went to the trouble of posting it, did you? :) Try it. You get a weird error message about the font being in use. Run Process Monitor and you'll see the "access denied" errors causing the CopyFile operation to fail.