registry hacked under XP limited account



lecter
07-09-2005, 11:52 PM
I have a computer running under the WinXP system. And one day I found that
the registry was modified and I couldn't run any .exe file! (The
problem has been solved by entering a registry key.)
The thing I want to know is whether the registry can be modified
under a WinXP limited account?

__
Lecter
- "Trust No One!"

Karl Levinson, mvp
07-09-2005, 11:52 PM
"lecter" <2@2.com> wrote in message
news:kvfg91p7db9bm491idlkjnlobvkp3eo21h@4ax.com...
> I have a computer running under the WinXP system. And one day I found that
> the registry was modified and I couldn't run any .exe file! (The
> problem has been solved by entering a registry key.)
> The thing I want to know is whether the registry can be modified
> under a WinXP limited account?

Very very easily. Running as a limited account does VERY LITTLE to stop
viruses. Anyone who tells you any different is mistaken. Even well-known
people at Microsoft have this misconception.

Running as limited user does prevent much spyware and adware today, but only
because the authors of that malware see no need to make their programs work
as limited users. This tactic will NOT be effective against future malware.

Malware running as limited user can do anything that you can do. If you
were able to change the registry and fix the problem while logged in as a
limited user, then malware would have the same permissions. You can see the
permissions of that registry value by clicking Start, Run and typing
REGEDT32. Also, many viruses use buffer overflows or could theoretically
use other exploits like local privilege escalation to gain full System
privileges, regardless of the permissions of the currently logged-in user.
If the registry value you fixed did not give Write permission to your
limited account [or to the Users or Everyone groups], then I would go to
http://windowsupdate.microsoft.com to check to make sure your system has all
its critical Windows patches to prevent remote buffer overflow viruses.

If you have multiple user accounts sharing one machine, logging in as a
limited user may prevent malware from loading and running when other people
log in. If you are the only user of your machine, however, that limitation
means absolutely nothing. Even if multiple people use the same system, they
can all become infected if they all happen to run a shared infected file,
for example.

What running as limited user does primarily is prevent the user from
changing the system configuration too much, mainly to implement change
control within an enterprise. It also makes it harder for malware running
under your account to do some things like create new login accounts. It's
also a security best practice, but not really because of viruses or malware.
Running as limited user does not prevent you from becoming infected, sending
out infected emails or packets, infecting other systems, deleting all your
data, searching your data for credit card numbers and passwords, running a
listening service, etc.

Note also that "Power User" is really not a very limited user. It is easy
to escalate privileges to Administrator. Also, most accounts in the Guests
group are not as limited by default as you might think.

RUNNING AS LIMITED USER DOES LITTLE OR NOTHING AGAINST VIRUSES. Spread the
word.
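A defender's version of Karl's REGEDT32 check, as an added example that is not from the thread: this PowerShell script (my own names, a constructed watch list of keys, run from an administrative prompt) reports which of those keys grant write-type rights to the groups a limited account belongs to. Any hit is a key that code running as that account can change with no exploit at all.

```powershell
# Added example, not from the thread: audit registry keys for write access by
# the principals a limited user holds, which is what Karl suggests eyeballing in
# REGEDT32. Any hit is a key that code running as that user can change with no
# exploit at all. Run from an administrative PowerShell so every key is readable.

# Keys that decide what starts at logon or what runs when an .exe is launched
# (a constructed watch list; add the key you had to repair).
$KeysToAudit = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Groups every limited, interactively logged-on local account is a member of.
$LowPrivilegedPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller change what a key contains, points to, or who may touch it.
$WriteRights = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership'

function Get-WritableByLimitedUser {
    param([string[]]$Paths)
    foreach ($Path in $Paths) {
        if (-not (Test-Path -Path $Path)) { Write-Warning "Missing: $Path"; continue }
        $acl = Get-Acl -Path $Path
        foreach ($ace in $acl.Access) {
            # Coarse triage: only Allow entries are inspected, Deny entries are not
            # weighed against them, so review each hit by hand.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivilegedPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            # New-Object keeps this runnable on PowerShell 2.0 (no [pscustomobject] there).
            New-Object PSObject -Property @{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WritableByLimitedUser -Paths $KeysToAudit | Format-Table -AutoSize
```

Keys under the user's own hive (HKCU) are deliberately left out of the watch list: as Stefan notes further down, the user owns that hive, so everything there is writable by definition.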

Stefan Kanthak
07-09-2005, 11:52 PM
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote:
>
> "lecter" <2@2.com> wrote in message
> news:kvfg91p7db9bm491idlkjnlobvkp3eo21h@4ax.com...
> > I have a computer running under the WinXP system. And one day I found that
> > the registry was modified and I couldn't run any .exe file! (The
> > problem has been solved by entering a registry key.)
> > The thing I want to know is whether the registry can be modified
> > under a WinXP limited account?
>
> Very very easily. Running as a limited account does VERY LITTLE to stop
> viruses. Anyone who tells you any different is mistaken. Even well-known
> people at Microsoft have this misconception.

Right so far: EVERY piece of code that comes to execution (intentionally
or not) has exactly the same rights/privileges as you. It can trash ALL
your files (remember: on NTFS the owner has full access; on FAT: forget
ANYTHING about security then) and write garbage everywhere you are
allowed to write to. This specifically includes your user profile (of
which your registry hive is a part) and your home directory.

BUT: as long as your account has no administrative rights and NO debug
privilege, logging out will terminate all processes you started.

AND: running with administrative rights is a VERY BAD HABIT.
Multiuser operating systems are about 50 years old, Unix about 30 years,
and one of the first rules a novice system administrator will learn is:
NEVER work with administrative rights if you don't do administrative
tasks! You get your own limited account and use it for your daily work.
This will LIMIT any damage: just try an RMDIR /S /Q %SystemDrive% with
your limited account and then with administrative rights.

> Running as limited user does prevent much spyware and adware today, but only
> because the authors of that malware see no need to make their programs work
> as limited users. This tactic will NOT be effective against future malware.

WRONG: running as limited or restricted user on a properly setup XP or
2K system prevents malware from infecting or compromising the system
itself or other user accounts.
Malware can do anything you are allowed to do on your account, but can't
compromise other accounts or write itself to %ProgramFiles%, %SystemDrive%
or %SystemRoot% and beyond. It can do anything with [HKCU], but nothing
in [HKLM] and the registry hives of other users.
... except when using a (not yet fixed) security hole.
Up to now I don't know malware that used a (remote) exploit before the
fix was available.

If you're in doubt about how to set up a system properly: Microsoft, the
No Such Agency, the NIST and some others published detailed guides on how
to "harden" a system. Have a look at the (high) security templates in
%SystemRoot%\System32\Security\Templates\ and use them (carefully).
If you have XP home: turn OFF that dumb "simple file sharing" and
answer the question whether the user profiles should be secured from
other access with YES!

If you don't know how to properly set up a system: go and hire someone
who is able to do this right (but beware).

BUT: when you have a window displayed on your desktop that runs in a
higher privileged process (MOST, if not ALL of those pseudo^Wpersonal
firewalls and some virus scanners do so) then it's possible to attack
that process and perform a privilege escalation.
That's a PRINCIPAL problem of Windows and well known as shatter attack
and should BY ALL MEANS be avoided (don't use such software, and don't
buy such crap).

> Malware running as limited user can do anything that you can do. If you
> were able to change the registry and fix the problem while logged in as a
> limited user, then malware would have the same permissions. You can see the
> permissions of that registry value by clicking Start, Run and typing
> REGEDT32.

Correct. But since you are owner of [HKCU] you have full access to any
of your registry entries (or can get it), so this advice ain't so very
useful...

> Also, many viruses use buffer overflows or could theoretically
> use other exploits like local privilege escalation to gain full System
> privileges, regardless of the permissions of the currently logged-in user.
> If the registry value you fixed did not give Write permission to your
> limited account [or to the Users or Everyone groups], then I would go to
> http://windowsupdate.microsoft.com to check to make sure your system has all
> its critical Windows patches to prevent remote buffer overflow viruses.

TOTALLY RIGHT.
The least you can and should do is to patch your system timely. Up to now
the exploits came all after the fixes...

> If you have multiple user accounts sharing one machine, logging in as a
> limited user may prevent malware from loading and running when other people
> log in. If you are the only user of your machine, however, that limitation
> means absolutely nothing. Even if multiple people use the same system, they
> can all become infected if they all happen to run a shared infected file,
> for example.

But then that infected file must have been written (itself?) to a
location where all other users will execute it. In a properly setup XP
(Home: turn off "simple file sharing") or 2K the ACLs prevent this.

> What running as limited user does primarily is prevent the user from
> changing the system configuration too much, mainly to implement change
> control within an enterprise. It also makes it harder for malware running
> under your account to do some things like create new login accounts. It's
> also a security best practice, but not really because of viruses or malware.
> Running as limited user does not prevent you from becoming infected, sending
> out infected emails or packets, infecting other systems, deleting all your
> data, searching your data for credit card numbers and passwords, running a
> listening service, etc.

Totally right.

> Note also that "Power User" is really not a very limited user. It is easy
> to escalate privileges to Administrator. Also, most accounts in the Guests
> group are not as limited by default as you might think.
>
> RUNNING AS LIMITED USER DOES LITTLE OR NOTHING AGAINST VIRUSES. Spread the
> word.

But it limits the damage to your own user profile and home directory!

It's therefore possible to clean the infection without reinstallation
of the system: login as another user with administrative rights (you
might prefer "secure mode" so that most autostart mechanisms won't be
triggered) and erase the user profile and the home directory of the
user account where the malware was executed.
Here the typical home user with just one PC has an advantage above the
office user in a company's network: the latter must be cleaned at all
places where the compromised user account had write access!

AND: if you really do it right then use software restriction policies
and deny the execution of ANY file except beneath %SystemRoot% and
%ProgramFiles%. Since restricted users aren't allowed to write there
they can't run arbitrary code, but only the programs the administrator
(or a power user) installed.
If that's too restrictive: you should AT LEAST deny execution in %TEMP%,
?:\RECYCLE?\, ?:\System Volume Information\, the caches of your browser
and mailer, all removable drives.

ALSO: if you use your PC standalone at home you SHOULD turn off the
whole "Windows network", i.e. file and printer sharing, NetBIOS, RPC,
DirectSMB and so on. You'll need TCP/IP and nothing more to surf the
net and communicate per mail and news and "ICQ" and whatever you like.
Have a look at http://home.arcor.de/skanthak/harden.html and see the
HARDEN2K.INF linked there: this will lock down 2K as far as possible.

Stefan
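As an added example that is neither from the thread nor from HARDEN2K.INF, here is the default-deny software restriction policy Stefan describes, written with PowerShell to the registry location the Local Security Policy snap-in uses for SRP. The function name, the generated rule GUIDs and the descriptions are my own; it assumes an administrative prompt, and new logons pick up the rules.

```powershell
# Added example, not from the thread or from HARDEN2K.INF: the "deny everything
# except %SystemRoot% and %ProgramFiles%" software restriction policy, written to
# the registry location the Local Security Policy snap-in uses for SRP.
# Needs an administrative PowerShell; new logons pick up the rules.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x00000   # SAFER security level "Disallowed"
$Unrestricted = 0x40000   # SAFER security level "Unrestricted"

function New-SaferPathRule {
    # Path rules live under <level>\Paths\<guid>; the GUID only has to be unique.
    param([int]$Level, [string]$Path, [string]$Description)
    $ruleKey = "$Safer\$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

New-Item -Path $Safer -Force | Out-Null
# Default for everything not matched by a rule: deny.
New-ItemProperty -Path $Safer -Name DefaultLevel -PropertyType DWord -Value $Disallowed -Force | Out-Null
# 1 = check executables but not DLLs (2 also checks libraries: breaks more, costs more).
New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
# 1 = apply to all users except local administrators, so "Run as..." installs keep working.
New-ItemProperty -Path $Safer -Name PolicyScope -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $Safer -Name AuthenticodeEnabled -PropertyType DWord -Value 0 -Force | Out-Null
# File types SRP treats as executable when launched through the shell (XP's default list).
# LNK is on it: with default-deny, shortcuts inside the user profile need their own
# Unrestricted rule, or LNK has to come off this list.
New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
) | Out-Null

# Allow the trees a restricted user cannot write to; everything they can write to stays denied.
New-SaferPathRule -Level $Unrestricted -Path '%SystemRoot%'   -Description 'Operating system' | Out-Null
New-SaferPathRule -Level $Unrestricted -Path '%ProgramFiles%' -Description 'Installed applications' | Out-Null

# Stefan's minimum if default-deny is too strict: keep DefaultLevel at $Unrestricted and
# rely on these explicit denies instead. SRP path rules accept ? and * wildcards; when two
# rules match, the more specific wins and an equally specific tie goes to the stricter one.
foreach ($drop in '%TEMP%',
                  '%UserProfile%\Local Settings\Temporary Internet Files',
                  '?:\RECYCLE?',
                  '?:\System Volume Information') {
    New-SaferPathRule -Level $Disallowed -Path $drop -Description "No execution from $drop" | Out-Null
}
```

Removable drives are not in the deny list because their letters differ per machine; add one Disallowed rule per drive letter (for example `E:\`) to cover them as Stefan suggests.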

Max Burke
07-09-2005, 11:52 PM
> Stefan Kanthak scribbled:
> WRONG: running as limited or restricted user on a properly setup XP or
> 2K system prevents malware from infecting or compromising the system
> itself or other user accounts.

All good advice....

But (there's always a but)

Have you ever tried to set up a user account on XP (Home AND Pro) and still
have ALL the applications, utilities, etc function as they do when running
as administrator?
It cannot be done for most ordinary users (like myself) who just want to be
able to install and run applications that they/we use every day.

The huge amount of tweaking, configuring, exceptions being allowed to just
run applications and utilities, and to even get some of Microsoft's applications
to work on a limited account just doesn't cut it for the ordinary user.

If the ordinary user wanted to have to do this just to get any program to
work they'd be using some version of *nix, not Windows. ;-)

You either have to give up using the applications and utilities you use
every day or run as administrator.

Not that Microsoft is entirely to blame here; it's just as much the fault of
third party developers who insist that their application/utility has to run
with FULL administrator privileges or not at all.

Microsoft needs to make XP a LOT easier to set up limited user accounts that
can still run any applications/utilities that need administrator level
access; developers need to make their applications run with either limited
or administrator level access.

I have tried quite a few times to set up and run limited user accounts on XP
Home and XP Pro and every time had to give up and revert back to running an
Administrator account just to do my 'every things' I do with my computer.

I now take the view that as long as I maintain a fully up to date patched
and secure system, and enforce 'safe hex' practices then running as
administrator is the best and only viable, user friendly option for the
ordinary user wanting to do their ordinary everyday work on their computers.

Hopefully Microsoft are improving this 'situation' in Longhorn...

--
mlvburke@xxxxxxxx.nz
Replace the obvious with paradise.net to email me
Found Images
http://homepages.paradise.net.nz/~mlvburke

D@annyBoy
07-09-2005, 11:52 PM
Good post indeed :-)
Despite what the experts advise, I still run my laptop as admin instead of a
limited account to avoid the problems when installing new software

If many users have the ability to recover a system within 20 minutes, then who
cares whether they run their system as an admin or not;
but in reality, this is not the case.

I once allowed a newbie to use my desktop for an hour, and d@mn him, he changed my
settings thinking that it was best for me without the slightest idea that he can
potentially damage my computer


While having a glass of beer, I read that Max Burke wrote in
news:uMu0KSBZFHA.2768@tk2msftngp13.phx.gbl


>> Stefan Kanthak scribbled:
>> WRONG: running as limited or restricted user on a properly setup XP or
>> 2K system prevents malware from infecting or compromising the system
>> itself or other user accounts.
>
> All good advice....
>
> But (there's always a but)
>
> Have you ever tried to set up a user account on XP (Home AND Pro) and still
> have ALL the applications, utilities, etc function as they do when running as
> administrator?
> It cannot be done for most ordinary users (like myself) who just want to be
> able to install and run applications that they/we use every day.
>
> The huge amount of tweaking, configuring, exceptions being allowed to just
> run applications and utilities, and to even get some of Microsoft's applications
> to work on a limited account just doesn't cut it for the ordinary user.
>
> If the ordinary user wanted to have to do this just to get any program to work
> they'd be using some version of *nix, not Windows. ;-)
>
> You either have to give up using the applications and utilities you use every
> day or run as administrator.
>
> Not that Microsoft is entirely to blame here; it's just as much the fault of
> third party developers who insist that their application/utility has to run
> with FULL administrator privileges or not at all.
>
> Microsoft needs to make XP a LOT easier to set up limited user accounts that can
> still run any applications/utilities that need administrator level access;
> Developers need to make their applications run with either limited or
> administrator level access.
>
> I have tried quite a few times to set up and run limited user accounts on XP
> Home and XP Pro and every time had to give up and revert back to running an
> Administrator account just to do my 'every things' I do with my computer.
>
> I now take the view that as long as I maintain a fully up to date patched and
> secure system, and enforce 'safe hex' practices then running as administrator
> is the best and only viable, user friendly option for the ordinary user
> wanting to do their ordinary everyday work on their computers.
>
> Hopefully Microsoft are improving this 'situation' in Longhorn...

lecter
07-09-2005, 11:52 PM
Switching between administrator and limited accounts is really boring....
and some programs even refuse to run under a limited account.....but I
still do my daily work under a limited account......
The limited account did prevent some hacks! And I am glad to find
that there pop up words like "the program can't......have no
right........" (that means system corruption has been stopped)


__
Lecter
- "Trust No One!"

Stefan Kanthak
07-09-2005, 11:52 PM
"Max Burke" <mlvburke@%$%#@.nz> wrote:

Your email address is syntactically wrong!

> > Stefan Kanthak scribbled:
> > WRONG: running as limited or restricted user on a properly setup XP or
> > 2K system prevents malware from infecting or compromising the system
> > itself or other user accounts.
>
> All good advice....

I know ;-)

> But (there's always a but)
>
> Have you ever tried to set up a user account on XP (Home AND Pro) and still
> have ALL the applications, utilities, etc function as they do when running
> as administrator?

Yes, all the time since I started to use NT4 back in 1997!
When I encounter an application that doesn't work AND I don't need it
badly -> trash (or if I bought it after explicitly asking the vendor
"is this REALLY designed for NT" -> back to vendor, money back to me).
If I WANTED to use the application I checked where it fails and adjusted
the permissions (or created a mapping for the *.INI).

> It cannot be done for most ordinary users (like myself) who just want to be
> able to install and run applications that they/we use every day.

You can install almost any application from a restricted account with
Shift+Rightclick->Run as... and then select "Administrator" and enter
the password.

> The huge amount of tweaking, configuring, exceptions being allowed to just
> run applications and utilities, and to even get some of Microsoft's applications
> to work on a limited account just doesn't cut it for the ordinary user.

If it won't work return it to the vendor. They'll learn if enough people
will do so.

> If the ordinary user wanted to have to do this just to get any program to
> work they'd be using some version of *nix, not Windows. ;-)

You'll have to use "su -c pkgadd $PWD/*.pkg" or "sudo" there too!
But: this works. What also works is adjusting permissions on say
/dev/cdwriter or setting suid-bit for /usr/bin/cdrecord to let the
normal user burn CDs.
Windows has the finer granulated ACLs, but even its manufacturer
uses them to their full extent. Microsoft apparently doesn't even test
many applications with "restricted user" accounts. SAD!

> You either have to give up using the applications and utilities you use
> every day or run as administrator.

Hmmm... not me. But I DON'T WANT to use crappy applications, I'll return
them and get my money back. Typical situation: the bigger the company
the crappier the software!

> Not that Microsoft is entirely to blame here; it's just as much the fault of
> third party developers who insist that their application/utility has to run
> with FULL administrator privileges or not at all.

Right. On the other side I sue Microsoft for being overly "careful" not to
break even the most misbehaving applications (including their own, like
MS Office:-).

> Microsoft needs to make XP a LOT easier to set up limited user accounts that
> can still run any applications/utilities that need administrator level
> access; Developers need to make their applications run with either limited
> or administrator level access.

No! Microsoft MUST NOW stand up and tell all the developers AND testers out
there to develop for NT: install as Administrator or PowerUser, ask Windows
for all the right paths (no hardcoded C:\Program Files\, but %ProgramFiles%
or SHGetFolder()), "%AllUsersProfile%" instead of "%UserProfile%" or even
"C:\Documents and Settings\%UserName%\") and let the program run with any
rights the user has.
If some functions of the program need higher privileges: give MEANINGFUL
"error" messages, and don't say "You need admin privileges to run me" right
after the start.

> I have tried quite a few times to set up and run limited user accounts on XP
> Home and XP Pro and every time had to give up and revert back to running an
> Administrator account just to do my 'every things' I do with my computer.

Not here. Not me, not the some hundred people that use my installations.
OK, no one plays games (if I want to play games, then not on my PC, that's
too boring), and I have to give advice sometimes on how to tame the beasts,
but it's possible!

> I now take the view that as long as I maintain a fully up to date patched
> and secure system, and enforce 'safe hex' practices then running as
> administrator is the best and only viable, user friendly option for the
> ordinary user wanting to do their ordinary everyday work on their computers.

Take a look at RunAsAdmin on sourceforge.

> Hopefully Microsoft are improving this 'situation' in Longhorn...

They'll again present a shiny surface with many useless gadgets.
I personally can't really work with XP's explorer, it's way too smart
for me.

Stefan

D@annyBoy
07-09-2005, 11:53 PM
If you are not on a network, it would really make no difference.

I shared my laptop with my financial controller. I decided not to run login at
bootup because it is too much of a hassle explaining to her. Worse, when she
can't connect to the Net, I have to explain to her, over the phone, what
steps to take. (and I can't even fire her <bg>)

:-)


While having a glass of beer, I read that lecter wrote in
news:o6pj915veq4qfg04tgo75hplejcmu6rlqb@4ax.com


> Switching between administrator and limited accounts is really boring....
> and some programs even refuse to run under a limited account.....but I
> still do my daily work under a limited account......
> The limited account did prevent some hacks! And I am glad to find
> that there pop up words like "the program can't......have no
> right........" (that means system corruption has been stopped)
>
>
> __
> Lecter
> - "Trust No One!"

Knox
07-09-2005, 11:53 PM
The security templates are actually in %windir%\Security\Templates.

I haven't ever used these templates. Looking at them, they don't seem to
deal with software restrictions which I would think are one of the best ways
of preventing malware from creating problems by preventing the execution to
begin with. You touch on some recommendations for software restrictions, is
there a "best practices" template for those?


Knox



"Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
news:O1XkgABZFHA.2288@TK2MSFTNGP14.phx.gbl...
> "Karl Levinson, mvp" <levinson_k@despammed.com> wrote:
>>
>> "lecter" <2@2.com> wrote in message
>> news:kvfg91p7db9bm491idlkjnlobvkp3eo21h@4ax.com...
>> > I have a computer running under the WinXP system. And one day I found that
>> > the registry was modified and I couldn't run any .exe file! (The
>> > problem has been solved by entering a registry key.)
>> > The thing I want to know is whether the registry can be modified
>> > under a WinXP limited account?
>>
>> Very very easily. Running as a limited account does VERY LITTLE to stop
>> viruses. Anyone who tells you any different is mistaken. Even
>> well-known
>> people at Microsoft have this misconception.
>
> Right so far: EVERY piece of code that comes to execution (intentionally
> or not) has exactly the same rights/privileges as you. It can trash ALL
> your files (remember: on NTFS the owner has full access; on FAT: forget
> ANYTHING about security then) and write garbage everywhere you are
> allowed to write to. This specifically includes your user profile (of
> which your registry hive is a part) and your home directory.
>
> BUT: as long as your account has no administrative rights and NO debug
> privilege, logging out will terminate all processes you started.
>
> AND: running with administrative rights is a VERY BAD HABIT.
> Multiuser operating systems are about 50 years old, Unix about 30 years,
> and one of the first rules a novice system administrator will learn is:
> NEVER work with administrative rights if you don't do administrative
> tasks! You get your own limited account and use it for your daily work.
> This will LIMIT any damage: just try an RMDIR /S /Q %SystemDrive% with
> your limited account and then with administrative rights.
>
>> Running as limited user does prevent much spyware and adware today, but
>> only
>> because the authors of that malware see no need to make their programs
>> work
>> as limited users. This tactic will NOT be effective against future
>> malware.
>
> WRONG: running as limited or restricted user on a properly setup XP or
> 2K system prevents malware from infecting or compromising the system
> itself or other user accounts.
> Malware can do anything you are allowed to do on your account, but can't
> compromise other accounts or write itself to %ProgramFiles%, %SystemDrive%
> or %SystemRoot% and beyond. It can do anything with [HKCU], but nothing
> in [HKLM] and the registry hives of other users.
> ... except when using a (not yet fixed) security hole.
> Up to now I don't know malware that used a (remote) exploit before the
> fix was available.
>
> If you're in doubt about how to set up a system properly: Microsoft, the
> No Such Agency, the NIST and some others published detailed guides on how
> to "harden" a system. Have a look at the (high) security templates in
> %SystemRoot%\System32\Security\Templates\ and use them (carefully).
> If you have XP home: turn OFF that dumb "simple file sharing" and
> answer the question whether the user profiles should be secured from
> other access with YES!
>
> If you don't know how to properly set up a system: go and hire someone
> who is able to do this right (but beware).
>
> BUT: when you have a window displayed on your desktop that runs in a
> higher privileged process (MOST, if not ALL of those pseudo^Wpersonal
> firewalls and some virus scanners do so) then it's possible to attack
> that process and perform a privilege escalation.
> That's a PRINCIPAL problem of Windows and well known as shatter attack
> and should BY ALL MEANS be avoided (don't use such software, and don't
> buy such crap).
>
>> Malware running as limited user can do anything that you can do. If you
>> were able to change the registry and fix the problem while logged in as a
>> limited user, then malware would have the same permissions. You can see
>> the
>> permissions of that registry value by clicking Start, Run and typing
>> REGEDT32.
>
> Correct. But since you are owner of [HKCU] you have full access to any
> of your registry entries (or can get it), so this advice ain't so very
> useful...
>
>> Also, many viruses use buffer overflows or could theoretically
>> use other exploits like local privilege escalation to gain full System
>> privileges, regardless of the permissions of the currently logged-in
>> user.
>> If the registry value you fixed did not give Write permission to your
>> limited account [or to the Users or Everyone groups], then I would go to
>> http://windowsupdate.microsoft.com to check to make sure your system has
>> all
>> its critical Windows patches to prevent remote buffer overflow viruses.
>
> TOTALLY RIGHT.
> The least you can and should do is to patch your system timely. Up to now
> the exploits came all after the fixes...
>
>> If you have multiple user accounts sharing one machine, logging in as a
>> limited user may prevent malware from loading and running when other
>> people
>> log in. If you are the only user of your machine, however, that
>> limitation
>> means absolutely nothing. Even if multiple people use the same system,
>> they
>> can all become infected if they all happen to run a shared infected file,
>> for example.
>
> But then that infected file must have been written (itself?) to a
> location where all other users will execute it. In a properly setup XP
> (Home: turn off "simple file sharing") or 2K the ACLs prevent this.
>
>> What running as limited user does primarily is prevent the user from
>> changing the system configuration too much, mainly to implement change
>> control within an enterprise. It also makes it harder for malware
>> running
>> under your account to do some things like create new login accounts.
>> It's
>> also a security best practice, but not really because of viruses or
>> malware.
>> Running as limited user does not prevent you from becoming infected,
>> sending
>> out infected emails or packets, infecting other systems, deleting all
>> your
>> data, searching your data for credit card numbers and passwords, running
>> a
>> listening service, etc.
>
> Totally right.
>
>> Note also that "Power User" is really not a very limited user. It is
>> easy
>> to escalate privileges to Administrator. Also, most accounts in the
>> Guests
>> group are not as limited by default as you might think.
>>
>> RUNNING AS LIMITED USER DOES LITTLE OR NOTHING AGAINST VIRUSES. Spread
>> the
>> word.
>
> But it limits the damage to your own user profile and home directory!
>
> It's therefore possible to clean the infection without reinstallation
> of the system: login as another user with administrative rights (you
> might prefer "secure mode" so that most autostart mechanisms won't be
> triggered) and erase the user profile and the home directory of the
> user account where the malware was executed.
> Here the typical home user with just one PC has an advantage above the
> office user in a company's network: the latter must be cleaned at all
> places where the compromised user account had write access!
>
> AND: if you really do it right then use software restriction policies
> and deny the execution of ANY file except beneath %SystemRoot% and
> %ProgramFiles%. Since restricted users aren't allowed to write there
> they can't run arbitrary code, but only the programs the administrator
> (or a power user) installed.
> If that's too restrictive: you should AT LEAST deny execution in %TEMP%,
> ?:\RECYCLE?\, ?:\System Volume Information\, the caches of your browser
> and mailer, all removable drives.
>
> ALSO: if you use your PC standalone at home you SHOULD turn off the
> whole "Windows network", i.e. file and printer sharing, NetBIOS, RPC,
> DirectSMB and so on. You'll need TCP/IP and nothing more to surf the
> net and communicate per mail and news and "ICQ" and whatever you like.
> Have a look at http://home.arcor.de/skanthak/harden.html and see the
> HARDEN2K.INF linked there: this will lock down 2K as far as possible.
>
> Stefan
>

Karl Levinson, mvp
07-09-2005, 11:53 PM
"Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
news:O1XkgABZFHA.2288@TK2MSFTNGP14.phx.gbl...

> > Running as limited user does prevent much spyware and adware today, but
only
> > because the authors of that malware see no need to make their programs
work
> > as limited users. This tactic will NOT be effective against future
malware.
>
> WRONG: running as limited or restricted user on a properly setup XP or
> 2K system prevents malware from infecting or compromising the system
> itself or other user accounts.

This means nothing unless multiple users are using the computer. If this is
a single-user system, making the virus unload when the user logs out or
preventing infection of other system accounts means very little.

Stefan Kanthak
07-09-2005, 11:53 PM
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote:

Karl, your quoting, or rather its line breaks, is a little weird.

> "Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
> news:O1XkgABZFHA.2288@TK2MSFTNGP14.phx.gbl...
>
> > > Running as limited user does prevent much spyware and adware today, but
> only
> > > because the authors of that malware see no need to make their programs
> work
> > > as limited users. This tactic will NOT be effective against future
> malware.
> >
> > WRONG: running as limited or restricted user on a properly setup XP or
> > 2K system prevents malware from infecting or compromising the system
> > itself or other user accounts.
>
> This means nothing unless multiple users are using the computer. If this is
> a single-user system, making the virus unload when the user logs out or
> preventing infection of other system accounts means very little.

Hmmm...
There are at least two user accounts: Administrator and the restricted
one. The damage will be limited to the restricted account, and can VERY
easily (completely) be repaired through removal of the offending user
profile, preserving the system and all the installed applications.

The argument I hear most often from lusers who got infected is "I can't
afford the time to reinstall the system and my applications (and I don't
have the CDs any more:)", and this will vanish when running restricted.

You may even enable the "Guest" account and use it solely for surfing
and mailing: logging out will clear the user profile! Upon login the
user profile will be built from "Default User", which can easily be
preconfigured.
I put all my settings into a HIVEOEM.INF file which I place beside the
HIVE*.INF delivered with the OS and add four lines in TXTSETUP.INF to
have the settings applied as early as possible during setup.
Another way is WINNT.SIF [SetupParams] UserExecute = "..." (see Q216518
and Q249149) which will run just after SVCPACK.INF with the registry hive
of "Default User" as [HKCU].

Stefan

