Running Windows Without Administrator Privs?

javacowboy asks: "For a while now, I've been advising friends who run Windows to try running as a regular user, as opposed to running as administrator, which is the default setting. However, I switched to Mac a year and a half ago and I haven't run Windows since, so I'm probably not the best person to be giving this advice. Still, on a philosophical level, *trying* to run Windows as a non-admin, given the prevalence of viruses, worms, trojans, and spy-ware, seems to make sense. Have any of you tried to run Windows as a non-admin, and how did it work out for you? Are there certain tasks or certain software you need to be admin to run? How realistic is it to expect a Windows user to run their OS as non-root?"

one experience

[yagu (721525)]

A friend's computer shared by the entire household was unendingly compromised. We restored XP many times from scratch but the result was always the same, within a month XP was toes up again.

We did manage to trace the culprit pretty certainly to one of the kid's AOL sessions. No emphasis and teaching was enough to stop a trusting click to wreak trojan horse havoc. (I don't blame the kid, she was using in good faith and only talked to friends, and only clicked when she was assured they were "being good". Unfortunately, in the world of XP running with admin privelege, this is not enough.)

We finally bought a separate computer with discrete accounts, and only one had admin access. The kids' accounts were non-admin. This new machine remains uncompromised, but with a price.

The non-admin accounts, while unable as expected to install software, have random and mysterious failures. I've been able to track some down to exactly what I (and most) feared -- applications which expect to have admin access. Not one example was legitimate in the sense the failure point was performing work requiring admin access, it was just presumptive development by the application. (Interestingly, one of the applications that works fine in admin access but not in non-admin access is Windows Media Player 10.)

Unfortunately this turns out to be a common symptom running non-admin in XP. Lots of applications will work fine. Lots won't.

The machine remains partitioned as described, but the ultimate result has been the kids gravitating back to the unprotected computer for unfettered access. I expect that machine will continue to need its periodic re-imaging.

These problems in XP aren't rare and are artifacts of an infrastructure with security tacked on in ugly layers again and again, all as afterthoughts. I hope Vista proves better at this, but wonder how many applications will continue as problematic because of a murky and muddled and shifting security architecture.

For the record, I'm simply amazed Microsoft has gotten away with this for so long... it's ample empirical evidence more deals on shop architectures are being made on the golf course and not around the white boards.

And, also for the record, Microsoft has the money and power to fix this once and for all. I'm sure some will defend Microsoft's incremental work on this, but for too many years my observation has been Micosoft using their money to buy additional fingers with which they point at others to blame rather than work to solve comprehensively the security and system integrity problems.

• Bottom line:

I still recommend PC owners create separate non-admin accounts with only one admin account. Applications that won't/can't play nice I recommend they uninstall and ask for their money back. This isn't optimal, but it keeps the machine healthy longer.

Sigh.

Re:one experience

[exKingZog (847868)]

We run all our staff accounts as limited users at work. We have two pieces of software that don't like running under regular accounts, and in both cases the solution is to give users modify access on that app's folder in %program files%. Also, I'm puzzled by WMP 10 not working - works fine for our staff, and my girlfriend's account on my PC, and the guest account I set up for a friend once.

The main culprit is almost always always programs trying to store data in their installation folder rather than th

Re:one experience

[Jaruzel (804522)]

However, modifying %ProgramFiles% is fine for us SysAdmins, but your average Joe User isn't going to have a clue on how to do it - The application will barf, and Mr Dad will say 'Sod it. I'll give myself Admin', because life is simply too short to faff about with these things.

Vista's approach, while not perfect does redress problem somewhat. If an app needs admin, Vista pops up a dialog asking for User/Pass of an admin account (a bit like an automatic SU) - I'm not sure if Vista knows each app and what it n

Re:one experience

[skinfitz (564041)]

applications which expect to have admin access

...don't want to sound like a Windows fanboy at all but there are many *NIX apps that expect to have root - ethereal for example. Sure they are usually system admin related, but it doesn't mean that you have to run the entire session as root because you can simply use su.

In Windows you can use the runas command similar to su to give elevated privs to individual apps. You can also use a switch to cache credentials (like chown +x root) that the admin can use to give users the ability to work with awkward apps so it's not really a big deal for the odd application if the machine is set up correctly.

Re:one experience

[Bert64 (520050)]

Ethereal only requires root if you want to actively sniff the interface with it (as opposed to reading logs you captured earlier), there are obvious reasons why non root users can't sniff network traffic especially on a system which was designed to be multi user rather than having multi-user support kludged in as an afterthought.

In many unixes nowadays you can use capabilities, to give a program that normally would require root, whatever access it requires without giving it full root (such as raw socket cap

Re:one experience

[cortana (588495)]

If you run ethereal as root then you're asking to be compromised.

You should be capturing packets with tcpdump (as root), and opening the file it creates with ethereal as an unpriviliged user.

Re:one experience

[jimfrost (58153)]

..don't want to sound like a Windows fanboy at all but there are many *NIX apps that expect to have root - ethereal for example.

While there is some truth to this, it's not the case that, say, "larn" or "hack" needs root access.

But it is the case that many (all of the ones I've tried) of those Disney game programs require administrator privileges. These are basically flash games, and they're being sold for children to use. But they simply will not operate without administrator privileges.

(This isn't

Re:one experience

[skinfitz (564041)]

Why, to sniff your network to send anything it finds to the government of course! ;)

Re:one experience

[harrkev (623093)]

I should also like to point out that I tried the user vs. admin thing. The software that made me switch back was Winamp (they should know better) and Logitech's driver for the Quickcam Chat (they should definately know better).

Winamp was annoying, but I suppose that I could ask for a refund of every penny that I paid for it, which was nothing.

Logitech, on the other hand, was more annoying. I paid good money for that product, and a company that size should check for this sort of stuff. The problem is that

Answers to your thoughts:

[Ayanami Rei (621112)]

1) Don't use Winamp. Use foobar2000. Works properly with multiple/non-privledged users... plugins for everything under the sun.

2) There are other programs besides the Logitech tool that can take pictures with your camera. Try any other PTP supporting application (like the Windows XP Camera wizard). In general bundled software that comes with any hardware is likely to be crap... not just Logitechs'.

Cool Hack:

[Ayanami Rei (621112)]

Create a secondary user, call it, I don't know, Granny2.

Give this user permissions to do whatever it is that the unprivledged account can't deal with (modifying its own Program Files directory, whatever). Make it have no password and deny interactive logon, but allow batch logon.

Now, using "su" from sysinternals, create a shortcut that runs su with the options to log on as "Granny2" using a "batch" logon, and have it run the nasty application.

Here's the key. PUT THE LINK IN HER PERSONAL START MENU/DESKTOP. Not in the All Users desktop. These are special shortcuts for this ONE USER.

To complete the tour de force, go into the registry under the Granny2 user find:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\Shell Folders

Change Personal, Desktop, etc. to MIMIC the Granny user. Then give Granny2 R/W privs on the Granny profile.

Boom! Smooth, seamless access to all misbehaving apps. I did this to get Turbotax and Quicken to run on a family PC under multiple accounts with unprivledge users who know nothing about technology or to remember passwords.
Worked like a charm.

Re:one experience

[drsmithy (35869)]

(Interestingly, one of the applications that works fine in admin access but not in non-admin access is Windows Media Player 10.)

What problems did you have ? Because while I don't use WMP frequently, I've never had a problem using it in a non-admin account.

These problems in XP aren't rare and are artifacts of an infrastructure with security tacked on in ugly layers again and again, all as afterthoughts.

The security infrastructure in NT (ie: XP) has been there from the get-go and certainly wasn't "tacked

Re:one experience

[Bert64 (520050)]

The security infrastructure in the (NT) kernel was there from the start, but the frontend interface that most people interact with comes from win3.1/9x which most certainly has no concept of security.

When merging the 2 together, they decided that a consistent (ish) interface was more important than security, so the underlying security features got bypassed or papered over.

Ok... we're getting closer to my original point...

[lorcha (464930)]

So make the next mental leap. Suppose Microsoft were to, as I originally suggested, make Windows default the user to an account with no admin rights. Then when Grampa Bob tries to run TurboTax and it shits all over him (that's the technical term for, "Bob's attempted execution of the TurboTax application failed with a cryptic and unhelpful error message"), Grampa Bob is going to call up Intuit and say, "WTF?".

If Intuit doesn't want to have to deal with Grampa Bob and 50,000,000 of his closest friends wh

Aaron Margolis

[BSDevil (301159)]

Runs "The Non-Admin Blog" - one of the most useful resources for this. He's a Microsoft staff consultant, and often has tips for it you won't find elsewhere.

Check it out at http://blogs.msdn.com/aaron_margosis/ [msdn.com]

Some advice

[VGPowerlord (621254)]

I'm running Windows XP Pro as a Limited User right now. The important thing to remember is that some programs, games in particular, don't like it if you don't change the file (and sometimes, registry) permissions.

Registry permissions can be set using reged32.

Installers are also a problem. Since Windows program like making a mess (i.e. putting DLL files in the system and system32 directories), you usually need to run then as Administrator. The "Run As..." menu item can be used to elevate priviliges for a single program. This appears in context (right-click) menus by default, unless you're in the Control Panel. In that case, hold down shift when right-clicking.

Windows Explorer can be started as a different user, if you set the option to run Explorer Windows in a separate thread. This option needs to be turned on for the user you're changing to, not for the current user. You can find this option in Control Panel (Classic View), Folder Options..., View tab, Launch folder windows in a separate process.

Here's a few sources to consult:

• Aaron Morgosis's Blog [msdn.com] (non-admin category)
• Using a Least-Privileged User Account [microsoft.com]
• Applying the Principle of Least Privilege to User Accounts on XP [microsoft.com]

I'm sure I missed some things, but other posters will point them out.

I could hear it now....

[Zanth_ (157695)]

Considering most users like to install the latest kitchy program, I would assume it would be quite a trial in the current format, to have a user run without admin access. I could only imagine the calls the local techy friend would get, instead of "can you pleeeeease come and fix my malwared/spywared/virused/trojanned/fubar'd computer" it will now be "can you pleeeease come and install happybloggeryp2pdownloadmeforfreeporntoday.exe"

Re:I could hear it now....

[Bert64 (520050)]

To which you can say "NO!" and hang up... Much easier than trecking over there and spending a few hours reinstalling the whole system!

The info is out there...if you can read German ;-)

[D4C5CE (578304)]

The staff at Heise, publishers of c't (one of Europe's major IT mags) have dedicated much time, effort, and a series of extensive articles to this question. [heise.de] Some of them are online for a free read, in particular on the pages subsequent to the above link.

Learning German is probably an effort on par with trying to replicate their years of work and experience. ;-)

There was even a database detailing which application caused how much trouble without administrator privileges [archive.org].

However, in all of this the question comes to mind whether the best way to obtain as much as possible of Mac-like security and ease of use on PCs wouldn't simply be installing Linux in the first place.

Some tips...

[pla (258480)]

As someone who runs as a non-admin, I'll share a few tips I've learned on how best to make everything work...

1) Download CPAU [joeware.net], which works somewhat like RunAs but will let you create "job" files so you don't need to type a password each time.

2) Make three accounts, a "guest" (don't use the built-in guest account for this) user, a "poweruser", and an "admin" (don't use the built-in admin account for this). For the rest of this post, I'll call your real account "fred", the lower-permissioned account "barney", and the higher-permissioned account "gazoo".

3) Set the root of all drives to explicitly "deny" all permissions to "gazoo". This wouldn't even slow down an interactive attacker, but few hostile programs expect to need to take ownership and change permissions from an account already having admin privs.

4) Give "fred" write permission on "Documents and Settings\barney". Give "barney" read permission on "Documents and Settings\fred". Give "fred" read permission on "Documents and Settings\gazoo". That alone will solve 99% of permission problems you'll have.

5) Use CPAU to set up job files to run all your networking programs (browser, email, IM, etc) as "barney". Do the same for all programs that legitimately need admin access (many CD/DVD rippers, for example) to run as "gazoo".

6) To install most software (even well-behaved software that doesn't require admin to run), log in as admin (the real one, not "gazoo") and create its directory under Program Files, giving "fred" (or "barney" if it will run with reduced permissions) write permission to that dir. Then, install it while logged in as "fred" (or, again, as "barney" if applicable). Also, some pesky software will work best if you install it first as the user it will run as, and then as "fred". Firefox and Thunderbird fall into this category, because of the way they handle user profiles (Using the highly-recommended "Portable [portableapps.com]" versions of both will completely avoid this problem, btw).


The above will take care of most common problems you might have. Other problems will still pop up, however.

For example, good luck printing from your web browser - you can use Microsoft's TweakUI to edit the relevant ACLs, but that seems like about a 50/50 shot of working. I curently have two machines at home set up more-or-less as described above, and basically identical. One of them can print from "barney" and one can't. Wierd.

Also, get used to using UNC names. Mapped drives, even if mapped under all three accounts, will not show up for programs running as anyone but the currently logged-in user.



And some "experts" wonder why so many Windows users still run as admin.

Re:The Problem is with Clueless Users

[Russellkhan (570824)]

So, you run XP as admin with no firewalls or antivirus despite having been hit by a virus in the past, and you don't reboot after updates, which means basically that your updates are not applied to your machine...

What is it exactly that the 'clueless morons' do that you don't?

Re:Annoying

[datafr0g (831498)]

I agree that it is annoying in general however in XP Pro, installing an application is usually pretty painless.

Just "right click" the installer executable and select the "Run as" option to run the installer as a user with privilages.

Regmon Filemon

[pedestrian crossing (802349)]

You can eliminate the guess work by using Regmon and Filemon from here [sysinternals.com].

These utilities log all file and registry access attempts, successful or unsuccessful.

Most applications that "need" admin rights, actually only need the correct rights on a specific reg key or directory. Granting only the needed rights gets the app working without adding unnecessary rights/risks.

Re:Forget it.

[senatorpjt (709879)]

Unforunately, only the people with the knowledge of how to prevent Windows from being compromised by running as Admininstrator in the first place are the only people who know how to set it up to run as a limited user.

It seems like Windows was set up so that the Administrator uses the Administrator account all the time, and if it's your personal computer, that's you - limited users are for when someone else is the Administrator.

Re:Not hard to do on a home computer...

[biglig2 (89374)]

You put a keylogger on your gf's machine? I hope she doesn't read slashdot.