User Group Presentation - Securing Windows by Running LUA
LUA is a TLA(three-letter-acronym) for "Least-Privileged User Account". On 24 May, 2005 I will be giving a presentation for the Chicago Computer Society on the topic of running Windows under a non-Admin user account.
Running Windows under the local administrator account with full privileges exposes your machine to numerous dangers, especially when working with Internet-facing applications. Under normal circumstances you should run under an account with fewer privileges.
I will discuss the motivation to, techniques for and difficulties with running LUA on Windows XP based on my experience (see my post below).
It will be an interactive evening with a demonstration of my configuration and utilities. And, if possible, I will demostrate changing the configuration of an unsecure machine to run effectively with an LUA. In addition I will discuss a number of other, better known, steps to keep your machine running efficiently and free of malware.
Running Windows under the local administrator account with full privileges exposes your machine to numerous dangers, especially when working with Internet-facing applications. Under normal circumstances you should run under an account with fewer privileges.
I will discuss the motivation to, techniques for and difficulties with running LUA on Windows XP based on my experience (see my post below).
It will be an interactive evening with a demonstration of my configuration and utilities. And, if possible, I will demostrate changing the configuration of an unsecure machine to run effectively with an LUA. In addition I will discuss a number of other, better known, steps to keep your machine running efficiently and free of malware.
(I will update and extend this post for several days)Here are some relevant links to topics I will discuss (see also my earlier post):
MS TechNet: Using a Least-Privileged User Account describes the motivation for doing this.
MS Support: Certain Programs Do Not Work Correctly If You Log On Using a Limited User Account
posted by Allan Wolff at 9:24 AM
1 Comments:
One issue when running non-admin is installations which write registry edits under CURRENT_USER only. Then if you switch to the admin account to install software it is only set up correctly if you run as it admin. There is no non-tedious fix for this. One is to temporarily add the target account to Administrators, install the software, and then take account out again. Another is to use Margosis MakeMeAdmin utility but you have to create a batch file/shortcut. And finally if the issue is a registry key only you can export it from the Admin id and import it to the target id.
Depending upon who uses the machine I suppose one might import to HKLM for use by All Users.
There can also be issues of file permissions which Margosis addresses too.
Post a Comment
<< Home