Saturday, July 30, 2005

Running Windows as Non-Admin Presentation at APCU

I gave my presentation on Running Windows as a Least-Privileged User (Non-Admin) this morning to the APCU at the Wilmette Public Library. The Association of PC Users is a long-running user group here in the Chicago area, with a knowledgeable base of users. I covered all the ground I intended as outlined below:
  1. Introduction - Users, Accounts, etc.
  2. Why not run as an Administrator?
  3. Problems when running Non-Admin.
  4. Tools and Techniques for running Non-Admin.
  5. The tools I discussed are the PrivBar.dll ToolBar extension for IE and the MakeMeAdmin batch command file, both by Aaron Margosis, and DropMyRights.exe by Michael Howard.


There was a good response from a number of audience members, including Irwin Romanek, Sid Bratkovitch, and several others whom I do not know. When I went slightly aside from the main theme to discuss IE (Internet Explorer) security and demonstrated URLZones, the question came up of just when they control Internet access - that is, what programs beyond IE and Outlook Express. I need to research that and post what I can find out.
Many people in the audience run Firefox instead of IE, and asked why I use IE. I explained that most corporations I work with standardize on IE. Then I mentioned the forthcoming IE7 and noted that the beta1 is out now (formally announced this week). There are two semi-official announcements at the MS IE blog. Here is a comment from the posting by Chris Wilson:



In the web platform team that I lead, our top priority is (and will likely always be) security – not just mechanical “fix buffer overruns” type stuff, but innovative stuff like the anti-phishing work and low-rights IE.


He lists a number of details on the developer side, particularly CSS support, but nothing about the security enhancements. He makes the following notable statement/admission, with references to ACID tests:


We fully recognize that IE is behind the game today in CSS support.

And it does indeed appear that IE7 will NOT be supported on the Windows 2000 platform. This is not too surprising, because the XP OS added some new security features, such as SAFER, that are not available on Win2K. But wait, this article, describing new features in IE7, specifically states that only some will be supported on XP, so that suggests that the browser generally will be supported on Win2K.

Irwin asked whether I thought normal users could readily use the techniques I showed. I readily acknowledged that it seemed unlikely. But I forgot to emphasize that they can run normally as Non-Admin in most cases and that experts, such as the audience or the users' consultants/technicians, could help them set up shortcuts to any of the other tools they need.

Here is a list of my previous posts related to this topic. They have many links to articles and blogs with more details:
Developing LUA (with Least Privilege)
User Group Presentation - Securing Windows by Running LUA
LUA Development

These relate to Internet Explorer:
More on IE Security
Windows Internet Security Zones
IE Shell programming, Security
Internet Explorer Tweaks and Tools

[I can add details to this post, if visitors request some in comments]

Also at the meeting Sid Bratkovich gave some presentations on a terrific new IBM Desktop PC which he brought in. After a video on restoring a problem install of XP he gave an extended demo of VMWare.
