Friday, January 20, 2006

More on Running LUA

Still trying to run and develop as a limited user. Keith Brown, following someone else, references work done by Ziff-Davis and discussed in an eWeek article which shows the safety advantage of running as a normal user versus Admin or even Power User! Only the base limited user was largely immune from infection by viruses when they surfed the web extensively. They don't indicate, however, what kind of prophylaxis they used for their web browsing.

Addendum to some earlier posts
I have tended to run devenv.exe (Visual Studio) as an Admin, but you can develop local WinApps with a limited account as long as you make sure that account has the proper rights to the target source directories and any needed data file directories. Setting those up on a non-domain machine can involve setting the rights at a granular level, and normally this is not available in the Windows Explorer GUI when simple file sharing is enabled.
But you can use the NT command line tools for setting ACLs (Access Control Lists) - CACLS.EXE (NT) and XCACLS.EXE (Support Tools). They are a little arcane but do the trick. One thing you have to be careful of is not to use the /G or /P options without /E, or else you remove all existing rights.
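The /E caveat above, shown as a batch script. This is an added example, not code from the original post; the account DevUser and the directories C:\Projects\MyApp and C:\AppData\MyApp are placeholder names.

```batch
@echo off
rem Added example. DevUser and both directory paths are placeholders.
setlocal
set "ACCOUNT=DevUser"
set "SRC=C:\Projects\MyApp"
set "DATA=C:\AppData\MyApp"

rem Record the current ACL so the result can be compared afterwards.
cacls "%SRC%" > "%TEMP%\acl-before.txt"

rem DESTRUCTIVE form, left commented out: without /E, /G replaces the whole
rem ACL, so every existing entry on the directory is removed.
rem cacls "%SRC%" /T /G %ACCOUNT%:C

rem Safe form: /E edits the existing ACL instead of replacing it,
rem /T recurses into subdirectories, /G grants Change (C).
cacls "%SRC%" /T /E /G %ACCOUNT%:C

rem With /E, /P replaces only this account's entry and leaves the others
rem alone; here it sets the account's rights on the data directory to Change.
cacls "%DATA%" /T /E /P %ACCOUNT%:C

rem Verify: show what changed, then confirm the account is now listed.
cacls "%SRC%" > "%TEMP%\acl-after.txt"
fc "%TEMP%\acl-before.txt" "%TEMP%\acl-after.txt"
findstr /I /C:"%ACCOUNT%" "%TEMP%\acl-after.txt" >nul || goto :failed
echo %ACCOUNT% added to %SRC%; compare the fc output to confirm the old entries remain.
goto :eof

:failed
echo %ACCOUNT% was not found in the resulting ACL for %SRC%.
exit /b 1
```

The fc output should show only added lines for the new account; any line that was in acl-before.txt and is missing from acl-after.txt means an existing entry was lost.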

As to managing the localgroups, I never listed the UI tools for changing them in my post CCS User Group Presentation where I showed the appropriate command lines. There are several GUI programs that allow you to manage users and local groups:
Running "control userpasswords" gives you the rather dumb User Accounts dialog in Control Panel. Running "control userpasswords2" gives you a smarter, more granular tool to manage users, including specifying their group membership. Finally, "lusrmgr.msc" is an MMC plugin which provides a full-powered GUI tool to create/manage local users and groups.

It is worth noting that Power Users seem to have the power to add users to the Admin group, hence one reason that it is not really a safe level of operation.

