User accounts

[videobruce 0]

I have been running 2k for 7 months now logged in as a administrator. I have read in other forums that for security reasons AND for performance reasons you shouldn't do this. The administartor function runs additional processes that the regular or power users don't need.

 

I finally got around to trying this and when I logged in as a regular user or power user, I still have the same 21 processes running at startup as I did as a administator (in task manager)! Also, I tried some basic changes as: moving and deleting shortcuts on the desktop, changing folder view options from those stupid Windows 3rd grade cartoon icon defaults to details, single click instead of double click, but everything returned to the default state after a reboot!

 

Are the user permissions so strict you can't even do simple things like those??????????

 

I added the path from the administrator settings to the new user I created for the desktop shortcuts and start meun shortcuts, but the folder views for example never changed!

[uboofer 0]

You should log on to the WS as your normal account and use the "runas" command to log on as administrator. How you get to the runas command is hold down the left shift key and right click on the option. This should bring up a promt called runas. Left click on this and it will allow you to enter the admin username and password.

[clutch 1]

Why? Why would you suggest this? Are you simply suggesting this for regular users, or for any user? Bear in mind that if you plan on administering any systems remotely from your desktop, you might run in to problems if you are not logged in with the proper credentials as many times you will not have the option to elevate them at connection time. But then again, I am not so crazy about the "runas" option anyway (long time, and current, NT 4.0 admin) and have found it clumbsy if the application decides to call another executable which switches the app back to the current user's credentials. The "runas" option doesn't replace being a "superuser" in *nix.

[Davros 0]

It depends on the apps you need to run. If using the runas option does not cause any problems, then this would be the more secure option. The reasoning is that if you pick up something malicious like a trojan or a bad script in an email, or just poorly written software, it won't be able to execute with administrative rights, limiting the potential damage it can do.

[clutch 1]

Unfortunately, there are too many apps on the market that still require legacy access to the registry (hence the Power User group, and this option during Terminal Services installation in Application Mode) and will not function properly. I am a strict believer in limiting access as much as possible, but relying on "runas" is something that I have yet to find viable, so I am just providing a heads-up on it.

[uboofer 0]

As a general rule I never log on as admin on any of my PCs. If you use the runas command, you can walk away from your desk and if someone gets on your PC they have absolutely no ability to give them or someone else more access than needed.

 

As Devros pointed out also some viruses and trojan horses will raise havac on a computer logged in as administrator then it will hit your network. As administrator you have the ability to access all files and edit the registry. A virus will take advantage of this and the NTFS securitys will be nonexistant.

 

You are correct in that some programs will not work on a account that has little power such as the user group but just give yourself power user account privleges and this should help some. If a application needs to have admin rights, use the runas command to promote yourself to admin while you are in that window and your system will stay more secure.

 

As for remote connections you should be able to set up yourself to have the proper permissions at the domain level to allow yourself to do what you need to without allowing yourself to be opened up for attack. If you do need to log on as Admin for that machine you can use the runas command for that also. It only effects that connection and it does not open your PC up for full control.

 

I run a Windows 2000 network at home and my job is a NT network. I run into issues all the time of not having the correct permissions at the time I need them. The runas is a great tool to allow you to have the correct credentials at the time you need them and not leave yourself open. If a network is properly administrated people will have just enough permission they need to do their job. No more no less.

 

Look all I am stating is that the way I was taught and everything that I have ran into is to use a normal network account and not log on as admin until it is absolutly needed. Everyone has a different way they decide to run their network and I will not tell you how to run yours but I think that this is the most secure way to keep hackers out and still be productive. Remember that most companies are hacked internally from their own users and not from the outside.

[clutch 1]

First, the "walk away from your desk and not worry" issue is moot if you lock your workstation (which you should be anyway). Now, I am under the impression that you and Davros might not have been administering NT networks for very long, and that's fine (gotta learn somewhere, right?) since you are indicating that using "runas" is the way you were "taught" rather than reviewing it as a method to integrate into your current administration methodology. There are many times that you run into issues attempting to use this to connect to other systems (including using AD) and you will not be granted access as your credentials will not clear. If you will notice, NT networks have run fine for many years without the need for any sort of "runas" functionality necessary (the current one I manage has been fine since '98), and the idea of setting up admins to have no elevated privies and then to use this utility for everything (or, if lucky, get prompted when you use other mgmt utils) isn't so hot. But what do I know, I've been using NTx for the last 7 years...

[BladeRunner 0]

Well really there were two moot points.

The first as covered about walking away from your desk.

All of my users are now pretty well trained to simply lock their workstations if they are going to be away for a long time.

As Systems Administrator I never leave my office even to grab a coffee without first locking the station.

 

The second on virus's & trojan's, if you are running a professional network then you wont really be at risk from these.

Considering every single workstation & server on my network is running some kind of anti-virus software. (NAV Corporate)

In turn each of these machines are automatically updated with the latest definitions as and when they become available, so there is no risk of outdated definitions on any of the machines.

As an extra layer of security e-mail is scanned as it comes into the building.

 

Also, again if this is a professional network we are talking about, then all servers & workstations will be up to date on their security patches, so no chance of attack here.

 

There is a big difference between "What the book tells you" and what you pick up when working with this kit on a daily basis.

[clutch 1]

As BR stated, the risk is rather minimal for viruses and trojans when there is a properly configured AV system in place, not to mention that anyone with elevated privies should have a pretty good idea of what is and isn't safe to open to begin with.

[Davros 0]

None of you should assume I'm on any particular "side" of this issue. I merely stated the reasoning behind using the runas option because Videobruce asked for the reasoning behind it. I don't use it very much myself actually! It's clumsy and annoying. And if you are concientious enough you will take other, better precautions in the first place.

 

It's great to have the latest virus definitions and hotfixes, but that does not mean you should feel safe and comfy. It's the unknown viruses and security holes that are the big problem. I don't remember the last time an antivirus definition came out for a virus before it was already in the wild. The best defence is the education of your users, however daunting that may be.

 

If you want to go by the book and only use the runas option, then you should use a regular user account, not power user. Power users still have enough permissions for many exploits, such as the right to install other programs.

 

I hope I don't sound like a newbie student. I wish I had 7 years experience in this field. Instead I spent 7 years as a chemist and hated every minute of it. Gradually, I turned to IT and began running the p.o.s. NT4 network at that plant, before quitting my job for some formal education. I should get my MCSE in about 3 more months and begin logging proper experience finally. You guys in this forum are a continual inspiration, and the issues discussed here are very informative and helpful as well.

[clutch 1]

Quote:

Originally posted by Davros
It depends on the apps you need to run. If using the runas option does not cause any problems, then this would be the more secure option. The reasoning is that if you pick up something malicious like a trojan or a bad script in an email, or just poorly written software, it won't be able to execute with administrative rights, limiting the potential damage it can do.

This quote was the reason for my assumption. It seems that many people are confusing this utility (which is all it is) with some sort of *nix superuser equivalent, which it isn't. I have seen several references to this and I have decided to start correcting it so the new users (and future admins like yourself) can understand what it really does for you. It doesn't enhance security by any means, and what really does is help you out in a pinch by temporarily enabling an app to run with higher rights than the current user. Now, how secure do you think it is to be entering the admin credentials multiple times during a logon session just to run a few apps?

[Davros 0]

I see what you're saying now. It can be more risky if you enter your admin credentials over and over using runas, b/c of prying eyes nearby and such. Thanks for the tip!