Compatible Support Forums
brblueser

Admin rights mess

I need some help with setting admin rights on Win2000 Pro...

I used to belong to Admin group, which allowed me to do everything. This is a bad thing, and I decided to play Mr. Nice Guy and switch back to default "Power Users" group. According to its description, I should be allowed to install progs and such, but this is not happening: most of the apps I try to install either simply fail or explicitly say they need admin rights in order to be installed ;(

Even worse: 'runas' is not helping me at all, and all sorts of weird things happen: apps silently refusing to run as normal user, games showing weird behavior (my mouse goes crazy if I run Jedi Knight II with 'runas') and such ;(

Given this incredible mess, I will revert to being a member of admin group until I figure out how to deal with this the correct way... ;(

Any help will be much appreciated. BTW: This is a single user machine (home use only), but it is connected to a cable modem, so security concerns apply.

TIA

Andre

Link to post

If you're a standalone or a small network, why is it bad to run as
Administrator??? You been listening to these Linux guys too much ;-).
In a small (home) networked environment sub accounts are for your wife or kids.

Link to post
Quote:
If you're a standalone or a small network, why is it bad to run as
Administrator??? You been listening to these Linux guys too much ;-).

Hey, I am one of these Linux guys! :P

Quote:
In a small (home) networked environment sub accounts are for your wife or kids.

Agreed. My main concern is that, by running everything as admin I might be increasing the chances that if I do some damage (either by myself -- less likely, but... -- or "manipulated" by some virus/exploit), it could be orders of magnitude worse than if I was logged as average Joe user.

I try to keep myself up-to-date with AV signatures and AFAIK my firewall is well configured, but you never know with virii/exploits coming out every 2 weeks...

I am just finding it hard to properly configure permissions, because apps seem to act weird if I switch to a non-admin group, and I can't seem to get the pattern -- even if I uninstall them as admin and try to reinstall them as a 'power user', things don't go fine.

In the meantime, I will keep playing God here... (not that I don't like it, but... ;)) And, yes, given the environment here, no doubt I would be admin anyway :D (I am just not sure I should be all the time!)

Thks for the reply.

Link to post

Sorry about the Linux comment, I'm running Mandrake 9 myself. I've tried SuSE and
Red Hat also. There are two different criteria that we deal with here. Linux (and
of course UNIX) have excellent security and networking features. Most of the time
these are far ahead of NT. The problem is that these work flawlessly on a system
where not much change takes place, but, that doesn't seem to hold up when a
lot of program and system reconfiguration is going on. Linux has the strength
here, but, not the durability. Everyone likes to put down windows, but, it's
not as simple as that.

To put it another way... I can slam my W2K system around all day long without
a problem. Programs in/out, multiple reboots, all sorts of weird configurations,
and it just keeps chugging along. Linux tends to be a lot more brittle environment
which I've often seen break with that same abuse. On the other hand when left in a
set configuration, well, we all have heard how a walled up Linux (or UNIX)
box is found running years later...

The other issue is the security one. In a large business or government
environment, it is essential that one has impeccable security in place. In the
kind of personal and small business environment that I deal with, that
kind of security is difficult and many times irrelevant. Many of the 'serious'
security issues that 'everyone' is so concerned about apply mainly to the
government and big business environments. Now I'm not saying that I don't use
security, but, required parameters are much different in that small business than
in the large impersonal workplace.

So, I guess I'll keep Mandrake as a second system on the computer.
And, if anyone is determined to run Linux, I'd definitely recommend Mandrake.
But, I think that W2K will remain as my main workstation environment for the
foreseeable future.

Link to post

The security models are completely different, and many of the exploits/viruses/worms attack services that are already running with admin (or worse, "system" privileges if never changed by the admin) credentials and thus makes no difference what account was logged in at the time. Few people have made a point to really understand both models, and these misconceptions about not using admin privies on Windows systems keep rolling forward. Just set up another account for yourself, and make it a member of the administrators group. And then rename the "administrator" account to something else to help slow down the more obvious attacks.

Link to post
Quote:
Sorry about the Linux comment, I'm running Mandrake 9 myself. I've tried SuSE and Red Hat also.

Hey, no need for apologies, no harm done :) Also, please, folks, don't get the idea I came here with the intention to light up a flame war. I did not intend to compare Win and Linux (although I wouldn't mind doing that, I am still learning technical aspects of Win2k and any information is a bonus, maybe this just isn't the right place), it's just that Linux is a natural reference to me.

Quote:
To put it another way... I can slam my W2K system around all day long without a problem. Programs in/out, multiple reboots, all sorts of weird configurations, and it just keeps chugging along. Linux tends to be a lot more brittle environment which I've often seen break with that same abuse.

Strange... I've never had this kind of probl with Linux. Aside from new hardware installations, which might require some fine-tuning on the config files (and, I have to agree, depending on the type of hardware it can really be a PITA) and definitely requires a reboot, I only reboot Linux boxes when I upgrade the kernel. YMMV.

Quote:
On the other hand when left in a set configuration, well, we all have heard how a walled up Linux (or UNIX) box is found running years later...

Believe me, I've seen this happen -- the machine was an amazingly old and beaten PII, it was hosting a set of CGI scripts for user registration and data submission, and this machine was forgotten. We only remembered it existed when filesystem became full and service stopped (but not the OS). It stayed like this for almost two years! :)

Quote:
the other issue is the security one [snip] Now I'm not saying that I don't use security, but, required parameters are much different in that small business than in the large impersonal workplace.

Agreed. Nevertheless, the risk is there, and even though I don't have any sensitive data in my home computer, I would get really pissed off if some nasty IE exploit wipes out files from my HD... (and even more if I contributed to it in any way with careless administration)

Quote:
So, I guess I'll keep Mandrake as a second system on the computer. And, if anyone is determined to run Linux, I'd definitely recommend Mandrake. But, I think that W2K will remain as my main workstation environment for the foreseeable future.

It's always good to keep an open mind (that's what I am trying to do ;) ). In my case, it's the other way around -- my good old RedHat is my preferred system on my box.

OT: Mandrake has ranked again as #1 distro according to a Linux Journal survey... I should definitely give it a try.

Thks again for the ideas and the nice conversation.

Link to post
Quote:
The security models are completely different, and many of the exploits/viruses/worms attack services that are already running with admin (or worse, "system" privileges if never changed by the admin) credentials and thus makes no difference what account was logged in at the time. Few people have made a point to really understand both models, and these misconceptions about not using admin privies on Windows systems keep rolling forward. Just set up another account for yourself, and make it a member of the administrators group. And then rename the "administrator" account to something else to help slow down the more obvious attacks.

Thks for the tip. This is actually what I am doing: I use a 'normal' (non-admin) account, but I am a member of the Admin group instead of PowerUsers. So, is this a reasonable setup when it comes to security?

Now, changing privileges from 'system' to (?) is something that I definitely haven't done. Could you please elaborate a little further (or point me to some documentation)?

I haven't renamed Administrator account, will do that.

Thks again :)

Link to post

Why is Mandrake better than other? I had an old Mandrake 5.2 for some time and then upgraded to redhat 7.2. I didn't however try a new version of Mandrake.

Link to post

(Mmmh... I have a feeling this is getting really OT for this forum... ;))

Underneath, Linux distros are essentially the same (after all, it's the Linux kernel behind all of them), but they usually differ mainly on the installation and configuration tools and package management (Debian uses .deb files, RH, SuSE, Mandrake and others use RH's RPM etc.). Distros also differ on the amount of bundled apps, as well as on how bleeding edge they are (some prefer to include the very latest versions of apps, while others are usually a little behind). Finally, there are specific versions of distros tuned for specific purposes, just like with Win2k Pro, Win2k Server etc.

Installation/configuration tools have direct impact on ease of configuration, specially depending on the hardware you have (like graphics boards, digital cameras, scanners etc.) I have never tried Mandrake, but from what I've heard its tools are very efficient and user-friendly, and it does a good job in keeping pace with latest versions of apps.

Link to post
Quote:
Why is Mandrake better than other? I had an old Mandrake 5.2 for some time and then upgraded to redhat 7.2. I didn't however try a new version of Mandrake.


This is my take so far.

1) Mandrake 9.0

Install and video support with Mandrake 9 is among the best. Configuration utilities (drake) are
quite easy to set up and among the most flexible. Good support for the latest KDE and Gnome.
Excellent Samba support / utilities. This is the best balanced of the packages. If you're just
starting with Linux then this is a no-brainer.

2) Red Hat 8.0

Red Hat is the most bullet proof, and, the most inflexible of the packages. You are (almost) forced
to use Red Hat's version of Gnome. Very little support for anything else, but what does exist is
extremely polished. Has great installation, and terrific video support. This is the only package
that would install in graphics mode to my ATI8500 card.

3) SuSE 8.1

SuSE impressed me as being the most flexible of the bunch, and was visually / ethically the most
interesting as delivered. The install is a little rough around the edges, but, if I was (a lot)
more experienced, then, I would probably go with SuSE. I understand that SuSE is one of the oldest
Linux outfits, and, it shows. It just feels good???

Link to post

Firstly, we have www.linuxcompatible.org if you would like to have a heavy duty Linux discussion, but I don't mind talking Linux here ;). Second, all RPM-based distros suck. I'm sorry, I'm a Debian guy, and I can't stand having to hunt around for stupid libraries when the packager is too lazy to either include them or at least give good documentation as to what it needed. And this includes several mainstream packages as well, such as CD burning front-ends. The worst was trying to install the knock off of APT for RH/RPMs, known as "apt4rpm", and that was a nightmare. It took me 2 hours of searching all over the place to get what I needed for a RH8 install, and when I finally got it loaded it would still break (just as much as the normal RPM installer would). In addition, with apt in the Debian distros (Debian, Lindows, Xandros, Libranet, etc) you can install multiple packages at once by simply using "apt-get install package1 package2 package3..." and it will resolve all the dependencies and install them in order. With this ability, this type of OS lends itself to upgrading while RH, Drake, SuSE, etc. really need to be upgraded with CD images (at best) or simply formatted and reinstalled.

Another type of distro with great promise is the compiling style (as a friend calls it, a "glorified installer"), such as Gentoo and Sourcerer. With these you run *very* close to the core of the OS (almost as geeky as the LFS, Linux From Scratch, guys but with a little less headache). In Gentoo, you can tune your make.conf to the needs of yourself and your machine, and then compile *everything* that goes on it. Of course, this level of customization doesn't come without its price. I have a P2 400 workstation that has been "emerging" KDE since 8:30 yesterday morning, and it took 6 hours to compile and install Gnome with nothing else installed in it. Personally, I will be sticking with Debian for the now, since I don't have that kind of time to install everything I need :).

However, RH, Drake, and SuSE are really great for newbies, or people that don't want to futz with their system much. They are "easier" to install (I can install Debian in half the time it takes me to get RH8 going though) for new people, and have friendly interfaces overall with more control panel type utilities. To all those that like them, don't be offended. This is just my up-in-yan of them :).

With respect to the security layouts, I find the *nix model to be rather limited. You can set up objects, and then use those objects (such as users) as containers (groups) for other objects. And that's about where it stops. In NT, you can add people to groups, and easily manage multiple groups AND users with all kinds of permissions, while in *nix you have the 3x3 system (owner, group, world and read, write, delete) which doesn't quite cover what I need unless I make a ton of groups and criss-cross membership all over the place.

brblueser,

In order to change the logon credentials of a service, you just go to the services panel (right click on "my computer", select "manage", then go to "services") and open the properties of a given service. At that point, you should see a log on tab, and you can change the credentials of the service. You know when you have a spun (failed) process, and you can't kill it? Normally, it's because the process is running under "System", which has a higher level of credentials than "Administrator/Admins", and the admin has no right to kill it. This is a major reason why you see people rebooting NT boxes when there's a problem. The next biggest issue is if explorer is slowing down, and you can just kill that process and restart it using Task Manager. Both of these functions have been around a *long* time in the Windows world, and directly translate to using ps -aux and kill in *nix, and using ctrl-alt-backspace to kill X-server (and hence, your window manager) when there's problems.

HTH

Link to post
Quote:
Firstly, we have www.linuxcompatible.org if you would like to have a heavy duty Linux discussion, but I don't mind talking Linux here ;).


I'm too lazy to switch right now.

Quote:
Second, all RPM-based distros suck.


Without getting into the multitude of different program distribution methods, packages using RMS have come a long way towards easy installation of programs. Linux as a workstation environment will never gain momentum unless this problem is resolved. And, since you've mentioned Debian, I should mention that I've also done an install with that. My impression was one of almost arrogance. Sorry, I'm not trying to offend anyone, but, Debian is the least user friendly Linux build that I ran into, and, its users don't seem much interested in making it any easier or better. Even Slackware was friendlier ;-).

Quote:
However, RH, Drake, and SuSE are really great for newbies, or people that don't want to futz with their system much. They are "easier" to install (I can install Debian in half the time it takes me to get RH8 going though) for new people, and have friendly interfaces overall with more control panel type utilities. To all those that like them, don't be offended. This is just my up-in-yan of them :).


Most of the new users are used to, and, will want this type of environment. Many will go beyond that, but, a user friendly environment will help them to learn it better and faster. If Linux is to progress from a niche OS to anything mainstream and compete with the MS offerings, then, a lot more has to be done in this direction.

Link to post

The install process is actually really simple, if you find a how to on your system (or a generic one) first. However, it can be very intimidating. That's why trying something like Lindows, Xandros, or Knoppix is a much better alternative. You get all the power and stability of Debian, but with a much better install (or in the case of Knoppix, it can just run from the CD and be copied to the hard drive if you want to keep it) system. There is another friendly installer that handles the setup duties for Debian, and you can get it for free as well (it's a basic Debian distro, but with a graphical installer) but I can't think of its name right now. Unless there's a real method to handling dependencies in RPMs, then it will always be a major failure and thorn to Linux users everywhere.

Oh, and your account here is also valid at www.linuxcompatible.org, in case you or others didn't already know :).

Link to post

Hi clutch,

[ thks for bearing with the ongoing discussion but, again, it's not my intention to turn this into a Linux-related thread (I didn't even mention Linux on my original post! ;) ) ]

Nicely put. Indeed, "dependency hell" with RPM-based distros can be quite a PITA. apt-get abilities are legendary, and I believe it is one of Debian's strongest points -- the weakest being the installation process IMHO. I've followed a Debian installation once at my last job, and it was awfully hard to even find desired packages on the cds. However, I always heard that once you get used to the installation process, you won't replace your Debian for nothing :)

Regarding apt4rpm, I believe its main probl is the lack of repositories, since it is sort of "unofficial" (only Conectiva claims full support for it, since they are the ones responsible for porting apt to RPM-world). It seems to be gaining popularity, though, maybe things improve in the future... (it should take a while, since a port to RPM 4.x is facing some probls AFAIK). RedCarpet, from Ximian, also does automatic dependency checking, but it is still buggy (at least here on my system it doesn't run right).

The "self-building" distros are really interesting, but you have to be "in the mood" to wait the whole thing to finish... ;) (and, as you said, you'd better have a good hardware to back you up)

I am still running RH 7.1 here, but it hardly resembles the original 7.1. I upgrade some basic system tools and apps using up2date, but I still do most of my upgrading by hand. I never used RH tools for configuration (aside from initial installation). However, I agree, it is specially well-suited for newbies -- and this is their goal in order to try to make Linux more "suitable for the masses". I am not against this, but I can't say I am totally for it either... but that's another story ;)

Quote:
With respect to the security layouts, I find the *nix model to be rather limited. You can setup objects, and then use those objects (such as users) as containers (groups) for other objects. And that's about where it stops.

Agreed. Here is where it shows its age: this is the same model invented way back in the 70s. Simpler (and therefore more common) needs are usually well-served by this simple model, but more complex setups, even though not impossible, indeed demand extra groups creation and admin.

Quote:
In order to change the logon credentials of a service, you just go to the services panel (right click on "my computer", select "manage", then go to "services") and open the properties of a given services. At that point, you should see a log on tab, and you can change the credentials of the service.

Cool, now I'm making some progress :) All my services are currently running as 'LocalSystem'. If I got it right, this should be changed to 'Admin', right? (or whatever name I gave it). Don't I risk failing starting some services if I change this?

Thks for your help and patience.

Link to post

Most of the core ones (the MS defaults) don't need to be bothered with (and probably shouldn't) so I wouldn't worry about those. The real need to adjust these is with applications that run a service in which you have installed after the fact (RDBMS systems, web servers, ftp servers, etc) that you want full control over. What I have done is created accounts for each of these services, then give them only what they need for permissions (such as "Power Users" so they can launch but not install anything on their own). Also, whenever in a domain environment, I make these accounts locally on the machine rather than in the domain so that if a service is compromised, it can't be used to move across the network or create accounts in the domain.

Link to post
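An added example, not part of the thread: one way to do the review described in the post above on a current Windows system with PowerShell (the thread's Windows 2000 predates it). It lists services that log on as LocalSystem and whose executable lives outside %SystemRoot%, as a rough stand-in for "installed after the fact"; that heuristic and the function names are assumptions of this example.

```powershell
# Added example (not from the thread). Read-only audit: nothing is changed.
# Assumption: a service whose binary is outside %SystemRoot% was installed
# after the OS and is a candidate for its own low-privilege logon account.

function Get-ServiceBinaryPath {
    # Extract the executable path from a service command line
    # (Win32_Service.PathName), dropping any arguments.
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName).Trim()

    if ($p.StartsWith('"')) {
        # Quoted form: "C:\Program Files\Vendor\svc.exe" -arg
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }

    # Unquoted form: take everything up to the first ".exe"
    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $m = [regex]::Match($p, '^(.+?\.exe)(?=\s|$)', $opts)
    if ($m.Success) { return $m.Groups[1].Value }

    # Fallback: first whitespace-delimited token
    return ($p -split '\s+')[0]
}

function Get-ThirdPartyLocalSystemService {
    # Services that log on as LocalSystem and do not live under %SystemRoot%.
    $systemRoot = $env:SystemRoot.TrimEnd('\')
    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $bin = Get-ServiceBinaryPath -PathName $_.PathName
            $underSystemRoot = $bin -and $bin.StartsWith("$systemRoot\", $cmp)
            if (-not $underSystemRoot) {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    State       = $_.State
                    StartMode   = $_.StartMode
                    Binary      = $bin
                }
            }
        } |
        Sort-Object Name
}

Get-ThirdPartyLocalSystemService |
    Format-Table Name, State, StartMode, Binary -AutoSize
```

Vendor services that install their binary under %SystemRoot% are missed by this filter, so treat the output as a starting list for the Log On tab review rather than a complete inventory.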
Quote:
Unless there's a real method to handling dependencies in RPMs, then it will always be a major failure and thorn to Linux users everywhere.

Right. I subscribed to the RPM mailing list a while ago, and some guys that actually develop RPM are also members. They are really aware this is the Achilles heel of RPM, and they would also love to implement a decent solution for it. However, from what I could see, there are some other 'deep' (conceptual) probls that need to be fixed first.

Quote:
Oh, and your account here is also valid at www.linuxcompatible.org, in case you or others didn't already know :).

Cool! :D Didn't know about it, will drop by to see what's going on.

Link to post
Quote:
Most of the core ones (the MS defaults) don't need to be bothered with (and probably shouldn't) so I wouldn't worry about those. The real need to adjust these is with applications that run a service in which you have installed after the fact (RDBMS systems, web servers, ftp servers, etc) that you want full control over.

Mmmh... from what I can see, there's not really much I would need to change, then. I have AVG from Grisoft (a free AV app), Sygate Personal Firewall, NVIDIA Driver Helper and a bunch of Iomega services (for my ZIP drive) all running as LocalSystem. Should I change this?

Quote:
What I have done is created accounts for each of these services, then give them only what they need for permissions (such as "Power Users" so they can launch but not install anything on their own). Also, whenever in a domain environment, I make these accounts locally on the machine rather than in the domain so that if a service is compromised, it can't be used to move across the network or create accounts in the domain.

That's clever. Maybe I will play with this later.

... I just realized this: there is no such a thing as 'system user', is it? (I am trying to make a comparison with root/non-root users).

Thks again.

Link to post

"SYSTEM" is an account, but the Admin has little control over it (hence being unable to kill dead processes launched under SYSTEM). Root is sort of a hybrid of SYSTEM and Administrator in NT, as duties under NT are split up between them while their comparative functions in Linux simply run as "Root". In this case, a properly configured service under Windows could be more secure than the *nix counterpart, since most processes/services in *nix run as Root and if compromised have Root-level access to the system (unless you are using a hardened/split-level kernel to reduce this hazard, but many are not). Just remember that some services might need to load and unload drivers or some other high-privilege tasks, and if the "Power Users" group can't do it, then you might have to adjust its user rights to allow for this.

Link to post

But, is it really an account? I mean, it doesn't appear under any of the user mgmt tools... (not that it really matters, I am just trying to understand it)

Quote:
In this case, a properly configured service under Windows could be more secure than the *nix counterpart, since most processes/services in *nix run as Root and if compromised have Root-level access to the system

Well, IIRC it's not that bad: you have many different users for many different services: apache, xfs, dnscache, mysql etc. Some of them might indeed share root privileges (through suid or by belonging to specific groups), but it doesn't have to be that way for all of them. Also, some services run on chroot jails.

However, for services running as root (or under suid), you're right -- same, as you said, for services running as 'system' on Win2k. And AFAIK you shouldn't need kernel-level modifications to apply such a policy for most of the services (although properly configuring this by hand could turn out to be impossible for some cases or at least tricky for others, demanding creation of specific users -- easy part -- and proper file permissions configuration -- the hard part, depending on how far you're willing to go or how complex is your setup).

Anyway, thank you very much for the tips and insights, it has been really enlightening, I have definitely improved my Win2k knowledge.

Link to post
