Guest Blogger - Running Without Administrative Privileges

A little while ago I wrote a post on how Rick convinced me to run Vista as a standard user. Vista sure makes this easy, but Colin Harford has written a nice guest blog post on how he is able to run as a standard user on XP.

----------------------------------------------------------------------------------------------------

We are all guilty of it at one point or another. We all like to make our users run without admin privileges, either by not granting them admin access or by using group policy, so that the account can’t do everything. Of course, this is for the safety of the network, computers, data, etc. However, how many of us run without admin privileges?

We like to run with admin privileges because it is easy, be it by running as a Domain Admin on the workstation or by having a separate user account that has admin access to the workstation. From a security perspective, we shouldn’t. Just look at how many 0day exploits have been published in recent days, where all you had to do to get infected was visit a site or run without a firewall. It is a lot easier for an exploit that allows remote code execution to compromise the system when it starts out with Administrator privileges. This is not the be-all and end-all solution and is not a substitute for a good firewall, Anti-Virus, Anti-Spyware, and a good password. Rather, it is just another layer of defense, a part of your defense in depth strategy.

Windows XP, when not in a domain, has things like fast user switching to allow switching between a LUA and an admin account. When you’re in a domain, that option is no longer there. Sure, there is Run As, and that works well for launching things like the Active Directory Users and Computers MMC, since you can launch it with an account that has modify access, etc. However, what if you need to run a program as your own username with admin access? There are plenty of programs that need this, and a number of different walls of shame for them.

Aaron Margosis has written extensively on running without admin access (his blog can be found here: https://blogs.msdn.com/aaron_margosis/). There is also the site https://nonadmin.editme.com/, where you can download some handy tools to help you get running. The first tool is a bat file written by Aaron Margosis, which allows you to run almost anything from a command window with admin access. You can find out more and download it at: https://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx. Here you can enter a configurable account that does have admin access:

Then you get prompted to put in your password. From here, you can launch any program or installer with admin access. Anything that is launched from that red window has admin privileges. Note that the Windows Update web page still does not work with this.

The next tool is a toolbar called PrivBar that shows you whether you are currently running with admin privileges (handy for Windows Explorer). You can find it at https://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx
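
The same kind of check can be done from a command prompt. The PowerShell below is an added example, not part of the original post or of any tool it links to: it reports whether the current process is running with admin privileges and which accounts are direct members of the local Administrators group. It assumes PowerShell 2.0 or later; the function name `Get-PrivilegeContext` and its property names are made up for this example.

```powershell
# Added example (hypothetical function name): report the privilege context of
# the current process and the standing members of the local Administrators group.
function Get-PrivilegeContext {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators group is enabled in this process token.
    $isAdmin = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Resolve the group by its well-known SID so localized group names still work.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $group = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    # Enumerate direct members through the WinNT ADSI provider.
    $adsi    = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
    $members = @($adsi.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # WinNT://DOMAIN/user or WinNT://DOMAIN/COMPUTER/user -> AUTHORITY\user
        $parts = $path.Substring('WinNT://'.Length).Split('/')
        '{0}\{1}' -f $parts[-2], $parts[-1]
    })

    New-Object PSObject -Property @{
        User           = $identity.Name
        ProcessIsAdmin = $isAdmin
        # Direct membership only; membership through a nested domain group
        # shows up as that group's name in LocalAdmins, not as the user.
        StandingMember = ($members -contains $identity.Name)
        LocalAdmins    = $members
    }
}

Get-PrivilegeContext | Format-List
```

For a day-to-day account that follows the post's advice, `ProcessIsAdmin` should be False in an ordinary window and True only in a window that was deliberately started with admin access.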

A third tool makes it easy to open Control Panels, Task Manager, etc. with admin access with only a few clicks of the mouse. It is called Launch Admin and can be found here: https://launch-admin.sourceforge.net/. Once it is opened from within MakeMeAdmin, a new icon appears in the task bar; when you click on it, a menu comes up:

Finally, there is always the option of running each program manually with restricted access, as part of the “Run As” option.

However, this doesn’t provide the same level of protection as running everything without admin privileges except what you explicitly define. There you have it: an easy way to run without admin access while still being able to get admin access easily.

With Windows Vista, you do not need to make use of tools like “MakeMeAdmin.” Vista incorporates a number of security changes over XP, et al., which help reduce your exposure to threats. However, in many ways, the messages IMO aren’t written for end users. A good article on this can be found here: https://www.microsoft.com/technet/technetmag/issues/2006/07/SecurityWatch/default.aspx

----------------------------------------------------------------------------------------------------

Colin Harford is a computer professional with a wide range of experience; working with computers for more years than he would often like to admit. His focus is on system administration, primarily involving AD and Exchange. Colin was also involved in the creation of two user groups.