The most important Windows security tool
There are so many products and options available for Windows security it’s hard to know where to start.
Many people wind up focusing on things that are enhancements, rather than fundamental security improvements. Recently we dealt with an organization that agonized over which anti-virus product to buy. In fact, they spent three years developing criteria, soliciting bids from vendors, and testing and evaluating before making a decision. A similar effort and length of time went into selecting a firewall. They felt that getting just the right security products was the solution to the plague of spyware, viruses and web site vandalism they had been experiencing.
Meanwhile, all Windows user accounts throughout the organization had local administrator privileges on the workstation, meaning that any malicious software that got onto a workstation would be able to do anything the user could do.
Removing administrator privileges for local user accounts was on the list of things to do, but it was low priority. It took some effort to demonstrate to management that no tool they could buy, no matter how sophisticated and well designed, could provide the increase in protection of switching to unprivileged user accounts.
Let’s say that again: Running as a regular user is the most effective thing you can do to avoid viruses, spyware, keyloggers, root kits, hostile e-mail attachments and employee misuse. In fact, it’s so effective that you could remove your anti-virus software and probably never suffer an infection.
When you run as administrator all the time, any malicious software that gets on your system from web browsing, e-mail and other sources has full permissions to change files and settings, including critical components of the operating system. Malware can also affect every process on the system, including shutting down your anti-virus and personal firewall (a common first step for malware). When you use a normal user account, that same malware is forced to find a bug in the operating system to make changes or shut down protection software, a much more complex task.
It’s like a thief equipping themselves with the special tools needed to break in and steal your car, then discovering that though you locked the doors, you left all the windows rolled down and the key in the ignition. Running as a normal user significantly increases the obstacles that malware has to get past to infect the system. The majority of malware doesn’t even try. Most viruses, spyware and trojans can’t install themselves unless the user is an administrator.
Even more important, using a normal user account provides proactive and generic security… capable of preventing even new malware from gaining a foothold. It doesn’t need continuous updates and stops more than just a list of known problems, completely unlike anti-virus and anti-spyware products.
But if running as a normal user is so important and so effective, why don’t we hear more about this issue? A large part is because it’s not a product you can buy. You won’t see full page ads for it in CEO magazines. It also can be difficult, especially for large organizations with lots of legacy software that expects a Windows 95 “full rights” environment.
For small organizations and home users running Windows XP, changing from administrator to user accounts is quite easy. Windows XP has several features that make the process reasonably straightforward.
What to expect
Running as a normal user vastly increases the security of Windows desktops. Once you get it working you’ll wonder why you didn’t make the change sooner. However, there are some differences that most Windows users are not used to:
- To install most software, you must either log in with an Administrator account, or use the “runas” capability in Windows 2000 and higher (“runas” lets you temporarily run a program under another account. In Windows XP a runas option is available by right clicking on an icon or exe file name).
- To run Windows Update you must log in as an administrator. “Runas” does not work with Windows Update.
The biggest frustration remains the software. Running as a regular user has been possible since the introduction of Windows NT Workstation in 1993, yet many software vendors still sell software that expects to have administrator rights. Common problems with software include:
- Very often the setup program installs menu options and desktop icons in the Administrator folders (C:\Documents and Settings\Administrator\Start Menu and C:\Documents and Settings\Administrator\Desktop) so other users can’t see them. To fix this, manually move or copy the items over to All Users (C:\Documents and Settings\All Users\Start Menu and C:\Documents and Settings\All Users\Desktop) and change the security permissions to allow authenticated users to see them.
- In rare cases, the software writes configuration settings to its installation directory in Program Files instead of the Windows Registry or each user’s Application Data folder. As a workaround you can enable write permissions for all users to the file.
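The two workarounds above, written as a batch script to run from an Administrator account. This is an added example, not part of the original article: `ExampleApp` and `settings.ini` are hypothetical placeholders, and `xcopy` and `cacls` are the stock Windows 2000/XP commands.

```batch
@echo off
rem Added example: ExampleApp and settings.ini are hypothetical names.
rem Run from an Administrator account or a console started with runas.
setlocal

set "ADMIN=C:\Documents and Settings\Administrator"
set "ALL=C:\Documents and Settings\All Users"
set "APP=ExampleApp"
set "CONFIG=C:\Program Files\%APP%\settings.ini"

rem 1. Copy the Start Menu folder the installer left in the
rem    Administrator profile over to All Users (/E = subfolders,
rem    /I = treat target as a folder, /Y = overwrite without asking).
xcopy "%ADMIN%\Start Menu\Programs\%APP%" "%ALL%\Start Menu\Programs\%APP%" /E /I /Y
if errorlevel 1 goto fail

rem 2. Copy the desktop shortcut too, if the installer created one.
if exist "%ADMIN%\Desktop\%APP%.lnk" copy /Y "%ADMIN%\Desktop\%APP%.lnk" "%ALL%\Desktop\"

rem 3. Let authenticated users read the copied menu items.
rem    /E edits the existing ACL instead of replacing it, /T recurses.
cacls "%ALL%\Start Menu\Programs\%APP%" /T /E /G "Authenticated Users":R
if errorlevel 1 goto fail

rem 4. For software that writes settings under Program Files: grant
rem    Change (C) on the one configuration file only, so the program's
rem    executables and DLLs stay read-only for normal users.
if exist "%CONFIG%" cacls "%CONFIG%" /E /G Users:C

rem 5. Print the resulting ACL so the change can be reviewed.
if exist "%CONFIG%" cacls "%CONFIG%"

endlocal
exit /b 0

:fail
echo Copy or permission change failed; nothing further was modified.
endlocal
exit /b 1
```

Granting write access to the single file, rather than to the whole installation directory, keeps the workaround from undoing the protection that a normal user account provides for the program's binaries.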
There are almost always workarounds for problems with badly written software. There are also several web sites where the community discusses solutions and maintains lists of software to avoid. Many tools are available to make many tasks easier. There are even some tools that can give administrator privileges only to critical software you can’t do without while maintaining normal privileges for everything else.
However, once in a while you find software that is so oblivious to security you have to use an alternative. For example, recently we looked at a personal firewall that couldn’t run unless all local users had administrator privileges!
Fortunately, the majority of software vendors have got the message and most corporate software like office suites run just fine with a normal user account. Smaller software products, especially open source and shareware, are the most frequent problems.
Getting started
Okay, so now you’re convinced that it’s time to make the change and switch to regular user accounts. Where do you start? The security community and some folks at Microsoft have started making information and tools available to help in the process.
To get started, try the following resources:
- Applying the Principle of Least Privilege to User Accounts on Windows XP (Microsoft)
- NonAdmin – “The community site for PC users who want to run without administrator privileges”
- The Non-Admin blog – running with least privilege on the desktop (Microsoft)
Conclusion
The transition to running with unprivileged accounts takes time and sometimes some fiddling to get stubborn applications to run right, but it remains the single most worthwhile change you will ever make to improve the security of the Windows desktop.
2 Responses to “The most important Windows security tool”:
May 16th, 2006 at 4:59 am
Just installed Win2K and needed this advice on what to do with the various User, All User and Administrator directories, and where the files should be placed. Your discussion is the most practical I have found.
There is a problem with the line-wrap on this text box. I was only able to leave comments by working in Notepad, then pasting. Otherwise, couldn’t see what I was writing … this is on MS IE6, the latest 2000/XP version.
May 24th, 2006 at 9:57 am
Glad you found the info helpful. One day all Windows software will be written to run as non-admin (it looks like Vista will help enforce this) and we won’t have to jump through these hoops.
Thanks for letting me know about the wrapping issue… I rarely use IE (we’re a security company, after all). I’ve inserted a hack that seems to fix that bug in IE without interfering with Mozilla and Opera browsers.