XP Filter: I set up a non admin account for safer computing -- Am I safe enough now?
July 21, 2008 9:06 AM   Subscribe

I've read so much here lately 1 2 3 about not browsing as an admin, decided to check it out and yepper, I surely was using an admin account. I've set up a non admin account, made a few other changes (described inside), hoping to find out from The Hive Mind if I am now safe enough to breathe easy(er).

Ya'll put the fear of computer death into me, I finally decided to check and yeah, I was doing it wrong wrong wrong. So I set about trying to get my mind (and puter) right in the eyes of The Hive Mind.

I set up an account without Admin rights, and will use this for most everything from now on.

I left both accounts without passwords because of reading this post -- is this a good plan, or is this guy off the wall?

I am using a fairly fresh XP install (maybe two months) and I'm pretty sure I'm still clean -- I've run Spybot and AdAware, updated as needed, maybe every couple weeks.

I'm using AVG Anti-Virus Free and update it as it says it's needed.

I'm using the ZoneAlarm free firewall -- I LOVE that it allows me to determine when software decides to 'call home' and I get to decide -- Apple is pretty determined with this, I've found, and so is Open Office, a few others.

I've got Windows Auto Update turned on but not to auto download and install -- I want it to prompt me and let me decide if and when.

I'm using MS Windows Defender and upgrading as it suggests.

I'm using Firefox 3 upgraded automatically any time they suggest, and running AdBlock Plus and NoScript, updated when suggested.

If any site gives me problems in Firefox, I first try Opera (updated as needed) and then IE7, last resort. I run IE Tab through Firefox rather than firing up IE7, and I only use it on sites that demand IE7 (NetFlix, Sprint, a couple of others) -- I'm hoping this helps me but I don't actually know if it adds safety or not. I update IE7 as Windows Update suggests, pretty sure I'm always current.

I'm using Foxit PDF rather than Adope bloatware.

"Aye" suggested Disabliing all AutoRun and AutoPlay options with TweakUI (a Microsoft PowerToy) is this needed/wanted?

What have I missed? Where have I gone overboard? I want safety but don't want to live locked down so hard I cannot move.

Thanx in advance.


posted by dancestoblue to Computers & Internet (13 answers total) 11 users marked this as a favorite
Response by poster: Whoa -- Just logged in using my new 'neutered' account and found that it's like a fresh start on XP -- how can I get it to use the setup I've created for my Admin account ie Start Menu and misc settings and programs -- none of which now show up on my new Start Menu. Will I have to set up Firefox all over again ie all of my add-ons and bookmarks et all? Even the wallpaper on the new setup is NOT the wallpaper on the Admin account (the account which I'd been living with up til now.) HELP!!


posted by dancestoblue at 9:32 AM on July 21, 2008

Yep. Those are two different accounts, thus they have two different profiles (bookmarks, etc).

No, I dont consider running without passwords to be safe. Pick nice strong ones.

You can give yourself needed rights from your admin account. Lets say you need write access to the trillian folder (you will if you run it) then give 'users' modify rights to it.

Lastly, as admin you can play with gpedit.msc to make system-wide changes, give yourself extra rights as limited, etc.
posted by damn dirty ape at 9:45 AM on July 21, 2008

Best answer: Also you can make your limited account the admin and change your other account to limited user if its such a pain to move things.
posted by damn dirty ape at 9:46 AM on July 21, 2008 [1 favorite]

In my experience more problems are caused by accidentally clicking on things and installing things than some evil virus worming its way into your system unbeknowst to you. That being said moving to a limited account will prevent this since you lose the right to install without that admin account. So, to adjust your profile and get your settings/background/etc back do this.

1. Create a new user (this will be a throwaway account we will use just for this process).
2. Reboot
3. Log in as new user
4. Right click My Computer and go to Properties, click on the Advanced Tab and halfway down there's a "User Profiles" settings box. Click that.
5. Select the account you used to use to do everything and choose "Copy To"
6. Select C:\Documents and Settings\NewLimitedUserAccount\
7. Change the permissions to "Everyone" (no quotation marks), and click copy.

That could take a minute depending on how large the profile is but this will copy over all of your settings to your new profile. Once done relogon as the admin and delete that throw away account and you can begin using the limited account with all your settings in place.
posted by genial at 10:07 AM on July 21, 2008

Put passwords on both of those accounts and you're probably safe. You're actually getting borderline paranoid with the level of things that you're doing, but whatever floats your boat...

On my XP machine at home, I don't even run antivirus or antispyware, and I don't have any firewall besides the built-in Windows Firewall and my wireless router acting as a hardware firewall. I think contrary to a lot of the FUD out there, this is probably fine for a lot of people. For most people, though, including my mom or non-tech-savvy users, a simple application like the free versions of AVG or ThreatFire will probably do very well.

As genial sort of implied, I see many more problems caused by software that is not exactly malicious but very annoying and invasive than with viruses or spyware.
posted by joshrholloway at 10:16 AM on July 21, 2008

From the article:
"Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password (emphasis mine)." Don't use a password- use a passphrase. For instance, I could use "jmd82 rocks the c@sb@h!" for MeFi. Easy to remember and infinitely more secure than a blank password. And passwords beyond 14 characters are very hard to crack using brute force.
posted by jmd82 at 10:24 AM on July 21, 2008

Also you might want to play with DropMyRights which looks like a simplification of doing a runas as a limited user. This way you can stay logged in as admin. Its more risky, but might be good for some people who dont want to go whole hog.
posted by damn dirty ape at 11:00 AM on July 21, 2008

Best answer: What you've done is pretty good.

I wouldn't even bother with Anti-virus unless you plan on actually downloading and installing crap from random sites. Usually they do more harm than good.

However, let me suggest this as a safer alternative: don't browse the web from your primary OS installation at all.

Download Virtual PC and setup a VM from which you browse the web, and turn on the HD journaling feature where changes are not committed to the virtual drive unless you choose to commit them. This way, it doesn't freakin' matter if you get infected. You only infect the VM and you blow the changes to the virtual drive away every time you shut it down, thus every time you fire it up it's a clean slate.

The only down side is you lose your history (but you should be able to find a favorites-in-the-cloud service that you can use to sync bookmarks every time you fire it up). And you have to login to sites like gmail every time because you blow away the "remember me" cookies as well.

But really, you can't get much safer. Hardware hypervisors are the only safer way to go.
posted by jeffamaphone at 11:07 AM on July 21, 2008 [2 favorites]

Also, Windows Zones is a pretty decent product that gives you Vista-like privilege reduction.
posted by jeffamaphone at 11:09 AM on July 21, 2008

I'd second disabling autoplay, although it really shouldn't be necessary if you are actually running as a non-admin. There are plenty of USB "infections" going around, and disabling autoplay generally stops them.

I'd avoid DropMyRights. Go whole hog.

I use the Windows firewall and don't bother with antivirus.

Use strong passwords, or better yet, passphrases.

I've never had a problem as long as I do these things. And I've been using Windows desktops for a long time.
posted by me & my monkey at 11:54 AM on July 21, 2008

Best answer: I generally recommend setting up a new admin account (called Admin) rather than a new limited account, setting Admin up for convenient computer housekeeping, then using Admin to change the account type of your existing user account from Computer Administrator to Limited Account. Saves all that tedious mucking about with moving your user profile into the new account, which occasionally breaks things even if done exactly right.

I like to set the Admin desktop up as follows:
  • Really ugly wallpaper to discourage hanging around in there - the inbuilt Windows XP one is good for this
  • Quick Launch bar enabled, with only the following items on it:
    • Show Desktop
    • Maintenance Notes - a shortcut to Admin's Documents\Maintenance_notes.txt, in which I keep a log of all the stuff I've done while logged on as Admin
    • Add/Remove Programs - from the Control Panel
    • Installers - a shortcut to Admin's Documents\Installers, a folder containing subfolders which, in turn, contain the setup programs for software I've downloaded and installed; for example, Admin's Documents\Installers\Mozilla would contain installers for Firefox and Thunderbird
    • All Users Desktop - a shortcut to the folder C:\Documents and Settings\All Users\Desktop
    • User Accounts - from the Control Panel
  • Hidden files, system files and extensions for known file types all set visible in Tools->Folder Options->View
  • Hide Inactive Icons turned off for the system tray
  • Desktop Cleanup Wizard disabled
  • My Documents and My Computer as the only enabled icons under Display Properties->Desktop->Customize Desktop
Inside All Users Desktop, I like to create a subfolder called Shortcuts. When software installers leave desktop shortcuts behind, I like to open All Users Desktop (using my handy QuickLaunch button) and drag any shortcuts found in there to Shortcuts. That way, my limited accounts don't end up with a rash of desktop shortcuts they don't have permission to shift; instead, they can copy and paste what they need out of Shortcuts to their own local desktops. Some installers insist on leaving desktop shortcuts in Admin's local desktop instead of the All Users desktop. If the software concerned is intended for non-admin use, it's convenient to copy those, paste them into Shortcuts, then delete them (don't just drag and drop them into Shortcuts, or they will end up with NTFS permissions that make them useless to your limited accounts). A similar manoeuvre may be needed to make some software's Start menu shortcuts available to accounts other than Admin. I don't generally make QuickLaunch shortcuts to C:\Documents and Settings\Admin\Start Menu\Programs or to C:\Documents and Settings\All Users\Start Menu\Programs, since these can be conveniently opened with right-clicks from the Start Menu.

Use a strong password on the Admin account. This allows you occasional use of the Run As feature from inside your limited account, for those times when fast user switching is too slow to do some footling little admin task. Incidentally, because the standard Windows file selection dialog actually has most of the functionality of the Windows Explorer file browser, just firing up something like Notepad or Paint using Run As and then using its File->Open menu item is enough to let you do simple administrative file maintenance tasks without needing a full desktop environment switch.

You should also lock down the normally-hidden inbuilt Windows administrative account, Administrator. Easiest way to do this is to open a cmd window (Start->Run->cmd), enter

net user Administrator *

and then type a password when prompted. Using the same password as for your Admin account is fine.

In my opinion, Windows Defender is more trouble than it's worth. AVG 8 Free's inbuilt antispyware does a better job, and I wouldn't bother running both.
posted by flabdablet at 7:30 PM on August 16, 2008 [5 favorites]

Best answer: Here's the best way I know to disable all the Autorun/Autoplay stuff on a Windows box. Unlike other methods, it doesn't need to be repeated for each user account, and it doesn't involve the complete loss of device-insertion detection.

The long version: Microsoft KB953252

The short version for XP: download and save disable-all-autoruns.reg (sorry about the bogus MIME type) and Microsoft update KB950582, then use your Admin account to install the update, restart Windows, then double-click disable-all-autoruns.reg from your Admin account to add the appropriate registry values.

You should then find that USB devices, CD's and whatnot will be correctly identified and assigned drive letters etc. on insertion, but that their autorun stuff doesn't run, and that double-clicking them in Windows Explorer will open them rather than executing an autorun.
posted by flabdablet at 5:09 PM on December 29, 2008 [1 favorite]

I changed ISPs, so disable-all-autoruns.reg now has a new home.
posted by flabdablet at 1:33 AM on April 9, 2009

« Older Help My Stepsons Not Be Bored in the Bay Area   |   Hello, Maytag Man? Newer »
This thread is closed to new comments.