Re: How safe is a "Limited" XP account?
From: John Brock (jbrock_at_panix.com)
Date: 02/24/05
- Next message: Dan: "Re: MS and security: good effort but no cigar"
- Previous message: Ken Blake: "Re: Question on hard drive size"
- In reply to: Todd H.: "Re: How safe is a "Limited" XP account?"
- Next in thread: Todd H.: "Re: How safe is a "Limited" XP account?"
- Reply: Todd H.: "Re: How safe is a "Limited" XP account?"
- Reply: André Gulliksen: "Re: How safe is a "Limited" XP account?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 24 Feb 2005 16:39:57 +0000 (UTC)
In article <m03bvmvqyv.fsf@ripco.com>, Todd H. <comphelp@toddh.net> wrote:
>jbrock@panix.com (John Brock) writes:
>> What bad things can happen to me while using a plain vanilla
>> "Limited" Windows XP user account?
>> In general I am interested in both likely and worst case
>> scenarios. Any thoughts?
>There are more secure OS's out there.
>
>What are your goals? What need motivates your questions?
My motivation is very simple; I use a Limited account on my home
XP system, and I want to understand how much extra security this
buys me. I don't rely on it for security, and in fact I am quite
paranoid about security -- I have a hardware firewall and anti-virus
software, I have never used IE on this computer except to connect
to microsoft.com for updates, and I read all my email via telnet.
So far I seem to have avoided any viruses or spyware. I am well
aware that there are more secure OS's, and I'm appalled at how
poorly Windows is designed in terms of security. Still, you process
words with the computer you've got, and I just want to understand
the one I've got as well as possible.
I think my question really breaks down into two parts:
1) How well does the theoretical security provided by a Limited
account hold up in practice? I.e., how hard is it in practice to
"escalate privileges", and how long do bugs which allow this to
happen go unfixed?
2) How likely is it that a given piece of malware will be coded to
try to escalate privileges if it finds itself running on a Limited
user account, or even function effectively at all in this situation?
My impression is that most Windows users spend most of their time
in accounts with Administrator privileges, so maybe most virus
writers wouldn't consider it worth their effort to write code that
deals with Limited accounts. Or maybe not. I don't know, hence
my question.
I do notice that when I see lists of recommendations for securing
Windows PCs Limited accounts are often not even mentioned, and I've
wondered why that is. Maybe it's because some old or poorly designed
software won't run properly, and because you can't install most
software. Maybe it's assumed that the typical user can't be trusted
to understand and use a Limited account. Or maybe it just doesn't
add as much security as I think it does. Again, my question.
-- John Brock jbrock@panix.com
- Next message: Dan: "Re: MS and security: good effort but no cigar"
- Previous message: Ken Blake: "Re: Question on hard drive size"
- In reply to: Todd H.: "Re: How safe is a "Limited" XP account?"
- Next in thread: Todd H.: "Re: How safe is a "Limited" XP account?"
- Reply: Todd H.: "Re: How safe is a "Limited" XP account?"
- Reply: André Gulliksen: "Re: How safe is a "Limited" XP account?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
