XP Administrator Accounts Best Practices


RSLancastr
6th June 2006, 01:16 AM
Is it considered a "best practice" to generally use a limited (non-Administrator) XP account, and only use an Administrator-type XP account when performing functions which require it (installing certain programs, etc)?

I am relatively new to XP, and am not even clear on what types of activities require an Admin account.

Vitnir
6th June 2006, 02:01 AM
Yes, that would be a good idea that I don't follow myself; I have it set on my wife's computer though. Some programs like motherboard sensors may not load and you might not be able to run windows update in a user account.

ShowMe
6th June 2006, 06:27 AM
Is it considered a "best practice" to generally use a limited (non-Administrator) XP account, and only use an Administrator-type XP account when performing functions which require it (installing certain programs, etc)?

I am relatively new to XP, and am not even clear on what types of activities require an Admin account.

It is certainly a "best practice".

Quite often it is not a "practical practice". Many programs require full rights to the directories they use, as well as to certain registry keys.

Quite often it can take more time than it's worth to get the rights set up well enough so that programs work, but the user is still somewhat restricted.

I usually wind up making a base image using Symantec's GHOST program and let my users know that, if they screw the pooch somewhere along the line, I'll copy their documents folder & drop a new image on the system. But most of my users are fairly technical and it's not usually a problem.

RayG
6th June 2006, 08:27 AM
I'm a huge advocate for using limited instead of admin accounts. For most day-to-day operations the typical user won't notice any difference in using a limited account, and the benefits greatly outweigh any minor disadvantages.

This webpage (http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx) describes why it's best not to run as an admin (which is the default setting in Windows XP).

At home I have 4 systems connected 24/7, and all of them are running as limited accounts. It's nice not having to deal with viruses and spyware. :D

More info on running in a limited account:

http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
http://nonadmin.editme.com/RunningAsNonAdmin

RayG

RayG
6th June 2006, 08:30 AM
Some programs like motherboard sensors may not load and you might not be able to run windows update in a user account.

I have no first hand knowledge of the first problem, but the second is easily solved by ensuring your computer is set for automatic updates, and then, once a month switch over to the admin account to download and install the updates.

Works for me. :)

RayG

RayG
6th June 2006, 08:48 AM
It is certainly a "best practice".

Quite often it is not a "practical practice". Many programs require full rights to the directories they use, as well as to certain registry keys.

Most times this is solved by installing the program from the limited account using admin rights. I've had very few, if any, programs give me major headaches so far.

Quite often it can take more time than it's worth to get the rights set up well enough so that programs work, but the user is still somewhat restricted.

Depends on the environment. I find it easy to keep my 4 home systems running smoothly, and a single system should be a piece of cake. :cool:

I usually wind up making a base image using Symantec's GHOST program and let my users know that, if they screw the pooch somewhere along the line, I'll copy their documents folder & drop a new image on the system. But most of my users are fairly technical and it's not usually a problem.

Sounds like your environment is not a home one. At the local community learning center they use a program called Deepfreeze (http://www.faronics.com/html/deepfreeze.asp) though that's not exactly a cheap solution for a home user. It's extremely effective, and a reboot automatically re-sets the computer desktop, and eliminates any downloads or installations. (sorry, I'm wandering)

Bottom line, switching to a limited account is safer than running as an admin, and I highly recommend it.

RayG

ShowMe
6th June 2006, 09:13 AM
Sounds like your environment is not a home one.

True, I'm writing from a system administrator perspective. My users are mostly consultants who have to constantly load things onto their laptops for demo & testing purposes. Limited accounts just don't work in that situation.

The rest of my users are office workers who only utilize the programs that they need for their job. Firefox and Opera have alleviated a lot of the spyware problem.

In a home environment, especially one with kids, I would certainly recommend limited accounts. If you have machines that remain fairly static it's the best way to go.

Psi Baba
6th June 2006, 10:59 AM
It is certainly a "best practice".

Quite often it is not a "practical practice". Many programs require full rights to the directories they use, as well as to certain registry keys.

I have to agree with this. After dealing with this issue with Windows 2000 Professional (which basically forces it on you, unlike XP), I gave in. In my office I wanted to set other users up as Power User (whatever the highest level is under Admin), which, according to Windows, allowed installation of most software, while not allowing changes to be made to the operating system. Baloney. I have yet to find one program that can be installed under this setting. I discovered the biggest problem was that without Admin privileges you can't create a subfolder in the Program Files folder! WTF? How far do you expect to get like that? Also many things like HotSync for PDAs and such require admin privileges. And it's loads of fun to install software as Admin and then log on as a user and not be able to access the software you just installed.

Tez
6th June 2006, 12:08 PM
The short and sweet answer, if you're not completely paranoid but want some level of safety, is this: if you are sometimes going to surf the web and go to somewhat "dubious" websites, then create another (limited) account specifically for such surfing. Go to "start/switch user" when you want to toggle back and forth between this and your main user account (which should have administrator privileges unless you're some sort of masochist...)

Darat
6th June 2006, 12:11 PM
Is it considered a "best practice" to generally use a limited (non-Administrator) XP account, and only use an Administrator-type XP account when performing functions which require it (installing certain programs, etc)?

I am relatively new to XP, and am not even clear on what types of activities require an Admin account.


Yes, yes, yes, yes, yes! :)

You can also use the "Run as" command on the right-click menu; this allows you to run the application as any account you know the password of.

Darat
6th June 2006, 12:16 PM
Mutters nasty words at all the people saying this is too much of a hassle. People complain about Windows "lack of security" and then run their system in a way that bypasses the biggest single security feature!

(OK MS has and does seem to encourage this by making the first user or the installer of the system an admin as default.)

Darat
6th June 2006, 12:19 PM
And furthermore - I've read a lot of people complaining about how Vista has adopted an approach very similar to OS X with its constant checking and asking for an admin user/password combo before allowing you to install anything that touches the OS.

It's like saying "I want my house to be totally secure but I don't want to install locks or doors", nice in some fantasy world but it ain't going to work in the real world.

RayG
6th June 2006, 02:20 PM
I discovered the biggest problem was that without Admin privileges you can't create a subfolder in the Program Files folder! WTF? How far do you expect to get like that? Also many things like HotSync for PDAs and such require admin privileges. And it's loads of fun to install software as Admin and then log on as a user and not be able to access the software you just installed.

What I do is install new programs while logged into the limited account, but install it AS the administrator (right-click > Run as...) and it will create folders in the Program Files folder as necessary. I've had very few problems using this method.

RayG

strathmeyer
8th June 2006, 10:20 AM
Mutters nasty words at all the people saying this is too much of a hassle. People complain about Windows "lack of security" and then run their system in a way that bypasses the biggest single security feature!

Microsoft Windows forces people to run their system in a way that bypasses the biggest security feature (because many programs require the user to be running as the Admin account; this is why Microsoft requires developers to have admin rights on their development machines), and Microsoft Windows's biggest security feature isn't very good at ensuring security.

kevin
8th June 2006, 08:22 PM
Run as Power User. Normal user is currently too limited (can't change mouse settings? How retarded is that?) Hopefully this is fixed under Vista (although their current implementation is worse.)

Power User can install some software, but not very much. Power User gives you read/write over some of the Local Machine registry and the Program Folders directory. It can also change things about some of the hardware (like mouse settings!)

Unfortunately most spyware has learned how to install itself with power user permissions.

Cute trick:
Rename your administrator account to something else. Create a new account named Administrator with Guest privs only. Disable the fake Administrator account.

Hellbound
9th June 2006, 08:29 AM
Cute trick:
Rename your administrator account to something else. Create a new account named Administrator with Guest privs only. Disable the fake Administrator account.

I do this myself. I renamed "Administrator" as something else, and then renamed the "Guest" account as "Administrator" and disabled it. This prevents some casual hacking, but there is a problem, however.

Many of the exploits and tricks to access an account look at the user SIDs, rather than the name. And the SID for the Administrator account always ends in -500 (IIRC). So, a determined hacker can still find it easily, but it prevents some of the lower-skill people and poorly written exploits from accessing it (essentially, helps protect against brute-force password guessing and the like).

Another good idea, if you do this, is to turn on monitoring for the fake admin account. That way, you get a notice in your event log if someone's been trying to log in (even if the account is disabled).

It can be a pain trying to get software installed, even as a Power User. Most installs need the "Run As" command, and to be run as an Admin account. This generally takes care of things. I have run into a few issues with poorly designed software that require you to log in with the Admin account to function. Kodak's EasyShare (that comes with their digital cameras) is one particular case...it runs at login, and if you aren't Admin it won't work.

There is software that allows you to assign Administrator rights to a particular program or folder. I've used it before, but can't recall the name now (of either the company or the software). It encrypts all the program information, the software itself can only be run as admin, and it records signature data for the executables granted admin rights. It requires you to reset the signature when you update a program, but it generally allows Admin-required software to run when the user is logged in via a non-admin account. I found it useful...I wish I could remember the name. I think the company name started with a "V", and the software was N-something. I'll see if I can recall any details if you're interested.

Morrigan
9th June 2006, 09:00 AM
Where I worked before, we had basic accounts and no admin access at all, even the dev team. Even installing small programs was an irritant (no access to the Program Files/ directory, no access to the registry - lots of applications use it to save settings). It was a real pain. To install software we always had to request permission from the system dept., which was a waste of time (there was no actual reason for such extreme security, we weren't in a bank or anything).

One day we had a new boss who agreed with us that it was absurd to treat the developers like children, and he had everyone in our team become "power users" (like the "guest"/regular accounts, but with extra privileges - not quite an admin) with access to the admin account. Our regular user accounts could install most software, and could be used to function well daily without being too restricted, but for some of the "touchier" stuff, we could still temporarily login as an admin, do our work, then relogon as a power user and resume our work.
It worked quite well. I'm no longer at that job, and here I'm an admin, and it's fine, but I'm also not a moron. ;)

kevin
9th June 2006, 10:42 AM
Many of the exploits and tricks to access an account look at the user SIDs, rather than the name. And the SID for the Administrator account always ends in -500 (IIRC). So, a determined hacker can still find it easily, but it prevents some of the lower-skill people and poorly written exploits from accessing it (essentially, helps protect against brute-force password guessing and the like).

Very true. I wrote the program we use to rename accounts and I use this trick to make sure I'm renaming the correct admin account. It's pretty easy for even unprivileged accounts to dump SIDs and identify the real admin account. This mainly is a dodge against scripts looking for administrator accounts with weak passwords and the unknowledgeable user.
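
Added example (not part of the thread, and not the renaming program kevin mentions): the check Hellbound and kevin describe, in Python, identifying the real built-in Administrator by its RID of 500 rather than by name and confirming the decoy is disabled. The account names and machine identifier values are constructed, and `parse_sid`, `make_sid` and `audit` are hypothetical helper names.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary Windows SID into its S-1-5-21-... string form."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])       # 32-bit, little-endian
    return "-".join(["S", "1", str(authority), *map(str, subs)])

def make_sid(*subs: int) -> bytes:
    """Hypothetical helper: build a constructed NT-authority (5) SID."""
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def audit(accounts):
    """Classify accounts by SID, not name. Returns (name, sid, finding) tuples."""
    findings = []
    for acct in accounts:
        sid = parse_sid(acct["sid"])
        # Account SIDs are S-1-5-21-<three machine values>-<RID>; RID 500 is
        # the built-in Administrator whatever it has been renamed to.
        parts = sid.split("-")
        builtin = (sid.startswith("S-1-5-21-") and len(parts) == 8
                   and parts[-1] == "500")
        named_admin = acct["name"].lower() == "administrator"
        if builtin and named_admin:
            findings.append((acct["name"], sid, "built-in admin still has default name"))
        elif builtin:
            findings.append((acct["name"], sid, "renamed built-in admin (RID 500)"))
        elif named_admin and acct["enabled"]:
            findings.append((acct["name"], sid, "decoy is enabled: disable it"))
        elif named_admin:
            findings.append((acct["name"], sid, "decoy, disabled"))
    return findings

# Constructed sample: machine identifier values and account names are made up.
MACHINE = (21, 1111111111, 2222222222, 3333333333)
SAMPLE = [
    {"name": "Administrator", "sid": make_sid(*MACHINE, 501), "enabled": False},  # renamed Guest
    {"name": "maint-ops", "sid": make_sid(*MACHINE, 500), "enabled": True},       # real admin
    {"name": "alice", "sid": make_sid(*MACHINE, 1003), "enabled": True},
]

if __name__ == "__main__":
    for name, sid, finding in audit(SAMPLE):
        print(f"{name:<14} {sid:<46} {finding}")
```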

RSLancastr
9th June 2006, 12:07 PM
Run as Power User. Normal user is currently too limited (can't change mouse settings? How retarded is that?)

Well, the OP was about XP (Home edition - although I neglected to mention that), and as far as I can tell, it has only two types of users: "Limited" and "Computer administrator."

Hellbound
9th June 2006, 12:38 PM
Well, the OP was about XP (Home edition - although I neglected to mention that), and as far as I can tell, it has only two types of users: "Limited" and "Computer administrator."

Home Edition pretty well limits your options. I use Pro myself.

I seem to recall that I was able to access the traditional users interface on a Home machine, but it's been a while since I've played with it. IIRC, I either copied the users control panel from another machine, or accessed it through Control Panel (classic view), Admin Tools, Computer Management.

But I may very well be misremembering. I'd offer to test it but we don't have anything still running XP Home.