csas 2009 running windows as a non-administrator or how i learned to love “user” by: kasey...
Running Windows as a Non-Administrator
• Here is what we are going to talk about today
– Why should I be running as a non-administrator on my machine?
– How do I run my machine properly as a non-administrator?
– Common misconceptions surrounding running your machine as a non-administrator
Why should I be running as a non-admin?
• Here are 4 reasons you should not run as administrator
– You could potentially lose control of your entire system
– Remote code execution
– New services can be installed or old services can be stopped
– You could potentially become a risk to the entire UI Network
How do I run as a non-admin
• So, now that I have successfully put the fear of being an administrator into you, what should you do?
– Run as a user
– Use software / hardware to allow problematic or legacy programs to run with the rights they need
– Employ different software / hardware solutions to allow users' machines to be kept in a known good working state
Running as a user
• What is UAC?
• Benefits of having a separate admin account to make changes.
• Can you remotely work with UAC?
• Drawbacks for using UAC.
Running as a user
• What is UAC
– (User Account Control) The management of user accounts in Windows Vista. Because malware has greater control of the computer when it is running in administrator mode, UAC was designed to enable more users to run their computers as a standard user rather than as administrator. A computer is more secure against attack if it is running with fewer privileges.
– ZDNet Definition for UAC
Running as a user
• What is UAC - continued
– Admin Approval Mode
The default mode in UAC is the Admin Approval Mode, which requires administrators to approve functions that were allowed in Windows XP without a prompt. For example, although standard users are unable to add programs, a user running as administrator does have the right to install new applications. However, in order to prevent unwanted programs from being slipped in "under the covers," the administrator must approve any installation first.
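An added example, not part of the original slides: a read-only PowerShell check of what Admin Approval Mode means for the current session. It assumes `whoami.exe` is available and reads the standard UAC policy values `EnableLUA` and `ConsentPromptBehaviorAdmin`; the summary strings are illustrative.

```powershell
# Added example (not from the original slides): report how this logon session
# relates to UAC. Read-only; run it from a normal, non-elevated prompt.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# True only when the Administrators SID is *enabled* in this token (elevated).
$elevated = $principal.IsInRole($adminRole)

# whoami lists every group SID in the token, including ones UAC has marked
# "deny only". /nh drops the localized header so the columns can be named here.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$inAdminGroup = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

# Machine-wide UAC policy values.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey

$summary = if (-not $inAdminGroup) {
    'Standard user: admin tasks need a separate admin account and its password.'
} elseif ($elevated) {
    'Elevated administrator: everything in this session runs with full rights.'
} else {
    'Administrator with a filtered token (Admin Approval Mode).'
}

[pscustomobject]@{
    User                       = $identity.Name
    InAdministratorsGroup      = $inAdminGroup
    Elevated                   = $elevated
    # 0 means UAC is switched off entirely.
    EnableLUA                  = $policy.EnableLUA
    # 0 means administrators elevate without any prompt.
    ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    Summary                    = $summary
} | Format-List
```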
Running as a user
• Benefits of having a separate admin account to make changes
– There are already exploits for bypassing UAC when your account is already an admin
– UAC will ask for a password
– Access to network resources can also be handled differently
– Run as a different user without having to grab the Sysinternals run as utility (just select Run as Administrator)
– Eat your own dog food (when managing other users)
Running as a user
• Can you remotely work with UAC?
– Microsoft's RDP works properly
– There are limitations with other remote client software
Running as a user
• Some common drawbacks for using UAC
– Access to network resources is different (don't expect your U: drive to be available in another session)
– Windows Explorer cannot be run as another user, use xplorer or another alternative
Using software to solve problems……
• Use software / hardware to allow problematic or legacy programs to run with the rights they need
– Application Issues
– Virtualization
– Maintaining the integrity of my system
Using software to solve problems……
• Application Issues
– Problems running
– Writing data to profile folders (redirection necessary)
– Security (managing file and registry permissions)
– Working with the vendor
– Using tools like Process Monitor to watch usage
– Viewing registry before and after
Using software to solve problems……
• Virtualization
– ThinApp
– App-V
– Sandboxie (also can be used to determine registry and file permissions needed for application)
Maintaining the integrity of your systems
• Employ different software / hardware solutions to allow users' machines to be kept in a known good working state
– Using AD sourced accounts
– Maintaining the system
– Default user profile
– Shared computer toolkit/Deepfreeze / SCCM (App-V)
Maintaining the integrity of your systems
• Using AD sourced accounts
– Maintaining access
– Disabling and deleting local admin access (physical access to machine allows break-in if necessary)
Maintaining the integrity of your systems
• Maintaining the system
– Auto-updates
– Installing new software
– Managing "All Users" content
– Sysprep
Maintaining the integrity of your systems
• Default user profile
– Common configuration
– How to...
– Redirecting folders to U: drive
How do I run as a non-admin – recap
• How do I run as a non-admin
– Run as a user on your machine
– Using software to solve problems……
– Maintaining the integrity of your systems
Common Misconceptions
• So now let's talk about some common misconceptions about not running as an admin on your machine.
– #1 – I will not be able to do my job unless I am logged in as an administrator
– #2 – I will not be as productive on my machine as I was as an administrator
– #3 – I really just don’t want to…..