The majority of users, even here on the avast web forum, choose to log in using a full admin rights account on their computer, but to log in with limited rights brings you a lot of benefits. Roger Grimes, who once snarled at the protective actions of Windows Vista’s UAC, now mentions four large benefits of working with limited user rights.
One - you are protected against 90% of today’s malware. “Miscreants can code around this if must be, but loads of malicious programs cannot run on a machine with limited rights.”
Second - It is much, much harder for malware to make changes to your system that way. Even in user-mode, malware can do quite some form of damage, but not being able to manipulate the system offers a form of added protection that users with full admin rights have to go without.
Third - It is harder for malware to hide from av-software and forensic experts and malware fighters. “Malware that has full access to the OS can hide as a rootkit, hide in memory more easily or use other obfuscating techniques.”
Four - So using limited rights helps malware fighters to take care of the rest of your defenses better, that is why it is desirable and necessary to follow this practice. The castle with four gates is less easy to defend than one with just one single gate to watch.
I have my moments ;D
I recognised this prevention of malware inheriting the permissions of your account, either eliminating or limiting potential damage.
For those without Vista and UAC there is DropMyRights.
You might also consider proactive protection; in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP. Check Bob’s post for setup instructions and, importantly, the dropmyrights.msi file needed, as MS no longer promote DMR now Vista is out.
But if possible run as a limited user in preference to using an account with administrator privileges.
When I got the computer that I write this posting on now, I thought of your advice, and this is what I did. I created two accounts on this machine, one with full admin rights with SafeXP just to do my patches and updates, and a second one with normal user rights (so limited rights) and SafeXP for my Internet Activities etc. Believe me, I would do it again,
So are Vista users protected who have UAC enabled on an administrator’s account? And when malware would try to install, would that invoke a UAC elevation prompt, or would you not even know it happened?
UAC is supposed to limit permissions even in administrator accounts, I believe. The problem being we are still seeing lots of Vista users getting infected, so unless they all have UAC disabled, it isn’t as good as it is made out. Unless UAC doesn’t protect accounts with administrator permissions.
So a limited user account wouldn’t have permission by default even if the UAC didn’t work. That is my understanding but I don’t use Vista.
The main problem I have come across with Vista is - and I quote - “I got fed up with that uac pop up thing so I turned it off”. Hmm, wonder how they were infected
UAC draws your attention to anything new happening to your system.
Pretty much the same WinPatrol does.
If you simply allow the new process or installation without knowing exactly what you’re allowing, UAC or WinPatrol or anything else you use to alert you is useless.
As essexboy said PBKAC, there are so many things within the user’s control, unfortunately most don’t really know what response to give when one of these pop-ups appears.
You mean DavidR can be wrong?? :o :o NO Way!! I’ve learned a great deal from him.
What bothers me is when you go to some Vista forums the first thing some of the regulars tell new people is to turn UAC off, making Vista even less secure than XP.
And that is why the situation at hand (very, very profitable for some) will continue to exist, you have seen yourself that without the free possibilities for system change and an updated Sun Java version (older versions manually removed) we would not have the “virus and worms” flooded with Win32:BHO-KD and Win32:TratBHO infections as well as the latest vundo malware, where av-vendors can detect but not offer any full remedy, and essexboy, oldman, mauserme and little old me have their hands full with cleansing routines. If users would use secure, safe practices we could go back to crap cleaning and deleting temporary files,
How do you think I learn? By making mistakes, learning from them and trying not to repeat them.
But, I wouldn’t go so far as I am never wrong, it happens to everyone and I’m no different ;D
Yawn, looks like another topic on its way to hell in a hand basket.
I never laid claim to its invention or anything like it, but had you been here for any time you would have seen how much I pushed people to use dropmyrights pre Vista when XP users had no such convenience of UAC.
Yes, and that makes you unique how? You the only one in the whole wide www using and recommending dropmyrights and similar methods?
Anyhow I have no beef with you David, and I know it’s not your fault the thread was titled this way that seems to give you a lot more credit than you actually deserve, but I was just amused at how Polonus (as usual) is making a mountain out of a molehill.
Besides how are you “right all along”? Just because Roger (I can smash sandboxes without trying) Grimes changes his mind on the importance of UAC, doesn’t mean you automatically “win” the debate (not saying I am against UAC, just saying I doubt Grimes saying something is going to convince people who are dead set against the idea…)
Anyhow I have no beef with you David, and I know it's not your fault the thread was titled this way that seems to give you a lot more credit than you actually deserve, but I was just amused at how Polonus (as usual) is making a mountain out of a molehill.
I am sure Polonus titled this thread as he did because he was addressing members of this forum and David was the most outspoken member on this forum for DropMyRights.
Hmm I got a PM from a long time and respected member here.
What he says confirms what I have observed.
“Have you noticed how these forums went to hell last few months? It is incredible what’s happening here and I sure don’t like it. They are gathering here in these forums, and all this started to look more like some kind of a temple full of lunatics and fanboys”
“I am visiting these forums for the last few years, have many friends in here, but it looks like all of a sudden even I am not allowed to say anything that’s actually the truth in real life, but not approved by “them”. They simply censor everything immediately, same second you try to say something they don’t like.”
“It looks like they have few “icons” in here and no one can touch them. Every single thing they say, even when it’s complete nonsense, visitors in this forum take for granted and they blindly believe everything they say.”
“I hate when they gather like wild dogs, and jump on every single word you say in this forum… it is crazy and it is something stupid IMHO.”