
Thread: Logon as Administrator

  1. #1
    jwirt Guest

    Logon as Administrator

    Windows Help says this about logging in as an administrator (including the Administrator account):

    Running Windows 2000 or Windows XP as an administrator makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site may have Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, and so on.

    Does this still apply when one has ZoneAlarm 6.1?

    Does logging in as an administrator still pose a security risk like this?

    John Wirt

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro
    Software Version:6.5

  2. #2
    critterjoe Guest

    Re: Logon as Administrator


    <blockquote><hr>jwirt wrote:
    Windows Help says this about logging in as an administrator (including the Administrator account):

    Running Windows 2000 or Windows XP as an administrator makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site may have Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, and so on.

    Does this still apply when one has ZoneAlarm 6.1?

    Does logging in as an administrator still pose a security risk like this?

    John Wirt

    Operating System:
    Windows XP Pro
    Product Name:
    ZoneAlarm Pro
    Software Version:
    6.5

    <hr></blockquote>


    If you are using an administrator account for your routine computer and internet use, you are at more risk than using a user account. There is a danger that you could accidentally open an email attachment or click on a malicious link (for instance one that purports to be a multimedia file but is actually an executable, etc.), or be exposed to malicious JavaScript, ActiveX, etc. If one is logged on to their computer as a user account, however, the damage is much less since any activity in executable code, etc. would be confined to the privileges of that user. Under an administrator account, malicious code could launch with potentially full administrative privileges including the ability to take control of your PC. ZA, or any firewall/comprehensive security product, does offer protection to a certain extent, but with all the evolving nature of viruses/spyware/rootkits/trojans, etc. ZA or any other firewall will not be foolproof, mainly for the fact that the human link in the chain, i.e. YOU, could click on a malicious link or open an email attachment that lets something into your system that may or may not be caught by security software. This is often referred to as "social engineering" or some trick to get you to visit a bad website or open a bad email/attachment, etc.

    There have been some Windows exploits recently where just visiting a malicious website can allow the downloading and execution of malicious code. These are patched periodically with Windows Updates, which should always be kept up to date, as well as updates in Microsoft Office products which have also had some major security problems in recent months. Again, damage would have been less operating in a user account, which might prevent malicious programs from installing or at least limit their privileges.

    So to harden one's system, it would be reasonable to have an administrator account and one or more user accounts. The administrator account would be used for maintenance of the computer, installing new software, setting program options, etc., while day-to-day activities including internet surfing can be done from your user account. It's really quite easy to do once you get used to the idea. You can even password-protect both accounts so any relative/friend who uses your computer can't change any of the administrator settings. If you and your wife use the same PC, you could have 3 accounts: Administrator, you as user, and wife as user. Either you or your wife (or both) could have access to the administrator account, too. The most-experienced of you should be the administrator. If you both are administrators, it could create some difficulty in not knowing what settings each other are choosing or changing. Because the idea of administrator and user accounts is becoming more and more common, many software programs now allow for installation in this manner, with individual options configurable according to each user's preferences, while the main program options are configurable only by the administrator. Occasionally you will run across some program you want to install that will only install and function correctly under the administrator account.

  3. #3
    jwirt Guest

    Re: Logon as Administrator

    Thank you for your detailed and informative answer.

    I will probably implement a user account. At this point the main impediment is that I understand any documents I created as Administrator cannot be viewed by the new user. This is a major deterrent.

    John

  4. #4
    critterjoe Guest

    Re: Logon as Administrator

    <blockquote><hr>jwirt wrote:
    Thank you for your detailed and informative answer.

    I will probably implement a user account. At this point the main impediment is that I understand any documents I created as Administrator cannot be viewed by the new user. This is a major deterrent.

    John
    <hr></blockquote>


    Hi. You can allow documents to be shared among various users. Windows XP has a folder called "Shared Documents". If you want to share contents of another folder with other users, you can go into Windows Explorer and drag it to the "Shared Documents" folder. Conversely, if you have folders in one user or administrator account that you don't want to let another user see, you can go to Windows Explorer then Right-click the folder, and select "Properties". In the box that pops up will be a tab called "sharing". You can put a checkmark to "make this folder private." Then if a user tries to access the contents of that folder, they will get an "access denied" error alert.

    There is a lot of info on all this in the Windows XP Help Center. Go to the Help Center and search for the topic by typing in this phrase in the search box: "Sharing files and folders overview". This is called "local sharing and security" as opposed to "network sharing". Be aware this is very different than "file and printer sharing" on a network, i.e., multiple PC's, which requires additional security steps. Unless you have multiple PC's on a network, that type of file and printer sharing should be disabled in your network properties since it can be a security risk.

    If you are both an administrator and user, you can switch back and forth between accounts by either using "fast user switching" or log on/log off (as opposed to shutdown/reboot). With fast user switching, files on both accounts can stay open in the background so you can go back and forth easily. With log on/log off, one account is closed (documents closed and saved) and the other opened. There is even a method of doing an administrative chore while you are logged on as a user. It involves selecting the program and doing a Shift-Right click on it, and choosing "Run As" then putting in your administrator account name and password. You can also do a "Run As" from a command line prompt. For more info on this topic, go to Windows Help Center and enter "run as" in the search box.

    Good luck. I hope this helps. Your mileage may vary depending on the type of network you have (single vs. multiple PC's, shared printers, etc.)

    Message Edited by Critterjoe on 11-26-2006 02:54 PM
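
The account layout recommended in posts #2 and #4 above (an administrator account for maintenance, a limited account for daily use, Run As for the occasional admin task), as an added example that is not part of the original thread. It is a Windows batch script using the built-in `net`, `find` and `runas` commands; `DailyUser` is a placeholder account name, and the script assumes it is started from an administrator command prompt.

```bat
@echo off
rem Added example: create a limited account for daily use and review who
rem holds administrator rights. "DailyUser" is a placeholder name.
setlocal
set "NEWUSER=DailyUser"

rem 1. Create the account. The "*" makes net prompt for the password so it
rem    never appears on the command line or in this file.
net user "%NEWUSER%" * /add
if errorlevel 1 goto fail

rem 2. Accounts created this way join the local Users group, which XP's
rem    User Accounts panel shows as "Limited". Confirm the new account is
rem    not also listed in Administrators (find sets errorlevel 0 on a match).
rem    Note: this is a substring match, so similar names can also match.
net localgroup Administrators | find /i "%NEWUSER%" >nul
if not errorlevel 1 (
    echo WARNING: %NEWUSER% is in Administrators - removing it.
    net localgroup Administrators "%NEWUSER%" /delete
)

rem 3. List every account that still has administrator rights, so the
rem    account used for everyday browsing can be checked against it.
echo.
echo Accounts with administrator rights on %COMPUTERNAME%:
net localgroup Administrators

rem 4. Later, while logged on as the limited user, a single admin task can
rem    be started without switching accounts (prompts for the password):
rem      runas /user:%COMPUTERNAME%\Administrator "mmc compmgmt.msc"
goto :eof

:fail
echo Could not create %NEWUSER%. Is this an administrator command prompt?
exit /b 1
```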

  5. #5
    jwirt Guest

    Re: Logon as Administrator

    Thank you again.

    I have a local network established by a router that is connected to my cable modem. The network includes a small printer server.

    I have turned off "Simple File Sharing" in order to be able to use Shavlik NetChk Protect for patch management.

    I have three machines on the network at the present time. One runs infrequently.

    I have file sharing "ON" on most of the folders on all three machines.

    I have NETBEUI installed on all three computers.

    John Wirt

  6. #6
    Join Date: Mar 2004; Location: Brisbane, Australia; Posts: 645

    Re: Logon as Administrator

    Yes, because a firewall doesn't prevent malware being delivered to your computer. A virus checker and anti-spyware programs can, but they are never perfect either.

    Because you are running XP Pro, you should always use "Limited User" as your account type for general use. XP Home can only access the Administrator account from Safe Mode so it's not a problem.

    XP has the same account types that W2K has and if you know enough to access these, you should set the account type to "Power User" for most users which provides a lot of user privileges but limited access to vital system functions including the Registry. The "User" account type is even more restrictive and suitable for guests!

  7. #7
    jwirt Guest

    Re: Logon as Administrator

    Thank you for responding. This helps. I can set up a Power User account. John Wirt

  8. #8
    critterjoe Guest

    Re: Logon as Administrator

    <blockquote><hr>FrereOP wrote:
    ... XP Home can only access the Administrator account from Safe Mode so it's not a problem.
    <hr></blockquote>

    That's not entirely correct. Any account in Home, except "guest", can be given administrator privileges. In fact, the DEFAULT account that XP Home installs is indeed an administrator account, in addition to the named "Administrator" account accessible in safe mode. That's the problem with XP Home. Millions of XP Home users (mom and pop types) are using the account that defaults on installation or purchase of their system, which is set for administrator privileges. The Help section of XP Home even warns people that there are dangers in running that way and should set up user accounts with limited privileges. Thus XP Home users have to take an active role in setting up a limited user account; those who don't do that will continue to have administrator privileges even in normal mode. I set up two accounts on my PC: User A has administrator privileges, User B has limited privileges. I try to do most of my Internet use and ordinary work on User B logon. I use User A only when I need to install some software or do some administrative/maintenance work and occasionally do some full-system scans that I can't do from the User B account.

    Home XP also has the option of setting up a "Guest" account, which is also a limited user account, but doesn't give a guest access to any files of a regular user. I keep "Guest" account disabled, since it cannot be password-protected like the other accounts.

    Message Edited by Critterjoe on 12-02-2006 05:26 PM

    Operating System:Windows XP Home Edition

  9. #9
    Join Date: Mar 2004; Location: Brisbane, Australia; Posts: 645

    Re: Logon as Administrator

    Thanks Critterjoe, your helpful comments are much appreciated. I was under the impression that XP user accounts were Limited User but that is obviously not the case.

    Hence, users of XP home should heed the contents of Critterjoe's post and take appropriate action.
