Do you "surf the Internet" from the Administrator-account?

The standard behaviour of Windows XP etc. after installation is to automatically log the user in
as administrator, using a non-password protected administrator-account.
Many home-users never bother to set up a restricted user-account
but continue to use the admin-account, maybe adding a password …

This is a HUGE security-flaw in Windows, as ANY code that executes will run with administrative privileges (or even as SYSTEM), allowing the code to do ANYTHING to your machine!!
(and I DO mean anything, it could even fry your hardware by disabling your fans
and/or mess with the voltages!!)
So, it would be interesting to know how many Comodo-users have set up restricted user-accounts,
maybe the average Comodo-user is smarter than the average Windows-user? :slight_smile:

I’m not one of the smart users ;D. I have a password for admin & admin right user account, and I have a limited account.
But I never use the limited user account ;D

(:KWL) hehe, I hear what you are saying… it IS ■■■■ annoying the way it works
(or rather doesn’t work) with restricted user accounts on windows unless you spend
A LOT of time on setting them up properly … not as easy and un-obtrusive as on linux…
I’m adding your reply as an option to the poll ;D

If they mess up my voltages, computer just won’t start, so I’ll just need to reset the BIOS. And my fans can’t be controlled from within the OS :wink:

I have a password, but password won’t really help, they’re easy to ■■■■■ ;D
Anyways, I run on an admin account, but with Defense+ I feel like I won’t need a restricted user, as it alerts me if something does something bad.

Cheers,
Ragwing

The way I see it you are basically using software to enforce something that the OS itself
really should be capable of enforcing on its own.
I seriously believe that if you disable all non-needed services, set up proper separate admin/user-accounts, practice ‘safe-browsing’ and use a good firewall (Comodo) with HIPS (Comodo again :slight_smile: ) you don’t need anything else than some AV to scan files you download …
Btw: even Windows account-passwords are not that easy to ■■■■■ from a limited account …

But the reason I’m interested in this is because:
What if all the security-software DOESN’T detect the virus (this does happen)
and it is allowed to run as admin/SYSTEM?
Wouldn’t the damage-potential be much less if the virus also had to be able to increase privileges?

And why have I never seen ONE single security-application perform a rights-check and warn the user against the potential dangers of using the administrator-account as your default account?
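A rights check of the kind asked about in the post above, as an added example that is not part of the original thread or of any Comodo product. The function names and level labels are hypothetical; it assumes Windows Vista or later (for `whoami`) with an English-locale attribute text.

```powershell
# Added example: warn when the logon session is running with administrative rights.
# Assumption: English-locale whoami output (the "deny only" attribute text is localized).
$ADMIN_SID = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AccountRiskLevel {
    param(
        [bool]$AdminEnabled,   # Administrators group is active in the token
        [bool]$AdminDenyOnly   # group present but deny-only (UAC-filtered token)
    )
    if ($AdminEnabled)  { return 'FullAdmin' }
    if ($AdminDenyOnly) { return 'FilteredAdmin' }
    return 'Limited'
}

function Get-CurrentAccountRisk {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $sid       = New-Object Security.Principal.SecurityIdentifier($ADMIN_SID)
    $enabled   = $principal.IsInRole($sid)

    # whoami lists deny-only groups, which IsInRole() does not count as membership.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $denyOnly = [bool]($rows | Where-Object {
        $_.SID -eq $ADMIN_SID -and $_.Attributes -match 'deny only' })

    [pscustomobject]@{
        User  = $identity.Name
        Level = Get-AccountRiskLevel -AdminEnabled $enabled -AdminDenyOnly $denyOnly
    }
}

$result = Get-CurrentAccountRisk
switch ($result.Level) {
    'FullAdmin'     { Write-Warning "$($result.User): every program you start, including the browser, runs with administrator rights." }
    'FilteredAdmin' { Write-Output  "$($result.User): administrator account, currently running with a filtered (non-elevated) token." }
    'Limited'       { Write-Output  "$($result.User): limited account; code must escalate privileges before it can change the system." }
}
```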

A worrying thing I recently read was that even if you are using a limited account there is some malware which can elevate itself to run with user account privileges, now this is scary :o

ps it would be hard for it to change voltages but possible.

Nice 1 Matty

Something like this, I guess. Just to give an example.

Exactly, "just like that", in the words of the late great Tommy Cooper

Nice 1 Matty

I use a limited account, it makes sense that you don’t give full privileges to every proggy you use let alone the browser. I can understand the people who don’t bother about it, and I have no idea how Linux et al. handle this, but come on it’s NOT hard in the least, setting up user accounts is just click-click.

Well if you’re careful about what you do, and where you go, and have good protection installed, it should all be good.

I use my admin profile, but I’m careful where I go and I have good protection in place.

It’s not just click-click :stuck_out_tongue: need to re-set up the wallpaper, My Documents’ content, and, c’mon, this is MY own computer, I won’t restrict myself using it ;D

One account, no password. This isn’t a public computer, but a PC (where P = personal).

“All your computer are belong to us”:
http://ph33r.org/updates/2006/6/5/windows-xp-privilege-escalation-exploit.html?currentPage=3

Linux doesn’t give you the option, it always has a separate root-account
and makes you create a user-account during installation.
(You can change that and you could just log in with the root-account but Linux-users know better.)

Oh wow, that’s a really easy method… Might try it in school sometime (doubt they have Task Scheduler disabled like me) ;D
Oh by the way, I turned on Task Scheduler to test this myself, but when the given time came, no cmd.exe was launched, and if I look in the list it says it’s scheduled to run tomorrow?
Has this somehow been patched by Microsoft to not allow svchost.exe to launch cmd.exe?

Cheers,
Ragwing

EDIT: Seems like I can’t run anything this way using Task Scheduler

It’s supposed to be not (only) about restricting what the user can do, but what malware and web-based attacks can do when run, of course, without the user’s consent or knowledge. When running as limited, what CFP calls protected files and protected registry keys are already protected by Windows itself.

Oh by the way, is there any other known way to gain access to the System account?

I suppose any of these vulnerabilities have been and will be fixed as soon as Microsoft learns about them, in Windows just like any other program…

Oh ■■■■, that’s just too bad. It would be cool to once in my life see the name System, but seems like Microsoft ruined that dream too :smiley:

I’m gonna give contradictory answers I’m afraid:

when I was on Linux (not the case anymore) I quite appreciated the fact and benefit of not being logged as root, although Linux is not supposed to be as vulnerable as Windows.

when I’m on Vista on another computer, which is not my main computer, I’m quite happy to have UAC activated and the benefit of it seems obvious.

…and when I’m on XP, on the computer that I use the most, I run it from an admin account as most of us do I suppose, a bad habit, and a habit we’ve had since 2001… I don’t feel the danger, sorry, although I quite admit there is a huge potential, as it’s so much easier for malware to spread when it’s got admin rights. But hard to realize anyway, as my PC never ever got infected. And honestly, restricted accounts really suck on XP, as there’s no fast way to bypass them like with UAC on Vista.

Adding: that’s the big difference with Linux, where most programs don’t require an admin account to run, and only system configuration software requires the root password.

I found a small utility called PsExec that will launch any process from the Local System Account :wink:
Oh anyways, it seems like it’s not able to do anything with my users (at least not from the control panel).
It says something like “‘null’ is null or not an object”.

EDIT: Found another way:
Open cmd.exe, then write this:

sc create testsvc binpath= "cmd /K start" type= own type= interact

then write:

sc start testsvc

Will probably need admin rights to create a service tho.
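For the defender's side of the `sc create` post above, an added example (not from the thread) that audits the registry for services configured the same way: a Win32 service with the interactive flag, running as LocalSystem. The function names and the list of shell and script-host names are assumptions chosen for illustration.

```powershell
# Added example: find services configured like the one in the post above.
$SERVICE_WIN32       = 0x30    # own-process (0x10) or shared-process (0x20)
$SERVICE_INTERACTIVE = 0x100   # set by "type= interact"
# Assumed heuristic: image paths that start a command shell or script host.
$shellPattern = '(^|[\\\s"])(cmd|powershell|wscript|cscript|mshta)(\.exe)?(\s|"|$)'

function Test-InteractiveSystemService {
    param([int]$Type, [string]$ObjectName, [string]$ImagePath)
    if (($Type -band $SERVICE_WIN32) -eq 0)       { return $null }   # drivers etc.
    if (($Type -band $SERVICE_INTERACTIVE) -eq 0) { return $null }
    # A Win32 service with no ObjectName value runs as LocalSystem.
    if ($ObjectName -and $ObjectName -ne 'LocalSystem') { return $null }
    if ($ImagePath -match $shellPattern) { return 'High' }
    return 'Review'
}

function Get-InteractiveSystemService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { continue }
        $sev = Test-InteractiveSystemService -Type $p.Type `
                   -ObjectName $p.ObjectName -ImagePath $p.ImagePath
        if ($sev) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Severity  = $sev
                ImagePath = $p.ImagePath
            }
        }
    }
}

# Constructed sample: the values "type= own type= interact" produce (0x10 -bor 0x100).
Test-InteractiveSystemService -Type 0x110 -ObjectName 'LocalSystem' -ImagePath 'cmd /K start'

# Live audit of this machine.
Get-InteractiveSystemService | Sort-Object Severity | Format-Table -AutoSize

# A non-zero NoInteractiveServices value stops services from interacting with the desktop.
$win = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' -ErrorAction SilentlyContinue
"NoInteractiveServices = $($win.NoInteractiveServices)"
```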