Running as NON-ADMINISTRATOR

(question moved to top so you don’t have to read my non-admin rant/request if you don’t want to)

I actually have a help question as well, relating to CPF in a non-admin environment.

Q: When I log off of my restricted user, then log in to my admin user, then log back in to restricted, sometimes the CPF icon goes away from the systray. Also sometimes it reports all monitoring is off. But I did not turn it off. Is there anything that can be done about this? I like to see the icon in the tray :)

Hello Comodo users,

Does anyone here run in a NON-ADMIN environment?

A site with very detailed information on this is here: http://nonadmin.editme.com/


Basically it is this in a nutshell:
Your computer should have ONE “administrator”, that is, ONE user account with Administrator privileges. All other user accounts, ESPECIALLY those that you use day to day and connect to the internet (browser, email, etc.) should be “RESTRICTED USER” accounts. When you accidentally open viruses or visit website pages that could automatically infect your computer – if you are running as a restricted user, they usually will not be able to, because the software will not have “full administrator rights” over the system. It’s not 100%, but it closes a lot of doors, and at this point is definitely good security practice.

So in comes the issue… programs! Programs need to be written to be more friendly for users running in a restricted environment. On the site I listed above, there are lists of programs that don’t always work out of the box (without modifications, or privilege escalation) in a non-admin environment.

I would think that a company like Comodo would want to push this idea more, and make their products with installation or configuration options for non-admin environment users.

Here’s an important question: Who can modify rules in Comodo Firewall?

I think the answer is: Everyone.

But perhaps switches for different levels of control for different users? Example: 1 setting where all users can modify all rules, 1 setting where only administrators can modify rules, or 1 setting where administrator user specifies what a list of users can do.

I realize that it would be quite annoying (and much more secure?) to restrict regular users from being able to add new rules when they add new software (Should they be?).

But perhaps it could be a little easier than that… perhaps on each desktop, or in the pop-up alert, there could be a FIREWALL RULES icon (or something with a better name to reflect the process I’m about to describe). When executed it would of course ask for the Administrator user password (it’s going to run-as admin), it would then show a list of RECENT (by default, last 1 hour) blocked accesses, WITH THE NAME OF THE SYSTEM USER who was blocked, and an ALLOW DENY button there.

Annoying extra-step, but this allows the user to access a quick-n-dirty screen to modify the rules that only affected them, and requires Administrator USER login, all without having to switch between administrator and restricted user accounts.

Ok…so in the pop-up instead of ALLOW / DENY buttons for all… IF you have CPF installed to only allow the ADMINISTRATOR account to make any rule changes, THEN it would have this in place of the ALLOW / DENY: [Administrator, click here to ALLOW/DENY].

Anyway those are just some ideas.