Run as a limited user
Keep windows up-to-date
NOTE: When I refer to “virus” I mean Trojans and worms as well.
When you install a firewall or antivirus, they install a driver as SYSTEM through the Administrator account and also “edit” the kernel. You then create a limited user and use that instead; a virus running as a limited user cannot:
Modify the TCP/IP stack
Edit/create global registry keys
Load a driver as an Administrator account
Access the Program Files folder and the WINDOWS folder
Edit the kernel
End your firewall and antivirus products
The Trojan/virus/worm can still do the following:
Record keystrokes under the limited user (I think; I am not 100% sure on this one, someone correct me if I am wrong).
Launch a user-mode rootkit. (This is the least useful and effective type of rootkit.)
It makes it easier to recover from an infection:
The firewall and antivirus can detect the virus/trojan/user-mode rootkit because you installed your security software as administrator and got the infection as a limited user, so the virus cannot run at the same level as the antivirus/firewall software.
When you get a virus that autoruns on boot-up, it only autoruns on the limited account; you can then log on as administrator (it CAN’T run when you log on as administrator, unless you install the virus again as administrator) and delete the infected account. Also check that none of your files are infected.
Most viruses will just not execute under a limited user anyway.
When you need to open a program in a limited user account as an Administrator account, create a shortcut to the program, right-click that shortcut, click “Runas”, select the Administrator account to run it under and type the password (note here that a keylogger running under a limited user could record your admin password and user name).
With accounts, either have a strong password or no password at all; no password on an account means “runas” will not work.
DRM drivers on music CDs cannot install under a limited user either (only under the local limited user account, not globally), giving the user the power to decide whether they want to install the DRM drivers. I believe the user should always have the power to decide what is installed on their computer.
“http://msdn2.microsoft.com/en-us/library/ms972827.aspx” may do the job just as well; I have not read it fully, but since it is from a Microsoft guy it SHOULD be OK. Credit to “Mr_Ed” for pointing that out; his original post is below.
Edit: grammar, typos etc.
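The post's list of what a limited user cannot do (write to Program Files and the WINDOWS folder, create global registry keys, load drivers) can be checked directly on the account you actually use. The PowerShell script below is an added example, not part of the original post; it probes each of those boundaries from the current account and prints a yes/no table. The probe file and key names are made up and are removed again; `whoami.exe` is assumed to be present (it ships with Windows Vista and later, and is an add-on on XP).

```powershell
# Added example (not from the original post): probe what the current
# Windows account can and cannot do, so you can verify that the account
# you browse and read mail from really is a limited user.

function Test-IsAdministrator {
    # True only if the current token is in the built-in Administrators role
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([string]$Directory)
    # Try to create and delete a uniquely named file; the name is made up
    $probe = Join-Path $Directory ("limited-user-probe-" + [guid]::NewGuid().ToString() + ".tmp")
    try {
        [IO.File]::WriteAllText($probe, "probe")
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryWriteAccess {
    param([string]$KeyPath)   # e.g. 'HKLM:\SOFTWARE' (global) or 'HKCU:\Software' (per user)
    $probe = Join-Path $KeyPath ("LimitedUserProbe-" + [guid]::NewGuid().ToString())
    try {
        New-Item -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-HasPrivilege {
    param([string]$Name)    # e.g. 'SeLoadDriverPrivilege'
    # 'whoami /priv' lists every privilege in the current token (enabled or not);
    # a limited user's token simply does not contain the driver-loading privilege.
    $lines = whoami /priv
    return [bool]($lines | Where-Object { $_ -match "^\s*$Name\b" })
}

$checks = [ordered]@{
    'Member of Administrators'            = Test-IsAdministrator
    'Can write to Program Files'          = Test-WriteAccess $env:ProgramFiles
    'Can write to the WINDOWS folder'     = Test-WriteAccess $env:SystemRoot
    'Can create keys under HKLM\SOFTWARE' = Test-RegistryWriteAccess 'HKLM:\SOFTWARE'
    'Can create keys under HKCU\Software' = Test-RegistryWriteAccess 'HKCU:\Software'
    'Holds SeLoadDriverPrivilege'         = Test-HasPrivilege 'SeLoadDriverPrivilege'
}

foreach ($name in $checks.Keys) {
    $result = if ($checks[$name]) { 'YES' } else { 'no' }
    "{0,-40} {1}" -f $name, $result
}
```

On a properly limited account every row except "Can create keys under HKCU\Software" should read "no"; that one stays "YES" because a limited user may still write its own per-user hive, which is exactly why the post says the account's own autorun entries survive a reboot while global ones cannot be created. On Windows Vista and later with UAC, an administrator's non-elevated session also reports "no" on most rows, because the script tests the token you are running with, not the account's group membership on paper.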
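The "Runas" shortcut the post describes can also be created from a script. This is an added example, not part of the original post: it builds a desktop shortcut whose target is `runas.exe`, so double-clicking it asks for the Administrator password in a console window and starts the program under that account. The program path, account name and shortcut name are placeholders to replace with your own.

```powershell
# Added example (not from the original post): create a desktop shortcut that
# launches one program under the Administrator account via runas.exe.
# All three parameters are assumed values; substitute your own.
param(
    [string]$Program      = 'C:\Program Files\Example\example.exe',   # placeholder path
    [string]$AdminUser    = 'Administrator',                          # account to run as
    [string]$ShortcutName = 'example (as Administrator).lnk'
)

$desktop  = [Environment]::GetFolderPath('Desktop')
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut((Join-Path $desktop $ShortcutName))

# runas.exe prompts for the password each time; as the post notes, it will not
# work for an account that has no password at all.
$shortcut.TargetPath       = Join-Path $env:SystemRoot 'System32\runas.exe'
$shortcut.Arguments        = '/user:{0} "{1}"' -f $AdminUser, $Program
$shortcut.WorkingDirectory = Split-Path -Parent $Program
$shortcut.Save()

"Created $(Join-Path $desktop $ShortcutName) -> runas /user:$AdminUser `"$Program`""
```

The password is typed into the console that `runas.exe` opens, which is why the post's caveat about a keylogger on the limited account still applies: anything that captures keystrokes in that session sees the administrator password when you enter it.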