Limiting the number of administrator accounts

Recently my system was infected with a right nasty bit of software which flooded my computer with trojans, caused it to slow down to an almost unusable speed and worst of all hijacked my admin account. The *******. I think I've got that sorted, or at least to lie dormant for now.
In the process of fixing it I came across a shocking number of similar incidents with the admin account being nicked, and there didn't seem to be any real consensus on how best to deal with it, with many cases ending in 'I decided just to format'. Got me thinking about prevention and one of the ways I thought of was to limit the number of admin accounts on the computer to one. Is it possible and if so how effective do you think this will be?
 
A computer will run fine with one admin account, and in many ways it is preferable to just have the one. Give the account a strong password and also consider renaming the account from something other than administrator or admin.

However if you continue to run in this account for day to day tasks then you'll be no better off. Create yourself a normal user account and reserve the admin account for admin tasks only. Running this way is a very effective mitigation for lots of malware attacks.
 
Sorry I wasn't very clear. I only intend to have one admin account and to use the computer with a power user account. I was wondering if there are any group policy settings, or anything similar that will permanently limit the system to only one admin account. When I got all virused up the last time something (hacker, malware etc) seemed to create a new admin account and then lock me out of some of the features of windows.
 
When I got all virused up the last time something (hacker, malware etc) seemed to create a new admin account and then lock me out of some of the features of windows.

It can only do that by getting admin privileges anyway, so that's rather pointless as it already has all the access it needs.
 
It can only do that by getting admin privileges anyway, so that's rather pointless as it already has all the access it needs.

Exactly. This is why the best course of action would be to only log in as an Admin when you absolutely need to, and to run day-to-day as a normal user.
 
What OS are you on?
What security software do you have?
Do you have a router?


I'm not trying to be funny here, but I've not seen an actual virus warning on any of my pc's for about 8 years.

The only time I see them are when fixing people's machines, when they've been looking for 'free' stuff or cracks / porn.



Where did you get the virus from?
 
Where did you get the virus from?
'free' stuff or cracks / porn.

;)

Running XP Pro with AVG (starting to question if this is up to much anymore) and Spyware Search and Destroy and the Windows firewall, routed through a D-Link 615. The site that got me was for streaming TV shows, linked from one of the better known streaming sites. As soon as the page loaded up AVG went ape, too many infections to even keep up with the alerts as they appeared, then the computer stopped responding and just kept looping the Windows error beep. Scary stuff. To be fair, at the time I only had one user account, my own, as admin without a password. And guest accounts turned on. And all my folders shared on the network with 'Everyone'. I was overconfident as I'd had no real virus trouble for a while. No real surprise I got done, but that's fixed now anyway. I'm going to, as I said, make a second account for general use and stick an unbreakable password on the admin account.

It can only do that by getting admin privileges anyway, so that's rather pointless as it already has all the access it needs.

Could a stealthy virus not just lay in my power user account in wait of me logging on as admin then do the same again?

I wasn't locked right out of my account, just certain features like Task Manager, MSInstaller and regedit. I was still recognized as an admin account but couldn't really edit the Admin account (through My Computer, Manage, Users, Properties). I figure if my system only allowed one Admin account and that was me, this kind of thing couldn't happen again, however careless I am in the future.
 
Could a stealthy virus not just lay in my power user account in wait of me logging on as admin then do the same again?

Not that I can think of.

I figure if my system only allowed one Admin account and that was me, this kind of thing couldn't happen again, however careless I am in the future.

Like I said if it has the permissions to make another account you're already screwed.
 
I've never used a tv streaming site, I assume the quality is pants though, unless it's 4od / iplayer etc..

What browser were you using?


Ditch AVG, it's like using a table tennis paddle to stop a ball fired from a cannon :p

MSE, Avast, Avira -good free alternatives, I install MSE on each pc that I fix for a customer, doesn't take over the pc, and sits quietly in the background.

if you want to pay for AV, then try Nod32.
 
I've never used a tv streaming site, I assume the quality is pants though, unless it's 4od / iplayer etc..

What browser were you using?


Ditch AVG, it's like using a table tennis paddle to stop a ball fired from a cannon :p

MSE, Avast, Avira -good free alternatives, I install MSE on each pc that I fix for a customer, doesn't take over the pc, and sits quietly in the background.

if you want to pay for AV, then try Nod32.

The quality varies. Most shows are hosted elsewhere but the sites had been, until I got that crap, fairly safe. I use Firefox. I see where you're coming from about AVG; it seems to have gotten worse instead of better over the past few years. It was fine when it was a stripped down, sleek standalone AV package, but now it seems like it's trying to do too much and failing. The free features seem to have been sacrificed to focus more on their premium features.
Was thinking it may be time to get some paid-up AV software, £40 a year ain't bad for ESET.
Back OT, and purely from an academic point of view, do you think such a restriction can be applied to XP?
 
http://en.wikipedia.org/wiki/Deep_Freeze_(software)

If you want to be absolutely sure your PC isn't being mucked about with without you knowing, then using an application like Deep Freeze or a hardware card such as a BodyGuard Card is the only way to do it outside of a domain. They aren't without their faults though and might not be suitable to how you use the PC.

As most of the guys have said though it's hard when it's a home PC, if you're logged in and elevate a program for it to run/install you've literally opened up your PC to the world unless you're sure what that program is and trust it completely.

The best course of action is simply not to access websites you're unsure of and if you are then make damn sure you have AV and spyware software running as you do it.

Next you should consider upgrading to Windows 7 - the UAC is a pain sometimes but it does its job very well to protect against this sort of thing.
 
To be fair at the time I only had one user account, my own, as admin without a password.

It doesn't matter whether or not there is a specific policy you can enable to restrict the creation of administrator accounts, or any other security policy which you may have in place: if you are a member of the Administrators group and you are using the account for things such as web surfing and other daily activities, it will be highly susceptible to malware. Any malware which does infect your account will be running with the rights of the said user, in your case administrator rights, meaning it will be able to circumvent any policy at will.

Could a stealthy virus not just lay in my power user account in wait of me logging on as admin then do the same again?

If we ignore the possibility of security vulnerabilities which haven't been patched, there shouldn't be any way for a malicious user and / or software running in one user account to be able to access and modify another user account on the system, providing the account in question isn't an over-privileged user.

Back OT, and purely from an academic point of view, do you think such a restriction can be applied to XP?

All that needs to be done is for you to password protect the administrator account, making sure you're the only one who knows the administrator password, and then use a standard user account for all your daily activities, making sure anyone else who may use the system is also running in a standard user account as well. Though, since you are using Windows XP, running as a standard user is slightly more difficult to do than if you were using Windows Vista or Windows 7, since Windows XP isn't a particularly standard-user-friendly operating system. You could switch to an administrator account when you need to perform any operations which request administrator rights and then switch back to your standard user account, but that may get frustrating.

You could use MakeMeAdmin which will run applications in the administrator context from your standard user account. There is also something called SuRun where you can execute applications to run with administrator rights from a standard user account as well. I haven't got any experience with SuRun myself but there's a thread on the Wilder Security Forums here which should give you a nice introduction to things.

Alternatively, upgrade to Windows 7.

Please be aware though that running as a standard user doesn't solve all security related problems, although it is a very important layer in securing a system. It helps protect the configuration of the system and other users' accounts. Running as a standard user will stop old malware which assumes administrator rights by default. However, any malware which will work correctly with standard user rights will still function correctly within a standard user account, which will mean it will have access to the most important thing to the user: their data.
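The thread's consensus is that you can't stop an already-elevated process from adding an administrator, but you can notice when it happens. The script below is an added example, not something posted in this thread or shipped by any of the tools mentioned in it: it records the members of the local Administrators group as a baseline, reports any later additions or removals, and also flags an enabled Guest account (one of the weaknesses the original poster describes). It assumes Windows PowerShell 2.0 or later with WMI available (that combination runs on XP as well as later versions); the baseline file location is an assumed choice.

```powershell
# Added example, not part of the original thread: audit the local
# Administrators group against a saved baseline and flag an enabled
# Guest account. Assumes Windows PowerShell 2.0+ with WMI; the
# baseline path is a hypothetical choice.

$BaselinePath = Join-Path $env:ALLUSERSPROFILE 'admin-baseline.txt'   # assumed location

# Members of the local Administrators group as DOMAIN\Name strings.
function Get-LocalAdministrators {
    Get-WmiObject -Class Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object {
            # PartComponent is a WMI path such as:
            # \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="bob"
            if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                "$($Matches[1])\$($Matches[2])"
            }
        } | Sort-Object -Unique
}

# Names of local accounts that are currently enabled.
function Get-EnabledLocalAccounts {
    Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True AND Disabled=False' |
        Select-Object -ExpandProperty Name
}

function Invoke-AdminAudit {
    $admins = @(Get-LocalAdministrators)

    if (-not (Test-Path $BaselinePath)) {
        # First run: record the current membership as the known-good baseline.
        $admins | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath with $($admins.Count) member(s)."
        return
    }

    $baseline = @(Get-Content -Path $BaselinePath)
    $added    = @($admins   | Where-Object { $baseline -notcontains $_ })
    $removed  = @($baseline | Where-Object { $admins   -notcontains $_ })

    if ($added.Count   -gt 0) { Write-Warning "Administrators group gained: $($added -join ', ')" }
    if ($removed.Count -gt 0) { Write-Warning "Administrators group lost: $($removed -join ', ')" }
    if ($added.Count -eq 0 -and $removed.Count -eq 0) {
        Write-Output "Administrators group unchanged ($($admins.Count) member(s))."
    }

    # The original poster had the Guest account enabled; call that out too.
    if ((Get-EnabledLocalAccounts) -contains 'Guest') {
        Write-Warning 'The Guest account is enabled.'
    }
}

Invoke-AdminAudit
```

Run it once from the administrator account to write the baseline, then run it from the day-to-day standard account (reading group membership through WMI does not need admin rights) or on a schedule. A warning about a new Administrators member is the signal the original poster was missing: it does not prevent the change, but it tells you the account has already been compromised, which is exactly when a format or a restore from backup is the right call rather than trying to clean up.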
 
Cheers, I'm going to have a look at Steady State and Deep Freeze. Not completely set against Windows 7, only used it briefly. It's just Vista that puts me off, as I've heard that 7 is basically a completed version of Vista, and I had nothing but trouble with Vista. I see now that my idea for a super all-in-one security solution was hugely oversimplified. I'm a total novice when it comes to the inner workings of Windows security.

It's just about time for a new computer anyway. It's been six years and it's starting to show its age. I was thinking of retiring my old system to a server role. Is there any way to incorporate an extra machine into my overall security, kind of like an extra firewall?
 
Yeah if you're serious about security Windows 7 (64 bit before you ask ;)) is a no brainer.

You could incorporate the old box as a proxy, but to be honest it is adding a lot of overhead. You're better off just installing Linux on it and using that to get your torrents.
 
Get rid of your predisposition, put 7 back on and give it a chance. You won't be disappointed.

I've not had Seven before; my prejudice is based solely on Vista. Twice I had to format my HDD trying to get drivers for my graphics card. When I finally got it working I found it slow and prone to crashes and incompatibilities. Saying that, I'll probably go for 7 when I get my new system. Has the first service pack for it been released yet?
 
The first service pack isn't due for a while, I think a release candidate has been recently leaked. There is no need to wait for a service pack however as it is simply a rollup of updates that are out now.
 