astirusty
Premium
join:2000-12-23
Henderson, NV
 ·AT&T Southwest
2 edits |  Catch-22 Limited Account vs. Auto Updtes
On numerous occasions, people have strongly suggested that user accounts for Windows should be setup as a Limited account (or with restricted privileges). I decided to follow this advice on the setup of a new PC for a computer novice. Now I knew there were issues with doing this in respect to unusual applications. But in this case the system was only going to have minimal common applications (MS Word, MS I.E., MS Outlook Express).
What I ran into is a Catch-22 situation:
If you setup a person with a Limited User account, MS Windows XP (Pro / SP2) will not either: 1) Automatically update or 2) notify the user that updates are available. Additionally the user can not do a manual MS update either.
Norton Internet Security (NIS) will also not run from a Limited User Account. If NIS is setup under an account with Administrative privileges, NIS will not run via the Windows scheduler, even if Live-Update is scheduled with "Run as".
There are of course other security products, however I am finding issues with getting several of those to do Automatic updates via an Administrative account a headache. Spybot S&D appears to be an exception and updates correctly.
Anyway, you are back to giving the user full Administrative privileges to ensure the system is kept automatically up dated. Which means a system that can be easily compromised by a novice WWW surfer thanks to either "drive-by" malware or "social-engineered" malware that use numerous click-to-accept menus.
My reason for voicing this issue, is I am hoping that those with contacts to Microsoft, Symantec, and the various Security applications vendors will push for getting Automatic Updates to work without human intervention and will work when the user logged in has only Limited privileges. In short, automatic updates should have the capability to run in the background and unattended, even if no one is logged in at all.
Additionally the reliability of automatic updates needs to be drastically addressed. It is clear from others posts here that Windows Automatic updates will appear to be working when in fact it is not Auto updating. Symantec does give you some warning, but it would be less than clear to the novice or average user. For example from my own testing, Ad-aware SE run with "+update /smart +silent" skips the actual update. It appears to work if you just do a "+update".
From my experience (and input from others), with automatic-updates & live-updates -- it is no surprise that so many systems are being compromised and turned into BoTs for DDOS and SPAM boxes.
|
|
dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
 ·Verizon FIOS
| need to be an administrator to administer
But the point of 'limited user' is that you can't make drastic modifications to the system. And there's not much more drastic than installing an update to the operating system.
Installing an OS update is surely 'administering' the system, which requires that you been an administrator.
--
As regards whether system-protection products ought to run under limited user accounts - sure, they're system protection tools, they should be installed by admins and the 'scanning' part should run as a service process. There should be a status UI accessible to any user, though (as usual) system-wide changes should require an adminstrator. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to astirusty
Re: Catch-22 Limited Account vs. Auto Updtes
it is a Pain..but still a good idea not to face the Internet as an Admin.
»www.windowsitpro.com/Article/Art···064.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
cwnorris
join:2000-01-17
Longmont, CO
 ·Mesa Networks
| reply to dave
Re: need to be an administrator to administer
said by dave  :But the point of 'limited user' is that you can't make drastic modifications to the system. And there's not much more drastic than installing an update to the operating system. Installing an OS update is surely 'administering' the system, which requires that you been an administrator. -- As regards whether system-protection products ought to run under limited user accounts - sure, they're system protection tools, they should be installed by admins and the 'scanning' part should run as a service process. There should be a status UI accessible to any user, though (as usual) system-wide changes should require an adminstrator. I don't use automatic updates, but...
Auto-update runs as a service. If it can't even notify you of updates, or even install them, it's useless.
If a user chooses to trust the auto-update service, they shouldn't have to do anything to take advantage of it. It should update regardless of the account used to login.
You also mention that scanning should run as a process, but everything else should be off-limits. Does that go for signature updates? That's a system-wide change, and analogous to Windows automatic updates. Useless if you have to have admin privileges for that. Can you imagine if you had to have admin privileges in order for your anti-virus to update? (actually, you do for some products, but that's just bad design.)
If it is suggested to run as a limited user, AND use automatic updates, why can't you both at the same time? Are you going to tell grandma to log out, then back with admin privileges every day to see if any updates are available?
Where's the upside to having automatic update run as a service? (In the corporate world, the advantage is obvious, you can easily disable the service, and push out updates yourself.)
I'm not arguing that ordinary users should be able to install updates, but this is a service we're talking about. If someone chooses to use it, it should operate as one, and install updates with whateve permissions the service runs as. It could still provide a UI to prompt for updates installs, if the administrator allows it. If people are uncomfortable with that, they shouldn't use the service. |
|
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| reply to astirusty
Re: Catch-22 Limited Account vs. Auto Updtes
But help is on the way 
Powerful, Reliable & Secure
Microsoft hopes to make Longhorn what it calls a "high performance, robust, and safe operating system." To accomplish this, it will need to overhaul the way user accounts work in Windows. Today, Windows XP supports Limited User accounts, administrator accounts (and others, in XP Pro and newer), but few people use anything but administrator-level accounts because the Limited User account is almost useless.
In Longhorn, Microsoft will introduce the new least privileged user account (LUA), which is basically a secure code compartment in which most application code will typically run. When trusted applications need administrator-level access, they can temporarily run in Protected Admin mode. This feature will help sidestep most of the problems home users now face with Limited User accounts, but administrators in businesses can turn it off.
As with Windows XP SP2, Longhorn will provide strong security warnings and guidance when it detects errant actions. However, Longhorn's warning notifications can occur because of local code as well, and not just because of Internet-based communications, as in XP SP2. The idea is that users will feel safe, and they will be able to undo any action, further strengthening the security aura.
Overall, the security and management advancements in Longhorn will be evolutionary when compared with Windows XP with Service Pack 2. For example, the new security policy features in XP SP2 will be expanded dramatically in Longhorn, but will work the same way. So administrators will face a shorter learning curve with understanding how Group Policy works in Longhorn.
Longhorn will support a new updating model called hot patching, through which Microsoft will be able to apply updates to any non-kernel code, including drivers, without requiring a reboot. Longhorn will still need to be rebooted after certain patches, of course, but there will be much fewer than with Windows XP SP2 or Windows Server 2003: 70 percent less is the goal.
Additionally, Longhorn will feature a new instant-on capability that will see Longhorn-savvy systems resume from Standby in 2 seconds or less. And cold boot time should be 50 percent less than with XP on the same system, Microsoft claims.
»www.winsupersite.com/showcase/lo···2005.asp
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ |
|
Goldengamego
Premium
join:2004-02-22
Okemos, MI
| reply to dave
Re: need to be an administrator to administer
said by dave :But the point of 'limited user' is that you can't make drastic modifications to the system. And there's not much more drastic than installing an update to the operating system. Installing an OS update is surely 'administering' the system, which requires that you been an administrator. -- As regards whether system-protection products ought to run under limited user accounts - sure, they're system protection tools, they should be installed by admins and the 'scanning' part should run as a service process. There should be a status UI accessible to any user, though (as usual) system-wide changes should require an adminstrator. You have missed the point here. This is a novice user not a battle hardened BBR/security reader and should at the very least be notified that updates are available....
--
Because Goldengamegod won't fit:p |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to cwnorris
I don't use automatic updates. I do normally login as a limited user.
I'm have mixed views as to whether automatic updates should be installed for a limited user. I do agree, however, that a limited user should still be notified that updates are available.
If you have it set to download patches, then it should do that even for a limited user. Then it should notify the user that the update is available. Personally, I would prefer the install of updates to be postponed until the Administator login.
I have auto-updates turned off, because they seem unreliable. I had them on (notify only) at the time SP2 was released. I received the notification (when logged in as an admin), and gave the go-ahead to download the updates. Two months later SP2 was still not installed, even though I made it a regular practice to periodically login as administrator. I finally went to the update site to manually install SP2. While I was installing, it downloaded the updates. This left a duplicate copy, taking excessive space on the disk.
That's not acceptable. I turned off auto-updates, because I want updating to be reliable. |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to astirusty
Re: Catch-22 Limited Account vs. Auto Updtes
said by astirusty :What I ran into is a Catch-22 situation: If you setup a person with a Limited User account, MS Windows XP (Pro / SP2) will not either: 1) Automatically update or 2) notify the user that updates are available. Additionally the user can not do a manual MS update either. Regarding WU, did you have the updates set to be done automatically at a scheduled time? Sorry if I missed that in your post...
I coulda swore there was a thread about XP's version of Windows Update in the Microsoft Help forum recently that at least was tangential to this...
I believe that the XP SP2 version of Windows Update (the service) will apply "cached" updates during a shutdown or restart -- but that's because in that situation the limited user (or users) is logged out of the system during shutdown.
Apologies for being vague, but does anyone remember links to either the thread here or the Microsoft documentation? I thought I saw it in a Microsoft-related blog...
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to astirusty
Re: Catch-22 Limited Account vs. Auto Updtes
would this help
from
»blogs.msdn.com/aaron_margosis/ar···721.aspx
MakeMeAdmin -- temporary admin for your Limited User account
Cudni |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to astirusty
Here's something regarding the XP SP2 implementation of WU:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
Value: ElevateNonAdmins
From:
»www.microsoft.com/technet/prodte···spx#EAAA
quote:
Boolean value indicating whether users in the Users security group are allowed to approve or not approve updates, and whether they can install or uninstall via the client API.
0 = false (normal users are not elevated)
1 = true (normal users are elevated)
You might want to Google on "ElevateNonAdmins" -- and also the default for "NoAutoRebootWithLoggedOnUsers" value which has been changed in SP2 -- to see about other gotchas, but Dave's point about updating the system being an administrative task still applies.
I think the "NoAutoRebootWithLoggedOnUsers" value speaks to the recent DSLR thread I'm thinking of...SP2 supposedly will force a reboot, even if there's unsaved work...I haven't tested this, though...
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
astirusty
Premium
join:2000-12-23
Henderson, NV
·AT&T Southwest
| reply to psloss
said by psloss :Regarding WU, did you have the updates set to be done automatically at a scheduled time? Sorry if I missed that in your post... Yes, a scheduled time was set. Only if I logged in with Administrator privileges then WU would tell me updates were ready. If you were logged in under a Limited User account, you could shutdown, reboot and Log back in without the updates being installed or seeing a notification about the updates. |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
1 edit | said by astirusty :said by psloss :Regarding WU, did you have the updates set to be done automatically at a scheduled time? Sorry if I missed that in your post... Yes, a scheduled time was set. Only if I logged in with Administrator privileges then WU would tell me updates were ready. If you were logged in under a Limited User account, you could shutdown, reboot and Log back in without the updates being installed or seeing a notification about the updates. Was this system installed with SP2 or was SP2 applied to it? I can test the latter, although I don't have NIS, so I can't test the interactions between NIS rules and WU...
I assume that NIS is set to allow the WU service to connect out, right?
Also, have you looked at the "Windows Update.log" file in %windir%? I'm curious if there's anything useful in there...
Thanks,
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
|
|
BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
| reply to astirusty
Hey! USE SOFTWARE THAT CAN UPDATE INDEPENDENT OF THE USERS ACCOUNT!!
All of my protection software updates on its own from the system account, independent from the account the user is running in, if you need to be an admin to update your anti-virus software definitions, or even its engine YOUR PROGRAM SUCKS. Mine will ask me to reboot to allow the update to be made to the system when it has updated the software, otherwise definitions do not require it.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
The biggest error is sitting in front of your keyboard. |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to astirusty
Auto Updating is a bad idea. You then have no control. That is stupid and is stupid whether you are a newbie or a seasoned user. If you are a newbie you need to learn. If you don't want to learn then don't get a computer. There is no requirement that you must have a personal computer.
I applaud the AV vendors that do not bow to Microsoft's misguided wishes. Want to give me the list so I know where to look for my next av?
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789 |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to astirusty
This is the blog entry I was thinking of:
»blogs.msdn.com/tim_rains/archive···877.aspx
And as soon as I previewed my post, DSLR nicely pointed to old threads (I guess they were actually here in the Security forum):
»Re: Picasa 2 -- Google Still Programs Poorly?
»auto updates and limited user
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
cwnorris
join:2000-01-17
Longmont, CO
·Mesa Networks
| reply to Mele20
said by Mele20 :Auto Updating is a bad idea. You then have no control. That is stupid and is stupid whether you are a newbie or a seasoned user. Rather a misguided and short-sided comment. If you are in a corporate environment, you can run your own Windows Update Server, configure the clients to use it, and only apply the patches you want, when you want. You don't have to worry about users applying patches, or using scripting or a third-party solution to apply updates. Test the patches, approve them, the clients install them. I don't use that method at this time, but I also don't think it's stupid.
Maybe you should change this statement:
said by Mele20 :If you are a newbie you need to learn. To something like:
Gee, maybe there are valid ways of administering system(s),
that are different than mine, and maybe I should think
before I post. Oh, and maybe, things are not stupid just
because I don't agree with them. |
|
cwnorris
join:2000-01-17
Longmont, CO
·Mesa Networks
| reply to psloss
That looks like a reasonable setting. I wonder if there is a UI for the setting, or is everyone expected to delve into the registry to change it?
I won't even get into the fact that you have to have XP SP2 to even have that setting. Windows 2000 and pre-XP SP2 users shafted once again. |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to astirusty
For what it's worth, I just tried this on a fairly clean XP Home SP2 test install (no third party security software) while logged in as a limited user and it "worked" -- the system downloaded and installed the patches and restarted, flushing my login in the process.
I've attached the relevant section of the Windows Update.log file...
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to cwnorris
said by cwnorris :That looks like a reasonable setting. I wonder if there is a UI for the setting, or is everyone expected to delve into the registry to change it? I won't even get into the fact that you have to have XP SP2 to even have that setting. Windows 2000 and pre-XP SP2 users shafted once again. My guess is that the consumer default -- with SP2 -- is to encourage non-power-users to set the automatic update time. (The Windows Update screen is the first thing one sees on boot after applying SP2.) The Registry settings are policy settings for enterprises (large and small) and I believe there is a GUI for them. Not sure about standalone XP Pro systems, though, for example...
Regarding pre-XP SP2 users (including Windows 2000), I can try out SP1 (well, SP1a) for grins, but I'm not currently set up for that kind of Win2K test.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org |
|
