ConsciousVibes.com

Home | Links ( Motorcycles, Computers )

Principle of Least Privilege
( How to Get Programs to Run While Logged in as a Member of the Users Group )

All of the information, instructions, and recommendations on this Web site are offered on a strictly "as is" basis. Remember "Murphy's Law." Please take the proper precautions before attempting any of the tips or modifications listed here.

Contents

What is the Priciple of Least Privilege (PLP)?

In information security & computer science the principle of least privilege, or just least privilege, requires that a user, a program, or a process/service should only have access to the information and resources that are necessary to do its job.

Part of implementing least privilege is to not allow users to log in as members of the Administrators group or as a root user.

It's good practice to install and configure the required applications as an Administrator, then create a Custom Default User Profile,(XP / Vista), before allowing any users to log in for the first time.

Microsoft referes to the principal of least privilege as LUA. The acronym LUA generally refers to Least-Privilege User Account, but is sometimes defined as Limited User Account, Least User Access, and several other variations. But whatever the letters stand for, the concept is the same. LUA is a computer user account that cannot make changes that affect other users of the system or the operating system itself. In Windows, these are typically members of the built-in Users group. Members of this group are explicitly not members of powerful groups (such as Administrators, Power Users, and Backup Operators) and they do not hold elevated privileges (like Load and unload device drivers, and Act as part of the operating system). Unfortunately, LUA can surface a number of issues.

References

• The Protection of Information in Computer Systems by Saltzer and Schroeder
• Priciple of Least Privilege at the National Institute of Standards and Technology
• Priciple of Least Privilege at Wikipedia.org
• Role based access control (RBAC)
• Problems of Privilege: Find and Fix LUA Bugs
• Applying the Principle of Least Privilege to User Accounts on Windows XP
• Applying the Principle of Least Privilege to User Accounts on Windows Vista
• Applying the Principle of Least Privilege to User Accounts on Windows 7
• Windows Steady State

Why You Should Not Run as an Administrator or Root User

If a system is compromised, by malware or an unauthorized user, that user or malware will have the same privileges of the logged-on user. If the current user is an administrator or root user, then the malware/unauthorized user will have full reign to do whatever they wanted to the system, without the user's knowledge or interaction. If the current user was not an administrator or root user, e.g. a Limited User or Standard User, then the malware/unauthorized user should be restricted to what they can access and to how much damage they can inflict on the system.

If you're running as an administrator or root user, an exploit can:

• install kernel-mode rootkits and/or keyloggers (which can be impossible to detect)
• install and start services
• install ActiveX controls, including Internet Explorer and shell add-ins (common with spyware and adware)
• access data belonging to other users
• cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
• replace OS and other program files with trojan horses
• access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
• disable/uninstall anti-virus
• cover its tracks in the event log
• render your machine unbootable

Reference

• Why you shouldn't run as admin by Aaron Margosis
• The Desktop Files: Leaving the Administrator Behind by Wes Miller
• Windows Administration: Gaming in a Secure Environment by Matt Clapham
• Coding Horror: Trojans, Rootkits, and the Culture of Fear
• Windows 2000 Secondary Logon (Run As)
• Malware and administrative rights
• NonAdmin Wiki

How to Create a Custom Default User Profile in Windows XP Professional

[OS: Windows XP]

Summary

A custom default user profile is necessary when you want to install and configure the OS and software and have all users inherit the same standard configuration and settings. e.g. Desktop icons, default printer, etc.

A custom default user profile is also helpful if several people use the same computer but each user wants a separate profile and access to shared resources, but you want to pre-configure certain aspects of the OS or applications.

When a new user logs in, Windows XP uses the default user profile as a template for creating a new profile for that new user.

You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile.

Note:
You’ll need to modify the My Documents\desktop.ini of the master user profile before creating the custom default user profile.
The desktop.ini file contains the "owner= " parameter that specifies the username of the current user.  Windows XP will display the users name with certain special directories. e.g. Windows will display "Admin’s Documents" instead of "My Documents. "

This is an issue because when a different user logs in, their special directories will display the wrong user name.
To fix this issue, modify desktop.ini in My Documents and delete the user name leaving just "owner= "

Create a custom default user profile

1.	Log on to the computer as the administrator, and then create a local user account. Add that new local user account to the administrators group.
2.	Log off as the administrator, and then log on to the computer using the local user account that you just created. Caution: You will cause permission issues if you create the custom user profile when you are logged on as the administrator.
3.	Customize the profile: Install and configure applications, install printers and map network drives.
4.	Log off as the local user, and then log back on as the administrator.
5.	Replace the current default user profile with the customized default user profile. To do so, follow these steps: a. In Control Panel, double-click System. b. In the System Properties window, click the Advanced tab. c. Under User Profiles, click Settings. d. In the User Profiles dialog box, click the user profile that you just created, and then click Copy To. e. In the Copy To dialog box, under Copy profile to, click Browse, click the C:\Documents and Settings directory, and then click OK. Type \Default User after C:\Documents and Settings. f. Under Permitted to use, click Change, type Everyone, and then click OK. This is an important step because it will reset the access rights for the new Default User profile.

Windows XP will use the Default User profile as a template from which to create a new user profile for any new user who logs on to the computer.

This change is permanent, so it is a good idea to make a backup copy of the Default User directory that is in C:\Documents and Settings\ before starting.

Note: If you get an error about files being "in use" or "locked," just reboot into Safe Mode and try to copy the profile again.

References

• How to create a custom default user profile
• Applying the Principle of Least Privilege to User Accounts on Windows XP
• Applying the Principle of Least Privilege to Windows Vista
• Description of User Account Control and remote restrictions in Windows Vista
• Windows Steady State

How to Create a Custom Default User Profile in Windows Vista

[OS: Windows Vista]

Summary

A custom default user profile is useful if several people use the same computer but each user wants both a separate profile and access to shared resources.

When multiple users log on locally to the same computer, Windows uses the built-in default user profile as a template for creating a profile to each new user.

You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile.

Create a custom default user profile

Windows will use the Default User profile as a template from which to create a new user profile for any user who logs on to the computer for the first time.

This change is permanent, so it is a good idea to make a backup copy of the C:\Users\Default directory before starting.

Note: If you get an error about files being "in use" or "locked," just reboot into Safe Mode and try to copy the profile again.

References

• Modifying the default profile in Vista
• Applying the Principle of Least Privilege to Windows Vista
• Description of User Account Control and remote restrictions in Windows Vista
• Windows Steady State

How to Install VirtualDJ for use as a Standard User

VirtualDJ by Atomix Productions is software for audio and video mixing.

I had installed VirtualDJ as an Administrator, and VirtualDJ ran fine. But when tried to use VirtualDJ from a different account, that was a Standard user, I received the following error:

Installation Error! Please reinstall VirtualDJ from the official installer. If you have multiple user accounts on this computer, make sure you install from the account you are using, not from Administrator.

So, as the error message says, you need to install VirtualDJ while logged in as the user that you're going to run it under. I tried that, but VirtualDJ still failed with same error.

The "VirtualDJ 7 - Getting Started.pdf" manual makes no mention of this quirk/requirement.

I tried the following without a positive result:

• Installed VirtualDJ from the Standard user account I wanted to use.
• Installed VirtualDJ using "RunAs Administrator" from the Standard user account I wanted to use.

Problem Resolution

1. Log in as an Administrator
2. Temporarily elevate the User account you want to run VirtualDJ under to an Administrator
3. Log in as the elevated user account you want to run VirtualDJ under
   1. Install VirtualDJ
   2. Run VirtualDJ at least once
   3. Log out of Windows
4. Log in as an Administrator
5. Change the elevated User account you installed VirtualDJ under, back to a Standard User.

Reference:

• Installation error ? Disable NOD32 anti virus [See post from: Mensajes Sat 18 Dec 10 @ 1:41 pm]
• VirtualDJ needs admin rights to run?

BEST Plus

by CAL (Center for Applied Linguistics)

Issue / Error Message

When you run BEST Plus while logged in as a limited user, the following message is displayed:

Data Access Not Successful!
BEST Plus was unable to successfully update its program variables. This is usually due to inadequate user rights (permissions) on the computer, especially with Windows XP. You must be signed in with Administrator rights in order to use BEST Plus.

Fix, Part 1

• For the C:\BEST-Plus\ directory, allow "Modify" rights for the Users group.

Fix, Part 2

Use Regedit, while logged in as a member of the Administrators group, to modify the permissions for HKEY_CLASSES_ROOT\pztfile

• Right click on HKEY_CLASSES_ROOT\pztfile and choose Permissions...
• Click on the Advanced button
• Select Users, under Permission entries
• Click the Edit button
• Allow "Set value" and "Create Subkey"
  • Query Value, Enumerate Subkeys, Notify, Read control are already allowed, and are grayed out.
• Click the OK button (Permissions Entry for pztfile)
• Click the OK button (Advanced Security Settings for pztfile)
• Click the OK button (Permissions for pztfile)
• Close Regedit

Mavis Beacon Teaches Typing

Summary

When a user is logged in as a member of the Users group, an error is displayed when starting Mavis Beacon Teaches Typing v15.

Could not create file for system settings.  C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER\system.msy

The directory C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER\ requires "Modify" and "Write" rights.

These are instruction on how to get Mavis Beacon Teaches Typing v15 to run on computers running Microsoft Windows 2000, and XP and the user is logged in with an account that is a member of the group "Users." e.g. Student

Instructions

1. Login as a member of the Administrators group.
2. Install Mavis Beacon Teaches Typing v15 (MBTT).
3. Start MBTT at least once so that the "MAVUSER" directory is created.
4. Run Windows Explorer ( Windows Key + e ).
5. Right click on the MAVUSER directory located in C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\
   Note: The "Application Data" directory is hidden, so in the address bar, type \Application Data (the backslash is required) then press the enter key. Now you'll be able to open the Broderbund\Mavis Beacon directory.
6. Select "Properties" from the popup/context menu.
7. Click on the "Security" tab.
8. Click on the group name "Users."
9. In the "Permission for Users" section, under the "Allow" column, click "Modify."
10. Click the OK button.

Optional Changes

When MBTT is run, the menu that is displayed shows several options.  Run, Install/Uninstall, Register, etc.  It's best that the user isn't able to use these other options. 

1. Right click on the shortcut in the Start Menu for Mavis Beacon Teaches Typing.
2. Click on properties.
3. In the "Target:" field, replace run.exe with mavis15.exe.
4. Click on the OK button.

Further, delete all the other shortcuts that were installed with Mavis so that users don’t use them.  e.g. Register, Readme, & Internet.

ImgBurn: You need Administrative privileges to use SPTI

From ImgBurn Log:

   I 13:41:50 ImgBurn Version 2.4.1.0 started!
   I 13:41:50 Microsoft Windows XP Professional (5.1, Build  2600 : Service Pack 3)
   I 13:41:50 Total Physical Memory: 1,004,076 KB  -   Available: 386,980 KB
   I 13:41:50 Initialising SPTI...
   I 13:41:50 Searching for SCSI / ATAPI devices...
   E 13:41:52 CreateFile Failed! - Device: '\\.\CdRom0' (R:)
   E 13:41:52 Reason: Access is denied.
   W 13:41:52 Errors were encountered when trying to access a  drive.
   W 13:41:52 This drive will not be visible in the program.
   E 13:41:52 You need Administrative privileges to use SPTI.
   W 13:41:52 No devices detected!

______________________________________________________________________

Problem:

Fix:

By default on Windows XP, SPTI is available only to Administrators.

Here is a quick workaround for those people wanting to stick with SPTI:

1. Log in as an Administrator
2. Open a command prompt.
   1. Click 'Start' -> 'Run'
   2. Type "cmd" and click OK
3. Type "secpol.msc" and press [enter]
4. Expand "Local Policies"
5. Click "Security Options"
6. Change "Devices: Restrict CD-ROM access to locally logged-on user only" from "Disabled" to "Enabled"
7. Close the "Local Security Settings" window
8. Reboot the computer
9. Log in as a Limited user
10. Run ImgBurn

______________________________________________________________________

ImgBurn Log: After doing the fix, rebooting, and logging in as a Limited User...

   I 13:48:31 ImgBurn Version 2.4.1.0 started!
   I 13:48:31 Microsoft Windows XP Professional (5.1, Build  2600 : Service Pack 3)
   I 13:48:31 Total Physical Memory: 1,004,076 KB  -   Available: 393,284 KB
   I 13:48:31 Initialising SPTI...
   I 13:48:31 Searching for SCSI / ATAPI devices...
   I 13:48:31 Found 1 DVD±RW!

________________________________________________________________________________________

You can use the following reg key instead of manually configuring secpol.msc

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows  NT\CurrentVersion\Winlogon]
   "allocatecdroms"="1"

______________________________________________________________________

Reference:

• ImgBurn FAQ
• ImgBurn Forum, Post #20

Allow a Limited User to Burn CD's & DVD's

Windows XP Professional's default configuration prevents Limited users from burning to optical media. To change this, follow the steps below:

1. Log in as an Administrator
2. Open a command prompt.
   1. Click 'Start' -> 'Run'
   2. Type "cmd" and click OK
3. Type "secpol.msc" and press [enter]
4. Expand "Local Policies"
5. Click "Security Options"
6. Double-click on "Devices: Allowed to Format and eject removable media"
7. Set this option to "Administrators and Interactive Users"
8. Close the "Local Security Settings" window
9. Reboot the computer
10. Log in as a Limited user

NDCMedisoft Advanced v9

Allow modify rights for the group "Users" to:

• C:\MediData\
• C:\Program Files\NDCMedisoft\Bin\
  

Issues with setting Internet Explorer's Internet Security to High

Downloading with Mozilla Firefox v3.6

Downloads of .exe files using Firefox v3.6 fails when IE's Internet Security is set to High.
When you initiate the download, the file shows up in the Firefox Download window as "Cancelled." If you "Retry," the download will start, but as soon as the download completes, the file disappears or has a size of 0 bytes.

Usually when Firefox is downloading a file, it creates a temporary file with a .part extension, then when the download is complete, Firefox renames the .part file to the proper filename.
With IE's Internet Security set to High, the .part file is not created.

RunAs from the Context Menu

When you attempt to run a program that requires elevated rights or try to RunAs, you get the following message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

e.g. http://gtopala.com/download/siw.exe

Workaround for Downloading with Firefox

Method 1: Temporarily change the file extension

1. Set Firefox to prompt for a location to save the file:

• Tools > Options ... > General tab
• In the "Downloads" section, enable "Always ask me where to save files"

2. Download the file, but when prompted for the filename, change the extension to .zip
3. After the file is downloaded, rename the file back to its original name by changing the extension from .zip to .exe or .msi

Method 2: Set a custom level for security in the Internet zone.

1. Go to "Control Panel -> Internet Options -> Security (tab) -> Internet."
2. Set security to "High",
3. Click on "Custom level..."
4. Change, Miscellaneous > "Launching applications and unsafe files" from "Disable" to "Prompt (recommended)."
5. Change, Miscellaneous > "Launching programs and files in an IFRAME" from "Disable" to "Prompt (recommended)."
   

Reference:

• MozillaZine: Enable downloads blocked by Security Zone Policy - Windows
• I can't download exe files through Firefox