Windows: Standard User vs. Administrator

[Bunghole]

To increase my overall security, I created a separate Admin Windows login and downgraded my normal day-to-day account to a Standard User.

However, in my Standard account, I seem to be able to do everything I could when it was an admin account.  Can someone tell me what I need to do to vastly restrict what a standard user can do?  And don't say "switch to Linux" - I'm working toward that goal, but there's a million steps involved.

I want to limit what malware would be capable of doing on my PC.

[SomeoneWeird]

To increase my overall security, I created a separate Admin Windows login and downgraded my normal day-to-day account to a Standard User.

However, in my Standard account, I seem to be able to do everything I could when it was an admin account.  Can someone tell me what I need to do to vastly restrict what a standard user can do?  And don't say "switch to Linux" - I'm working toward that goal, but there's a million steps involved.

I want to limit what malware would be capable of doing on my PC.

Run everything in a sandbox.

[1MLyg5WVFSMifFjkrZiyGW2nw]

To increase my overall security, I created a separate Admin Windows login and downgraded my normal day-to-day account to a Standard User.

However, in my Standard account, I seem to be able to do everything I could when it was an admin account.  Can someone tell me what I need to do to vastly restrict what a standard user can do?  And don't say "switch to Linux" - I'm working toward that goal, but there's a million steps involved.

I want to limit what malware would be capable of doing on my PC.

Try "Administrative settings\Local security policy" in control panel.
What version of Windows are you using, and what do you want to restrict?

[Bunghole]

@SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.

So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.


@1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.

[SomeoneWeird]

@SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.

So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.


@1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.

Just install bitcoin in the VM then?

And as 1MLyg5WVFSMifFjkrZiyGW2nw said, look at the group policies and change everything to restrict what the other account can do

[1MLyg5WVFSMifFjkrZiyGW2nw]

@SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.

So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.


@1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.

Running as normal user should already block installation of drivers (rootkits do that). The only way to protect against "normal" trojans that could read your wallet.dat is restricting the programs you can run to a small set. You can do that from "Local security policy" by creating Software Restriction rules (by file name, certificate or MD5 hash).

Note that it's still possible that some exploit takes over a trusted program and reads out your files. Only safe way is to make an user account for Bitcoin only and don't use it for anything else.

[SomeoneWeird]

@SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.

So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.


@1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.

Running as normal user should already block installation of drivers (rootkits do that). The only way to protect against "normal" trojans that could read your wallet.dat is restricting the programs you can run to a small set. You can do that from "Local security policy" by creating Software Restriction rules (by file name, certificate or MD5 hash).

Note that it's still possible that some exploit takes over a trusted program and reads out your files. Only safe way is to make an user account for Bitcoin only and don't use it for anything else.

Um, even if they did that. Someone could steal their harddrive etc. And if they got a trojan on the system, odds are most people wouldn't be looking for wallets (just yet), and even then, it's only a matter of typing a few commands to get a system level console.

[1MLyg5WVFSMifFjkrZiyGW2nw]

Um, even if they did that. Someone could steal their harddrive etc. And if they got a trojan on the system, odds are most people wouldn't be looking for wallets (just yet), and even then, it's only a matter of typing a few commands to get a system level console.

If someone can get physical access to your computer, even Linux with encrypted hard disk is no protection. They could install a backdoored kernel that leaks your password.

You can actually restrict running cmd.exe using the software restrictions, but as I said this doesn't mean that another program you trust couldn't be hacked to do the same things.

[SomeoneWeird]

Um, even if they did that. Someone could steal their harddrive etc. And if they got a trojan on the system, odds are most people wouldn't be looking for wallets (just yet), and even then, it's only a matter of typing a few commands to get a system level console.

If someone can get physical access to your computer, even Linux with encrypted hard disk is no protection. They could install a backdoored kernel that leaks your password.

You can actually restrict running cmd.exe using the software restrictions, but as I said this doesn't mean that another program you trust couldn't be hacked to do the same things.

For the sake of arguing, how could they install a backdoored kernel on an encrypted hard drive.

[1MLyg5WVFSMifFjkrZiyGW2nw]

For the sake of arguing, how could they install a backdoored kernel on an encrypted hard drive.

The kernel has to be loaded from somewhere. Unless you boot from a CD or USB drive, it will be on an unencrypted partition of your hard disk.

[SomeoneWeird]

For the sake of arguing, how could they install a backdoored kernel on an encrypted hard drive.

The kernel has to be loaded from somewhere. Unless you boot from a CD or USB drive, it will be on an unencrypted partition of your hard disk.

lol. No.

Boot PC -> MBR loads (truecrypt) -> Truecrypt decrypts MBR on hdd (windows) -> control gets passed to that.

The kernel is encypted.

[1MLyg5WVFSMifFjkrZiyGW2nw]

lol. No.

Boot PC -> MBR loads (truecrypt) -> Truecrypt decrypts MBR on hdd (windows) -> control gets passed to that.

The kernel is encypted.

OK, the Windows kernel is encrypted, but the same problem applies to TrueCrypt. You need to enter a passphrase / insert a USB stick, and someone could install a modified version of TrueCrypt that saves the key to somewhere (like the last sector of the disk, or NVRAM).

[SomeoneWeird]

lol. No.

Boot PC -> MBR loads (truecrypt) -> Truecrypt decrypts MBR on hdd (windows) -> control gets passed to that.

The kernel is encypted.

OK, the Windows kernel is encrypted, but the same problem applies to TrueCrypt. You need to enter a passphrase / insert a USB stick, and someone could install a modified version of TrueCrypt that saves the key to somewhere (like the last sector of the disk, or NVRAM).

EvilMaid

[1MLyg5WVFSMifFjkrZiyGW2nw]

EvilMaid]http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html]EvilMaid

Exactly what I meant.
You need some way to verify that the boot sector hasn't been modified. If that requires booting from an USB stick, it is no better than having your OS (or at least the kernel / disk crypto) on the stick as well.