Bitcoin Forum
Topic: Windows: Standard User vs. Administrator
Bunghole (OP)
July 06, 2011, 08:26:58 PM
 #1

To increase my overall security, I created a separate Admin Windows login and downgraded my normal day-to-day account to a Standard User.

However, in my Standard account, I seem to be able to do everything I could when it was an admin account.  Can someone tell me what I need to do to vastly restrict what a standard user can do?  And don't say "switch to Linux" - I'm working toward that goal, but there's a million steps involved.

I want to limit what malware would be capable of doing on my PC.
SomeoneWeird
July 06, 2011, 08:31:34 PM
 #2

> To increase my overall security, I created a separate Admin Windows login and downgraded my normal day-to-day account to a Standard User.
>
> However, in my Standard account, I seem to be able to do everything I could when it was an admin account.  Can someone tell me what I need to do to vastly restrict what a standard user can do?  And don't say "switch to Linux" - I'm working toward that goal, but there's a million steps involved.
>
> I want to limit what malware would be capable of doing on my PC.

Run everything in a sandbox.
1MLyg5WVFSMifFjkrZiyGW2nw
July 06, 2011, 08:40:03 PM
 #3

> To increase my overall security, I created a separate Admin Windows login and downgraded my normal day-to-day account to a Standard User.
>
> However, in my Standard account, I seem to be able to do everything I could when it was an admin account.  Can someone tell me what I need to do to vastly restrict what a standard user can do?  And don't say "switch to Linux" - I'm working toward that goal, but there's a million steps involved.
>
> I want to limit what malware would be capable of doing on my PC.

Try "Administrative settings\Local security policy" in control panel.
What version of Windows are you using, and what do you want to restrict?
Bunghole (OP)
July 06, 2011, 09:22:43 PM
 #4

@SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.

So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.


@1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.
SomeoneWeird
July 07, 2011, 02:22:40 AM
 #5

> @SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.
>
> So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.
>
> @1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.


Just install bitcoin in the VM then?

And as 1MLyg5WVFSMifFjkrZiyGW2nw said, look at the group policies and change everything to restrict what the other account can do
1MLyg5WVFSMifFjkrZiyGW2nw
July 07, 2011, 04:40:49 AM
 #6

> @SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.
>
> So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.
>
> @1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.

Running as a normal user should already block installation of drivers (rootkits do that). The only way to protect against "normal" trojans that could read your wallet.dat is restricting the programs you can run to a small set. You can do that from "Local security policy" by creating Software Restriction rules (by file name, certificate or MD5 hash).

Note that it's still possible that some exploit takes over a trusted program and reads out your files. The only safe way is to make a user account for Bitcoin only and not use it for anything else.
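
A simplified model of the default-deny evaluation that Software Restriction rules give you, added here as an illustration and not taken from the thread or from Windows itself. It uses SHA-256 instead of the MD5 the post mentions; the function names, file names and sample files are constructed.

```python
import hashlib
import os
import tempfile

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


def sha256_of(path):
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def decide(path, hash_rules, name_rules, default=DISALLOWED):
    """Return (level, rule) for one file; hash rules take precedence over name rules."""
    digest = sha256_of(path)
    if digest in hash_rules:
        return hash_rules[digest], "hash"
    name = os.path.basename(path).lower()
    if name in name_rules:
        return name_rules[name], "name"
    return default, "default"


def demo():
    """Constructed files in a temp dir stand in for real programs."""
    with tempfile.TemporaryDirectory() as root:
        wallet = os.path.join(root, "bitcoin.exe")
        editor = os.path.join(root, "notepad.exe")
        other = os.path.join(root, "unknown.exe")
        for path, body in ((wallet, b"wallet v1"), (editor, b"editor v1"), (other, b"???")):
            with open(path, "wb") as out:
                out.write(body)

        hash_rules = {sha256_of(wallet): UNRESTRICTED}   # bound to the file's content
        name_rules = {"notepad.exe": UNRESTRICTED}       # bound to the file name only
        results = {
            "wallet": decide(wallet, hash_rules, name_rules),
            "editor": decide(editor, hash_rules, name_rules),
            "unlisted": decide(other, hash_rules, name_rules),
        }
        # Change both files' content, as an update or tampering would.
        for path in (wallet, editor):
            with open(path, "ab") as out:
                out.write(b" changed")
        results["wallet_changed"] = decide(wallet, hash_rules, name_rules)
        results["editor_changed"] = decide(editor, hash_rules, name_rules)
        return results
```

The hash rule stops matching as soon as the file's content changes, whether through tampering or a legitimate update, while the file-name rule keeps matching; that is the trade-off between the rule types named in the post.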
SomeoneWeird
July 07, 2011, 04:47:10 AM
 #7

> > @SomeoneWeird: Eventually, running Ubuntu as my main OS and Windows in a VM is my goal, but it creates too many headaches at once.  For example, I really like my VPN WiTopia, but it doesn't have a Linux version.  Another example: my mobile broadband card technically will work with Linux, but it involves two pages of tedious instructions.
> >
> > So, I am slowly phasing Windows out and Ubuntu in.  For example, I now do all of my web surfing in Ubuntu running in a VMware VM.
> >
> > @1MLyg5WVFSMifFjkrZiyGW2nw: I am running Windows 7 and I am trying to restrict any possible malware from installing and/or running itself without entering the Admin password.
>
> Running as a normal user should already block installation of drivers (rootkits do that). The only way to protect against "normal" trojans that could read your wallet.dat is restricting the programs you can run to a small set. You can do that from "Local security policy" by creating Software Restriction rules (by file name, certificate or MD5 hash).
>
> Note that it's still possible that some exploit takes over a trusted program and reads out your files. The only safe way is to make a user account for Bitcoin only and not use it for anything else.

Um, even if they did that. Someone could steal their hard drive etc. And if they got a trojan on the system, odds are most people wouldn't be looking for wallets (just yet), and even then, it's only a matter of typing a few commands to get a system level console.
1MLyg5WVFSMifFjkrZiyGW2nw
July 07, 2011, 04:53:46 AM
 #8

> Um, even if they did that. Someone could steal their hard drive etc. And if they got a trojan on the system, odds are most people wouldn't be looking for wallets (just yet), and even then, it's only a matter of typing a few commands to get a system level console.

If someone can get physical access to your computer, even Linux with encrypted hard disk is no protection. They could install a backdoored kernel that leaks your password.

You can actually restrict running cmd.exe using the software restrictions, but as I said this doesn't mean that another program you trust couldn't be hacked to do the same things.
SomeoneWeird
July 07, 2011, 05:00:02 AM
 #9

> > Um, even if they did that. Someone could steal their hard drive etc. And if they got a trojan on the system, odds are most people wouldn't be looking for wallets (just yet), and even then, it's only a matter of typing a few commands to get a system level console.
>
> If someone can get physical access to your computer, even Linux with encrypted hard disk is no protection. They could install a backdoored kernel that leaks your password.
>
> You can actually restrict running cmd.exe using the software restrictions, but as I said this doesn't mean that another program you trust couldn't be hacked to do the same things.


For the sake of arguing, how could they install a backdoored kernel on an encrypted hard drive?
1MLyg5WVFSMifFjkrZiyGW2nw
July 07, 2011, 03:00:57 PM
 #10

> For the sake of arguing, how could they install a backdoored kernel on an encrypted hard drive?

The kernel has to be loaded from somewhere. Unless you boot from a CD or USB drive, it will be on an unencrypted partition of your hard disk.
SomeoneWeird
July 07, 2011, 03:34:02 PM
 #11

> > For the sake of arguing, how could they install a backdoored kernel on an encrypted hard drive?
>
> The kernel has to be loaded from somewhere. Unless you boot from a CD or USB drive, it will be on an unencrypted partition of your hard disk.

lol. No.

Boot PC -> MBR loads (truecrypt) -> Truecrypt decrypts MBR on hdd (windows) -> control gets passed to that.

The kernel is encrypted.
1MLyg5WVFSMifFjkrZiyGW2nw
July 07, 2011, 03:57:00 PM
 #12

> lol. No.
>
> Boot PC -> MBR loads (truecrypt) -> Truecrypt decrypts MBR on hdd (windows) -> control gets passed to that.
>
> The kernel is encrypted.

OK, the Windows kernel is encrypted, but the same problem applies to TrueCrypt. You need to enter a passphrase / insert a USB stick, and someone could install a modified version of TrueCrypt that saves the key to somewhere (like the last sector of the disk, or NVRAM).
SomeoneWeird
July 07, 2011, 04:04:02 PM
 #13

> > lol. No.
> >
> > Boot PC -> MBR loads (truecrypt) -> Truecrypt decrypts MBR on hdd (windows) -> control gets passed to that.
> >
> > The kernel is encrypted.
>
> OK, the Windows kernel is encrypted, but the same problem applies to TrueCrypt. You need to enter a passphrase / insert a USB stick, and someone could install a modified version of TrueCrypt that saves the key to somewhere (like the last sector of the disk, or NVRAM).

EvilMaid
1MLyg5WVFSMifFjkrZiyGW2nw
July 07, 2011, 04:17:18 PM
 #14


Exactly what I meant.
You need some way to verify that the boot sector hasn't been modified. If that requires booting from a USB stick, it is no better than having your OS (or at least the kernel / disk crypto) on the stick as well.
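
One way to do the boot-sector verification the last post asks for, added here as an example that is not from the thread: record a per-sector SHA-256 baseline of the boot area and report which sectors differ later. It assumes the boot loader sits in the first 63 sectors of 512 bytes on an MBR disk; the function names and the sample image are constructed. As the post says, the baseline and the check itself have to run from media kept away from the machine.

```python
import hashlib
import os
import tempfile

SECTOR = 512
BOOT_SECTORS = 63  # assumption: boot code sits in the classic first track of an MBR disk


def measure(device, sectors=BOOT_SECTORS):
    """Return one SHA-256 hex digest per sector of the boot area."""
    digests = []
    with open(device, "rb") as disk:
        for index in range(sectors):
            block = disk.read(SECTOR)
            if len(block) != SECTOR:
                raise ValueError(f"short read at sector {index}")
            digests.append(hashlib.sha256(block).hexdigest())
    return digests


def changed_sectors(device, baseline):
    """Compare the boot area against a baseline; return the sector indices that differ."""
    current = measure(device, len(baseline))
    return [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]


def make_sample_image():
    """Constructed sample: a 64-sector image with an MBR signature, not a real disk."""
    image = bytearray(os.urandom(SECTOR * 64))
    image[510:512] = b"\x55\xaa"
    handle, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(handle, "wb") as out:
        out.write(image)
    return path


def demo():
    path = make_sample_image()
    try:
        baseline = measure(path)            # record once, keep off the machine
        clean = changed_sectors(path, baseline)
        with open(path, "r+b") as disk:     # simulate a modification in sector 5
            disk.seek(5 * SECTOR)
            original = disk.read(1)
            disk.seek(5 * SECTOR)
            disk.write(bytes([original[0] ^ 0xFF]))
        return clean, changed_sectors(path, baseline)
    finally:
        os.remove(path)
```

On a real system `device` would be the raw disk opened with administrative rights, and a repartition legitimately changes sector 0, so the baseline has to be re-recorded after such a change.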