Solution Concepts

Hax - Support - User Management

 


 

 

Slashdot Advice on Running non-Admin
  • As someone who runs as a non-admin, I'll share a few tips I've learned on how best to make everything work...
  • 1) Download CPAU [joeware.net], which works somewhat like RunAs but will let you create "job" files so you don't need to type a password each time.
  • 2) Make three accounts, a "guest" (don't use the built-in guest account for this) user, a "poweruser", and an "admin" (don't use the built-in admin account for this). For the rest of this post, I'll call your real account "fred", the lower-permissioned account "barney", and the higher-permissioned account "gazoo".
  • 3) Set the root of all drives to explicitly "deny" all permissions to "gazoo". This wouldn't even slow down an interactive attacker, but few hostile programs expect to need to take ownership and change permissions from an account already having admin privs.
  • 4) Give "fred" write permission on "Documents and Settings\barney". Give "barney" read permission on "Documents and Settings\fred". Give "fred" read permission on "Documents and Settings\gazoo". That alone will solve 99% of permission problems you'll have.
  • 5) Use CPAU to set up job files to run all your networking programs (browser, email, IM, etc) as "barney". Do the same for all programs that legitimately need admin access (many CD/DVD rippers, for example) to run as "gazoo".
  • 6) To install most software (even well-behaved software that doesn't require admin to run), log in as admin (the real one, not "gazoo") and create its directory under Program Files, giving "fred" (or "barney" if it will run with reduced permissions) write permission to that dir. Then, install it while logged in as "fred" (or, again, as "barney" if applicable). Also, some pesky software will work best if you install it first as the user it will run as, and then as "fred". Firefox and Thunderbird fall into this category, because of the way they handle user profiles (Using the highly-recommended "Portable [portableapps.com]" versions of both will completely avoid this problem, btw).
  • The above will take care of most common problems you might have. Other problems will still pop up, however.
  • For example, good luck printing from your web browser - you can use Microsoft's TweakUI to edit the relevant ACLs, but that seems like about a 50/50 shot of working. I currently have two machines at home set up more-or-less as described above, and basically identical. One of them can print from "barney" and one can't. Weird.
  • Also, get used to using UNC names. Mapped drives, even if mapped under all three accounts, will not show up for programs running as anyone but the currently logged-in user.
  • And some "experts" wonder why so many Windows users still run as admin.
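
The ACL layout from steps 3 and 4 can be checked after setup with a short audit script. This is an added example, not part of the quoted post: it uses PowerShell's Get-Acl, which the post does not mention. The account names are the post's own; the profile root default, the local (non-domain) account format and the restriction to fixed drives are assumptions.

```powershell
# Added example: audits the ACEs described in steps 3 and 4 of the post.
# Assumptions: fred, barney and gazoo are local accounts, and profiles live
# under $ProfileRoot (use C:\Users on newer Windows versions).
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [string]$Machine     = $env:COMPUTERNAME
)

# True when $Path has an ACE of $Type for $Account that includes all of $Rights.
# ACEs stored as raw generic rights (e.g. GENERIC_ALL) will not match.
function Test-Ace {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ieq "$Machine\$Account" -and
            $ace.AccessControlType -eq $Type -and
            ($ace.FileSystemRights -band $Rights) -eq $Rights) {
            return $true
        }
    }
    return $false
}

# Step 4: cross-profile grants between the three accounts.
$expected = @(
    @{ Path = "$ProfileRoot\barney"; Account = 'fred';   Rights = 'Write'; Type = 'Allow' }
    @{ Path = "$ProfileRoot\fred";   Account = 'barney'; Rights = 'Read';  Type = 'Allow' }
    @{ Path = "$ProfileRoot\gazoo";  Account = 'fred';   Rights = 'Read';  Type = 'Allow' }
)

# Step 3: a deny-everything ACE for gazoo on each drive root
# (limited here to fixed, ready drives, which is an assumption).
foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
    if ($d.DriveType -eq 'Fixed' -and $d.IsReady) {
        $expected += @{ Path = $d.Name; Account = 'gazoo'; Rights = 'FullControl'; Type = 'Deny' }
    }
}

foreach ($e in $expected) {
    $status = if (Test-Ace @e) { 'OK' } else { 'MISSING' }
    '{0,-8} {1} {2} for {3} on {4}' -f $status, $e.Type, $e.Rights, $e.Account, $e.Path
}
```

Run it from an account that can read the ACLs on all three profile directories; a MISSING line means the corresponding ACE from the post's list is absent or narrower than described.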