Admin rights vs. User rights

Status
Not open for further replies.

grez

Technical User
Dec 1, 2002
155
US
Hi! Spyware, as we all know, is a major situation. I have been working with two pretty reliable, real-time protection programs for spyware: Webroot's Spy Sweeper and Sunbelt's CounterSpy. Both outstanding programs. However, they will only operate on users that have admin rights, nothing less, and I have confirmed this with both companies.

So, if you were setting up an XP Pro machine, would you either

1) Give all users (besides the administrator) admin accounts, but restrict their accounts via Group Policy editor, which would still allow them to install their own programs (would like to avoid this)...

OR

2) Give the normal users "user" accounts and not have the real-time spyware protection, but this would not allow users to install their own programs. Would have to run spyware sweeps in admin mode.

Any thoughts out there? Thanks in advance!
 
Have a look at Greg PALMER's free program, see if you can make use of that?

294676 - HOW TO: Enable and Use the "Run As" Command When Running Programs in Windows

"To start a program as an administrator" in the Help and Support program.

Isn't CounterSpy closely related to Microsoft AntiSpyware Beta 1? The reason I ask is that Microsoft's program seems to run OK as a Limited User, having been installed by the Administrator.

Other things you could look at are installing the programs in each user's Documents and Settings folder (done while temporarily promoting the user to an Administrator just for the install).
 
Is there any place that lists the specific differences between Administrator rights, Power Users' rights and Users' rights (on XP or 2000, either will do)? I'm trying to get a handle on what can and cannot be done or restricted in each category.

Thanks for your help.

Duane

Duane R. Bushway
IT Specialist
US Food and Drug Administration,
Office of the General Counsel
 
I chose to grant Users rights to the users, not administrative or Power Users. This will prevent the spread of spyware, since users can't install anything, so also not any serious spyware. I have created a domain user that is a member of the local Power Users group so users can use that account to install software. Maybe that is also a solution for you. See my thread:
 
Thanks for the info, great idea...However I still need a list of specific rights/restrictions (in essence the differences in the user levels).

Duane R. Bushway
IT Specialist
US Food and Drug Administration,
Office of the General Counsel
 
Use of the now Beta Microsoft Antispyware program includes as a planned feature the use by limited users. It is planned for Beta 2, which should be released before the end of July. Steve Dodson, from the Microsoft antispyware team, noted: "You have a limited user account running the application looking for spyware on all files and folders. This includes the administrator account which limited users may not be able to access. So we have to approach this carefully in order to remove the spyware from all locations, but also preserve file and folder permissions and access.

In short, we are addressing this for a future release, but it involves some major coding and testing."


 
I've had great times with this type of thing, and normally, I'd use regmon - run the program and unlock the individual directories in the registry to allow the program to run as standard users. I've had to do this with plenty of programs, and some of them are quite a task to work out as regmon won't give absolutely everything (like a "classpath" change), but it should highlight everywhere in the registry. Run the program as a user with regmon highlighting ACCDENIED, and the program filtered and unlock those areas.
You may also need to unlock the explorer folder.

Typically, for a program, I normally start by unlocking:
HKLM\Software\<program name>
c:\program files\<program name>

In a lot of cases, you find that there's a config file in c:\windows that needs opening so it can be written to. And in some more awkward programs, the programs create a key in HKLM and remove the key when closed (Business Objects pre version 6 is a good example of that).

Once you've worked out what needs unlocking - it's fairly simple to apply to other PCs. If you have a large network, ask the admin to script something to unlock and you should be set once deployed.

I'll give the program a once over, and see if I can come up with something for you.

Hope this helps.
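
The approach described in the post above (filter the Regmon output on the program, look for ACCDENIED, unlock only those areas), as an added example that is not part of the original thread: it reduces an exported log to the shortest list of denied paths and separates the ones outside the program's own key, which deserve review before any permission is loosened. The tab-separated column layout, `ExampleApp.exe` and every sample row are constructed assumptions.

```python
# Constructed sample rows; the tab-separated column order (sequence, time,
# process:pid, request, path, result, other) is an assumption about the export.
SAMPLE_LOG = "\n".join([
    "1\t0.0010\tExampleApp.exe:1234\tOpenKey\tHKLM\\Software\\ExampleApp\tSUCCESS\t",
    "2\t0.0021\tExampleApp.exe:1234\tCreateKey\tHKLM\\Software\\ExampleApp\tACCDENIED\t",
    "3\t0.0034\tExampleApp.exe:1234\tSetValue\tHKLM\\Software\\ExampleApp\\Settings\\LastScan\tACCDENIED\t",
    "4\t0.0040\texplorer.exe:888\tCreateKey\tHKLM\\Software\\Other\tACCDENIED\t",
    "5\t0.0052\tExampleApp.exe:1234\tCreateKey\tHKLM\\Software\\Classes\\.exa\tACCDENIED\t",
    "garbled line without tabs",
])


def denied_paths(log_text, process_name):
    """Map each path the given process was denied to the request types seen."""
    denied = {}
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # header, blank or damaged row
        process, request, path, result = cols[2], cols[3], cols[4].rstrip("\\"), cols[5]
        if result.strip().upper() != "ACCDENIED":
            continue
        if process.rsplit(":", 1)[0].lower() != process_name.lower():
            continue  # another process; its denials are not ours to fix
        denied.setdefault(path, set()).add(request)
    return {path: sorted(reqs) for path, reqs in denied.items()}


def _under(path, root):
    """True if path is root itself or lies below it (registry paths ignore case)."""
    path, root = path.lower(), root.lower()
    return path == root or path.startswith(root + "\\")


def minimal_roots(paths):
    """Drop every path already covered by a shallower denied path."""
    roots = []
    for path in sorted(paths, key=lambda p: (p.count("\\"), p.lower())):
        if not any(_under(path, root) for root in roots):
            roots.append(path)
    return roots


def review_list(log_text, process_name, own_key):
    """Return (roots under the program's own key, roots elsewhere needing review)."""
    roots = minimal_roots(denied_paths(log_text, process_name))
    own = [r for r in roots if _under(r, own_key)]
    other = [r for r in roots if not _under(r, own_key)]
    return own, other


if __name__ == "__main__":
    print(review_list(SAMPLE_LOG, "ExampleApp.exe", "HKLM\\Software\\ExampleApp"))
```

Paths in the second list are shared locations; loosening their ACLs for standard users affects more than the one program.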
 
Hi again.

Well, there's loads of CLSID entries for the Counterspy program and the HKCU area in the registry should be available to the logged on user - so nothing there.

I have found a workaround for you - if at all practical...when the program is installed it uses only the current user's configuration. I was unable to use the program as a second administrator, never mind just user. It's not a lock-down issue, but a program badly written rather. Yes, it may do a good job, but what's the point if it only works for the user who installed it?

Anyways, giving a user administrator rights, installing the program (run it once) and then removing the administrator rights works.

Don't know if that's practical or not for your environment, but at least you can tell Sunbelt their program only installs for the logged on user and maybe they can fix it.

That's all I have...hope it helps a little.

Cheers
Dollar
 