Running as Administrator


    • #44112

      I’m running Server 2008 R2 as my day-to-day desktop, and everything works great, but the one thing bugging me is whether I should be logging in with the built-in admin account. I have taken some precautions to make things a little more secure, both related to running as the local admin and not (or only barely) related, such as:

      Change Administrator account name (Just in case someone happened to get on my network, at least they don’t know the user name?)

      User Account Control: Admin Approval Mode for the Built-in Administrator Account – Enabled

      The second should be prompting for non-Windows binaries. Not asking for my password, but at least asking if I really want to do something. I figure this would be closer to how Windows 7 operates. I know better than running just any old link or executable from the internet, so the prompts seemed like a horrible annoyance when I heard about it happening in Vista, but after using OS X for a while, and using Server as a workstation in a non-admin account (entering the password every time was what made that too much to bear), I don’t mind it. A little nagging from Windows won’t hurt my feelings.

      Is this enough, or should I really not be risking using the admin account at all? I have a fair amount of experience with Windows, but not Server, so looking for any input / advice that might be out there.
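As an added example (not part of the thread), the following PowerShell audits the two settings the post lists, plus whether the current session really is the built-in Administrator. It is written for PowerShell 2.0 on Server 2008 R2 and assumes local (non-domain) accounts; the registry values under Policies\System and the RID-500 lookup are standard Windows, the output layout is illustrative.

```powershell
# Added example, not from the thread: audit UAC state and the built-in
# Administrator account on Windows 7 / Server 2008 R2. Run from an elevated
# prompt. Assumes PowerShell 2.0+ and local accounts.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# 1. UAC on at all, and Admin Approval Mode applied to the built-in
#    Administrator (RID 500)? With FilterAdministratorToken absent or 0
#    (the default) that account always gets a full, unfiltered token.
$enableLua   = $uac.EnableLUA
$filterAdmin = $uac.FilterAdministratorToken
# ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = consent on secure
# desktop, 5 = prompt for non-Windows binaries only (Windows 7 default).
$promptMode  = $uac.ConsentPromptBehaviorAdmin

# 2. Renamed or not, the built-in Administrator keeps RID 500, so look it up
#    by SID rather than by name (which is also why renaming hides little).
$builtinAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# 3. Is this session that account, and is the process elevated?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isBuiltinAdmin = ($me.User.Value -eq $builtinAdmin.SID)
$principal = New-Object System.Security.Principal.WindowsPrincipal $me
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

"UAC enabled (EnableLUA):                    $enableLua"
"Admin Approval Mode for built-in admin:     $filterAdmin"
"ConsentPromptBehaviorAdmin:                 $promptMode"
"Built-in Administrator (RID 500) is named:  $($builtinAdmin.Name) (disabled: $($builtinAdmin.Disabled))"
"Current user:                               $($me.Name)"
"  is the built-in Administrator:            $isBuiltinAdmin"
"  this process is elevated:                 $isElevated"

if ($isBuiltinAdmin -and $filterAdmin -ne 1) {
    Write-Warning 'Logged in as the built-in Administrator with Admin Approval Mode off: every process runs with a full admin token and no prompt.'
}
if ($enableLua -ne 1) {
    Write-Warning 'UAC is disabled; Admin Approval Mode has no effect.'
}
if ($builtinAdmin.Name -eq 'Administrator') {
    Write-Warning 'Built-in Administrator still has its default name.'
}
```

The script reads the same policy values the Local Security Policy snap-in writes, so it can be rerun after changing the setting the post mentions to confirm it actually took effect (a reboot or re-logon is needed before the filtered token applies to an existing session).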

    • #51166

      To protect yourself from outside attack I would focus mainly on network security. Securing your router, not leaving all ports open on your router (DMZ mode), investing in a firewall, stuff like that. To be honest it really isn’t going to matter if you set high security standards for your computer because there are other methods around User Account Control. For example the C++ buffer overrun injection method. Even under good intentions, depending on how well the application you downloaded was written, if the programmer didn’t secure the code a hacker could use a buffer overflow exploit to impersonate a service account on the local computer (NETWORK SERVICE, LOCAL SYSTEM, etc.), run as an admin and modify the app in a way making it useless. While he’s an Admin he can wreak havoc on other processes/apps on your computer if he chooses, modify the registry, etc. This is just one measly example (which is an obsolete one). There are other ways around getting in a back door for the Administrator account and/or impersonating Administrative privileges. I would advise implementing safe security practices.

      1) Secure your router/modem

      Even if you don’t have a wireless router, hackers can use packet sniffing programs to gather information about your IP address and start a malicious attack on you. All of this can be prevented by implementing a secure firewall.

      2) Scan every file you download before you open it

      I cannot stress this enough to everyone. Almost every time I do a side job fixing computers (mostly removing spyware/malware) I teach them to scan before they open.

      3) Disable Autorun

      Some of those annoying viruses will infiltrate their way into your machine via your buddy’s flash drive (pre-loaded with porn and spyware) that you mistakenly put into your USB port, and then a day later you are like “what the heck did I do? Google causes viruses now!”

    • #51167

      The firewall is something I have been exploring for a while. I’m assuming you mean something a bit more robust than just a router, including those with something like DD-WRT running on them? This is all for home personal use, and I don’t have a lot of pocket money to invest on a commercial firewall appliance. Any software solutions worth looking into? Any reasonably priced hardware? Is slightly dated hardware worthwhile? (I’m thinking Craigslist for that.)

      Already had taken care of the other two. I don’t follow the scanning as carefully as I probably should, but I also don’t download all that much. That which I do is usually from reputable locations, though I know assuming that that is sufficiently safe isn’t the best idea.

      Just in case anyone is reading through this thinking the same thing about just using the built-in account, there are reasons not to use the admin account. The one I recently came across was moving profile data to a different drive. I have a 64GB SSD as my boot drive, and don’t want to have all of my profile information and my AppData folder on there. Setting this up was easy enough for me; it involved making a junction and a few other things that are likely detailed very nicely in a tutorial somewhere. Setting this up with the Administrator account seemed like a bad idea. So I made an account in the Administrators group and set it up to be in the correct location. That way, if anything breaks in a horrible way I can still log in to the default Administrator account to try to fix it. Just one example, specific to my situation, but I am guessing there are many more where that came from.

    • #51168

      Nah you should be fine, most modern routers have a firewall built into them. Mine for example has stateful packet inspection, MAC filtering, DoS protection, and WPA2 security. Also your antivirus should have a software firewall for added layer of protection. I would guess by your browsing habits that an expensive commercial firewall to protect your network is a complete waste of money.

      As far as migrating your user profile from one drive to another, have you tried Easy Transfer? I was able to get it working here.

    • #51169

      @halladayrules wrote:

      2) Scan every file you download before you open it

      I cannot stress this enough to everyone. Almost every time I do a side job fixing computers (mostly removing spyware/malware) I teach them to scan before they open.

      Doesn’t pretty much every antivirus software scan any files in real-time as they’re written to the hard drive anyway? What additional benefit does manually re-scanning them afterwards bring?

    • #51170

      @Indrek wrote:

      Doesn’t pretty much every antivirus software scan any files in real-time as they’re written to the hard drive anyway? What additional benefit does manually re-scanning them afterwards bring?

      Yes, you are right. I do a lot of torrenting and sometimes I like to find cracks (not illegal) for stupid games that I use (trainers, cheats, etc.) for the fun of it, and almost every time it’s done downloading my AV picks it up as a trojan and quarantines it. I find it much more convenient to just manually scan everything I download to skip the annoyance of the nagging false positives all the time. But you’re right, most AVs nowadays have some real-time scanner included that will scan the file before you even attempt to open it. The only thing I don’t like about that is no AV is perfect, and if you suspect the file to be a virus you can always do an online malware scan (Jotti for example) to be absolutely sure. Trusting your real-time scanner doesn’t always work 100% of the time. I’ve had AVG before, and when I downloaded the file nothing happened, and when I opened up the file nothing happened, and I was like, “oh crap.” AVG picked up the virus after it had already infiltrated my system. Strange how some AVs work that way? Why does it all of a sudden decide to pick it up after it’s infected the machine? AVG would say it deleted the threat but it was missing a key system file that would regenerate the virus, and every time I would reboot it would go into an endless loop of “infection found”. I had to manually remove it, which took a little while.

    • #51171

      @halladayrules wrote:

      As far as migrating your user profile from one drive to another, have you tried Easy Transfer? I was able to get it working here.

      Isn’t this just for moving from an old computer / drive to a new one? If there is a tool, especially a MS-provided one, that lets you move your user folder to a secondary drive I would rather do that than go with a hard link.

      Just remembered how I did that to begin with, so I will post it here. I think this is the source I started with:
      http://justenoughtechnology.com/move-user-profile-to-2nd-drive-in-win-7/

      To (attempt to) summarize:
      Make account with Administrator account > log out
      Log in to new account > shut down
      Boot to install CD to command line
      Use robocopy to duplicate user folder onto target drive
      (For example, calling it X:\PATH\TO\username)
      Delete (or back up?) user folder from source drive
      Create link using “mklink /J C:\users\username X:\PATH\TO\username”
      Reboot and log in to new account

      That got me set up with my main, non-default account storing data on a secondary drive. Keeps all of my user folders from accidentally ballooning and overloading my SSD.
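The robocopy-plus-junction procedure summarised in this post, as an added example (not from the thread or the linked tutorial), written as a PowerShell script for Server 2008 R2 / Windows 7. It assumes the source profile is under C:\Users, the target root is X:\Users (a placeholder, change it), PowerShell 2.0 or later, and that it is run elevated from a different account (the built-in Administrator, as the post suggests) while the user being moved is logged off. The lock check, the rename-instead-of-delete step and the post-link verification are additions a practitioner would want; they are not part of the original steps.

```powershell
# Added example, not from the thread: move a local profile to another drive
# and leave a junction at the old path. Run elevated, as a DIFFERENT user,
# with the target user logged off. Assumes PowerShell 2.0+; source is
# C:\Users\<name>, target root X:\Users (placeholder).
param(
    [Parameter(Mandatory = $true)] [string] $UserName,
    [string] $TargetRoot = 'X:\Users'
)

$src = Join-Path 'C:\Users' $UserName
$dst = Join-Path $TargetRoot $UserName

if (-not (Test-Path $src)) { throw "No profile at $src" }

# Refuse if the profile folder is already a junction (attribute ReparsePoint):
# the move has been done before and copying a junction onto itself is a mess.
if ((Get-Item $src -Force).Attributes -band [IO.FileAttributes]::ReparsePoint) {
    throw "$src is already a junction; nothing to do"
}

# Refuse while the profile is loaded: NTUSER.DAT is held open exclusively by
# a logged-on session, so an exclusive open failing means "log them off first".
$ntuser = Join-Path $src 'NTUSER.DAT'
try {
    $fs = [IO.File]::Open($ntuser, 'Open', 'ReadWrite', 'None'); $fs.Close()
} catch {
    throw "$UserName appears to be logged on (NTUSER.DAT is locked); log them off first"
}

# 1. Copy everything including ACLs and owners (/COPYALL, needs elevation),
#    hidden/system files (/E copies all subdirectories), but do NOT follow
#    junctions (/XJ): Windows 7 / 2008 R2 profiles contain compatibility
#    junctions such as "Application Data" that would otherwise loop.
& robocopy.exe $src $dst /E /COPYALL /XJ /R:1 /W:1 /NFL /NDL
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 2. Keep the original until the junction is verified: rename, don't delete.
Rename-Item -Path $src -NewName "$UserName.moved"
$backup = "$src.moved"

# 3. Create the junction. mklink is a cmd.exe built-in, so call it via cmd /c.
& cmd.exe /c mklink /J "$src" "$dst" | Out-Null
if ($LASTEXITCODE -ne 0) {
    Rename-Item -Path $backup -NewName $UserName
    throw 'mklink failed; original profile folder restored'
}

# 4. Verify before trusting it: the new path must be a reparse point and the
#    registry hive must be reachable through it.
$attrs = (Get-Item $src -Force).Attributes
if (-not ($attrs -band [IO.FileAttributes]::ReparsePoint) -or -not (Test-Path $ntuser)) {
    throw "Junction at $src does not resolve to $dst; inspect before logging in as $UserName"
}

"Profile for $UserName now lives at $dst; $src is a junction to it."
"Log in as $UserName to confirm, then remove $backup."
```

Because the junction keeps C:\Users\<name> as the path Windows sees, the ProfileImagePath value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList does not need to change, which is why this approach also carries the hidden AppData folder along with everything else.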

    • #51172

      Ok, never mind, I get what you are talking about. You don’t want to store your profile data on your SSD because it’s small; you have a larger hard drive that you want to host the files on.

      Simple. You don’t need to create any symbolic links or go through that crazy process; it’s really simple.

      Step 1. Click start, choose run.
      Step 2: Type in shell:usersfilesfolder
      Step 3. Right-click on Documents and choose Properties
      Step 4. Click the Location tab
      Step 5. Change the path from C:\Users\USERNAME\Documents to D:\Users\USERNAME\Documents or whatever drive letter is assigned to your larger HDD.
      (Replace USERNAME with your actual username; for example, if your username is Bob it would be C:\Users\Bob\Documents)
      Step 6: Repeat Steps 1-5 for the Downloads, Pictures, Music, Videos folder and other folders you plan to store large amounts of data on.

      Also if you open up registry editor (go to start type in “regedit” without quotes)

      Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

      Locate the ProgramFilesDir and ProgramFilesDir (x86) entries. If you change the value from C:\Program Files to D:\Program Files your programs will be installed on the D: drive instead of C:, so if you want your SSD to host only operating system files and configuration you can do that.

    • #51173

      While that works for MOST user documents / data, it leaves out the hidden AppData folder, which is unfortunately where a lot of the bloat winds up getting placed. Google Chrome stores all of its data there, and Outlook puts your mailboxes there by default. Some half-hearted searching for how to move my Gmail IMAP mailboxes turned up empty, and I don’t know that you can move the Chrome data, so rather than hassle with it I just redirected the whole profile folder. Just to give some perspective, in about two days of use my AppData folder has already reached 1.5GB. I don’t expect this rate to persist, but that’s still a pretty quick climb.

      I suppose I could have junctioned only the AppData folder with the previous steps, but that just felt messier than doing it up one level.

      edit – I think it may be possible to configure the system to place all profile folders in a different location, but I believe that is more for Active Directory purposes than anything else. I didn’t want to take the time to research it before having my system up and running, may revisit it as I have time.

      I’m leaving my programs installed on my OS drive, since there are so few. I haven’t done much looking at the ProgramData folder, it can probably stay as well, though I have seen people moving that to a different drive along with the AppData folder. Other than fairly lightweight utilities, I don’t have any need for much else. Eventually, Visual Studio, but not right now. Right now I have 47.3 out of 59.6GB free, so a nice big cushion in case I do happen to install anything moving forward. Outlook takes a little while to load, since all the mailboxes are on the 500GB, but Word loads in about a second. Much better than before the SSD.

      Games I’m installing through Sandboxie, and I’m installing them on a 500GB SATA drive. Keeps them as far from the OS as possible. Not perfect, but safer than it could be.
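To see the difference between the two approaches discussed in the last few posts (per-folder Location tab versus junctioning the whole profile), here is an added PowerShell example (not from the thread) that reports where each of the current user's known folders currently resolves and how much it holds. It reads the same User Shell Folders registry key the Location tab writes; AppData appears in that key too, but Explorer offers it no Location tab, which is the gap the previous post ran into. Assumes PowerShell 2.0+ and that the boot drive is $env:SystemDrive.

```powershell
# Added example, not from the thread: list the current user's known folders,
# where they resolve, their size, and whether they still sit on the boot drive.
# Assumes PowerShell 2.0+ on Windows 7 / Server 2008 R2.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$usf = Get-ItemProperty -Path $key   # REG_EXPAND_SZ values come back expanded

# Registry value name -> friendly label. The GUID is the value name Windows
# uses for Downloads in this key.
$folders = @{
    'Personal'      = 'Documents'
    'My Pictures'   = 'Pictures'
    'My Music'      = 'Music'
    'My Video'      = 'Videos'
    '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
    'Desktop'       = 'Desktop'
    'AppData'       = 'AppData\Roaming'
    'Local AppData' = 'AppData\Local'
}

function Get-FolderSizeMB([string] $Path) {
    if (-not (Test-Path $Path)) { return 0 }
    # -Force includes hidden/system files; the per-profile compatibility
    # junctions are ACL-denied for listing, so errors are silenced rather
    # than treated as failure.
    $sum = (Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
    [math]::Round(($sum / 1MB), 1)
}

$bootDrive = $env:SystemDrive.ToUpper()
$report = foreach ($valueName in $folders.Keys) {
    $path = $usf.$valueName
    if (-not $path) { continue }
    New-Object PSObject -Property @{
        Folder      = $folders[$valueName]
        Path        = $path
        SizeMB      = Get-FolderSizeMB $path
        OnBootDrive = $path.ToUpper().StartsWith($bootDrive)
    }
}

$report | Sort-Object SizeMB -Descending |
    Format-Table Folder, OnBootDrive, SizeMB, Path -AutoSize
```

If the profile root itself has been junctioned, every path here still reads as C:\Users\<name>\..., so OnBootDrive will say True even though the bytes live elsewhere; in that case check the profile folder's ReparsePoint attribute instead of trusting the drive letter.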

    • #51174

      I understand. Symbolic links are much easier to work with.

    • #51175

      @halladayrules wrote:

      Yes, you are right. I do a lot of torrenting and sometimes I like to find cracks (not illegal) for stupid games that I use (trainers, cheats, etc.) for the fun of it, and almost every time it’s done downloading my AV picks it up as a trojan and quarantines it. I find it much more convenient to just manually scan everything I download to skip the annoyance of the nagging false positives all the time. But you’re right, most AVs nowadays have some real-time scanner included that will scan the file before you even attempt to open it. The only thing I don’t like about that is no AV is perfect, and if you suspect the file to be a virus you can always do an online malware scan (Jotti for example) to be absolutely sure. Trusting your real-time scanner doesn’t always work 100% of the time. I’ve had AVG before, and when I downloaded the file nothing happened, and when I opened up the file nothing happened, and I was like, “oh crap.” AVG picked up the virus after it had already infiltrated my system. Strange how some AVs work that way? Why does it all of a sudden decide to pick it up after it’s infected the machine? AVG would say it deleted the threat but it was missing a key system file that would regenerate the virus, and every time I would reboot it would go into an endless loop of “infection found”. I had to manually remove it, which took a little while.

      That sounds nasty…

      I do a fair amount of torrenting as well, and occasionally do a manual scan before opening/running something, but in all cases my antivirus has picked up potential threats automatically (as soon as that particular file finishes downloading), and manual scans come up clean. I can see the problem with regular false positives, though, and you make a good point about running an online scan with multiple AV engines on suspected files.

    • #51176

      @Indrek wrote:

      That sounds nasty…

      I do a fair amount of torrenting as well, and occasionally do a manual scan before opening/running something, but in all cases my antivirus has picked up potential threats automatically (as soon as that particular file finishes downloading), and manual scans come up clean. I can see the problem with regular false positives, though, and you make a good point about running an online scan with multiple AV engines on suspected files.

      Yeah, it does sound nasty, but it’s controlled in a way: I only disable real-time scanning just long enough to extract the zipped contents of my torrent or to run a scan on it. It’s still risky no matter which way you look at it, because most of the time even if it’s a harmless no-CD crack a lot of antiviruses will pick them up as trojans and you have to use common sense to figure out if it’s legit or not. “Hmm, I see the original exe is 14,075 KB while this cracked one is only 4,550. Not going to trust it”, stuff like that.

    • #51177

      My AV completely missed this little bugger:

      Malwarebytes picked it up and promptly removed it. It was something in the registry; I didn’t save it so I can’t remember the exact name or location.

    • #51192

      An AV won’t help in many situations as you would expect.

      It’s much better to rely on popular torrents and check the comments, and if you are still unsure use something like jotti or virustotal.

    • #51193

      Don’t put too much faith into online virus scanners. Virus writers have the same access to those scanners to test their load, and they can simply pack their exe, among other methods. If you still use one, at least scan an already scanned file again in case new virus definitions catch something. Having said that, though, there’s something nice about VirusTotal: it prints the function calls. But if you see LoadLibrary/GetProcAddress, then the rest is meaningless.

      There’s no need to run as admin for day-to-day use. If a game insists on admin access, and you want to play it so badly, you can change its manifest, or, in the worst case, use appcompat to redirect the registry, etc.

      Use a firewall to deny all incoming AND outgoing connections, and only allow those you know require them.

      Then the only remaining thing is local root escalation. Nothing much you can do, other than keeping things updated and knowing what you run. Easier said than done.
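The deny-everything-then-allow-what-you-know policy from this post, as an added example (not from the thread) using netsh advfirewall from PowerShell, which is what Server 2008 R2 ships with (the NetSecurity cmdlets such as New-NetFirewallRule only arrived with Windows 8 / Server 2012). It must run elevated. The program paths and the DNS server address 192.0.2.53 are placeholders to adapt; the netsh syntax itself is standard.

```powershell
# Added example, not from the thread: default-deny inbound AND outbound with
# the Windows Firewall with Advanced Security, then explicit allows.
# Run elevated on Windows 7 / Server 2008 R2 or later. Program paths and the
# DNS address are placeholders.

# 1. Firewall on for every profile, and both directions blocked by default.
#    Windows' built-in allow rules (e.g. the "Core Networking" group) remain
#    enabled; review them with the show command at the end.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Log dropped packets so the next "why can't X connect" question is answerable.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 2. Plumbing that is hosted inside svchost.exe cannot be allowed by program
#    path without allowing every service, so scope it by port and address.
netsh advfirewall firewall add rule name="Allow DNS out (resolver only)" dir=out action=allow protocol=UDP remoteport=53 remoteip=192.0.2.53
netsh advfirewall firewall add rule name="Allow DHCP out" dir=out action=allow protocol=UDP localport=68 remoteport=67

# 3. One outbound allow per binary that genuinely needs the network.
#    Paths are placeholders; missing binaries are skipped rather than
#    leaving a rule that matches nothing.
$allowed = @(
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe',
    'C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE'
)
foreach ($exe in $allowed) {
    if (-not (Test-Path $exe)) { Write-Warning "skipping missing $exe"; continue }
    $ruleName = 'Allow out: ' + (Split-Path $exe -Leaf)
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=allow program="$exe" profile=any enable=yes
}

# 4. Confirm the policy and see which outbound allow rules are still enabled.
netsh advfirewall show allprofiles | Select-String 'Profile Settings|Firewall Policy|State'
netsh advfirewall firewall show rule name=all dir=out | Select-String '^Rule Name|^Enabled|^Action'
```

Windows Update and other svchost-hosted services are the usual casualties of blockoutbound; the trade-off is between scoping them by address and port as above and accepting a broader svchost.exe allow. Whatever is chosen, keep the drop log enabled and review it rather than adding rules on demand when something fails.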
