fj: (tech)
[personal profile] fj
(And don't tell me The Right Thing is to ditch for Linux. I haven't enjoyed my Linux experiences much, and I have a GPRS card and random Firewire cards to run on this subnotebook.)

Coming from a technical UNIX background it seems intuitively obvious not to run as root in this dangerous world. This wasn't always an option on Windows at all, and not very practical on Win2K when it runs the personal machine with which you constantly explore new programs. Work machine, sure, you actually have to go through a special procedure at Nokia to get Administrator rights on the standard Win2K image on the desktops. And I fully understand why: keeping 40K users from corrupting the Intranet and taking everybody down is not just a matter of avoiding nuisances, it is vital to the company. I remember the pain we suffered when mail wasn't working for a day or two, and I understand that Nokia Business Infrastructure is in no mood to re-live those days just because somebody needs weatherbug in their task bar tray.

I am basically the sysadm at home. So I try to explore best practices some. And I don't click on received executables and I don't click "OK" on pop-up windows for a Bonzi Buddy -- if I even see them, I asked [livejournal.com profile] pinkfish to switch to Firefox as soon as I had tested it out and knew it would do. You see, for me safe computing is about avoiding nuisances, but Dean makes money off our home network, and I always need to make sure that best practices don't get in his way.

So now that we are both on XP I am experimenting with having my daily account have Power User privileges, and no more. To stay safe. So nothing I may run or do can hose the machine, it just hoses the 'fj' account. I did make an Administrator account -- which I couldn't call 'Administrator', much to my chagrin, because XP says that account already exists even though I can't find it. And XP allows a user to easily switch accounts without having to shut down work like 2K made you do. And even as 'fj' I can run an install as Administrator by right-clicking and selecting 'Run As...' and entering the Administrator account credentials.

Actually, not quite. If I download a program I want to install under the 'fj' account, I first have to move it to the Shared Documents directory, and do 'Run As...' Administrator from there, because if I try to run it with Administrator privileges from the 'fj' desktop, the execution will always fail because the Administrator account can't see 'fj''s files. Some root that is.

So I make the install work by running it from the right place with the right credentials -- most installations insist on being run with full Administrator powers -- and then most will leave program shortcuts on everyone's desktops. Which I can't remove from 'fj''s Desktop. Logged in as 'fj', I do not have the privileges to remove a shortcut that an Administrator left. Logged in as an Administrator account, I cannot access 'fj''s Desktop. Obviously I have to give the Administrator account access to 'fj''s files, but I can't find the Properties tabs for that.

I am sure there is a way, but the second problem is that many applications are not happy being run by someone other than the account that installed them, and certainly not with fewer privileges. I tried out Dean's new webcam and I installed the application software fine -- as Administrator -- but the shortcuts on 'fj''s Desktop simply would not run.

Doing The Right Thing is turning into a pain. I think I may delete the Administrator account soon after I add 'fj' back to the Administrator group. XP may be ready for lesser privileged users running as default, but the vendors are not.

Date: 2005-04-23 11:12 pm (UTC)
From: [identity profile] proemial.livejournal.com
Re: the XP "Administrator" account.

The name is reserved and attached to the first account created on the machine. Should that account lose its admin privs, then "Administrator" moves to the next account with admin privs.

Just a fyi :)

Date: 2005-04-25 02:34 pm (UTC)
From: [identity profile] didymos.livejournal.com
There generally actually *is* an "Administrator" account, but the only way to access it is to boot the computer in Safe Mode. At the user selection screen, "Administrator" should be an option.

don't delete

Date: 2005-04-24 02:24 am (UTC)
From: [identity profile] wrayb.livejournal.com
just rename the administrators account. You say you don't find an account named Administrator. Did you find the users admin app? The user wizard of XP is nearly useless. Sorry too lazy to boot up my work XP laptop, but there is the user's app somewhere that looks just like in W2K.

I am still something of a newbie on XP but the admin account not being able to see the various user's files seems wrong to me.

OK, I don't know why I send this reply. I'm not really helping.

cheers.

Re: don't delete

Date: 2005-04-24 04:27 am (UTC)
From: [personal profile] vasilatos
I'm an old Unix hack and dealing with XP. All I can say is, "keep up the struggle, comrade." Can't understand the biz about hidden anything. It drives me crazy. -Max

Date: 2005-04-24 04:31 am (UTC)
From: [identity profile] ranger1.livejournal.com
I believe the reason you can't use the 'Administrator' name is because it's a shadow account belonging to the system. It's usually hidden. While it's possible to mess around with the user management GUI and make it appear, that's a bad idea. I get the impression it isn't meant to be touched, or even looked at. I once made the mistake of deleting it, which instantly hosed the machine. Yay for backups.

Yeah, "run as" doesn't always play well with installers. My usual approach is to create a separate user with admin privileges, and I only log into that account when installing software. Most modern installers will ask you whether to install for only the current user, or for everyone. Unfortunately, a badly-written installer might lack that functionality, or they sometimes put the option in a non-obvious location. I find it's too easy to end up installing a program that no one else can use.

Since you seem interested in the topic, my former colleagues at MIT have a pretty good primer (http://itinfo.mit.edu/article.php?id=7324) on how to configure XP to increase its overall security. It's aimed at campus users of XP Pro, but much of it applies to XP in general.

Date: 2005-04-25 02:35 am (UTC)
From: [identity profile] earthling177.livejournal.com
The few times I installed anything in XP I installed it from the admin account. Then you log in as yourself and run the program, or create a shortcut etc as you want. But my experience may be atypical.

Most of the time I use a Macintosh running MacOS X and my life is way easier and more productive. Incidentally, someone may or may not have said this before to you, but a Mac will go much better with your decor... ;-)