More Bulletproof Windows XP


Today, on Win XP, you can effectively block almost all malware and spyware by putting "least privilege" to work for you.  There is no need to wait, there is nothing more to buy, and there is not even anything to download.

In the computing world outside the Microsoft sandbox, the term "least privilege" is widely used in the security context.  The essential idea is, for any given task, to use an account with the lowest level of "privileges" that can do the job.   Earlier this year, Microsoft introduced the concept to readers of its TechNet site.

begin quote

The Security Principle of Least Privilege

If low-privileged processes are compromised, they will do a lot less damage to a system than high-privileged processes are capable of doing. Consequently, using a non-administrator account instead of an administrator account while completing daily tasks offers the user added protection against infection from a host of malware, external or internal security attacks, accidental or intentional modifications to system setup and configurations, and accidental or intentional access to confidential programs or documents.

end quote

http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

Using a Least-Privileged User Account

The above TechNet article makes clear that Microsoft plans to promote the wider use of "the principle of least privilege" with the upcoming Windows release, "codenamed 'Longhorn'", now scheduled for the end of 2006.

In the meantime, Win XP is fully least-privilege capable.  There are only two rubs: 1) Microsoft does not support the use of least privilege on Win XP, so you are basically on your own, and 2) deploying least privilege in Win XP may be more or less convenient, depending on the applications used on each computer.  With respect to the "convenience factor", many applications today are not least-privilege compatible.  However, there are three items of good news:
The only bad news is that setting up least privilege definitely requires some setup in the Control Panel, and may require moving files from one location to another.  If you are not comfortable with tackling such tasks on your own, it would be better for you to pass, or get help if you really want least privilege protection for your computer.

System Requirements

Least privilege protection is available on Windows XP systems installed on NTFS hard drives.  The other hard drive option for Win XP is the FAT32 file system, but FAT32 offers no protection against malware and spyware.  Luckily, 1) checking for NTFS is easy, 2) if you are on FAT32, converting to NTFS is easy, and 3) most Win XP systems are on NTFS in the first place.  To check your file system, go to Windows Explorer, right click on your C: drive, and choose Properties.  The file system is shown on the third line down, labeled "File System:".  On most Win XP systems, it will say NTFS.

If your file system is FAT32, you can convert to NTFS by closing all applications, going to a Command Prompt (Start, All Programs, Accessories, Command Prompt) and typing this command:

 convert c: /fs:ntfs

Where c: is the drive you want to convert (normally, that would be c:).

The conversion process will start after reboot.  FAT32 will be converted to NTFS "without data loss", but the wise would do a complete backup, "just in case".


How Bulletproof is "More Bulletproof"?

Use of least privilege in Windows XP on NTFS file systems has completely blocked all malware and spyware tested.  The term "block" is used here to mean that the malware and spyware cannot install itself on the computer -- even if you press all the wrong buttons!  You flush all malware simply by logging off (going back to the initial account login screen) -- you do not even have to reboot for all malware tested so far.  The tests were performed using absolutely no anti-virus and no anti-spyware protection.  (Some readers can repeat these tests on their own and verify the results -- see the sidebar entitled "You CAN try THIS at home!".)

Caveat!  Although the malware and spyware could not install itself on the computer, some malware can be active in memory until you log off.  Using least privilege, your browser can get jammed up.  The solution here is simple -- just log off and back on.  Also, the Netsky worm tested can access the Outlook address book and send out worm-laden emails, even when running as least privilege.  However, Netsky could not install itself, and logging off flushed the worm.  Interestingly, in the outgoing emails, for the "from" address, Netsky used other addresses from the address book, not the actual "from" address, thus disguising the real source of the worms!

It would be theoretically possible for malware to get into memory and erase all your files (not program and system files, but user files).  Logging off would flush the malware, so when you logged back in the malware would be gone, but all your files would be gone as well.  There is no malware going around now that will do this, but it would be theoretically possible.  The moral is you still probably want to use anti-virus software and keep your definitions up to date.

Finally, least privilege would not protect against all vulnerabilities.  For example, we have been informed that malware could get to a computer that was connected to the Internet without any firewall.  

Now that you have been warned, the good news is worth repeating: least privilege makes your system invulnerable to the vast majority of malware and spyware now out there.  You should still implement other measures to protect your PC, but least privilege can be one additional defensive layer, and one that effectively blocks almost all the malware and spyware out there today.


How It Works

When using a least privilege account, you have write access to your own user files and to shared user files, but you have NO write access to the system directories (c:\Windows and below), and you have NO write access to the location for application programs (c:\Program Files).  Because you have no write access, you cannot install or remove programs when using a least privilege account, and neither can malware and spyware install itself (with or without your permission).  

For malware to be there the next time you turn on your computer, it must make changes in the system file and application file areas.  But from a least privilege account, malware cannot do so.  Not one bit.  So when running as least privilege, logging off flushes most malware.

It is helpful to keep how least privilege works in mind.  Any task that would seem to require write access to system files will probably have to be performed from within an administrator account.  These include installing/removing software, installing/removing hardware drivers for new or removed hardware, installing/removing printer drivers for new or removed printers, adding/removing/changing users and user account types, installing "Critical Updates" from Microsoft, and applying virus definition updates.

Some applications do not work properly from within a least privilege account (discussed below under "Convenience/Inconvenience Factor").  This is because such applications were written expecting write privileges in the system and program file directories.  When such programs attempt to write to those directories, they cannot do so, with untoward results.  It is fair to say that such applications are not "least privilege compatible".
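The two checks above (System Requirements: is the drive NTFS? How It Works: which directories can this account write to?) can be done from a Command Prompt instead of Windows Explorer.  The batch file below is an added example, not something from the original article; it probes the four areas discussed (the system directory, Program Files, the account's own My Documents, and Shared Documents) by trying to create and then delete a small file in each, so it leaves nothing behind.  The file name lp_check.cmd is my own choice.  Note that fsutil is documented as needing an administrator account, so the file-system line may say it could not tell if you run the script from a "Limited" account; the write probes work from any account.

```batch
@echo off
rem lp_check.cmd -- added example, not part of the original article.
rem Log in as the account you want to test, open
rem Start > All Programs > Accessories > Command Prompt, and run lp_check.cmd.
rem 1) Is C: NTFS?  On FAT32 there are no permissions to enforce, so every
rem    write probe below would succeed no matter which account you use.
rem 2) Which of the four areas the article discusses can this account write to?

setlocal

rem --- 1. File system check (fsutil ships with Windows XP) ---
fsutil fsinfo volumeinfo C:\ > "%TEMP%\lp_fs.txt" 2>&1
find "File System Name" "%TEMP%\lp_fs.txt" >nul
if errorlevel 1 (
    echo Could not read the file system type - fsutil needs an administrator account.
) else (
    find "File System Name : NTFS" "%TEMP%\lp_fs.txt" >nul
    if errorlevel 1 (echo C: is NOT NTFS - least privilege cannot protect this drive.) else (echo C: is NTFS - file permissions are enforced.)
)
del "%TEMP%\lp_fs.txt"

echo.
echo Logged-on account: %USERNAME%
echo.

rem --- 2. Write probes: one per area the article discusses ---
call :probe "%SystemRoot%"                  "system directory %SystemRoot%"
call :probe "%ProgramFiles%"                "application programs %ProgramFiles%"
call :probe "%USERPROFILE%\My Documents"    "My Documents of this account"
call :probe "%ALLUSERSPROFILE%\Documents"   "Shared Documents of All Users"
echo.
echo A "Limited" account should show DENIED for the first two lines only.
endlocal
goto :eof

:probe
rem %~1 = directory to test, %~2 = description (no parentheses, they would
rem break the if-blocks below).  2>nul hides cmd's "Access is denied." text.
set "PROBE=%~1\lp_probe_%RANDOM%.tmp"
(echo probe > "%PROBE%") 2>nul
if exist "%PROBE%" (
    echo   WRITABLE  %~2
    del "%PROBE%"
) else (
    echo   DENIED    %~2
)
goto :eof
```

Run it once from an administrator account and once from the "Limited" account: the administrator run should show all four lines WRITABLE, the "Limited" run should show the first two DENIED.  If the "Limited" run shows WRITABLE for the system directory or Program Files, either the drive is FAT32 or the account is not actually "Limited".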

Why Least Privilege is Better than Anti-Virus Software

The vendors of anti-virus software find out about new malware only after computers are infected and the problem is reported.  Customers of anti-virus software vendors get the fix after the vendors figure out a fix, vendors make the fix available in the form of updated virus definitions, and customers download and apply the updated definitions.  So by the time an updated definition is available for download, some number of systems is infected with the new malware and such systems are waiting for a fix.  Look at it this way: most computers in the world today function as guinea pigs for the anti-virus vendors.  

In most cases, least privilege prevents the infestation in the first place.  For most malware, YOUR computer would no longer function as a guinea pig for the anti-virus vendors.

Setting Up Least Privilege

In Win XP, accounts come in two flavors, Administrator and "Limited".  You must have at least one administrator account to install/remove software, install/remove hardware drivers, install "Critical Updates" from Microsoft, and apply virus definition updates.  To protect a Win XP computer against almost all malware and spyware, create a "Limited" account, and use that account to surf the web and access your email (the two activities with the greatest malware exposure).  One can use the administrator account(s) for all other tasks (although for convenience, you may want to explore performing other tasks from within a "Limited" account, in addition to surfing and email).  On one level, that is all there is to it.

The word "Limited" is in quotes because the label is unfortunate -- superficially, who wants to be "limited"?  In Linux and Unix, the same kind of account has a more neutral label: "regular user".  One can look at the "Limited" label this way: use of a "Limited" account will limit the damage malware and spyware can inflict on your computer.

Microsoft has recently decided to downplay the term "Limited" by referring to the least privilege account by its initials, "LUA", for Limited User Account, and pronouncing the initials as "loo-ah".

Before creating a "Limited" account for surfing and email, it would be best to have already chosen the names for your Administrator and "Limited" accounts.  Ideally, you should choose names that make it easy to remember whether an account is Administrator or "Limited".  I would personally recommend that you convert any account with a person's name to a "Limited" account, and set up one or more administrator accounts with functional names.  Putting the name "Administrator" on an account would be OK (although I use "Grand Wizard" for the administrator accounts on the machines that I administer).  In many situations, it would generally be better to keep the issue of who gets administrator access separate from the naming issue, and to do this by making all accounts with any person's name equal and "Limited".

Also note that some information from Microsoft implies that each person can have one and only one account -- this is not so.  Each person who uses a computer can have more than one; for example, two accounts, one administrator and one "Limited".  To get the most out of least privilege, every user of a computer should surf the web and access their email from a "Limited" account, as malware and spyware that gets on the computer through one account affects the whole computer, including everybody else who uses that computer.

Naming decisions here are not set in concrete -- you can always add more accounts later.  You can rename existing accounts, but this makes for inelegant subdirectory names under "Documents and Settings" -- see the section below "Win XP User Files".  I personally prefer to create a new account and delete the old account rather than rename.  If you take this approach, be extra careful to copy all files and "favorites" settings from the old account to the new account before deleting the old account.

To create a new account, go to the Control Panel, select User Accounts, and click on "Create a new account".  The screen will prompt you to give the account a name.  The name does not need to be a person's name, but can be.  (All the Win XP machines that I administer have a "Limited" account called "Surfer", for -- you guessed it -- surfing the web.)  As stated above, it is better to decide on a naming plan that makes sense for you before launching into this.  

There is an option here: you can either keep the new account as an Administrator or make it "Limited".  The default choice is Administrator under Win XP.  You can choose to make the new account a "Limited" account by clicking on that option.  Later, you can come back to the User Accounts dialog (accessed through the Control Panel) and change the account type, from administrator to "Limited" or vice versa.  In actual practice, it is sometimes necessary to do this.

People who already have two or more accounts on a Win XP system will know the initial screen that says, "To begin, click your user name".  If your Win XP system has a single account only, Windows bypasses the initial screen.  So after setting up a "Limited" account, you must make a choice after turning on your computer.  Once you are in an account, you can tell which account you are in by clicking on the Start button -- the name of the account is at the top of the Start Menu.  

I would also recommend protecting all administrator accounts with passwords.  This will prevent some future, clever malware from getting administrator privileges even though you are using a least privilege account.  Without password protection, malware would be theoretically able to access administrator privileges and install itself even though the person is using a least privilege account.  On a shared computer, it would be OK for all users who get administrator access to know the single password for a single administrator account (that is the way it works in my office, but my office is small).  Different arrangements would work in different settings, but leaving any administrator account without password protection is inviting trouble down the road.

One possible incentive system that could work in some homes and office settings would be to password protect all administrator accounts, while not password protecting some or all least privilege accounts.  From the user's perspective, getting into a least privilege account is easy (no password required), while getting into an administrator account requires putting in a password.  Hence the incentive for using a least privilege account.  
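For those who would rather script the account setup than click through the Control Panel, the batch file below is an added example (not from the original article) that does the same thing from an administrator account's Command Prompt: it creates the "Surfer" account the article uses as its example, makes sure it is not in the Administrators group, and then lists which accounts are administrators and which are "Limited" so you can check your naming plan against reality.  The file name lp_accounts.cmd is my own; the commands (net user, net localgroup) ship with Windows XP.

```batch
@echo off
rem lp_accounts.cmd -- added example, not part of the original article.
rem Run from an administrator account.  "Surfer" is the account name the
rem article uses; change NEWUSER to fit your own naming plan.

setlocal
set "NEWUSER=Surfer"

rem 1. Create the account.  A new local account made with "net user /add"
rem    lands in the Users group, which is what the User Accounts panel
rem    calls "Limited".  The "*" makes net prompt for the password instead
rem    of taking it on the command line; press Enter twice for no password
rem    (the article's "incentive system" leaves Limited accounts open).
net user %NEWUSER% * /add /comment:"Least privilege account for web and email"
if errorlevel 1 (
    echo Could not create %NEWUSER% - are you in an administrator account?
    goto :eof
)

rem 2. Make sure it is NOT an administrator.  This does nothing for a fresh
rem    account; it is the same command you would use to demote an existing
rem    account with a person's name to "Limited".
net localgroup Administrators %NEWUSER% /delete >nul 2>&1

rem 3. Every administrator account should have a password.  To set or
rem    change one, run, for example:   net user Administrator *

rem 4. Show the result.  Accounts with a person's name should appear in the
rem    second list only.
echo.
echo === Accounts with administrator rights ===
net localgroup Administrators
echo.
echo === "Limited" accounts ===
net localgroup Users
endlocal
```

The same two net localgroup listings are a quick audit on any machine you administer: anything in the Administrators list that is not one of your functional administrator accounts deserves a look.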

Convenience/Inconvenience Factor

Say you now have one or more least privilege accounts that you use for surfing and email.  It is OK to try all your other applications from within the least privilege account -- they may work fine, or they may not.  If one or more applications do not work properly, one option is to access such applications from an administrator account.  The INconvenience factor is that one must switch back and forth between the least privilege and administrator accounts, probably more frequently than one would prefer.  The next option is to explore workarounds.

(Note: There is a "Run As" option, but this has never worked for me, and I think it unnecessarily complicates Windows XP.  You may want to consider this, but I suggest doing so only after you get some hands on experience using least privilege accounts.)

MS Office 2000 and later is least privilege compatible, but Office 2000 (and perhaps others) needs to access the install CD once with system write privileges from within each least privilege account.  The trick that worked for me is to temporarily change all least privilege accounts to administrator accounts.  After doing so, go into each account, one by one, and open Word or Excel.  Give the computer the install CD when it asks for it.  After doing all the accounts, for all accounts that should be "Limited", go into the Control Panel from an administrator account and change them back to "Limited".

The prior paragraph gives the workaround for MS Outlook.  There are workarounds for many other applications.  If you get to the point of wishing some application could be made to work from a least privilege account, this "least privilege blog" comes highly recommended:

http://weblogs.asp.net/aaron_margosis/

It bears repeating that you must have at least one administrator account, to perform tasks like those described for MS Outlook above, as well as to install/remove software, install/remove hardware drivers for new hardware or removed hardware, install/remove printer drivers for new/removed printers, add/remove/change Users and user account types, install "Critical Updates" from Microsoft, and apply virus definition updates.  

There is good news here for persons who use their computer for no more than surfing the web, accessing email, and MS Office applications: least privilege will be absolutely no problem.  You will only need to go into an administrator account once per week or so, to download and install "Critical Updates" and new virus definitions.  There are also many applications out there that work under a least privilege account without a hitch, and users of those applications will also be able to spend 99% of their computing time in a least privilege account.  Users of applications that are not 100% least privilege compatible will have to switch between accounts on a regular basis to get least privilege protection now -- the inconvenience factor.


Games Do Not Work

Many games do not work from a least privilege account.  On a home computer, this could be a problem.  A solution that could work in some homes is to set up an administrator account called "Games", in addition to an administrator account called "Administrator", along with one or more least privilege accounts.  Ask the kids to use the "Games" account for games, and to surf the web and do email from the appropriate least privilege account.  One might get better compliance by 1) explaining the reason for this request, and 2) as a reminder, removing the Internet Explorer (and/or Firefox) and Outlook icons and quick launch from the Games account.

To remove the Internet Explorer ("IE") (and/or Firefox) icon and quick launch from the Games account, first go into every other account and make sure there is an IE quick launch in each account:  Right click on Start, choose Properties, click on the Taskbar tab, make sure "Show Quick Launch" is checked, and click on OK.  There may be an IE quick launch already, but if not, click and hold on the IE desktop icon, drag to the quick launch area in the lower left, and then drop on the quick launch by releasing the mouse button.  There should now be a little IE "e" in the quick launch.  After making sure that every other account has an IE quick launch, go into the Games account and delete the IE desktop icon and quick launch (in both cases, right click, Delete).  This will probably delete the IE desktop icons in all accounts.  If so, for every account (other than "Games") in which you want an IE desktop icon, go into that account, right click on the IE quick launch, select Copy, then move the pointer over the desktop, right click, and choose Paste.


Win XP User Files

If you want to access Outlook from a "Limited" account, and Outlook is presently under an administrator account, you will need to move the Outlook files.  One must move the files because from a "Limited" account, you have no read or write privileges to the file areas of any other account (except "All Users").

It helps to know a little about where Win XP keeps the My Documents for each user, and the Shared Documents for all users.  The system and application file directories (c:\Windows and c:\Program Files, respectively) were mentioned above.  Also off the root of c:\ is Documents and Settings, under which all user files are stored.  Under c:\Documents and Settings is one subdirectory for each user account, in addition to one named All Users.  Under each user directory and All Users there are various directories, including My Documents (for each user's My Documents) and Desktop, where desktop icons are stored.  The desktop icons under All Users appear on the desktops of all users.  If you are not familiar with these areas of your hard drive, it might be helpful to take a look in Windows Explorer now.

Renaming an account does not rename the user directory under Documents and Settings as you might expect.  Rather, renaming the account changes the name that appears on the initial screen but the directory keeps the old name.  For this reason, I prefer to create a new account with the new name, move the files from the old to the new user directory, and then delete the old account.  

When you are in Windows Explorer and open up My Computer, Shared Documents is listed on the bottom.  As the name implies, that folder is shared among all users, and is physically stored in c:\Documents and Settings\All Users\Shared Documents.  The location shown near the bottom of My Computer is a shortcut to the actual physical location.

The Outlook files are under the user directory for the account in which Outlook was originally set up.  In Outlook Express, you can find the file location by going to Tools, Options, clicking on the Maintenance tab; the Store Folder is shown, but the actual path may be longer than the width of the box.  You can click inside the box and press Ctrl-a to select all.  There is a Change option that allows you to navigate to the new directory, but you must first create the directory to which you want to move the files.  In MS Outlook 2000, part of MS Office 2000, the file is hard to find, but here is the location for the version I use:

c:\Documents and Settings\{account name}\Local Settings\Application Data\Microsoft\Outlook\outlook.pst

In Win XP, write privileges in files moved from an Administrator account do not always work the way you want them to.  To make sure you will be able to access the Outlook files after moving them to Shared Documents, I recommend first moving the files to a temporary directory.  I create a c:\temp directory on all the Win XP machines that I administer, and this might work for you.  So in an administrator account, select all files in the Outlook directory, cut, then paste into an empty directory, such as c:\temp\Outlook.  Log off the administrator account, and go into the least privilege account from which you want to access Outlook.  Create an Outlook directory under Shared Documents.  You can first try cutting from c:\temp\Outlook and pasting into Shared Documents\Outlook.  If Windows will not allow the cut, copy instead, then log off, go back into the administrator account, and rename c:\temp\Outlook to c:\temp\hold4now.  Log off, go back into the least privilege account, and open Outlook.  Outlook will not be able to find the files, so choose Browse, and navigate to Shared Documents\Outlook.
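The reason moved files misbehave is worth knowing: on an NTFS drive, a file or folder moved to another folder on the same drive keeps the permissions it had under the old account, whereas a copied file is created fresh and inherits the destination folder's permissions.  That is why the copy-then-rename detour above works.  An alternative, if the files have already been moved and the "Limited" account is refused, is to fix the permissions directly.  The batch file below is an added example (not from the original article) that does so with cacls, which ships with Windows XP, from an administrator account: it shows the folder's current permissions, grants the Users group (all "Limited" accounts) change access to the Outlook folder and everything in it, and shows the result.  The file name lp_fixacl.cmd and the use of the Users group are my choices; the folder name "Outlook" under Shared Documents is the one the article uses.

```batch
@echo off
rem lp_fixacl.cmd -- added example, not part of the original article.
rem Run from an administrator account AFTER the Outlook files have been
rem placed under Shared Documents\Outlook.  Adjust TARGET if you used a
rem different folder name.

setlocal
rem Windows Explorer shows this folder as "Shared Documents".
set "TARGET=%ALLUSERSPROFILE%\Documents\Outlook"

if not exist "%TARGET%" (
    echo %TARGET% does not exist - create it and move the files there first.
    goto :eof
)

echo Permissions before:
cacls "%TARGET%"
echo.

rem /T = the whole folder tree, /E = edit the existing list instead of
rem replacing it, /G Users:C = grant Change (read, write, delete) to the
rem Users group, i.e. to every "Limited" account on the machine.
cacls "%TARGET%" /T /E /G Users:C
echo.

echo Permissions after:
cacls "%TARGET%"
echo.
echo Now log off, open Outlook from the "Limited" account, and point it at
echo %TARGET% when it asks where the files are.
endlocal
```

In the "Permissions before" listing you will typically see only the original account, SYSTEM and Administrators; after the cacls line a BUILTIN\Users entry with C (change) appears, which is what the "Limited" account needs.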

This is the easy solution to the Outlook files issue: Make the account from which you currently access Outlook or Outlook Express a "Limited" account.  If you do this, you do not need to move the Outlook files.


Conclusion

Every Win XP user can make their computer invulnerable to most malware and spyware by putting least privilege to work today.  Whether the inconvenience of doing so is worth the added protection is a choice each computer user can make.  



sidebar:

You CAN try THIS at home!

If you have any doubts about least privilege protection being so effective, consider testing it and finding out for yourself.

I have found that not everything the "security experts" say or write holds up under actual tests.  I guess that is so in part because they are not accustomed to anyone checking on the accuracy of what they say and write.

You can try this at home (or in an office or lab), but a certain amount of expertise and extra hardware is required.  If you do not have the expertise and extra hardware described below, you would be well advised not to try any of this -- at home or otherwise.

As for expertise, I would suggest performing your own malware experiments only if 1) you know how to set the little master/slave jumpers on hard drives, and 2) you have experience installing hard drives, including going into computer CMOS on startup.

As for extra hardware, if you have an extra, Win XP capable hard drive which you do not mind reformatting, you are set up to perform your own malware tests.  If the extra hard drive is already in an existing computer, all the better, but this is not necessary.  An extra hard drive only needs to be 4 gigs or bigger, and these can typically be purchased for about $10-20 at used computer stores.

To perform malware tests with your extra hard drive ("test drive") on an existing computer, open up your computer, unplug the drive cables from your permanent hard drives, plug in the test drive as the primary master, and then install Win XP on the test drive.  You do not need to permanently mount the test drive -- rather, leave the permanent drives mounted, and just set the test drive in a convenient location that the length of the cables will allow.  To determine whether you picked up any malware after performing the tests, plug your regular drive back in -- as far as it is concerned, it will be as if nothing happened.  Plug in the test drive instead of the CD drive, and then scan the test drive with your normal virus scanner.

In general, it is best to reformat the drive and reinstall Win XP before you begin.  This is to ensure you are testing a bare Win XP install only, without any anti-virus software -- you want to test least privilege, not anti-virus software.  You would also reformat the drive to wipe clean any malware or spyware you might get in your tests.  You should also start with a clean install if you want to do tests for spyware.  Spyware scanners will detect "problems" even on a fresh Win XP install that has never been exposed to the Internet.  So to scan for any spyware, you should first do a "baseline" scan, perform your tests, do an "after" scan, then compare the after against the baseline.
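The baseline/after idea can be applied to more than the spyware scanner.  Since the article's claim is that a "Limited" account cannot make the changes malware needs to survive a log-off, a snapshot of exactly those places (the Run and RunOnce registry keys, the Startup folders, and the file lists of the Windows, system32 and Program Files directories) taken before and after the tests, and compared with fc, shows directly whether anything installed itself.  The batch file below is an added example, not from the original article; the file name lp_snapshot.cmd and the choice of locations are mine.  reg.exe, fc.exe and dir all ship with Windows XP.

```batch
@echo off
rem lp_snapshot.cmd -- added example, not part of the original article.
rem Usage:
rem   lp_snapshot.cmd baseline        (before the tests)
rem   ... perform the tests ...
rem   lp_snapshot.cmd after           (after the tests, before logging off)
rem   fc "%ALLUSERSPROFILE%\Documents\lp_baseline.txt" "%ALLUSERSPROFILE%\Documents\lp_after.txt"
rem Run both snapshots from the same account.  The "Limited" test account
rem is fine: everything listed here is readable by it, and the output goes
rem to Shared Documents, which it can write to.

setlocal
if "%~1"=="" (
    echo Usage: lp_snapshot.cmd baseline
    echo    or: lp_snapshot.cmd after
    goto :eof
)
set "OUT=%ALLUSERSPROFILE%\Documents\lp_%~1.txt"

> "%OUT%" echo Snapshot %~1 taken %DATE% %TIME% by %USERNAME%

rem Programs started automatically at logon: for every user (HKLM) and for
rem the current user (HKCU).  Persistent malware almost always adds a value
rem here, and a "Limited" account cannot write to the HKLM keys.
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do (
    >> "%OUT%" echo.
    >> "%OUT%" echo [%%~K]
    >> "%OUT%" reg query %%K 2>&1
)

rem Startup folders, plus file lists of the areas a "Limited" account
rem cannot write to.  A new file in one of those means something installed
rem itself, which should only be possible from an administrator account.
for %%D in (
    "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
    "%USERPROFILE%\Start Menu\Programs\Startup"
    "%SystemRoot%"
    "%SystemRoot%\system32"
    "%ProgramFiles%"
) do (
    >> "%OUT%" echo.
    >> "%OUT%" echo [%%~D]
    >> "%OUT%" dir /b /a-d "%%~D" 2>&1
)

echo Snapshot written to %OUT%
endlocal
```

If fc reports no differences other than the time stamp line, nothing persistent was added; that is the result the "Limited" account runs should give, and the administrator account control run described at the end of this sidebar is where you would expect to see new Run values and new files turn up.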

If the test system is on a network with other computers, make sure the workgroup on the test system is not the same as any other computer on the network.  Clever malware might be able to propagate to other computers through the network connection.  To check or change the workgroup, from an administrator account, click on Start, and you will see "My Computer" about half way down the right column.  Right click, and then choose Properties.  Click on the Computer Name tab.  The workgroup is identified on the line half way down.  Use the "Change" button on the last line to change the workgroup.  After rebooting, using Windows Explorer, verify that you cannot access the files on any other network computer.

Then, you are ready to test malware.  One test for starters is the "Virtual Bouncer site test".  Virtual Bouncer tricks unsuspecting surfers into installing it, applies a restriction that slows the Internet connection to a crawl, and offers a "subscription" for a price to remove the restriction.  It has been termed "extortion ware", and is described on Spyware Guide here:

http://www.spywareguide.com/product_show.php?id=514

Here is the "Virtual Bouncer site" test (but do not try this until you are ready, as described above):

Go here,

http://www.spywarelabs.com/downloads.html

Click on "CLICK HERE TO TRY VIRTUAL BOUNCER NOW".

In our tests, a "Limited" account on a machine with the NTFS file system passes the test -- Virtual Bouncer cannot install.
 
To test for Spyware, we have used "SpyBot", available here as a free download:

http://www.safer-networking.org/en/index.html

Install SpyBot, but do NOT turn on SpyBot protection for the PC.  Go without it, to test the effectiveness of just least privilege.  (And of course, I did not install anti-virus software on the test drive.)

SpyBot considers some cookies to be spyware. Cookies may be spyware by some definitions, but cookies are not the most malicious spyware. Also, whether you accept cookies is determined by your browser settings, not by whether you are running under a "Limited" account on an NTFS install.

You can wipe all cookies with the click of a single button -- almost.  There are several ways to get to the button. The easiest way to explain is go into IE, click on Tools, Internet Options. A dialog will appear. Half way down toward the left is a button "Delete cookies". The button does what it says.

I ran SpyBot before and after clicking the button. After showed less "spyware" by about 75% or so.

This would be a step to cut down the noise in tests for the more malicious spyware. So before running SpyBot, I recommend deleting all cookies.

An alternative is to adjust the "Advanced" SpyBot settings to ignore cookies. PC World put out instructions here:

http://www.pcworld.com/howto/article/0,aid,116990,00.asp.

To test for Spyware, I used the list of spyware/malware sites available here:

http://www.mvps.org/winhelp2002/hosts.txt

I selected some of the sites listed as spyware, went to several, and pressed all the wrong buttons.  Afterwards, a spyware scan showed no new spyware, other than cookies and what was originally there in the baseline scan.

Testing worms is more involved, for two reasons: 1) you have to get the worms, and 2) worms can send out worm-infested emails without the user knowing it.  So I had to ask for volunteers to be in the Outlook address book of the test system.  For volunteers, I got one Mac user, one Linux user, and a couple of Windows users who were confident of their malware protection.  I tested two worms, a Netsky and a Beagle.  Least privilege stopped the Beagle cold.  As noted above, Netsky was able to send out emails to the addresses listed in the Outlook address book, complete with spoofed "from" addresses.  Logging off effectively flushed both Netsky and Beagle.

After running spyware tests, you can plug your test drive into a regular PC instead of your CD drive.  This will allow you to run a virus scan on the test drive, to determine whether the test drive picked up any viruses.

Of course, as a control, one can repeat the above experiments from an administrator account, as Microsoft leads its customer base to use Windows XP computers.  But I promise, you will get the malware and/or spyware!


Rick Graves
18 May 2005