More Bulletproof Windows XP
Today, on Win XP, you can effectively block most all malware and
spyware by putting "least privilege" to work for you. There is no
need to wait, there is nothing more to buy, and there is not even
anything to download.
In the computing world outside the Microsoft sandbox, the term "least
privilege" is widely used in the security context. The essential
idea is, for any given task, to use an account with the lowest level of
"privileges" that can do the job. Earlier this year,
Microsoft introduced the concept to readers of its TechNet site.
begin quote
The Security Principle of Least Privilege
If low-privileged processes are compromised, they will do a lot less
damage to a system than high-privileged processes are capable of doing.
Consequently, using a non-administrator account instead of an
administrator account while completing daily tasks offers the user
added protection against infection from a host of malware, external or
internal security attacks, accidental or intentional modifications to
system setup and configurations, and accidental or intentional access
to confidential programs or documents.
end quote
http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx
Using a Least-Privileged User Account
The above TechNet article makes clear that Microsoft plans to promote
the wider use of "the principle of least privilege" with the upcoming
Windows release, "codenamed 'Longhorn'", now scheduled for the end of
2006.
In the meantime, Win XP is fully least-privilege capable. There
are only two rubs: 1) Microsoft does not support the use of
least-privilege on Win XP; you are basically on your own, and 2)
deploying least privilege in Win XP may be more or less convenient,
depending on the applications used on each computer. With respect
to the "convenience factor", many applications today are not
least-privilege compatible. However, there are three items of
good news:
- As far as we are aware, of the many applications out there that
are NOT least-privilege compatible, none block the use of least
privilege. Rather, they just make the use of least privilege
protection less convenient for the end users of such
applications. For everyone else, it is clear sailing.
- The highest risk activities are surfing the web and opening
email, and the applications most commonly used (Internet Explorer and
Outlook/Outlook Express) are least-privilege compatible. (Firefox
is also least-privilege compatible.) So today, every Win XP user
can apply least-privilege protection where it is needed most.
(Internet Explorer and Firefox are least-privilege compatible right out
of the box, while Outlook might require some setup steps, namely moving
the Outlook data files to a new directory -- see the section "Win XP
User Files".)
- Trying least privilege is risk free and costs nothing. The
worst-case scenario is this: you go back to using the computer exactly as
you use it now -- without least privilege protection (which is how the
vast majority of Windows XP users run today).
The only bad news is that setting up least privilege definitely
requires some setup in the Control Panel, and may require moving files
from one location to another. If you are not comfortable with
tackling such tasks on your own, it would be better for you to pass, or
get help if you really want least privilege protection for your
computer.
System Requirements
Least privilege protection is available in Windows XP systems installed
on NTFS hard drives. The other hard drive option for Win XP is
the FAT32 file system, but FAT32 offers no protection against malware
and spyware. Luckily, 1) checking for NTFS is easy, 2) if you are
on FAT32, converting to NTFS is easy, and 3) most Win XP systems are on
NTFS in the first place. To check your file system, go to Windows
Explorer, right click on your C: drive, and choose Properties.
The "File System" is on the third line down, and it says "File
System:". On most Win XP systems, it will say NTFS.
If your File System is FAT32, you can convert to NTFS by closing all
applications, going to a Command Prompt (Start, All Programs,
Accessories, Command Prompt) and typing this command:
convert c: /fs:ntfs
Where c: is the drive you want to convert (normally, that would be c:).
The conversion process will start after reboot. FAT32 will be
converted to NTFS "without data loss", but the wise would do a
complete backup, "just in case".
How Bulletproof is "More Bulletproof"?
Use of least privilege in Windows XP on NTFS file systems has
completely blocked all malware and spyware tested. The term
"block" is used here to mean that the malware and spyware cannot
install itself on the computer -- even if you press all the wrong
buttons! You flush all malware simply by logging off (going back
to the initial account login screen) -- you do not even have to reboot
for all malware tested so far. The tests were performed using
absolutely no anti-virus and no anti-spyware protection. (Some
readers can repeat these tests on their own and verify the results --
see the sidebar entitled "You CAN try
THIS at home!".)
Caveat! Although the malware and spyware could not install itself
on the computer, some malware can be active in memory until you log
off. Using least privilege, your browser can get jammed up.
The solution here is simple -- just log off and back on. Also,
the Netsky worm tested can access the Outlook address book and send out
worm-laden emails, even when running as least privilege. However,
Netsky could not install itself, and logging off flushed the
worm. Interestingly, in the outgoing emails, for the "from"
address, Netsky used other addresses from the address book, not the
actual "from" address, thus disguising the real source of the worms!
It would be theoretically possible for malware to get into memory and
erase all your files (not program and system files, but user
files). Logging off would flush the malware, so when you logged
back in the malware would be gone, but all your files would be gone as
well. There is no malware going around now that will do this, but
it would be theoretically possible. The moral is you still
probably want to use anti-virus software and keep your definitions up
to date.
Finally, least privilege would not protect against all
vulnerabilities. For example, we have been informed that malware
could get to a computer that was connected to the Internet without any
firewall.
Now that you have been warned, the good news is worth repeating: least
privilege makes your system invulnerable to the vast majority of
malware and spyware now out there. Although one should still
implement other measures to protect your PC, it can be one additional
defensive layer, and it would be one that effectively blocks most all
malware and spyware out there today.
How It Works
When using a least privilege account, you have write access to your own
user files and to shared user files, but you have NO write access to
the system directories (c:\Windows and below), and you have NO write
access to the location for application programs (c:\Program
Files). Because you have no write access, you cannot install or
remove programs when using a least privilege account, and neither can
malware and spyware install itself (with or without your permission).
For malware to be there next time you turn on your computer, it must
make changes in the system file and application file areas.
But from a least privilege account, malware cannot do so. Not one
bit. So when running as least privilege, logging off flushes most
malware.
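As an added check (this script is not from the original article), the following batch file tries to create a file in each of the locations just described and reports which writes succeed; run it from both an administrator and a "Limited" account and compare. It assumes the standard Win XP environment variables and uses a constructed temporary file name.

```batch
@echo off
rem lpcheck.bat -- added example, not from the original article.
rem Tries to create a file in each location the article discusses and
rem reports whether the write succeeded. From a "Limited" account on an
rem NTFS drive the first two should be denied; the last two should work.
setlocal

echo Account: %USERNAME%
echo.

call :probe "%SystemRoot%"                "system directory"
call :probe "%ProgramFiles%"              "program files"
call :probe "%USERPROFILE%\My Documents"  "own My Documents"
rem %ALLUSERSPROFILE%\Documents is the folder Explorer shows as Shared Documents
call :probe "%ALLUSERSPROFILE%\Documents" "Shared Documents"
goto :eof

:probe
rem %~1 = directory to test, %~2 = label for the report.
rem The file name is constructed; it is deleted again if the write worked.
set "target=%~1\lpcheck_%RANDOM%.tmp"
echo test > "%target%" 2>nul
if exist "%target%" (
    del "%target%" 2>nul
    echo WRITABLE       %~2  [%~1]
) else (
    echo write denied   %~2  [%~1]
)
goto :eof
```

If writes to the system directory succeed even from a "Limited" account, the drive is most likely FAT32 rather than NTFS (see System Requirements).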
It is helpful to keep how least privilege works in mind. Any task
that would seem to require write access to system files must probably
be performed from within an administrator account. These would
include install/remove software, install/remove hardware drivers for
new hardware or removed hardware, install/remove printer drivers for
new/removed printers, add/remove/change Users and user account types,
install "Critical Updates" from Microsoft, and apply virus definition
updates.
Some applications do not work properly from within a least privilege
account (discussed below under "Convenience/Inconvenience
Factor"). This is because such applications were written
expecting write privileges in system and program file
directories. When such programs attempt to write to the system or
program file directories, they cannot do so, with untoward
results. It is fair to say that such applications are not "least
privilege compatible".
Why Least Privilege is Better than Anti-Virus Software
The vendors of anti-virus software find out about new malware only
after computers are infected and the problem is reported.
Customers of anti-virus software vendors get the fix after the vendors
figure out a fix, vendors make the fix available in the form of updated
virus definitions, and customers download and apply the updated
definitions. So by the time an updated definition is available
for download, some number of systems is infected with the new malware
and such systems are waiting for a fix. Look at it this way: most
computers in the world today function as guinea pigs for the anti-virus
vendors.
In most cases, least privilege prevents the infestation in the first
place. For most malware, YOUR computer would no longer function
as a guinea pig for the anti-virus vendors.
Setting Up Least Privilege
In Win XP, accounts come in two flavors, Administrator and
"Limited". You must have at least one administrator account to
install/remove software, install/remove hardware drivers, install
"Critical Updates" from Microsoft, and apply virus definition
updates. To protect a Win XP computer against most all malware
and spyware, create a "Limited" account, and use that account to surf
the web and access your email (the two activities with the greatest
malware exposure). One can use the administrator account(s) for
all other tasks (although for convenience, you may want to explore
performing other tasks from within a "Limited" account, in addition to
surfing and email). On one level, that is all there is to it.
The word "Limited" is in quotes because the label is unfortunate --
superficially, who wants to be "limited"? In Linux and Unix, the
same kind of account has a more neutral label: "regular user".
One can look at the "Limited" label this way: use of a "Limited"
account will limit the damage malware and spyware can inflict on your
computer.
Microsoft has recently decided to downplay the term "Limited" by
referring to the least privilege account by its initials, "LUA", for
Limited User Account, and pronouncing the initials as "loo-ah".
Before creating a "Limited" account for surfing and email, it would be
best to have already chosen the names for your Administrator and
"Limited" accounts. Ideally, you should choose names that make it
easy to remember whether an account is Administrator or
"Limited". I would personally recommend that you convert any
account with a person's name to a "Limited" account, and set up one or
more administrator accounts with functional names. Putting the
name "Administrator" on an account would be OK (although I use "Grand
Wizard" for the administrator accounts on the machines that I
administer). In many situations, it would generally be better to
keep the issue of who gets administrator access separate from the
naming issue, and to do this by making all accounts with any person's
name equal and "Limited".
Also note that some information from Microsoft implies that each person
can have one and only one account -- this is not so. Each person
who uses a computer can have more than one; for example, two accounts,
one administrator and one "Limited" account. To get the most out
of least privilege, every user of a computer should surf the web and
access their email from a "Limited" account, as malware and spyware that
can get on the computer through one account affects the whole computer,
including everybody else who uses that computer.
Naming decisions here are not set in concrete -- you can always add
more accounts later. You can rename existing accounts, but this
makes for inelegant subdirectory names under "Documents and Settings"
-- see the section below "Win XP User Files". I personally prefer
to create a new account and delete the old account rather than
rename. If you take this approach, be extra careful to copy all
files and "favorites" settings from the old account to the new account
before deleting the old account.
To create a new account, go to the Control Panel, select User Accounts,
and click on "Create a new account". The screen will prompt you
to give the account a name. The name does not need to be a
person's name, but can be. (All the Win XP machines that I
administer have a "Limited" account called "Surfer", for -- you guessed
it -- surfing the web.) As stated above, it is better to decide
on a naming plan that makes sense for you before launching into this.
There is an option here: you can either keep the new account as an
Administrator or make it "Limited". The default choice is
Administrator under Win XP. You can choose to make the new
account a "Limited" account by clicking on that option. Later,
you can come back to the User Accounts dialog (accessed through the
Control Panel) and change the account type, from administrator to
"Limited" or vice versa. In actual practice, it is sometimes
necessary to do this.
People who already have two or more accounts on a Win XP system will
know the initial screen that says, "To begin, click your user
name". If your Win XP system has a single account only, Windows
bypasses the initial screen. So after setting up a "Limited"
account, you must make a choice after turning on your computer.
Once you are in an account, you can tell which account you are in by
clicking on the Start button -- the name of the account is at the top
of the Start Menu.
I would also recommend protecting all administrator accounts with
passwords. This will prevent some future, clever malware from
getting administrator privileges even though you are using least
privilege account. Without password protection, malware would be
theoretically able to access administrator privileges and install
itself even though the person is using a least privilege account.
On a shared computer, it would be OK for all users who get
administrator access to know the single password for a single
administrator account (that is the way it works in my office, but my
office is small). Different arrangements would work in different
settings, but leaving any administrator account without password
protection is inviting trouble down the road.
One possible incentive system that could work in some homes and office
settings would be to password protect all administrator accounts, while
not password protecting some or all least privilege accounts.
From the user's perspective, getting into a least privilege account is
easy (no password required), while getting into an administrator
account requires putting in a password. Hence the incentive for
using a least privilege account.
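The same setup from the command line, as an added example that is not from the article: it creates the "Limited" and administrator accounts the article uses as illustrations, puts passwords on the administrator accounts, and prints each account's group membership so you can confirm its type. It assumes you run it from an administrator account; the account names are the article's examples and can be changed.

```batch
@echo off
rem mkaccounts.bat -- added example, not from the original article.
rem Run from an administrator account. "Surfer" and "Grand Wizard" are
rem the names the article uses as illustrations; change them to suit.
setlocal
set "LIMITED=Surfer"
set "ADMIN=Grand Wizard"

rem A user created with "net user /add" lands in the local Users group,
rem which is what the User Accounts applet calls a "Limited" account.
rem No password here, following the article's incentive idea.
net user "%LIMITED%" /add /comment:"Least privilege account for web and email"
if errorlevel 1 goto :fail

rem The asterisk makes net prompt for the password (twice), so the
rem password never appears on the command line.
net user "%ADMIN%" * /add /comment:"Administrator account"
if errorlevel 1 goto :fail
net localgroup Administrators "%ADMIN%" /add
if errorlevel 1 goto :fail

rem Also put a password on the built-in Administrator account, as the
rem article recommends for every administrator account.
net user Administrator *

rem Verify: the "Local Group Memberships" line shows each account's type.
for %%A in ("%LIMITED%" "%ADMIN%") do (
    echo --- %%~A
    net user %%A | find "Local Group"
)
rem To change an account's type later, use the Control Panel or:
rem   net localgroup Administrators "Surfer" /add      (make administrator)
rem   net localgroup Administrators "Surfer" /delete   (back to "Limited")
goto :eof

:fail
echo Command failed; are you running from an administrator account?
exit /b 1
```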
Convenience/Inconvenience Factor
Say you now have one or more least privilege accounts that you use for
surfing and email. It is OK to try all your other applications
from within the least privilege account -- they may work fine, or they
may not. If any one or more applications do not work properly,
one option is to access such applications from an administrator
account. The INconvenience factor is that one must switch back
and forth between the least privilege and administrator accounts, probably
more frequently than one would prefer. The next option is to explore
work-arounds.
(Note: There is a "Run As" option, but this has never worked for me,
and I think it unnecessarily complicates Windows XP. You may want
to consider this, but I suggest doing so only after you get some hands
on experience using least privilege accounts.)
MS Office 2000 and later is least privilege compatible, but Office 2000
(and perhaps others) needs to access the install CD once with system
write privileges from within each least privilege account. The
trick that worked for me is to temporarily change all least privilege
accounts to administrator accounts. After doing so, go into each
account, one by one, and open Word or Excel. Give the computer
the install CD when it asks for it. After doing all the accounts,
for all accounts that should be "Limited", go into the Control Panel
from an administrator account and change them back to "Limited".
The prior paragraph gives the "work-around" for MS Outlook. There
are work-arounds for many other applications. If you get to the
point of wishing some application could be made to work from a least
privilege account, this "least privilege blog" comes highly recommended:
http://weblogs.asp.net/aaron_margosis/
It bears repeating that you must have at least one administrator
account, to perform tasks like those described for MS Outlook above, as
well as to install/remove software, install/remove hardware drivers for
new hardware or removed hardware, install/remove printer drivers for
new/removed printers, add/remove/change Users and user account types,
install "Critical Updates" from Microsoft, and apply virus definition
updates.
There is good news here for persons who use their computer for no more
than surfing the web and accessing email and MS Office applications:
least privilege will be absolutely no problem. You will only need
to go into an administrator account once per week or so, to download
and install "Critical Updates" and new virus definitions.
There are also many applications out there that work under a least
privilege account without a hitch, and users of those applications will
also be able to spend 99% of their computing time in a least privilege
account. For users of applications that are not 100% least
privilege compatible, they will have to switch between accounts on a
regular basis to get least privilege protection now -- the
inconvenience factor.
Games Do Not Work
Many games do not work from a least privilege account. On a home
computer, this could be a problem. A solution that could work in
some homes is to set up an administrator account called "Games", in
addition to an administrator account called "Administrator", along with
one or more least privilege accounts. Ask the kids to use the
"Games" account for games, and to surf the web and do email from the
appropriate least privilege account. One might get better
compliance by 1) explaining the reason for this request, and 2) as a
reminder, removing the Internet Explorer (and/or Firefox) and Outlook
icons and quick launch from the Games account.
To remove the Internet Explorer ("IE") (and/or Firefox) icon and quick
launch from the Games account, first go into every other account and
make sure there is an IE quick launch in each account: Right
click on Start, choose Properties, click on the Taskbar tab, make sure
"Show Quick Launch" is checked, and click on OK. There may be an
IE quick launch already, but if not, click and hold on the IE desktop
icon, drag to the quick launch area in the lower left, and then drop on
the quick launch by releasing the mouse button. There should now
be a little IE "e" in the quick launch. After making sure that
every other account has an IE quick launch, then go into the Games
account and delete the IE desktop icon and quick launch (in both cases,
right click, delete). This will probably delete the IE desktop
icons in all accounts. If so, for every account (other than
"Games") in which you want an IE desktop icon, go into that account
right click on the IE quick launch, select Copy, then move the pointer
over the desktop, right click, and choose Paste.
Win XP User Files
If you want to access Outlook from a "Limited" account, and Outlook is
presently under an administrator account, you will need to move the
Outlook files. One must move the files because from a "Limited"
account, you have no read or write privileges to the file areas of any
other account (except "All Users").
It helps to know a little about where Win XP keeps the My Documents for
each user, and the Shared Documents for all users. Above was
mentioned the system and application files directories (c:\Windows and
c:\Program Files, respectively). Also off the root of c:\ is
Documents and Settings, under which all user files are stored.
Under c:\Documents and Settings is one subdirectory for each user
account, in addition to one named All Users. Under each user
directory and All Users there are various directories including My
Documents (for each user's My Documents), and Desktop, where desktop
icons are stored. The desktop icons under All Users appear on the
desktops of all users. If you are not familiar with these areas
of your hard drive, it might be helpful to take a look in Windows
Explorer now.
Renaming an account does not rename the user directory under Documents
and Settings as you might expect. Rather, renaming the account
changes the name that appears on the initial screen but the directory
keeps the old name. For this reason, I prefer to create a new
account with the new name, move the files from the old to the new user
directory, and then delete the old account.
When you are in Windows Explorer and open up My Computer, Shared
Documents is listed on the bottom. As the name implies, that
folder is shared among all users, and is physically stored in
c:\Documents and Settings\All Users\Shared Documents. The
location shown near the bottom of My Computer is a shortcut to the
actual physical location.
The Outlook files are under the user directory for the account in which
Outlook was originally set up. In Outlook Express, you can find
the file location by going to Tools, Options, click on the Maintenance
Tab, and the Store Folder is shown, but the actual path may be longer
than the width of the box. You can click inside the box and press
Ctrl-a to select all. There is a change option that allows you to
navigate to the new directory, but you must first create the directory
to which you want to move the files. In MS Outlook 2000, part of MS
Office 2000, the file is hard to find, but here is the location for the
version I use:
c:\Documents and Settings\{account name}\Local Settings\Application Data\Microsoft\Outlook\outlook.pst
In Win XP, write privileges in files moved from an Administrator
account do not always work the way you want them to, because a file
moved within the same NTFS volume keeps its existing permissions, while
a copy takes on the permissions of the folder it is copied into. To
make sure you will be able to access the Outlook files after moving them
to Shared Documents, I recommend first moving the files to a temporary
directory. I create a c:\temp directory on all the Win XP
machines that I administer, and this might work for you. So in an
administrator account, select all files in the Outlook directory, cut,
then paste into an empty directory, such as c:\temp\Outlook. Log
off the administrator account, and go into the least privilege account
from which you want to access Outlook. Create an Outlook
directory under Shared Documents. You can first try cutting from
c:\temp\Outlook and pasting into Shared Documents\Outlook. If
Windows will not allow the cut, copy instead, and log off, go back into
the administrator account, and rename c:\temp\Outlook to
c:\temp\hold4now. Log off, go back into the least privilege
account, and open Outlook. Outlook will not be able to find the
files, so choose Browse, and navigate to Shared Documents\Outlook.
This is the easy solution to the Outlook files issue: Make the account
from which you currently access Outlook or Outlook Express a "Limited"
account. If you do this, you do not need to move the Outlook
files.
Conclusion
Every Win XP user can make their computer invulnerable to most malware
and spyware by putting least privilege to work today. Whether the
inconvenience of doing so is worth the added protection is a choice
each computer user can make.
sidebar:
You CAN try THIS at home!
If you have any doubts about least privilege protection being so
effective, consider testing it and finding out for yourself.
I have found that not everything the "security experts" say or write
holds up under actual tests. I guess that is so in part because
they are not accustomed to anyone checking on the accuracy of what they
say and write.
You can try this at home (or in an office or lab), but a certain amount
of expertise and extra hardware is required. If you do not have
expertise and extra hardware as described below, you would be well
advised not to try any of this -- at home or otherwise.
As for expertise, I would suggest performing your own malware
experiments only if 1) you know how to set the little master/slave
jumpers on hard drives, and 2) you have experience installing hard
drives, including going into computer CMOS on startup.
As for extra hardware, if you have an extra, Win XP capable hard drive which you
do not mind reformatting, you are set up to perform your own malware
tests. If the extra hard drive is already in an existing computer,
all the better, but this is not necessary. An extra hard drive
only needs to be 4 gigs or bigger, and these can typically be purchased
for about $10-20 at used computer stores.
To perform malware tests with your extra hard drive ("test drive") on
an existing computer, open up your computer, unplug the drive cables
from your permanent hard drives, plug in the test drive as the primary
master, and then install Win XP on the test drive. You do not
need to permanently mount the test drive -- rather leave the permanent
drives mounted, and just set the test drive in a convenient location
that the length of the cables will allow. To determine whether
you picked up any malware after performing the tests, plug your regular
drive back in -- as far as it is concerned, it will be as if nothing
happened. Plug in the test drive instead of the CD drive, and
then scan the test drive with your normal virus scanner.
In general, it is best to reformat the drive and reinstall Win XP
before you begin. This is to ensure you are testing a bare Win XP
install only, without any anti-virus software -- you want to test least
privilege, not anti-virus software. You would also reformat the
drive to wipe clean any malware or spyware you might get in your
tests. You should also start with a clean install if you
want to do tests for spyware. Spyware scanners will detect
"problems" even on a fresh Win XP install that has never been exposed
to the Internet. So to scan for any spyware, you should first do
a "baseline" scan, perform your tests, do an "after" scan, then compare
the after against the baseline.
If the test system is on a network with other computers, make sure the
workgroup on the test system is not the same as any other computer on
the network. Clever malware might be able to propagate to
other computers through the network connection. To check or
change the workgroup, from an administrator account, click on Start,
and you will see "My Computer" about half way down the right
column. Click right, and then choose Properties. Click on
the Computer Name tab. The workgroup is identified on the line
half way down. Use the "Change" on the last line to change the
workgroup. After rebooting, using Windows Explorer, verify that
you cannot access the files on any other network computer.
Then, you are ready to test malware. One test for starters is the
"Virtual Bouncer site test". Virtual Bouncer tricks unsuspecting
surfers into installing it, applies a restriction that slows the
Internet connection to a crawl, and offers a "subscription" for a price
to remove the restriction. It has been termed "extortion ware",
and is described on Spyware Guide here:
http://www.spywareguide.com/product_show.php?id=514
Here is the "Virtual Bouncer site" test (but do not try this until you
are ready, as described above):
Go here,
http://www.spywarelabs.com/downloads.html
Click on "CLICK HERE TO TRY VIRTUAL BOUNCER NOW".
In our tests, a "Limited" account on a machine with the NTFS file
system passes the test -- Virtual Bouncer cannot install.
To test for Spyware, we have used "SpyBot", available here as a free
download:
http://www.safer-networking.org/en/index.html
Install SpyBot, but do NOT turn on SpyBot protection for the PC. Go
without to test the effectiveness of just least privilege. (And of
course, I did not install anti-virus software on the test drive.)
SpyBot considers some cookies to be spyware. Cookies may be spyware by
some definitions, but cookies are not the most malicious spyware. Also,
whether you accept cookies is determined by your browser settings, not
by whether you are running under a "Limited" account on an NTFS install.
You can wipe all cookies with the click of a single button --
almost. There are several ways to get to the button. The easiest
way to explain is go into IE, click on Tools, Internet Options. A
dialog will appear. Half way down toward the left is a button "Delete
cookies". The button does what it says.
I ran SpyBot before and after clicking the button. After showed less
"spyware" by about 75% or so.
This would be a step to cut down the noise in tests for the more
malicious spyware. So before running SpyBot, I recommend deleting all
cookies.
An alternative is to adjust the "Advanced" SpyBot settings to ignore
cookies. PC World put out instructions here:
http://www.pcworld.com/howto/article/0,aid,116990,00.asp.
To test for Spyware, I used the list of spyware/malware sites available
here:
http://www.mvps.org/winhelp2002/hosts.txt
I selected some of the sites listed as spyware, went to several, and
pressed all the wrong buttons. Afterwards, a spyware scan showed
no new spyware, other than cookies and what was originally there in the
baseline scan.
Testing worms is more involved, for two reasons, 1) you have to get the
worms, and 2) worms can send out worm-infested emails without the user
knowing it. So I had to ask for volunteers, to be in the Outlook
address book of the test system. For volunteers, I got one Mac
user, one Linux user, and a couple of Windows users who were confident
of their malware protection. I tested two worms, a Netsky and a
Beagle. Least privilege stopped the Beagle cold. As noted
above, Netsky was able to send out emails to the addresses listed in
the Outlook address book, complete with spoofed "from" addresses.
Logging off effectively flushed both Netsky and Beagle.
After running spyware tests, you can plug your test drive into a
regular PC instead of your CD drive. This will allow you to run a virus
scan on the test drive, to determine whether the test drive picked up
any viruses.
Of course, as a control, one can repeat the above experiments from an
administrator account, as Microsoft leads its customer base to use
Windows XP computers. But I promise, you will get the malware
and/or spyware!
Rick Graves
18 May 2005