Sudo for Windows?

[JennyB]

I got into a bit of a tangle lately converting my default Win XP account to Restricted.

This is a machine where I am the sole user and like most people here, I download a lot of programs. The trouble was, some assumed that I wanted to instal for only one user, so if I installed them on the admin account, I couldn't use them properly on the restricted account. So I had to log in as admin, change the type of the user account, log in as user, install the program, login as admin again to change the account back...

Am I right in thinking I can avoid all that by right-clicking the installer and selecting "Run As"? It seems I can't do that on "Add/Remove programs, or am I missing something?

[mwb1100]

Running as non-admin has many benefits - you're far less likely to be hit by a virus or other malware - but many normal operations in Windows can become frustratingly difficult.

A pretty good starting point for information on how to effectively run as non-admin (and unfortunately there a ton of  stuff you need to know) is:

    http://nonadmin.editme.com/

[f0dder]

Dunno if there's an easy way to handle the uninstall - but that ought to happen rarely, so logging into an administrative account shouldn't be that bothersome. Right-clicking the installer and "run as" (or use the "runas" command from a shell) ought to do the trick for installation, I think.

[JennyB]

Running as non-admin has many benefits - you're far less likely to be hit by a virus or other malware - but many normal operations in Windows can become frustratingly difficult.

A pretty good starting point for information on how to effectively run as non-admin (and unfortunately there a ton of  stuff you need to know) is:

    http://nonadmin.editme.com/

-mwb1100 (January 22, 2007, 11:37 AM)

Thanks, that sorted out my main problem -why sometimes when I installed a new alpha version of FARR, it wouldn't open pages in the browser. Turns out ZoneAlarm was popping up a confirmation request because the program had changed, but I couldn't see it because I was in a limited account!

For my situation (single user, XP Home) I think the simplest way to go is as described here:
http://blogs.msdn.co...7/158806.aspx#763277

Separate accounts, run as restricted by default, use Fast User Switching.

Any ideas on the best antivirus/firewall setup for this scenario?

[Edvard]

FTW-

Sudo for Windows (sudowin) allows authorized users to launch processes with elevated privileges using their own passphrase. Unlike the runas command, Sudo for Windows preserves the user’s profile and ownership of created objects.

http://www.lostcreat....com/sudowin/sudowin

from Google

[mwb1100]

Any ideas on the best antivirus/firewall setup for this scenario?

-JennyB (January 23, 2007, 08:38 AM)

I don't know about the best, but here's the little bit I do know:

 - I don't run a high-power firewall; I use the WinXP firewall and depend on a NAT router to keep attacks from the Internet anyway from my machine.  I suppose that this leaves me open to software 'phoning home', but right now I'm not too worried about that.  I found that 3rd party outbound firewalls were always asking me questions that I had no idea what the right answer was to and required far too much maintenance than I was willing to deal with.

 - F-Prot did not run well for me as non-admin out of the box, but a tweak to the permissions for the registry keys it wanted to write to solved that problem.

I've heard the Norton AV runs OK in non-admin, except for Live Update which only works from an admin logon (that was a while ago - they may have fixed that by now).

Many people believe that if you run as non-admin then having a real-time AV check isn't needed and simply running an explicit AV check periodically is sufficient - I've heard good things about ClamAV/ClamWin for this.

[f0dder]

Many people believe that if you run as non-admin then having a real-time AV check isn't needed and simply running an explicit AV check periodically is sufficient - I've heard good things about ClamAV/ClamWin for this.

-mwb1100

That's wrong, though - unfortunately there's been a few ways to elevate from user->admin from time to time, and I'd be surprised if there aren't a few holes left on XP... and holes to be found on Vista.

[mwb1100]

That's wrong, though - unfortunately there's been a few ways to elevate from user->admin from time to time, and I'd be surprised if there aren't a few holes left on XP... and holes to be found on Vista.

-f0dder (January 24, 2007, 05:14 PM)

Then again, the same can be said about exploits that get past AV programs - they crop up every now and again.  I think it boils down to diminishing returns - some users believe that adding the costs and potential problems of those programs to a system running in non-admin mode isn't justified by whatever additional protection is provided.

[f0dder]

Keep in mind that some security holes exist in the OS for years before they're (publicly!) found, and some exist for quite a long time before they're fixed. An exploit in an AV program is going to be fixed ASAP.

Iirc it doesn't take anything more than the "at" service being enabled to elevate user privileges.

[nontroppo]

Did anyone try sudowin in the end? Their documentation is excellent and this looks to be just the right balance between lock-down and liberty.

http://www.lostcreat...ns.com/sudowin/about
http://www.lostcreat...udowin/documentation

See also: http://sudown.sourceforge.net/index.php