SLAC Computer Security		Search SLAC
SLAC Home | Computing Home | Computing Outages | Help

Running With Least Privilege on Windows XP

Often an exploit discovered will describe how the attacker can obtain the privileges of the logged on user. If we can do our jobs and be using the lowest privileges possible then we are giving less opportunities to any criminal that makes it through the exploit and into our computer.

If you have a Desktop Administrator they would be the best person to advise you as to which method would work for you.

Warning: Making the wrong changes to these accounts could cause you to lose access to your computer. Depending on the level of the error it could mean you would have to get your operating system re-installed!

If you are not sure if you are an Administrator on your computer do the following: Start; Settings; Control Panel; Double-click on User Accounts.

• If you get a User Accounts window that is asking for Administrator password then you are _not_ administrator and that is good. You don't need to do anything else.
• If you get a User Accounts window with a list of User Names, Domains, and Groups then you _are_ an Administrator and should take action. What that action is depends on your level of Windows expertise. Go back and read the Warning above.

If you are not a Windows expert then please have a discussion with your Desktop Admin and develop a plan to remove your userid from the Administrators group. We have the following suggestions:

• Preferred Method: Remove your regular account from the Administrators group and have your Desktop Administrator do all installations/updates for you (automated patching at SLAC will still work even if you are not logged in with administrator account); or

• Good for Laptops: Create a local administrator account on your computer with a good password and then remove your regular account from the Administrators group. When you need to install/update software, etc. you would logout of your regular account and login locally only long enough to do the privileged work.

NOTE: If you use Remote Desktop to access to your computer from remote locations you will need to add your regular account into the Remote Desktop Users Group on your computer. Instructions. You should do this BEFORE removing yourself from Administrators Group. You have to add your account individually because by default all members of Administrators Group automatically have this right. Once you remove yourself from Administrators group you've lost the right unless your userid is individually entered. Only an account with Administrator privileges can edit the Remote Desktop Users Group.

Various Ways to Temporarily Raise Privileges

When you are working on your computer using a regular account and you find you need to run a program with elevated privileges you could use one of the following methods. With the options below the program will be able to run under the privileged account but you are still using your unprivileged account for all your other work. You could certainly use the "Good for Laptops" method above too. These are just other options.

Warning: Please see your Desktop Administrator for assistance if you are not confident your actions won't cause irreparable harm to your computer.

• Use "run as" if the program supports it. Right click on the program and select "Run as...". You then enter your privileged account credentials and the program will run. More info on RunAs.
• Use MakeMeAdmin (not for the novice).
• You could try SudoWn (again, not for the novice).