Source: http://www.dusko-lolic.from.hr/semilimited/
Published: June 13, 2011
Despite the global prevalence of Windows 7 and the spreading notion of it
being the most secure ever, good old XP will be with us for quite some
time, thanks to antique hardware that came preinstalled with it and lacks the power
to run anything else. With proper setup it can be made just as secure as Windows 7,
if not more so. The major part of XP's reputation for being insecure
comes from the fact that all new users are by default given full administrative privileges. This leaves the door wide open for viruses, worms, spyware and all
other kinds of malware to install themselves freely, deep into the roots of the system. On
the other hand, a limited user account creates an impermeable barrier against
installing anything into the system, including malware. I will stop right here
and spare you the explanation of why this is so; enough has been written about the
subject already. A simple explanation is here,
a really detailed (and unnecessary for casual users) explanation is here.
I'm not going to persuade you now to run your Windows XP in full limited
mode. I know it is not easy. It requires more self-discipline than most casual
users possess. Every single system-wide change (even the most elementary one, e.g.
changing the system time) would mean logging off, logging in as administrator,
making the change, logging off from the administrator account, logging in as regular
user...
To simplify this, Windows provides the command RunAs, which can be
used by a limited user to temporarily run a program with administrative
privileges.
There is an alternative way that binds together the freedom of
administrative privileges and the security of limited account.
If you are the only user on your computer, then you are the user with administrative privileges, as no other way is possible with only one user account. We need to create a limited user account for our course of action. In the Control Panel open User Accounts. Create a new user and give it the name limited. Create a password for the user, as the command RunAs can't work without a password. For simplicity choose the password limited. It is necessary to log in at least once as the newly created user in order to create the user profile and user folders. So, click on Start -> Log Off..., choose the new user limited, enter the password limited, wait a moment while the profile is created, then log off immediately and log back on to your usual account.
To hit the heart of the problem we'll be protecting the web browser (Mozilla Firefox in this
case), since surfing the web is the activity most likely to result in a malware
infection (the second most critical is over USB
flash drives). We will be using the command RunAs turned upside down. With
its help the administrator will run the browser as the limited user.
Open the properties of the Firefox shortcut (Right-click -> Properties
from the menu). In the Target field add runas /user:limited /savecred in
front of the program name. Don't touch anything else. The /savecred
option will remember the password for successive starts (it has no effect under XP
Home). It should look like
this...
Close the dialog with OK. Start the browser with the modified
shortcut. The password limited will have to be
entered only the first time (except in the case of XP Home, which cannot remember
RunAs passwords). On successive runs a console window will flash
briefly, which is a handy indication that RunAs is being called to run the program with
limited rights.
To check whether the protection works try to do something forbidden to
non-administrators. Choose File -> Save Page As...,
enter the file name %WINDIR%\VIRUS.EXE and click Save. You
should get something like this...
The message says it all. It looks a lot like the Windows 7 UAC confirmation dialog, with the significant benefit that whatever you choose here, you cannot infect your system. If a real virus tries to attack, it will be denied access from the very beginning and no warning will be given about it.
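A batch-file version of the shortcut and of the check described above, as an added example that is not part of the original article. It assumes Firefox is in its default install folder, and the probe file name semilimited-test.tmp is made up for the test.

```batch
@echo off
rem Added example, not from the original article.
rem Assumptions: Firefox is in its default folder; the account "limited"
rem exists as set up above; semilimited-test.tmp is a made-up file name.
setlocal
set "APP=%ProgramFiles%\Mozilla Firefox\firefox.exe"
set "PROBE=%WINDIR%\semilimited-test.tmp"

net user limited >nul 2>&1
if errorlevel 1 (
    echo Account "limited" not found. Create it in User Accounts first.
    exit /b 1
)
if not exist "%APP%" (
    echo Firefox not found at "%APP%". Adjust APP.
    exit /b 1
)

rem Self-test: as "limited", try to create a file in the Windows folder.
rem The redirection sits inside the quotes, so it is performed by the
rem limited cmd.exe, not by this administrator one.
if exist "%PROBE%" del "%PROBE%"
runas /user:limited /savecred "cmd /c echo test > %PROBE%"
if errorlevel 1 (
    echo RunAs could not start the test. Check the password.
    exit /b 1
)
rem RunAs does not wait for the child; XP has no "timeout", so pause via ping.
ping -n 4 127.0.0.1 >nul
if exist "%PROBE%" (
    del "%PROBE%"
    echo FAIL: "limited" can write to %WINDIR%. Is it really a limited account?
    exit /b 1
)
echo OK: write to %WINDIR% was denied for "limited".

rem Same command line as the shortcut Target; \" keeps the path one argument.
runas /user:limited /savecred "\"%APP%\""
endlocal
```

On XP Home the password prompt appears at each RunAs call, since /savecred has no effect there.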
I personally advocate working all the time under a full limited user account.
Such a configuration can survive some seriously irresponsible user behaviour. And
if some malware gets through, it will infect only the user's folders, not the
whole system. A new user can be created and the old (infected) one deleted in a matter
of seconds.
Alternatively, this semi-limited mode applied only to selected critical programs provides
something like 95% protection
compared to a fully limited account, with virtually zero negative side effects.
The only inconvenience that one has to get used to arises when something is saved
from the semi-limited
account, say to the Desktop. It will be the Desktop of the limited
user, the location of which is C:\Documents and Settings\limited\Desktop.
The same applies to My Documents, Downloads, etc. No problem at
all, as long as you know where to look
for it.
Finally, add this to your registry and you won't
even know that there is another user in the system (it will log you on
automatically, and will prevent the screen saver from locking you out).