
Security Catalyst: Family Security Series Podcast, Episode 2 – Using a Non-Administrative User

You are invited to learn how to reduce the effectiveness of attacks and sleep better at night by using a non-administrative user account. In this brief podcast, we explain:
-    why you should be using a non-administrative user account
-    how to determine which type of account you are currently using
-    how to create normal user accounts
-    how to change to a regular user account

Thanks to a dedicated team of professionals, this podcast has been made better. If you see them on the street, give them a big hug. They worked hard (and continue to) to improve our efforts to make a difference:

• Gary Morgan, CISSP
• Alvin Liau, CISSP
• George Viconovic, MCIW/D
• James Costello, Security+ SME
• John Biasi
• Peter Clark, CISSP

If you have not yet joined the conversation in the Security Catalyst Community, please do so now: http://community.securitycatalyst.com/forums/index.php

The specific link for this discussion is here: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
(Note: joining the community costs nothing – except your active participation! We enforce a naming standard of using your full name; it helps us keep the supportive environment positive. We look forward to sharing ideas and learning with you.)

Links and Information Mentioned During the Program

Least Privilege

In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.
Source: Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege

Determine the current status of a user account

Two basic options in Windows XP
Windows XP: Option 1
• Start -> Run -> CMD (brings up a command prompt)
• Type ipconfig /renew
• A Limited user gets an "Access is denied" error; an Administrator is allowed to renew the IP address. This test works by asking Windows to do something privileged and watching whether it refuses, so on an Administrator account expect the network connection to be briefly interrupted while the lease is renewed.

Windows XP: Option 2
• Start –> Control Panel
• Launch the User Accounts application

If you are a Limited user, the User Accounts window only offers tasks for your own account:
• changing your own password
• changing your picture
• setting up your account to use a .NET Passport

If you are an Administrator, you are also offered the options to change an account, create a new account, or change the way users log on or off.

For more ways, join the discussion in the catalyst community forums: http://community.securitycatalyst.com/forums/index.php/topic,335.0.html
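
If you would rather not disturb your network connection to find out, here is an added example (not part of the original show notes) that asks the same question at the command prompt: it lists the local Administrators group and looks for the logged-on user's name. It assumes Windows XP's built-in NET and FINDSTR commands and the %USERNAME% variable, and a Limited user can run it, because reading group membership does not require administrator rights.

```batch
@echo off
rem whoami-admin.cmd: added example, not part of the original show notes.
rem Prints whether the logged-on user is a direct member of the local
rem Administrators group. Assumes Windows XP's NET and FINDSTR commands.
setlocal

rem NET LOCALGROUP lists one member per line; /x matches the whole line,
rem /i ignores case, /c: treats the user name as a literal string.
net localgroup Administrators | findstr /i /x /c:"%USERNAME%" >nul

if %errorlevel%==0 (
    echo %USERNAME% is in the local Administrators group - this is an Administrator account.
) else (
    echo %USERNAME% is not a direct member of Administrators - treat it as a Limited account.
)
endlocal
```

Save it as whoami-admin.cmd and double-click it, or run it from the command prompt. One caveat: it only sees names listed directly in the local group. If your account is an administrator by way of a domain group that has been added to Administrators, your own name will not appear, so read "not a direct member" as a strong hint rather than proof.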

Mac OS X
• System Preferences -> Accounts
• The kind of account (Admin or Standard) is shown directly under each user's name in the list

Create a non-admin account

Mac OS X
• System Preferences -> Accounts
• Check that the lock in the lower-left corner is unlocked; if not, click it and enter your password
• Click the + sign
• Enter the new user's information, including a password
• DO NOT check the box for 'Allow user to administer this computer'; leave it blank

Windows XP (pre-Vista)
• Start -> Control Panel
• Select 'User Accounts'
• Select 'Create a new account'
• Type in the name of the new user account
• Select the 'Next >' button
• Select the 'Limited' radio button
• Select the 'Create Account' button

You're not done! Time to set a good password.
(We will go into the details of good passwords in a future episode.)
• You will be presented with a 'User Accounts' screen with a 'Pick a task' option. Select 'Change an account'
• Select the account you just created
• On the next screen, 'What do you want to change about Child 1's account?', select 'Create a password'
• Enter a strong password in the first two boxes and a password hint in the third box, then press the 'Create Password' button. Remember that the hint is displayed to anyone who clicks the account on the Welcome screen, so it must not give the password away.
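
The same result from the command prompt, as an added example that is not part of the original show notes: it creates the account, sets its password, and then verifies that the new account is a member of Users only (which is what the User Accounts applet calls "Limited") and not of Administrators. It assumes Windows XP's built-in NET and FINDSTR commands; the account name "Child1" is an example, not something from the podcast.

```batch
@echo off
rem add-limited-user.cmd: added example, not part of the original show notes.
rem Creates a local account the command-line way, then double-checks that it
rem is a plain member of Users (a "Limited" account in the XP User Accounts
rem applet) and not of Administrators. Run this from an Administrator account.
rem The account name "Child1" is an assumed example.
setlocal
set NEWUSER=Child1

rem The * makes NET USER prompt for the password twice instead of leaving it
rem in the command line; /passwordreq:yes refuses a blank password.
net user "%NEWUSER%" * /add /fullname:"Child 1" /passwordreq:yes
if not %errorlevel%==0 (
    echo Could not create %NEWUSER%. Are you running this as an Administrator?
    goto :eof
)

rem NET USER /ADD puts new accounts in Users only, but verify rather than trust:
net localgroup Administrators | findstr /i /x /c:"%NEWUSER%" >nul
if %errorlevel%==0 (
    echo WARNING: %NEWUSER% is in Administrators. Removing it from the group.
    net localgroup Administrators "%NEWUSER%" /delete
)

net localgroup Users | findstr /i /x /c:"%NEWUSER%" >nul
if %errorlevel%==0 (
    echo %NEWUSER% is a Limited user. Log on as %NEWUSER% for day-to-day work.
) else (
    echo %NEWUSER% is not in Users. Check it in Control Panel, User Accounts.
)
endlocal
```

Two things to know before running it. NET USER warns when the password is longer than 14 characters because very old Windows versions cannot use such accounts; answer Y, a longer password is exactly what you want. And NET USER has no switch for the password hint shown on the Welcome screen, so if you want a hint, add it afterwards from the User Accounts applet as described above.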

Support the efforts of The Traveling Catalyst!
RV Tour (our pre-tour warmup for the Security Revival Tour)

• Nashville (April 24 – 25)
• Atlanta (April 26 – May 3 or 4)
• Key West (May 3 or 4 until May 8)
• Baltimore/Washington/Northern Virginia (May 10 – May 18)

We’re working now to set up some public sessions of
• Are You Making a Living or a Life?
• Career Compass Coaching
• Speaking About Security

We’re also interested in offering some public keynotes in each of the areas to support the efforts of security professionals. Send me an email if you’re interested (securitycatalyst@gmail.com)

We are in the process of selecting cities for our ”security revival tour” for the second half of 2007. If you would like us to bring our training to your city, send me an email: securitycatalyst@gmail.com

Thanks for listening - now go make your user account changes and be safe out there!

Family Security Series #2 [24:13m]: audio download


Posted in Information Protection

2 Comments

  1. Cd-MaN said,

    April 14, 2007 @ 10:43 am

    Hello.

    I’m very happy that the idea of limited user accounts seems to get some traction, since this is one of the most important things which could reduce security problems. I think you’ve done a very good job explaining the gist of the issue (btw. OpenID rocks :)), however one thing I missed from the explanation, and personally I think it is needed to give a truthful picture to those who wish to embark on this journey, is the possible problems they might encounter (like programs refusing to install / run). While this doesn’t look good when you “try to sell” them on the idea of running as a limited user, it might be good if they were at least warned. Also, there are many methods of temporarily elevating your privileges (I covered it a while back on my blog - http://hype-free.blogspot.com/2006/09/non-hacking-tutorial-on-elevating.html) which should have been discussed (imho) in the podcast.

  2. Santa said,

    April 14, 2007 @ 1:50 pm

    Great point - I’ll mention this in the next episode.
