You’ve Been Haacked 1K Times

Axe Well this post marks my 1000th post on this blog. Since I am totally on board with the base 10 system, that makes this noteworthy to me. If we all used the hexadecimal system (base 16), then this post would be my 3E8th post which really wouldn’t warrant me even mentioning it in the first place. Be glad we are on base 10.

So how shall I observe the 1000th time that you’ve been Haacked? Obviously by writing about ways to avoid getting hacked.

I have a nice brand spanking new workstation so I figured now is as good a time as any to make the jump to running as a non-admin. This is what the security folks refer to as the principle of running with the least privileges. This is also referred to as LUA which stands for Least-Privileged User Account or Limited User Account depending on who you ask.

Hopefully I am behind the times and most of you are already running as LUA. But just in case, I will continue to plod on. This will be my third attempt to run as a non-admin, but the tools have gotten better since I last made the dive.

Temporarily Elevated Privileges

One of my favorite approaches to dealing with privileges is the idea of temporarily elevating privileges. This is in contrast to the approach in which you use RunAs to run a program using another user’s credentials. There are two ways to do this.

MakeMeAdmin

First of of all, there is the excellent batch file MakeMeAdmin written by Aaron Margosis and announced in this blog post.

This batch file temporarily elevates your normal account to an admin. This is useful in those scenarios when you need to install software and you want the per-user settings to apply to your profile, not the administrator’s profile.

WinSUDO

WinSUDO was inspired by the MakeMeAdmin script, but consists of a client and server piece. Instead of relying on a command window, WinSUDO installs as a shell extension. Right click on a program in Explorer and select the Sudo menu option. I haven’t tried it just yet as the author is in the middle of a rewrite, but it’s worth keeping an eye on it.

Setting Shortcuts To Prompt For User

If you right click on a shortcut and click the Properties menu item. Then click the Advanced button. You can check an option to Run with different credentials. When you double click on the shortcut, it prompts you with an option to run as yourself, or run as a different user.

Create Your Own Control Panel Shortcut

Control panel applets are a bit of a challenge since the RunAs option is not there when you right click an applet or Control Panel itself. So I went ahead and created my own control panel shortcut.

Right Click on the desktop and select New | Shortcut from the context menu.
For the location, just enter control.exe. For the name, I entered Control Panel.
Right click on the shortcut and click Change Icon… (looks matter!).
Select the icon that looks like the control panel (see the image below).
Now click on the Advanced… button and check the Run with different credentials option.

Control Panel
Selection

Visual Studio Development {.clear}

The article Developing Software in Visual Studio .NET with Non-Administrative Privileges is quite helpful in outlining the issues you may run into as a developer.

One particularly challenging issue is debugging ASP.NET applications on your local machine as a non-admin. Since a normal user doesn’t have the rights to debug applications running in the context of other users’s accounts. The article suggests editing machine.config and configuring ASP.NET to run under your own account.

I really don’t like this solution. If you open up the Group Policy Editor (Start | Run | Type in “gpedit.msc” without the quotes) you can find a “Debug programs” policy option. I may try adding that to my account instead, but I need to find out if it would open up a security risk that totally invalidates the security benefits of running as a LUA in the first place.

Community

If you are interested in learning more, check out this site devoted to a community of PC users who want to run without admin privileges. They have some great pointers to articles and tools to help mitigate the royal pain it is to run as non-admin on Windows XP.

Conclusion

Hopefully this time running as a non-admin will stick. I will keep you posted during the next 1000 posts.

Comments

10 responses

dhananjay singh (dhananjay123@ • April 27th, 2006
Dear Phil,
I find many big enterprises admins apply this technique of promoting and demoting normal user to admin group,during some software installation, but there is down side of it.
It makes non admin user temporarily admin, which make security hole, now user can do anything like creating new local admin on that machine and letter use it as he want :)
But any on personal machine this is very useful and secure technique.
Thanks
Dhananjay
Keyvan Nayyeri • April 27th, 2006
Congrats man.
Haacked is really a great useful blog. Keep it up as the past :-)
I can remember those 5 great blogs that were listed some weeks ago and it was absolutely right ;-)
Vittorio Pavesi • April 27th, 2006
I would like to suggest another small tool I created MyRunAs available for free.
jayson knight • April 27th, 2006
Damn dude, you are just a lean mean blogging machine over there...happy thousandth!
You've inspired me to give this a shot. Again. Haven't had much luck in the past with it though.
Thomas Wagner • April 27th, 2006
Congrats on being such a prolific blogger. I can't wait for you to have some kids! :-)
Luc Spiguel • April 27th, 2006
Thank you! Good info!
On every machine I run Linux, I did use LUA, as it is an easy thing to do, and it comes as the default from many years now.
I wonder why I never did on Windows... this looks like the time to start.
Congratulations on your 100th hack!
Luc.-
Jon Galloway • April 28th, 2006
Congrats!
I'd be more impressed if I didn't know you can whip a brilliant post together in a few few seconds while waiting for a project to compile. Grrr...
For those who haven't phoned Skype'd Phil while he's at his desk - no, that's not popcorn poppin'... that's Phil typin' up the next Haacked post!
Matt Ellis • May 1st, 2006
Run as for control panel - hold down shift and right click!
you've been HAACKED • August 30th, 2006
MakeMeAdmin And Console MatchMaker
StevenHarman.net • January 22nd, 2007
I Hit the Century Mark