Understanding Windows XP Accounts:
Windows XP offers three different types of accounts:
- Administrator
- Limited
- Guest
The Administrator Account has complete and unrestricted access to the system. Administrators have the ability to add/remove programs or hardware, modify the registry and add/modify/delete files from anywhere on the hard drive.
A Limited User Account, on the other hand, is, as the name implies, limited in its abilities. Limited users have the least amount of privileges necessary for carrying out day-to-day activities such as browsing the web, checking e-mail, and working with documents that are within the user's own account.
A Guest Account is even further limited than a standard limited user.
The Problem:
The biggest security hole that exists in Windows XP is the use of the default "Administrator Account." Chances are very good that you are logged on as an administrator right now, which gives you complete access to the entire operating system and registry. Unfortunately, this also means that viruses, spyware and other malware will have the same access to the system as you currently have.
The Solution:
Use a Limited User Account for all your day-to-day activities while at your computer. This greatly reduces the privileges of malware executing from within the context of your Limited User Account because it will not have complete and unrestricted access to the operating system.
Perhaps 90 percent (or more) of all of today's malware will not function correctly, or at all, if the logged-on user is not an Administrator.
Roger A. Grimes, Security Adviser, InfoWorld
Security in Layers - Step One
The first action step we are going to perform in building our security in layers approach is to eliminate the use of the Administrator Account for our daily use by transforming our account into a Limited Account. This step only applies if you are logged on as an administrator and that is also the account you use daily. To check which account type you are using, go to Control Panel -> User Accounts; if your account type is indeed Administrator, proceed.
1. Go to Control Panel -> User Accounts -> Create a new account. Name it whatever you want. Leave it set to be an Administrator. Set a password for the account. Now log out of the account to let Windows finish setting up the account.
2. Log back into your newly created Admin account and go to Control Panel -> User Accounts and select your original account and switch it to a Limited User Account.
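The same two steps can be performed from a command line. This is an added example, not from the original article; it assumes PowerShell 2.0 on Windows XP SP3, that you run it from the Administrator account you use today, and the placeholder name xpadmin for the new account.

```powershell
# Added example, not from the original article: perform Step One from a
# command line instead of the Control Panel. Assumes PowerShell 2.0 on
# Windows XP SP3, run from the Administrator account you use today.
# $NewAdmin is a placeholder name; change it to whatever you like.
param(
    [string]$NewAdmin = 'xpadmin',     # new administrator account to create
    [string]$OldUser  = $env:USERNAME  # your current account, to become Limited
)

# Only an administrator can change group membership; stop early otherwise.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an Administrator account."
}

# Create the new account; '*' makes net.exe prompt for the password so it
# never appears on the command line or in this script.
net user $NewAdmin * /add
if ($LASTEXITCODE -ne 0) { throw "Could not create $NewAdmin" }
net localgroup Administrators $NewAdmin /add

# 'Limited' in the User Accounts applet means: member of Users, not Administrators.
net localgroup Users $OldUser /add
net localgroup Administrators $OldUser /delete

# Show the resulting membership so you can confirm before logging out;
# your current session keeps its administrator token until you log off.
net localgroup Administrators
net localgroup Users
```

The caveat in the next paragraph still applies: removing the account from Administrators does not touch the files and folders it already owns.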
At this point you have greatly minimized the attack surface available to malware. However, the method we just used to convert your old admin account into a limited account left a few remnants of your old account that still have write permissions and ownership of at least some sub-folders of c:\Program Files and c:\Windows. This contradicts the purpose of the Limited User Account (LUA) approach and is dangerous.
In order to correct this we are going to need two different add-ons. One is secedit, used to restore default security settings; it is available in Windows XP Professional but not in the Home Edition, so we will get it from the Windows XP Service Pack 2 package. The other add-on is actually a script that enables Security tabs in the Properties window of files, folders and registry keys. Security tabs are already available in XP Professional. They are also available in XP Home, but to access them you would need to boot into Safe Mode; this method allows for easier access.
Restoring default security settings:
1. Download Service Pack 2 from Microsoft and save it to a folder called "sp2" (without the quotes) on drive C, so that the path is c:\sp2. Once the file (WindowsXP-KB835935-SP2-ENU.exe) has downloaded, rename it to xpsp2.exe.
2. Now extract it. Go to Start Menu -> Run and type in c:\sp2\xpsp2.exe -x

Click on Run on the next dialogue window.

Accept the default location to extract the file to by clicking Ok in the next dialogue window.

3. With the file extracted, go to Start Menu -> Run and type in cmd. With the command window now open, type in cd\sp2\i386\ip

Now enter expand -r secedit.ex_ c:\windows\system32

Now secedit has been extracted to the Windows\System32 folder.

4. To restore the file system's default security settings, copy the following into your command prompt window.
secedit /configure /db %temp%\temp.sdb /cfg %systemroot%\inf\defltwk.inf /areas filestore
5. To restore the registry keys to their default security settings, copy the following into your command prompt window.
secedit /configure /db %temp%\temp.sdb /cfg %systemroot%\inf\defltwk.inf /areas regkeys
We are now ready to take ownership of the files that were created with our old admin account and also deny our new limited account write privileges to a few files and registry keys.
In order to accomplish this we need the Security tabs made available. There are actually three different alternatives to choose from, although I will only cover one of them in detail here.
If you are not familiar with setting permissions you may want to get a better understanding of their workings first.
How to set, view, change, or remove special permissions for files and folders in Windows XP
How to take ownership of a file or a folder in Windows XP
The first alternative is to boot your Windows XP Home in Safe Mode and access the security tab. This method will work fine but you will not have the options to change or view security settings readily available.
The second alternative is to download and install an extension called FaJo XP File Security Extension (XP FSE).
The third alternative is to download and install pcwXPProme. This is the method that I will be covering here. One caveat, the website and installation process is in German but this is no problem and the Security tab will be in English.
The choice is of course yours as to which method you prefer.
Enabling security tabs - taking ownership:
1. Download pcwXPProme. Start the executable and extract the files therein. Now start pcwXPProme.exe, it will ask you in German if you want to turn your Home into a Pro version. Select yes (or ja) and the tool requests a reboot. After reboot you will now have the Security tabs.
2. Open the Explorer, right-click your c: drive and choose "Properties". Select the "Security" tab and click the "Advanced" button. You will see the "Owner" tab. As we want to take ownership of all objects below the root directory, select the "Replace owner on subcontainers and objects" check box and click the OK button. This will take some moments since Windows has to traverse all folders and files on your drive.
3. Now we need to apply the changes to the Registry as well. Go to Start Menu -> Run and type in regedit to open the registry editor. Right-click on
HKEY_CLASSES_ROOT
and select Permissions. Again, click the Advanced button and go to the owner tab. It should only contain "Administrators" (if not, delete any others). Select again the "Replace owner on subcontainers and objects" check box and deselect any other check box if available. Repeat these steps for:
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Denying your Limited Account write privileges
1. Open the Explorer and navigate to
C:\Documents and Settings\<your user name>\Start Menu\Programs\Startup
Right-click on the Startup folder and select Properties and then select Security and highlight your user account name and then tick the Deny box in the Write row.

Repeat the process for
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
2. Open up regedit again. Start Menu-> Run and type in regedit. Navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Again, right-click on it, select Permissions, and remove your user account's write privileges by leaving only the Allow box in the Read row ticked.
Repeat the process for
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
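To confirm that the permission changes above actually took effect, the following added script (not part of the original article) reads the ACL of each auto-start location and reports whether your account, directly or via BUILTIN\Users, still holds write access; it also lists what is currently registered under the Run and RunOnce keys. It assumes PowerShell 2.0 on Windows XP SP3, run while logged on as the Limited account being checked.

```powershell
# Added example, not from the original article: audit the auto-start
# locations hardened above and report whether your account can still
# write to them. Assumes PowerShell 2.0 on Windows XP SP3, run while
# logged on as the Limited account being checked.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. PC\alice

$folders = @(
    (Join-Path $env:USERPROFILE     'Start Menu\Programs\Startup'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')
)
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Look only at ACEs that apply to this user directly or via BUILTIN\Users,
# and classify them: an explicit Deny wins, a remaining Allow is a finding.
function Get-WriteVerdict([string]$path, [string]$writePattern) {
    $deny = $false; $allow = $false
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $who = $ace.IdentityReference.Value
        if ($who -ne $me -and $who -ne 'BUILTIN\Users') { continue }
        # FileSystemRights is set for folders, RegistryRights for keys
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"
        if ($rights -notmatch $writePattern) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    if ($deny) { 'write denied' } elseif ($allow) { 'WRITE STILL ALLOWED' } else { 'no write ACE' }
}

foreach ($f in $folders) {
    "{0,-22} {1}" -f (Get-WriteVerdict $f 'Write|Modify|FullControl'), $f
}
foreach ($k in $keys) {
    "{0,-22} {1}" -f (Get-WriteVerdict $k 'SetValue|CreateSubKey|WriteKey|FullControl'), $k
}

# Finally list what is registered to run at logon; anything unexpected
# here is worth investigating, whatever the permissions say.
foreach ($k in $keys[0..1]) {
    $item = Get-Item -Path $k
    foreach ($name in $item.GetValueNames()) { "{0}: {1} = {2}" -f $k, $name, $item.GetValue($name) }
}
```

A line reading WRITE STILL ALLOWED means that location was missed or the change did not stick; repeat the corresponding step for it.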
You have now successfully converted your original admin account into a Limited User Account. As a limited user you no longer have write privileges to the C:\Program Files or C:\Windows folders, the majority of the registry, or the auto-start locations. Congratulations: this also means that malware running within your limited account is prevented from seriously compromising your system.