ConsciousVibes.com

Principle of Least Privilege
( How to Get Programs to Run While Logged in as a Member of the Users Group )

All of the information, instructions, and recommendations on this Web site are offered on a strictly "as is" basis. Remember "Murphy's Law." Please take the proper precautions before attempting any of the tips or modifications listed here.

Contents


What is the Principle of Least Privilege?
Why You Should Not Run as an Administrator or Root User
How to Create a Custom Default User Profile in Windows XP
How to Create a Custom Default User Profile in Windows Vista
How to customize default user profiles in Windows 7
How to Install VirtualDJ for use as a Standard User
BEST Plus
Mavis Beacon Teaches Typing v15
ImgBurn: You need Administrative privileges to use SPTI
Allow a Limited User to Burn CD's & DVD's
NDCMedisoft Advanced v9
Issues with setting Internet Explorer's Internet Security to High
Disable AutoRun / AutoPlay / Auto Insert Notification
Security & Privacy Tips
Links to: Principle of Least Privilege
Computer Tips Index

 



 

What is the Principle of Least Privilege (PLP)?

In information security & computer science the principle of least privilege, or just least privilege, requires that a user, a program, or a process/service should only have access to the information and resources that are necessary to do its job.

Part of implementing least privilege is to not allow users to log in as members of the Administrators group or as a root user.

It's good practice to install and configure the required applications as an Administrator, then create a custom default user profile (XP / Vista) before allowing any users to log in for the first time.

Microsoft refers to the principle of least privilege as LUA. The acronym LUA generally refers to Least-Privilege User Account, but is sometimes defined as Limited User Account, Least User Access, and several other variations. But whatever the letters stand for, the concept is the same. LUA is a computer user account that cannot make changes that affect other users of the system or the operating system itself. In Windows, these are typically members of the built-in Users group. Members of this group are explicitly not members of powerful groups (such as Administrators, Power Users, and Backup Operators) and they do not hold elevated privileges (like Load and unload device drivers, and Act as part of the operating system). Unfortunately, LUA can surface a number of issues.


 

Why You Should Not Run as an Administrator or Root User

If a system is compromised, by malware or by an unauthorized user, that malware or user will have the same privileges as the logged-on user. If the current user is an administrator or root user, then the malware/unauthorized user will have free rein to do whatever they want to the system, without the user's knowledge or interaction. If the current user is not an administrator or root user, e.g. a Limited User or Standard User, then the malware/unauthorized user should be restricted in what they can access and in how much damage they can inflict on the system.

If you're running as an administrator or root user, an exploit can:


 

How to Create a Custom Default User Profile in Windows XP Professional

[OS: Windows XP]

Summary

A custom default user profile is necessary when you want to install and configure the OS and software and have all users inherit the same standard configuration and settings, e.g. desktop icons, default printer, etc.

A custom default user profile is also helpful if several people use the same computer but each user wants a separate profile and access to shared resources, but you want to pre-configure certain aspects of the OS or applications.

When a new user logs in, Windows XP uses the default user profile as a template for creating a new profile for that new user.

You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile.

Note:
You’ll need to modify the My Documents\desktop.ini of the master user profile before creating the custom default user profile.
The desktop.ini file contains the "owner= " parameter that specifies the username of the current user. Windows XP will display the user's name with certain special directories, e.g. Windows will display "Admin’s Documents" instead of "My Documents."

This is an issue because when a different user logs in, their special directories will display the wrong user name.
To fix this issue, modify desktop.ini in My Documents and delete the user name leaving just "owner= "


Create a custom default user profile

1. Log on to the computer as the administrator, and then create a local user account. Add that new local user account to the administrators group.
2. Log off as the administrator, and then log on to the computer using the local user account that you just created.

Caution: You will cause permission issues if you create the custom user profile when you are logged on as the administrator.
3. Customize the profile: Install and configure applications, install printers and map network drives.
4. Log off as the local user, and then log back on as the administrator.
5. Replace the current default user profile with the customized default user profile. To do so, follow these steps:
a. In Control Panel, double-click System.
b. In the System Properties window, click the Advanced tab.
c. Under User Profiles, click Settings.
d. In the User Profiles dialog box, click the user profile that you just created, and then click Copy To.
e. In the Copy To dialog box, under Copy profile to, click Browse, click the C:\Documents and Settings directory, and then click OK. Type \Default User after C:\Documents and Settings.
f. Under Permitted to use, click Change, type Everyone, and then click OK.
This is an important step because it will reset the access rights for the new Default User profile.

Windows XP will use the Default User profile as a template from which to create a new user profile for any new user who logs on to the computer.

This change is permanent, so it is a good idea to make a backup copy of the Default User directory that is in C:\Documents and Settings\ before starting.

Note: If you get an error about files being "in use" or "locked," just reboot into Safe Mode and try to copy the profile again.


 

How to Create a Custom Default User Profile in Windows Vista

[OS: Windows Vista]

Summary

A custom default user profile is useful if several people use the same computer but each user wants both a separate profile and access to shared resources.

When multiple users log on locally to the same computer, Windows uses the built-in default user profile as a template for creating a profile for each new user.

You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile.

Create a custom default user profile

1. In Windows Vista, the administrator account is disabled by default. You don't need to enable it.  The first account that the Vista setup lets you create is a member of the Administrators group.  We'll use that for the configuration. Let’s call it Admin.
2. Create a 2nd user account that is also an Administrator. Let’s call it Admin2.

Caution: You will cause permission issues if you create the custom default user profile when you are logged on as the 1st administrator level account that you used to configure the system.
3. Customize the profile: Install and configure applications, install printers, map network drives, etc.
4. Log off as the 1st administrator account, Admin, and then log on to the computer using the 2nd user account that you created, Admin2.
5. Replace the current default user profile with the customized default user profile. To do so, follow these steps:
a. Press <Windows Key> + <Break> to open the System window or use Control Panel > System and Maintenance > System.
b. In the System window, open Advanced System Settings from the Tasks list and click Continue on the UAC permission prompt.
c. Under the User Profiles section, click the Settings button.
d. In the User Profiles dialog box, click the user profile that you just created, and then click the Copy To... button.
e. In the Copy To window, click Browse and select the C:\Users\Default directory or just type C:\Users\Default into the Copy Profile To field.
f. Under Permitted to use, click Change, type Everyone, and then click OK.
Note: This is an important step because it will reset the access rights for the new Default User profile.

6. Use RegEdit to remove references to the source user profile from the Default user profile:
a. Open RegEdit.
b. Highlight the HKEY_USERS key.
c. From the File menu, select Load Hive.
d. Select the C:\Users\Default\ntuser.dat file and click Open.
  • If you don't see Default when you're in C:\Users\, just type Default and click Open.
  • If you don't see ntuser.dat when you're in C:\Users\Default\, just type ntuser.dat and then click Open.
e. You will be asked for a Key Name. Use DEFAULT_USER.
f. Highlight the HKEY_USERS\DEFAULT_USER key.
g. Search for any values that contain the path information for the source profile's user folder (e.g. C:\Users\Admin) and delete them.
Note: Be certain you only delete these entries from the HKEY_USERS\DEFAULT_USER hive that you loaded into the registry.
h. After removing all the necessary entries, highlight HKEY_USERS\DEFAULT_USER again.
i. Select Unload Hive from the File menu and click Yes to confirm.
j. Close RegEdit and delete the ntuser.dat.log file from the C:\Users\Default directory.
k. Reboot the computer.
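
Step 6g is easy to get wrong by hand, so here is a read-only audit of the same hive, added as an example that is not part of the original page. It assumes PowerShell 2.0 or later is installed, an elevated prompt, and the names used in the steps above (source profile C:\Users\Admin, key name DEFAULT_USER); the function and variable names are made up for this example.

```powershell
# Added example: read-only audit of the Default profile hive. Run elevated.
# Assumed names from the steps above: source profile C:\Users\Admin,
# hive mounted as HKEY_USERS\DEFAULT_USER.
$HiveFile   = 'C:\Users\Default\ntuser.dat'
$MountName  = 'DEFAULT_USER'
$SourcePath = 'C:\Users\Admin'
$NoExpand   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Find-ProfilePathReference {
    param([string]$RootKey, [string]$Needle)

    # Collect the root key and every subkey as RegistryKey objects first
    $keys = @(Get-Item -Path $RootKey) +
            @(Get-ChildItem -Path $RootKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Keep REG_EXPAND_SZ data as stored instead of expanding %VARS%
            $data = $key.GetValue($name, $null, $NoExpand)
            # REG_SZ / REG_EXPAND_SZ arrive as string, REG_MULTI_SZ as string[];
            # numeric and binary values are skipped
            if     ($data -is [string])   { $strings = @($data) }
            elseif ($data -is [string[]]) { $strings = $data }
            else                          { $strings = @() }
            foreach ($s in $strings) {
                if ($s.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    New-Object PSObject -Property @{ Key = $key.Name; Value = $name; Data = $s }
                }
            }
        }
        $key.Close()   # release the handle so the hive can be unloaded
    }
}

# Mount the hive (same effect as File > Load Hive in RegEdit)
& reg.exe load "HKU\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed; is the hive already loaded or in use?" }
try {
    $hits = @(Find-ProfilePathReference "Registry::HKEY_USERS\$MountName" $SourcePath)
    $hits | Format-Table Key, Value, Data -AutoSize -Wrap | Out-String | Write-Host
    Write-Host ("{0} value(s) still reference {1}" -f $hits.Count, $SourcePath)
}
finally {
    # Drop any remaining handles, then unmount (File > Unload Hive)
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

The script only lists matches; deletion stays a manual decision in RegEdit. Paths stored inside binary values are not decoded, so a count of zero covers string values only.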

Windows will use the Default User profile as a template from which to create a new user profile for any user who logs on to the computer for the first time.

This change is permanent, so it is a good idea to make a backup copy of the C:\Users\Default directory before starting.

Note: If you get an error about files being "in use" or "locked," just reboot into Safe Mode and try to copy the profile again.


 

How to Install VirtualDJ for use as a Standard User

OS: Windows 7 (64-bit)
Program: Virtual DJ 7.0.5b (Home Free)

March 2012

VirtualDJ by Atomix Productions is software for audio and video mixing.

I had installed VirtualDJ as an Administrator, and VirtualDJ ran fine. But when I tried to use VirtualDJ from a different account that was a Standard user, I received the following error:

Installation Error!
Please reinstall VirtualDJ from the official installer.
If you have multiple user accounts on this computer, make sure you install from the account you are using, not from Administrator.

So, as the error message says, you need to install VirtualDJ while logged in as the user that you're going to run it under. I tried that, but VirtualDJ still failed with the same error.

The "VirtualDJ 7 - Getting Started.pdf" manual makes no mention of this quirk/requirement.

I tried the following without a positive result:

Solution

  1. Log in as an Administrator
  2. Temporarily elevate the User account you want to run VirtualDJ under to an Administrator
  3. Log in as the elevated user account you want to run VirtualDJ under
    1. Install VirtualDJ
    2. Run VirtualDJ at least once
    3. Log out of Windows
  4. Log in as an Administrator
  5. Change the Standard user account that you temporarily elevated to install VirtualDJ back to a Standard User.

Now when you log in as a Standard user, VirtualDJ will run without giving you an “Installation Error.”


 

BEST Plus

by CAL (Center for Applied Linguistics)

OS Windows XP Professional

Issue / Error Message

When you run BEST Plus while logged in as a limited user, the following message is displayed:

Data Access Not Successful!
BEST Plus was unable to successfully update its program variables. This is usually due to inadequate user rights (permissions) on the computer, especially with Windows XP. You must be signed in with Administrator rights in order to use BEST Plus.

Fix, Part 1

Fix, Part 2

Use Regedit, while logged in as a member of the Administrators group, to modify the permissions for HKEY_CLASSES_ROOT\pztfile

 



 

Mavis Beacon Teaches Typing

OS Windows XP Professional

Summary

When a user is logged in as a member of the Users group, an error is displayed when starting Mavis Beacon Teaches Typing v15.

Could not create file for system settings.  C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER\system.msy

The directory C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER\ requires "Modify" and "Write" rights.

These are instructions on how to get Mavis Beacon Teaches Typing v15 to run on computers running Microsoft Windows 2000 and XP when the user is logged in with an account that is a member of the group "Users," e.g. Student.

Instructions

  1. Login as a member of the Administrators group.
  2. Install Mavis Beacon Teaches Typing v15 (MBTT).
  3. Start MBTT at least once so that the "MAVUSER" directory is created.
  4. Run Windows Explorer ( Windows Key + e ).
  5. Right click on the MAVUSER directory located in C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\
    Note: The "Application Data" directory is hidden, so in the address bar, type \Application Data (the backslash is required) then press the enter key. Now you'll be able to open the Broderbund\Mavis Beacon directory.
  6. Select "Properties" from the popup/context menu.
  7. Click on the "Security" tab.
  8. Click on the group name "Users."
  9. In the "Permission for Users" section, under the "Allow" column, click "Modify."
  10. Click the OK button.
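
The same grant as steps 4 to 10, scripted and then verified, as an added example that is not part of the original page. It assumes PowerShell has been installed on the machine (it is not part of a default Windows XP install) and that it is run as a member of Administrators; the function and variable names are made up for this example.

```powershell
# Added example, not from the original page. Run as a member of Administrators.
$Dir      = 'C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER'
# Well-known SID of BUILTIN\Users, so the script does not depend on a localized group name
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$Modify   = [int][System.Security.AccessControl.FileSystemRights]::Modify

function Test-UsersModify {
    param([string]$Path)
    # Explicit and inherited rules, with identities returned as SIDs
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $UsersSid.Value -and
            $r.AccessControlType -eq 'Allow' -and
            ([int]$r.FileSystemRights -band $Modify) -eq $Modify) { return $true }
    }
    return $false
}

$before = Test-UsersModify $Dir
if (-not $before) {
    # Allow Modify for Users on this folder, its subfolders and files (what the
    # "Modify" checkbox on the Security tab does), and nothing broader
    $ruleArgs = @($UsersSid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl  = Get-Acl -Path $Dir
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Dir -AclObject $acl
}

# Verify the result and confirm the grant did not reach the parent folder
$parent = Split-Path -Path $Dir -Parent
"Users had Modify on MAVUSER before: $before"
"Users have Modify on MAVUSER now:   $(Test-UsersModify $Dir)"
"Users have Modify on parent folder: $(Test-UsersModify $parent)  (False means the grant is limited to MAVUSER)"
```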

 

Optional Changes

When MBTT is run, the menu that is displayed shows several options.  Run, Install/Uninstall, Register, etc.  It's best that the user isn't able to use these other options. 

  1. Right click on the shortcut in the Start Menu for Mavis Beacon Teaches Typing.
  2. Click on properties.
  3. In the "Target:" field, replace run.exe with mavis15.exe.
  4. Click on the OK button.

Further, delete all the other shortcuts that were installed with Mavis so that users don’t use them.  e.g. Register, Readme, & Internet.

 

 



 

ImgBurn: You need Administrative privileges to use SPTI

OS Windows XP Professional

From ImgBurn Log:

   I 13:41:50 ImgBurn Version 2.4.1.0 started!
   I 13:41:50 Microsoft Windows XP Professional (5.1, Build  2600 : Service Pack 3)
   I 13:41:50 Total Physical Memory: 1,004,076 KB  -   Available: 386,980 KB
   I 13:41:50 Initialising SPTI...
   I 13:41:50 Searching for SCSI / ATAPI devices...
   E 13:41:52 CreateFile Failed! - Device: '\\.\CdRom0' (R:)
   E 13:41:52 Reason: Access is denied.
   W 13:41:52 Errors were encountered when trying to access a  drive.
   W 13:41:52 This drive will not be visible in the program.
   E 13:41:52 You need Administrative privileges to use SPTI.
   W 13:41:52 No devices detected!

______________________________________________________________________

Problem:

You receive the error 'You need Administrative privileges to use SPTI' when you start ImgBurn as a Limited user.

Fix:

By default on Windows XP, SPTI is available only to Administrators.

Here is a quick workaround for those people wanting to stick with SPTI:

  1. Log in as an Administrator
  2. Open a command prompt.
    1. Click 'Start' -> 'Run'
    2. Type "cmd" and click OK
  3. Type "secpol.msc" and press [enter]
  4. Expand "Local Policies"
  5. Click "Security Options"
  6. Change "Devices: Restrict CD-ROM access to locally logged-on user only" from "Disabled" to "Enabled"
  7. Close the "Local Security Settings" window
  8. Reboot the computer
  9. Log in as a Limited user
  10. Run ImgBurn

______________________________________________________________________

ImgBurn Log: After doing the fix, rebooting, and logging in as a Limited User...

   I 13:48:31 ImgBurn Version 2.4.1.0 started!
   I 13:48:31 Microsoft Windows XP Professional (5.1, Build  2600 : Service Pack 3)
   I 13:48:31 Total Physical Memory: 1,004,076 KB  -   Available: 393,284 KB
   I 13:48:31 Initialising SPTI...
   I 13:48:31 Searching for SCSI / ATAPI devices...
   I 13:48:31 Found 1 DVD±RW!
________________________________________________________________________________________

You can use the following reg key instead of manually configuring secpol.msc

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
; "1" corresponds to "Devices: Restrict CD-ROM access to locally logged-on user only" = Enabled
"allocatecdroms"="1"

______________________________________________________________________


 

Allow a Limited User to Burn CD's & DVD's

OS Windows XP Professional

Windows XP Professional's default configuration prevents Limited users from burning to optical media. To change this, follow the steps below:

  1. Log in as an Administrator
  2. Open a command prompt.
    1. Click 'Start' -> 'Run'
    2. Type "cmd" and click OK
  3. Type "secpol.msc" and press [enter]
  4. Expand "Local Policies"
  5. Click "Security Options"
  6. Double-click on "Devices: Allowed to Format and eject removable media"
  7. Set this option to "Administrators and Interactive Users"
  8. Close the "Local Security Settings" window
  9. Reboot the computer
  10. Log in as a Limited user

 



 

NDCMedisoft Advanced v9

OS Windows XP Professional

Allow modify rights for the group "Users" to:

 

 



 

Issues with setting Internet Explorer's Internet Security to High

OS Windows XP Professional SP3
Role: Logged in as a Limited User
Browser Internet Explorer v8

Internet Explorer v8  (Internet Properties = control inetcpl.cpl)

Downloading with Mozilla Firefox v3.6

Downloads of .exe files using Firefox v3.6 fail when IE's Internet Security is set to High.
When you initiate the download, the file shows up in the Firefox Download window as "Cancelled." If you "Retry," the download will start, but as soon as the download completes, the file disappears or has a size of 0 bytes.

Usually when Firefox is downloading a file, it creates a temporary file with a .part extension, then when the download is complete, Firefox renames the .part file to the proper filename.
With IE's Internet Security set to High, the .part file is not created.

RunAs from the Context Menu

When you attempt to run a program that requires elevated rights or try to RunAs, you get the following message:

Error

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

e.g. http://gtopala.com/download/siw.exe

Workaround for Downloading with Firefox

Method 1: Temporarily change the file extension

  1. Set Firefox to prompt for a location to save the file:
  2. Download the file, but when prompted for the filename, change the extension to .zip
  3. After the file is downloaded, rename the file back to its original name by changing the extension from .zip to .exe or .msi

Method 2: Set a custom level for security in the Internet zone.

  1. Go to "Control Panel -> Internet Options -> Security (tab) -> Internet."
  2. Set security to "High."
  3. Click on "Custom level..."
  4. Change, Miscellaneous > "Launching applications and unsafe files" from "Disable" to "Prompt (recommended)."
  5. Change, Miscellaneous > "Launching programs and files in an IFRAME" from "Disable" to "Prompt (recommended)."


 

All items Copyright ©1996 - 2014 Mr. N. Chin. All Rights reserved. Conscious Vibes developed and maintained by Mr. Chin. Reproduction without explicit permission is prohibited. See: Terms of use