Fellow security blogger, Kurt Wismer, says that there are limited advantages to limited users. He is right in all his arguments:
- A program running in your account, even if it is a limited user account, still has access to all of your files. It can search in them for e-mail addresses, wipe them or do other nefarious things with them.
- It will stop only malware which is written with the assumption that it will be run with an Administrator account – very true, however this is currently a very large percentage of the malware. In this context running as limited user is a security by obscurity solution, and there is nothing wrong with that. Remember: having security by obscurity as an additional layer of defense is not a bad thing, but having it as the only layer is. Think of it: you don’t put a note on your door saying what kind of burglar alarm you are using just because “security by obscurity is a bad thing”!
But he misses one huge point, in my humble opinion:
Running as limited user makes it highly probable that you can contain whatever malware problem you have. What do I mean by that? Imagine the following typical scenario:
- A piece of malware not recognized by your security product is executed (and make no mistake, it is possible to develop malware which for a period of time is not recognized by any security product)
- As soon as it executes, it kills your on-access scanner, stops the services associated with the security products and blacklists the update IPs of the security product.
- Additionally it may install rootkits and other kernel level components
If you were an Administrator (or Power User, who can very easily elevate her/his privileges), after these steps you would have a near-zero chance to disinfect your system and be sure that you indeed eliminated all the malware from it without doing an offline scan (e.g. putting your HDD in another computer) and scanning it with several AV products. Even then it is best to wipe and reinstall (which of course must be followed by patching, creating and using a limited account and other safe computer usage practices!).
Now consider the same scenario again, but this time from the point of view of a limited user:
- The malware can’t kill the processes associated with your security product – it has not enough privileges.
- The malware can’t stop the services associated with your security product – it has not enough privileges.
- The malware can’t blacklist the DNS entries associated with the update service of your security product – it has not enough privileges.
- It can’t install BHOs, rootkits, traffic sniffers, etc. – you guessed it, not enough privileges.
- If you have a firewall which can control outbound connections, you might be able to prevent it from running. I say might because a software firewall must consider many things, like dll injection, to make a reliable judgment call of allowing or denying the communication.
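The two scenarios above (the malware’s steps under an Administrator, and what it cannot do under a limited user) can be checked from your own account. The following PowerShell script is an added example, not part of the original post: it reports whether the current token is in the Administrators or Power Users group, whether it can create a file in %SystemRoot% or open the hosts file for writing (the DNS-blacklisting step), and whether the security product’s service ACL lets low-privilege groups stop it (the service-killing step). It assumes Windows with PowerShell 5.1 or later; the service name WinDefend is a placeholder for whatever service your security product installs. It opens files for write without writing anything, and only reads the service’s security descriptor, so it does not stop or change anything.

```powershell
# Added example (not from the original post): audit the privilege boundaries
# the limited-user argument relies on, from the account you are logged in with.
# ASSUMPTION: 'WinDefend' is a placeholder for your security product's service.
$SecurityServiceName = 'WinDefend'

# Well-known SDDL aliases that a limited user belongs to
# (Builtin Users, Authenticated Users, Everyone, Interactive, Guests).
$LowPrivilegeSids = 'BU', 'AU', 'WD', 'IU', 'BG'

function Get-CurrentPrincipal {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    New-Object Security.Principal.WindowsPrincipal($identity)
}

function Test-IsAdministrator {
    # Reflects the *effective* token: a UAC-filtered admin session reports $false here.
    (Get-CurrentPrincipal).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsPowerUser {
    (Get-CurrentPrincipal).IsInRole([Security.Principal.WindowsBuiltInRole]::PowerUser)
}

function Test-CanWriteTo([string]$Path) {
    # Open for write access without writing a byte; a limited user gets
    # UnauthorizedAccessException, an admin gets a handle that we immediately close.
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                              [IO.FileAccess]::Write, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        $true
    } catch [UnauthorizedAccessException] { $false }
}

function Test-CanCreateIn([string]$Directory) {
    # Can this account drop a new file where drivers and system binaries live?
    $probe = Join-Path $Directory ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch [UnauthorizedAccessException] { $false }
}

function Get-ServiceStopGrantees([string]$Name) {
    # Read the service's security descriptor as SDDL. In service SDDL the
    # right 'WP' means SERVICE_STOP; GA/GW (generic all/write) include it.
    # Returns the trustees of allow-ACEs carrying one of those rights.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match 'D:\(' }) -join ''
    if (-not $sddl) { return @() }
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)') |
        Where-Object { $_.Groups[1].Value -match 'WP|GA|GW' } |
        ForEach-Object { $_.Groups[2].Value }
}

function Get-PrivilegeBoundaryReport {
    $hostsFile    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $stopGrantees = @(Get-ServiceStopGrantees $SecurityServiceName)
    [pscustomobject]@{
        Account               = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        IsAdministrator       = Test-IsAdministrator
        IsPowerUser           = Test-IsPowerUser
        CanCreateInSystemRoot = Test-CanCreateIn $env:SystemRoot
        CanEditHostsFile      = Test-CanWriteTo $hostsFile
        LimitedUsersCanStopAV = [bool]($stopGrantees | Where-Object { $LowPrivilegeSids -contains $_ })
        ServiceStopGrantees   = ($stopGrantees -join ',')
    }
}

Get-PrivilegeBoundaryReport | Format-List
```

On a properly set up limited account every boolean in the report should be False; any True is a place where the malware in the scenario above would not be stopped by the account boundary alone. ServiceStopGrantees lists raw SDDL aliases or SIDs (BA is Builtin Administrators, SY is Local System), so you can see exactly who is allowed to stop the service even when the low-privilege check is False.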
Running as limited user does not protect you from each and every piece of malware, but it can make sure that your system is in a recoverable state when your security software issues an update and starts recognizing the particular piece of malware. Also, if you are running as limited user, when doing a cleanup you don’t even have to bother looking in places like the Windows directory or for drivers. The limited user accounts can also be used to separate programs (this is not entirely true until Vista, because of the shatter attack), but it is a very good starting point. Finally, when talking in the context of a corporate environment, only limited users can be effectively controlled by the IT department; higher privileged users have many ways of circumventing any host based control system.
PS. Some AV products try to do some magic to prevent their process termination (and I don’t mean to pick on Kaspersky Labs, they have a very good product; others like Symantec or Zone Labs are also using this approach). This is bad in my humble opinion because any protection can be circumvented by a program running with high privileges (thus resulting in a cat-and-mouse game – for example the Advanced Process Termination from Diamond.cs is able to terminate all these products in their current versions). Another reason for me not liking this approach is that it can lead to system instability.
PS 2. If you would like to run as limited user, check out my blog posting which details various methods of doing that and still being able to elevate your privileges when necessary.