Painless User Group Experience

Thread: Painless User Group Experience

  1. #1

    Painless User Group Experience
    (Pretty Version)
    By Soda_Popinsky

    The technically adept have a problem on Windows. We want full control of the OS, but we want the security of the User Group. "Run as..." sucks, it doesn't work with .msi files, and admin control panel items don't work unless you log in as an administrator. I intend to solve the horrid experience with this article; it has been a blessing for me thus far. Screenshot of the end result is attached.

    The major security issue with the Windows operating system is the "out of box experience" that encourages everyone to run as an administrator. The major benefit to Linux is the ease of switching back and forth between privileged and lesser privileged accounts with "su" and other applications that prompt for admin rights. This article will focus on a few fixes to allow us to easily install software and configure the system without fully switching between accounts.

    First, as an administrator, visit the Control Panel and create a new "limited" account. Name it something sexy, because you'll be using it from now on. Log in to this account.

    Imitating Linux "su"
    The command line method of running software under another account is with the "Runas" command. We can imitate the Linux "su" command with a small batch file and a quick launch icon. Create a file named rootshell.bat in your "My Documents" folder, and fill it with this text:

    runas /user:AdminName cmd
    Change "AdminName" to the name of your administrative account. Once saved, drag the batch file into your quick launch panel and click on it. You'll be prompted for the admin password, and you now have a root shell. You can now drag & drop .msi install packages into this window and install them (.msi files don't have a "Run as..." context menu). You can change the icon if you like by right clicking it and changing its properties.

    Easy Administrative Control Panel
    The other big problem is getting an administrative control panel without logging out and logging in to an administrative account. Let's solve that with another batch file, but first we need to make an adjustment to the way explorer handles new windows. Follow through with this quick adjustment in the admin account you are using (From MSKB).

    To open each folder in a separate part of memory

    Open Folder Options in Control Panel.
    Click Start, and then click Control Panel.
    Click Appearance and Themes, and then click Folder Options.
    On the View tab, select the Launch folder windows in a separate process check box.
    Once done, create another batch file named rootcontrol.bat in your "My Documents" folder, and fill it with this text:

    runas /user:AdminName control
    Again, change "AdminName" to the name of your administrative account. Then drag the file to your quick launch panel and change the icon to something prettier if you wish. Click on the icon in your quick launch, and enter your admin password. You now have an administrative Control Panel open.

    These two quick launch icons will give you any control you need during your time spent in a lesser privileged account. It is extremely hard for malicious software to do damage with an account in the Windows "User" group.
    ---
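
A setup check for the two launchers described in post #1, as an added example that is not part of the original post. The file name checkroot.bat is hypothetical, and the registry value SeparateProcess (where Explorer stores the "Launch folder windows in a separate process" check box) and the English group name "Administrators" are assumptions not stated in the thread.

```bat
@echo off
rem checkroot.bat - added example, not from the original post.
rem Run it inside the shell opened by rootshell.bat: there HKCU is the
rem administrative account's hive, which is where the setting must live.
setlocal
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
set "RC=0"

echo Checking account: %USERNAME%

rem 1. Confirm the shell really runs as a local administrator.
rem    Assumes a local account and the English group name "Administrators".
rem    findstr /b matches lines that start with the account name.
net localgroup Administrators | findstr /b /i /c:"%USERNAME%" >nul
if errorlevel 1 goto notadmin
echo [ OK ] %USERNAME% is listed in Administrators.
goto checkexplorer

:notadmin
echo [FAIL] %USERNAME% is not listed in Administrators. Wrong shell?
set "RC=1"

:checkexplorer
rem 2. The Folder Options check box is stored as SeparateProcess = 1.
rem    Without it, the runas control / runas explorer launchers rely on
rem    a setting that is missing for this account.
reg query "%KEY%" /v SeparateProcess 2>nul | find "0x1" >nul
if errorlevel 1 goto nosep
echo [ OK ] Folder windows launch in a separate process.
goto done

:nosep
echo [FAIL] SeparateProcess is not 1 for this account.
echo        Tick the Folder Options check box while logged in as %USERNAME%.
set "RC=1"

:done
rem Exit code 0 means both checks passed, 1 means at least one failed.
endlocal & exit /b %RC%
```

Running the same file from the limited account should report a failure on the first check, which confirms the daily account is outside the Administrators group.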

  2. #2
    So how the hell do any of you get along with just "Run as..." and fast user switching? Isn't it the most annoying experience on the planet? There have to be other ways people have learned to simplify things... I was hoping there would be some comments

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    I gotta be honest... it has always been a pain in the a$$ to run on regular instead of admin, not just having to run as...type username&pass, but especially with Ctrl Panel items.
    Until now, the only way to get around it for me is to either stay off the net and do what I need on AdminUser or just log in restricted and keep running as....

    Good simple work!
    Congrats

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    If I need to browse a filesystem as an admin, I'll runas Internet Explorer as admin and use the UNC path to get where I need. (since you can't runas the Windows Explorer) You just have to make sure you have a patched and clean Internet Explorer. Also, I have IE set to about:blank because I often use it only for browsing a filesystem as another user and don't want the homepage to load.

    I have a shortcut to cmd.exe in my "quicklaunch" bar. I'll runas the shortcut to cmd and any command you run in that will be run with the new privileges. Note: You can leave this window open for more than one command. So, you'll only have to runas once...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Hey Phish -

    Using IE to view the filesystem as admin?

    This is the part of the tutorial you need, do it with your administrative account:

    To open each folder in a separate part of memory

    Open Folder Options in Control Panel.
    Click Start, and then click Control Panel.
    Click Appearance and Themes, and then click Folder Options.
    On the View tab, select the Launch folder windows in a separate process check box.
    Then when you:
    runas /user:administrator explorer
    Guess what happens? Explorer as admin, in a user account. That's how you get an administrative control panel from another account as well. You can make a quick launch out of it for convenience.

  6. #6
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by Soda_Popinsky
    So how the hell do any of you get along with just "Run as..." and fast user switching? Isn't it the most annoying experience on the planet? There have to be other ways people have learned to simplify things... I was hoping there would be some comments
    Very, very good. Thank you for posting this. (I'd green ya, but apparently I've done that recently.)

    Between runas and Run As..., the only time I log into admin anymore is to install programs.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Between runas and Run As..., the only time I log into admin anymore is to install programs.
    I've found more often than not, you can just runas the install executable. Whatever processes it spawns will also be run under the escalated privileges.

  8. #8
    You'd think that MS would be smart enough to let you "Run As..." the control panel, but you can't with most items. For instance, network connections. If I'm running as a user and I go mobile, I gotta mess with the wireless, so this helps a lot.

  9. #9
    Senior Member
    Join Date
    Sep 2005
    Posts
    221
    Note: what do you do if you need to use kill.exe on something you ran with Admin privs?
    Definitions: Hacker vs. Cracker
    Gentoo Linux user, which probably says a lot about me..
    AGA member 14460 || KGS : Trevoke and games archived

  10. #10
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by phishphreek80
    I've found more often than not, you can just runas the install executable. Whatever processes it spawns will also be run under the escalated privileges.
    While yes, the program will install, it seems that sometimes (not every time, I assume it's installer dependent) the shortcuts for the program for my user will not be put in the Start Menu. Rather than go through the hassle of copying all the shortcuts to my Start Menu, I just log in as Admin to install.

    - Xierox
