Computer Question - Online security and Win XP???

[kudzu]

Hopefully, one of you computer gurus will answer two very basic questions about online security when running Win XP Pro SP2 with all updates? The questions are specifically not about security software apps or suites. In fact, I am going to start another thread on that subject - let's discuss that separately.

 

When I initially setup both my laptop and the desktop that my wife and I share, I had created separate user accounts and, not knowing better, gave them both admin priviledges. The author of a seemingly excellent book that I am reading on Win XP points out the error of my ways, from a security standpoint, of leaving admin priviledges unnecessarily exposed all the time. Right or wrong, his reasoning made sense to me. So, I changed both existing accounts to limited accounts and created an admin account to use only in those specific instances in which admin priviledges are required. Anticipating houseguests who just need to hop on line briefly to check their webmail or whatever, I also turned on the guest account. Everything was peachy and I was so proud of my atypical surge of prudence!

 

Later, I realized that my internet security software suite was not loading properly and running in any but the admin account. Googling revealed that this issue has been indentified for some time and exhaustively discusssed online, but no definitive fix found. I have submitted the issue to the software vendor's tech support people but, based on the experience or many others, am not hopeful. Some of the "solutions" visited on other users by the tech support folks are worse than the problem! I have been THERE on another issue with the same software and support staff.

 

My questions are certainly simple and maybe ignorant. Is the security exposure posited by the book's author significant? If so, would the exposure be eliminated, or at least largely so, by just logging out of the user accounts after each online session? The computer would still be running, the OS loaded and, maybe, a browser and email client open in the logged off user account. What about it?

 

OK, now I'm off to start that thread about security software...

 

Regards,

Ernie

[Ken H.]

There are just so many things that require admin access to run correctly that I think you're going to be fighting a uphill battle to limit it. Yes there are ways, and in a corporate environment with an experienced IT staff to work them out that's an option, but for home personally I say leave the user IDs with admin rights, use strong passwords on all accounts, including Guest, and deal with the treats other ways. Good security software, a hardware firewall, etc.

[Francois_Dumas]

I agree with Ken. About 80% of all customer problems we get to answer have to do with people NOT having Admin rights on their OWN PC ! I can't for the love of me understand why especially freedom loving Americans put up with this patronizing by MS!!

 

I guess it is well-meant, but gone horribly wrong. Be Admin, turn off UAC, and be done with it.. unless you put your PC unattended in the middle of the mall with your banking software on it, why bother???

[Aluminum_Butt]

I think Ken pretty well hit the nail on the head. Running with less than admin rights is likely to cause you more headaches than running with them.

 

Some additional do's and don'ts:

 

* Do put a password on every account, and especially those with admin access. I see a lot of home PC's with no password.

* Do rename the administrator account to something else. You can do this in the User Management screen - just click to highlight and hit F2.

* Do use strong passwords...at least 8 characters, and include a number and/or special character.

* Do NOT enable the Guest account. Leave it disabled, then create another account to use for guests.

* Once you've renamed the administrator account, do create an account called administrator, remove all of its group memberships, then disable it.

[kudzu]

Your comments, picked up and amplified by the others, make sense to me. Thanks!

 

You mentoned a hardware firewall. I have heard them mentioned and advertised, but have only the vaguest idea what you are talking about. On my little two-PC home network, with one machine cabled directly to the router and the other connected wirelessly, do I need more than the security on my router?

 

I promise, I won't pester you any more!

[Francois_Dumas]

Your router most likely includes a built-in firewall..... I use a Linksys Broadband wireless router and have made sure to 'lock it' using the associated software that comes with it.

 

I am assuming you have something similar, but may not have set it up yourself?

[kudzu]

.. unless you put your PC unattended in the middle of the mall with your banking software on it, why bother???

If the bad guys troubled to penetrate my bank accounts, it would serve them right - they would be sadly disapppointed!

[Francois_Dumas]

.. unless you put your PC unattended in the middle of the mall with your banking software on it, why bother???

If the bad guys troubled to penetrate my bank accounts, it would serve them right - they would be sadly disapppointed!

 

[kudzu]

My router is an older Linksys WRT54GS, version 2.0 actually. I have updated to the latest firmware compatible with that version router, implemented WPA security, changed the SSID, disabled SSID broadcast, changed to a strong passsword... In short, done what I know to do to button it down as securely as possible. After all, I don't want hackers to get to all the national security secrets on my computers!

[kudzu]

I think Ken pretty well hit the nail on the head. Running with less than admin rights is likely to cause you more headaches than running with them.

 

Some additional do's and don'ts:

 

* Do put a password on every account, and especially those with admin access. I see a lot of home PC's with no password.

* Do rename the administrator account to something else. You can do this in the User Management screen - just click to highlight and hit F2.

* Do use strong passwords...at least 8 characters, and include a number and/or special character.

* Do NOT enable the Guest account. Leave it disabled, then create another account to use for guests.

* Once you've renamed the administrator account, do create an account called administrator, remove all of its group memberships, then disable it.

Good stuff!

 

I am really just a little kid. Please tell me why not to use the guest account, that has very limited rights, but to create another account for guests that, it seems to me, would have greater rights. Not that I doubt you, just want to understand!

 

Also, what about your strategy on the admin account? Are you creating a dummy as a distraction, or what?

 

Thanks much!

[Francois_Dumas]

My router is an older Linksys WRT54GS, version 2.0 actually. I have updated to the latest firmware compatible with that version router, implemented WPA security, changed the SSID, disabled SSID broadcast, changed to a strong passsword... In short, done what I know to do to button it down as securely as possible. After all, I don't want hackers to get to all the national security secrets on my computers!

 

Looks okay.

 

To be sure you've blocked all evil, use ShieldsUp! services for a free check and report:

https://www.grc.com/x/ne.dll?bh0bkyd2

 

(Don't let all the daunting texts deter you..... )

[DavidEBSmith]

Please tell me why not to use the guest account, that has very limited rights, but to create another account for guests that, it seems to me, would have greater rights.

 

Hackers will use known resources as attack vectors. They'll try the default accounts of "guest" or "administrator" and if those are there, that puts them one step closer to getting in. If those accounts aren't there, they have to guess user name AND password and it's harder.

[Ken H.]

Please tell me why not to use the guest account, that has very limited rights, but to create another account for guests that, it seems to me, would have greater rights.

You can set up another account with the same rights as Guest, but the fact that it isn't called "Guest" will make it less obvious of a target.

[DavidEBSmith]

Yes, to be sure, I renamed my administrator account "l33tH4x0r" and gave it the password "Hello_Kitty" so they would be hard to guess.

[Ken H.]

Yes, to be sure, I renamed my administrator account "l33tH4x0r" and gave it the password "Hello_Kitty" so they would be hard to guess.

Where hard to guess.