I'm Back! Upcoming Posts...

re: I'm Back! Upcoming Posts...

knox — Sat, 04 Feb 2006 14:22:53 GMT

Glad to have you back. I make it a point to run as a limited user myself, and require limited users at the domains I manage. Thanks to your efforts, I know some of the little tricks that an admin needs to know, like runas, shift-clicking on control panels, opening the power settings up, etc. Thank you!

re: I'm Back! Upcoming Posts...

Philipp Kohn — Sat, 04 Feb 2006 19:27:18 GMT

Hi Aaron, great to hear from you. I´m looking forward to read more about LUA in Windows Vista and the new Tools. => cool Regards Philipp Kohn http://blog.kohnonline.de

re: I'm Back! Upcoming Posts...

Toby Broom — Thu, 23 Feb 2006 04:00:12 GMT

Hi Aaron,

In Vista you "Admin" but UAP prompt you for elevation.

In XP you run as a "User" and you use Run as etc to elevate.

is the Admin User in Vista equilivent to a Normal User in XP?

re: I'm Back! Upcoming Posts...

Aaron Margosis — Thu, 23 Feb 2006 04:59:02 GMT

Toby Broom - it's not quite equivalent. It's a little tiny bit like User + MakeMeAdmin, but not really. Good info about Vista/UAC at these links:

http://blogs.msdn.com/uac/archive/2006/02/22/537129.aspx

http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

re: I'm Back! Upcoming Posts...

Toby Broom — Wed, 08 Mar 2006 02:20:22 GMT

Hi Aaron, is there any use to the User account in Vista? if your running as user with the option to eleviate then is there any diffrence?

If I set a password for admin account on vista to say stop my kid's eleviating with ease, how does this work with the network access cf winXP?

re: I'm Back! Upcoming Posts...

Aaron Margosis — Wed, 08 Mar 2006 05:05:36 GMT

Toby Broom - Check out the links I posted last time. There are basically three types of accounts in Vista:

* the built-in Administrator account, which always runs with full admin privileges;

* the "protected admin" account (I think that's still what it's called), which runs everything with normal User privileges except as needed - and prompts you with a secure UI before it allows a program to run with elevated permissions - this is kind of like MakeMeAdmin but much better UX and far more secure;

* the "standard user" account, which always runs with normal privileges. When something needs to run with elevated privileges, it prompts you with a secure UI to enter credentials for an admin account (built-in admin or a "protected admin"). You can't elevate unless you have the password (or other credentials) for an admin account.

I'm not sure what you mean regarding "the network access of WinXP"...

re: I'm Back! Upcoming Posts...

Mike Drechsler — Thu, 09 Mar 2006 09:54:06 GMT

>I'm not sure what you mean regarding "the network access of WinXP"...

I believe he meant that in WinXP if the account does not have a password then it will not have remote access permission. If you need to have a password on these admin accounts in order to use the new elevation features of Vista then does that also mean that they will be vulnerable to remote attacks?

re: I'm Back! Upcoming Posts...

Aaron Margosis — Thu, 09 Mar 2006 10:07:00 GMT

Mike Drechsler - As with Windows XP, you don't need to have a password for these accounts - and as with XP, the default policy is that local accounts with blank password can be used only for console logon - no remote access. This is an excellent option if you can trust everyone who has physical access to the computer. Elevation of a "protected admin" account doesn't require a password - you can be prompted for simple consent via a secure UI. If you have a password, vulnerability to remote attacks will be mitigated by the on-by-default firewall (as with XP SP2).

re: I'm Back! Upcoming Posts...

Chelle — Sat, 08 Apr 2006 17:42:01 GMT

Call me ignorant, but I seem to not have Local users and Groups under my system tools. I have done several advanced file searches and the like.. to come up with nothing. Can someone please help me with some info. on how to find? I went in under Administrator in windows safe mode..it still was not there. I took the computer back to an earlier ref. date in the system restore and still nothing. I have not added any crazy software either. I could really use some advice!

re: I'm Back! Upcoming Posts...

Mike — Wed, 10 May 2006 15:16:31 GMT

I need to run IIS as a non-admin on a server...preferably Power User. Do you know if this is possible? It would be a great help if you could lead me in the right direction.

re: I'm Back! Upcoming Posts...

Aaron Margosis — Wed, 10 May 2006 16:46:19 GMT

Mike: inetinfo.exe runs as LocalSystem, but web apps run as Network Service by default, which is *far* less privileged than "Power Users". You can also easily configure multiple app pools running under different low-privileged service accounts to run web apps in.

And please note that Power Users is *not* non-admin -- Power Users is "admin-lite", can easily elevate to Admin/System, and is considered deprecated.

re: I'm Back! Upcoming Posts...

Aaron Margosis — Wed, 10 May 2006 16:50:25 GMT

Chelle - sorry for not replying sooner. If you're not on a domain controller, right-click on My Computer, choose Manage - it should be under Computer Management \ System Tools. Another way to get there is to run lusrmgr.msc from the Run dialog or a command prompt.

Microsoft Standard User Analyzer

Don Kiely's Technical Blatherings — Sat, 27 May 2006 05:01:25 GMT

I see that Microsoft has released its Standard User Analyzer that &ldquo;helps developers and IT professionals...

re: I'm Back! Upcoming Posts...

Andrew — Fri, 02 Jun 2006 14:40:58 GMT

Hi Aaron,

This is a great blog and a great cause. Unfortunately with XP it may be a lost cause as it seems most of the major consumer antivirus applications do not update under limited users (I have had no problems with any other applications I use). I can not get people (I can't even be bothered myself) logging into an administrator account, getting the updates, then logging out again every single day. The best I can do is set local policy to run Internet facing applications as normal users.

With Vista, not only will antivirus have to work in normal user mode, but I am not sure I will even be running antivirus on the actual client PC (gateways, proxies, etc instead). We will see.

Andrew

re: I'm Back! Upcoming Posts...

Andrew — Fri, 02 Jun 2006 15:36:08 GMT

Maybe a better alternative to sacrificing LUA for antivirus updates is to just update and full system scan monthly, while keeping the firewall that monitors inbound and outbound connections going. That way any threats will still find it hard to get their information out (especially as it will be harder to kill the firewall process) even if they do manage to get on the system, and I can really lock down the system. Hmm these are tough decisions for me. What do other people think?

re: I'm Back! Upcoming Posts...

Aaron Margosis — Fri, 02 Jun 2006 16:46:00 GMT

Andrew, I was just going to reply to your comment, but I turned it into a blog post:
http://blogs.msdn.com/aaron_margosis/archive/2006/06/02/614226.aspx

re: I'm Back! Upcoming Posts...

Nitin Arora — Mon, 17 Mar 2008 21:10:31 GMT

Hi Aaron,

When I logon as Power User on my system, Default Web Site does not appear in the IIS Manager.

I want to use VS 2005 in a non admin account which is a Power User to develop ASP.net we b projects. But Visual Studio is also throwing access denied error.

Please suggest what to do to avoid this error.

Thanks

Nitin Arora

[Aaron Margosis] Is this on XP or Vista?

"Power Users" is not non-admin. Power Users are Admins who have not made themselves admins yet.