Jump to content

coach me a little on Windows7-admin privileges?


jeffw_00

Recommended Posts

Hi - I just transitioned my XP machines to Win7 in the last few months (yes, I'm trailing edge).

 

I have Windows7 Home Premium on my machines. Unlike my others, I let my local mom/pop shop that built the machine do the Windows install, but I think they did it as I wanted - just one account with admin privlieges.

 

Here's what I'm wondering - On that machine, my wife had a problem with her "FileCabinet CS" program accessing a scanner, which their tech support solved by having her log into the "hidden admin" account and re-install the FC program. The tech said

 

"what happened is somehow the regular user account didn't have full privileges at the time FC was installed (either by setup or corruption or subsequent program, or something), so FC wrote to the computer rather than the user or vice versa"

 

The "regular user account" is marked "admin", and was used to set up everything in the system. I haven't touched the privileges on it since I got the computer.

 

So when is an admin account not an admin account? And how do you tell the difference? What is the 'hidden" admin account? Should I use that to install all SW? and is there a good webpage on this to get educated?

 

Thanks!

/j

 

[Please, no promos for Win8. I have my reasons for using Win7 for now- thanks! :-)]

Edited by jeffw_00
  • Like 1
Link to comment
Share on other sites

Guest LilBambi

Double clicking on an executable and clicking through the UAC prompt to allow it is one way to install something.

 

Sometimes you have to right click on the executable to install it as Administrator.

 

Always try it with the privileges of the user first.

 

And then there is this:

 

Access the real Administrator account in Windows 7 - TechRepublic

 

As you know, the User Account Control (UAC) system is the heart and soul of the security system in Microsoft Windows 7. It is designed to protect your system from inadvertent or malicious incidents that could compromise stability or security while you are logged on using an account with administrative privileges, where you have full access to the system. Of course, you can perform administrative operations simply by working through the UAC prompt. Or, if you totally dislike the UAC system, you can also easily disable it. For example, you can select the Never Notify setting on the User Account Control Setting window.

 

However, there certainly are times when it would just be nice to log on to your Windows 7system with a good old-fashioned, full-fledged Administrator account. When you do, you'll never encounter a UAC prompt.

 

In this edition of the Windows Desktop Report, I'll explain how you can activate and use the real Administrator account in Windows 7.

 

If you activate the real Administrator account, it is strongly recommended to change your account to a Standard User and providing the administrator password when installing things. There will still be times when you should login directly to the real Administrator account to install certain things.

Edited by LilBambi
Link to comment
Share on other sites

So what actually is the difference between the built-in Administrator account and an account you create with Admin privileges? I've used the Admin-privileged account I created to install all software on mother's win 7 system and had no issues at all. That being said, I do realize that some software will be more finicky than others about permissions.

Edited by ebrke
Link to comment
Share on other sites

Guest LilBambi

Actually you have three ... your Admin account, choosing to run as Administrator, and the real Administrator account.

 

And basically from what I have seen there are no differences ... right up till there are. ;)

 

There are some programs like tools to cleanup bad stuff that should be run as Administrator, and others that can be run with your admin UAC account.

 

And then if you need to dig deeper, you may need to enable the hidden real Administrator account.

Edited by LilBambi
Link to comment
Share on other sites

Hello,

 

Under Microsoft Windows 7 (and perhaps Microsoft Windows Vista), the accounts named Administrator and Guest (which have Administrator and Guest privileges, respectively) are created when the operating system is installed, but are disabled by the operating system. As a guess, the thinking behind this was probably to provide them for when compatibility was needed for any kind of legacy software or use, but to leave them turned off by default in order to reduce the initial attack surface for Windows (in particular, the number of accounts and processes that are available in when the computer starts up—the less things available, the less opportunity an attacker has to target them).

 

Now, the user account you log in with probably has Administrator privileges, but unlike Microsoft Windows XP, newer versions of Windows (Vista, 7, 8, etc.) don't just give carte blanche to accounts with Administrator privileges, and part of the reasoning behind that is because an attacker might trick the Administrator into running a program which affects the confidentiality, integrity or availability of the computer (malware such as trojan horses and and worms; a script to create new accounts, disable security policies, etc.; commands to de ete or alter data, and so forth). This is part of a concept that called the principle of least privilege, which basically states that an object such as program or user, should be given the fewest permissions needed in order to get the job done. That way, if they are compromised, the attacker won't have Administrator (root, superuser, et al) privileges and start stealing confidential and proprietary business plans, siphoning off funds from your bank account, using the compromised system as an attack platform for others, and all the other things an attacker likes to do. The actual mechanism used by Windows to accomplish this is something called a "split token," where the operating system automatically strips certain privileges from a process's token that would otherwise allow it to make those system-wide changes.

 

In this case, there is an additional line of, well, I don't want to call it a security boundary (because it really isn't one per se) but an extra "safety check" or "head's up" to let the user know when running a program which is going to exceed those privileges they normally require and make changes that can affect how the computer's operating systems, programs or data behave (or, in other words, affect the computer's confidentiality, integrity or availability). Under Windows, this system is called User Account Control (UAC) and it was a subject of some controversy when it was introduced in Windows Vista many years ago, with two settings, "on" or "off." Under Windows 7 (and newer) UAC has become more granular with some additional layers between just being "on" or "off."

 

So, with that in mind, I suspect what may have happened is that the installer for FileCabinet CS (a program which I had not heard of until today) was written in such a fashion that it crosses the security boundary of Windows' principle of least privilege, possibly in a way that the operating system cannot figure out how to handle and ask you about via a UAC prompt, or what those of us in the information security community refer to as 'trying to do something that's not kosher." At least that's a somewhat-educated guess on my part, based on one of the clues you offered: The software vendor's technical support department was readily aware of the issue and had a work-around in place for you to try.

 

Here are some additional resources on UAC you might find of interest:

I hope this helps shed a little more light on the subject. It's been a while since I've looked at this in detail (when Windows Vista came out in 2007), so I'm a little rusty on the particulars. If I've made any mistakes, hopefully someone will correct them.

 

Regards,

 

Aryeh Goretsky

  • Like 3
Link to comment
Share on other sites

While using the account with admin privileges I created, I've had UAC ask me to confirm that I want to allow a program to install or make changes to my system. I had not quite realized the extent to which MS had taken the least privilege concept, which is all good to me. Same reason I don't let my mother know the admin password for her system. :whistling: Thanks, Aryeh.

Edited by ebrke
  • Like 1
Link to comment
Share on other sites

Thanks everyone, and especially Aryeh Goretsky. Aryeh - that was very clear and educational and much appreciated.

 

For what it's worth - as it turned out, after reviewing what she did with tech support and doing some experiments, we traced the problem to something consistent and related to these discussions, but not quite what we originally thought it was. My wife had installed FC to disk location //machinename\disk\Program Files...etc. rather than to disk:\Program Files.... There was a historical but not really valid (or necessary) reason for doing this. It appears that if she had originally installed it to disk:\Program Files... there would not have been a problem. We theorize that being installed that way, it attempted to access the scanner as a network resource rather than a local resource, and was prevented from doing so.

 

Anyway - all better, and I've learned a lot. Thanks!!

/j

  • Like 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...