Running as non-admin is not as hard as I imagine


As a security tester, we need to ensure that our product works under minimal privilege.  Yes, test machines are set up to test with minimal privilege, but my day-to-day email machine is set up with admin privilege.  Although it is a threat to run under admin, it was more threatening to inflict myself with the hassles of running as non-admin.  As an extremely paranoid person, I have so many novice questions: Do I need to reboot all the time if I need admin privilege?  Will my apps continue to function properly?  Will I get blue screen for no reasons?

One fine day, I decided to switch from admin to power user.  Granted that power user is almost an admin, it should be a good start to run my box as non-admin.  After several days, I did not find any differences with Office applications and other well-known ones, such as IE. 

Until I need to unblock an application on my SP2 firewall do I have a problem.  The problem can easily be circumvented by using “runas /user:mymachine\administrator control firewall.cpl” and enter my password.  After the command, I run firewall.cpl as admin, and unblock my application.  Finally, close the firewall app.

Voila, I am happy again with running my box as non-admin.

Comments (6)

  1. Master Bates says:

    Yeah but the default new user that is rammed down our throat to create on a fresh XP install belongs to the ADMINISTRATOR group anyway.

    Not to mention any new XP machine installed is pulverised by the LSASS bug within 10 minuites so its futile. Never run a new Windows XP machine without a NAT period or your ass is owned.

    That includes OEM machines bought of the shelf which would account for oh i would think a LARGE proportion of windows licenses out there no?

  2. css says:

    http://weblogs.asp.net/aaron_margosis/ is a good source of running as non-admin info. Use the makemeadmin script, http://weblogs.asp.net/aaron_margosis/archive/2004/07/24/193721.aspx

  3. Dan says:

    That’s all well and good as long as you know how to run a control panel via a command line. How would a mere mortal do it?

  4. Lloyd Cotten says:

    Shift/right-click –> Run As..

  5. aw says:

    Control panel apps can be run as an admin without using the command line. Hold the shift key down while right-clicking on a control panel applet, and you’ll see a "run as" option appear. Select that and you can then input admin credentials to run that applet with elevated privileges.

  6. This works as long as you use applications which are aware of the difference between HKLM and HKCU… Unfortunately there are many applications which aren’t…