
Limited User Accounts



#1 Doug


Posted 18 February 2008 - 01:28 PM

In Windows XP when the computer is first turned on it logs in with an "account" through which it accesses and displays the Desktop. This is where you control your computer, starting and stopping programs, creating, editing or deleting documents, working with pictures, listening to music, browsing the World Wide Web (that's where the WWW in http:// www..... comes from) and all the other things you can do with a computer.

If there is only one user account and no password, XP will log in directly to the Desktop without you having to do anything. If you have assigned a password, XP will require you to enter the password to log in. If there is more than one user account, you must click on the account you want to log in with and then enter the password if one is assigned.

The accounts most Windows XP users are familiar with are:
  • Administrator
  • Limited User
  • Guest
There are a few others that you should be aware of but we will not do more than mention them here:
  • HelpAssistant: Used to remotely access & work on your computer
  • Support_38: Used to remotely access & work on computers run as Servers
    HelpAssistant and Support_38 are created only for a brief period of time when you give permission for a remote Tech to access and work on your computer (for instance, when you call Microsoft or Dell or HP). These user accounts will be removed at the end of the permitted service call performed by the remote Tech.
  • Asp.net: Created when you install .Net Framework and after update of .net Framework 1.1
    Sometimes owner/users are "surprised" by the sudden appearance of a new account named Asp.net. This account ordinarily appears after downloading Microsoft updates that include .Net Framework 1.1. The .Net Framework files are a set of tools provided by Microsoft to allow for easy and advanced creation of Websites developed by the owner of the computer. The Asp.net Account is SAFE. It is a Limited User Account. It does not get accessed unless the owner intentionally selects to use it in the development of web page content. It can be safely removed.
    For information about Removing Asp.net: http://www.mvps.org/...wsXP/aspdot.php
Accounts with Administrator privileges have access to everything:
  • Operating system
  • Add or Remove hardware
  • Add or Remove software
  • Modify the registry
  • Add, remove or change other Accounts
  • Add, remove or change all files on the hard drive
>>This type of privileged Account should be password-protected<<, and is used to make changes to the computer, like installing new software, changing system configurations, trouble-shooting and repair, and updating system and security utilities.

Limited User Accounts are restricted in their ability to install new software, and to make changes in the operating system and registry. Limited User Accounts can only gain access to files saved in that same account and some files intentionally designated as shared with others. Limited User Accounts can (and should) be password protected so that other Limited Users cannot see the documents and files created and saved in the account. However, Administrator Accounts may have access to information from all accounts on a computer, including Limited User Accounts.

Guest accounts have a lower level of privilege and are generally used by individuals who drop by and need to temporarily use a computer to create/print a document, look up something on the internet, or check their email. But the Guest account cannot directly make changes to the computer or files belonging to others. If the owner is concerned about people abusing their machine, the Guest account can be turned off in Control Panel / User Accounts.

Whenever an application is opened (for instance, by clicking on a Desktop icon or an internet link), it gains the same level of privilege as the owner/user account through which it was opened (Administrator, Limited User, Guest).

Unhappily, virus and spyware scripts can behave just like deliberately installed applications such as Word, MediaPlayer, and the Outlook email client. Viruses and spyware gain the same level of access and privilege to the computer as the active account possesses. Thus, if the user encounters a malware risk while operating in a Limited User Account, exposure is Limited.

By comparison, if the user encounters malware while logged into the computer with an Administrator Account, the malware has access to the operating system, registry, control configurations, and can more easily cause greater damage.

Because spyware and virus risk is now a fact of life for computer users, it is more appropriate (highly recommended) to conduct nearly all routine computer activities, including internet browsing and email, while logged in on a password-protected Limited User Account. The owner is wise to routinely use a password-protected Limited User Account login, and will still be able to use nearly all of the computer's installed application software for their ordinary computer purposes, while retaining a level of extra security. The owner can assign their preferred level of privilege to any/all accounts by using the options in Control Panel / User Accounts, but must do so while logged into an Administrator Account. If you don't know what privilege your account has, you can take a look in Control Panel / User Accounts.

You can log on to the Administrator account in Windows XP Home by booting to Safe Mode. With XP Pro, you can log on to the Administrator account by pressing the Ctrl-Alt-Delete keyboard combination twice while on the Welcome Screen. Change the Account name to Administrator, enter the password you assigned (to protect it from abuse), and press the Enter key or click on OK.

Food for thought: XP provides three ways to log on (or log in).
  • Automatic logon to desktop (which has already been covered).
  • Logon screen where you click on the account to log in with (and enter the password if one is assigned)
  • Press Ctrl+Alt+Del to log in
To force XP to use the Logon Screen, do the following:
  • Click Start then Run.
  • In the Open box, type control userpasswords2 and click OK.
  • In the dialog box that appears, check the Users must enter a user name and password to use this computer check box, and then click OK.
To force XP to require the user to press Ctrl+Alt+Del to log on:
  • First you need to switch to the Classic Logon and Logoff screens as follows:
    • Click Start then Control Panel.
    • Double-click User Accounts.
    • Click Change the way users log on or off.
    • Remove the check from the Use the Welcome screen check box.
    • NOTE: If you disable the Welcome Logon screen, you also disable the Fast User Switching option.
  • Now make this registry change to force the use of Ctrl+Alt+Del:
    • Click Start then Run, type regedit and click OK.
    • Select the Winlogon subkey at the following registry location:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Click Edit, click New, and then click DWORD value.
    • Change the value name to DisableCAD and press ENTER.
    • Keep the data value set to 0 which is displayed as 0x00000000(0).
Note: Any time you change the registry, it's a good idea to make a full backup first, in case you make a mistake. ERUNT is an excellent program to use to do this. During the Install process, allow it to add an entry to your Startup folder. That way you will get a complete registry backup each time you boot. It takes only a few seconds to run and has no visible impact on boot time performance.

To learn more about configuring User Accounts read the Microsoft Knowledge Base article:

http://support.microsoft.com/kb/279783

Repeating for emphasis: It is highly important and strongly recommended that the owner/user password-protect any and all user accounts that have Administrative privilege, in order to best protect the machine.

................................................................................
This article is a collaborative effort of Ztruker and Doug
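
The account checks and the DisableCAD registry setting described in the article, as an added example that is not part of the original post: a read-only batch file for the Windows XP Command Prompt that lists the accounts with Administrator privileges, shows whether Guest is active, and reports the DisableCAD value. It assumes an English-language install (group name Administrators, account name Guest) and the built-in net, find and reg commands; run it while logged in to an Administrator account.

```bat
@echo off
rem Added example, not from the original article: audit of the settings it discusses.
rem Assumes English Windows XP names: group "Administrators", account "Guest".
setlocal
set "KEY=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

echo === Accounts with Administrator privileges ===
rem Each account listed here should be password-protected.
net localgroup Administrators

echo === Guest account ===
rem "Account active  No" means the Guest account is turned off.
net user Guest | find /i "Account active"

echo === Ctrl+Alt+Del at logon ===
rem First test whether the DisableCAD value exists at all.
reg query "%KEY%" /v DisableCAD >nul 2>&1
if errorlevel 1 goto cad_missing
rem The value exists: data 0x0 means Ctrl+Alt+Del is enforced.
reg query "%KEY%" /v DisableCAD | find /i "0x0" >nul
if errorlevel 1 goto cad_off
echo DisableCAD is 0: Ctrl+Alt+Del is required.
goto done

:cad_missing
echo DisableCAD is not present in the Winlogon key.
goto apply_hint

:cad_off
echo DisableCAD is not 0: Ctrl+Alt+Del is not required.

:apply_hint
rem This script changes nothing. It only prints the command that makes the
rem article's registry change; back up the registry before running it.
echo reg add "%KEY%" /v DisableCAD /t REG_DWORD /d 0 /f

:done
endlocal
```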