Categories
geek microsoft security windows

running windows as a non-admin

When you read that even Macs can now expect to get infected with virii, and that 10 to 20 minutes of unprotected hexing on the internet is all it takes to get infected with all sorts of digital nasties, you know that you should take your personal computing security seriously.

So I came across an article in a Dutch/German IT magazine, C’T, about how you shouldn’t run your Windows box with an administrator account for daily use. The reason is quite simple. Even when you’re a geek who protects your box with a decent firewall and anti-virus software and keeps your OS software up to date, you can still get infected by something that uses an exploit that has not yet been discovered or patched.
Or maybe you’re simply having an off day, and you realise that the Kellie who sent you that email with an attachment isn’t the Kellie you know only after you’ve double-clicked it, with your hard drive now going on like a rattlesnake while absolutely nothing seems to be happening on screen…

So it’s a good idea: in case shit does hit your fan, the virus can’t properly infect your system, as you’re not running as an administrator but as a mere user, who does not have sufficient rights to alter certain parts of the registry and those so very precious system files. Naahnaah, eat that mister virus!

The idea has been living for a while, but Aaron Margosis from Microsoft has fleshed things out in his blog posts, and has some very useful and interesting information posted about it if you’d feel like giving it a spin.

Problem is it ain’t that easy. After creating a brand new admin account and stripping your daily user account of its admin super powers you might run into a few kinks here and there. You probably realise that you’ll have to use the fresh admin account to install new software etc., and XP’s fast user switching makes that pretty easy, but that’s not all. Now and then you’ll have some software that requires more system privileges, or sometimes software is simply badly written and requires more privileges than it should.

The RunAs command could be used in that case, but something more flexible and interesting are the MakeMeAdmin scripts (3 scripts), which made their entry on Margosis’ blog and in this follow-up post. The C’T mag also offered a version which combines all scripts into a single one, which is nice. The latest version available online contains German comments unfortunately, but it’s not really necessary to understand the comments to get it to work.
You can download the zip file on this page, using the link at the bottom.

To explain what it does in short: it adds your current user account to the administrator group, launches an application and de-admins your account again. You’re only a member of the admin group for a split second, but the application does have admin rights for as long as it runs, and uses your current user’s settings etc.

To have it run on your setup, there are 2 lines of code you need to change. First you need to change the _Admin_ variable value to the name of a user account with administrator access. That newly created admin account is what you put here.

set _Admin_="%COMPUTERNAME%\root"

Second, you need to change the German name of the admin group to the one that’s used on your system, since this is language dependent on Windows XP & 2000.

set _Group_=Administrators

Then just put a shortcut to it somewhere in your quicklaunch bar, your desktop, your Send To items, or all of the above, so you’re ready to fling stuff at it that doesn’t work under your limited user account.
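
The add, launch, remove flow described above, sketched as a two-stage batch script. This is an added example, not the C’T script or Aaron Margosis’ MakeMeAdmin: `_Admin_` and `_Group_` carry the values shown in the post, while `_User_`, `_Prog_` and the labels are assumptions made for the illustration.

```bat
@echo off
rem Added illustration of the add / launch / remove flow.
rem Not the C'T or Margosis script; names other than _Admin_ and _Group_ are assumptions.
setlocal

rem The two values the post says to adapt to your own machine.
set _Admin_="%COMPUTERNAME%\root"
set _Group_=Administrators

rem Assumption: the limited account is the one that starts this script.
set _User_=%USERDOMAIN%\%USERNAME%
rem Assumption: the program to start with admin rights, a command prompt here.
set _Prog_=cmd.exe

rem An argument means we were re-launched by stage 1 and now run as the admin account.
if not "%~1"=="" goto elevate

rem Stage 1, running as the limited user: start this same script as the admin
rem account and hand it the limited account name. runas asks for the admin password.
rem %~s0 is the short path of this script, which avoids nested quotes.
runas /user:%_Admin_% "%~s0 %_User_%"
goto done

:elevate
rem Stage 2, running as the admin account: put the limited account in the group.
net localgroup %_Group_% "%~1" /add
if errorlevel 1 goto failed

rem A new logon session for the limited account picks up the group in its token.
rem runas asks for the limited account's password and returns once the program starts.
runas /user:"%~1" %_Prog_%

rem Always take the account out again, whether or not the program started.
net localgroup %_Group_% "%~1" /delete
if errorlevel 1 goto failed
goto done

:failed
echo Changing membership of %_Group_% failed. Check the group by hand.
pause

:done
endlocal
```

Afterwards, `net localgroup Administrators` (with your localized group name) should no longer list the limited account. The program started in stage 2 keeps its admin token until it exits.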

Sweet as pie, and actually necessary if you want to run something that does low level OS operations like CD ripping or CD burning as I found out.

I’m planning to keep this up for a while until I either hit a brick wall, euhm… or not, and post about some of the software issues I might encounter.
We’ll see!

Categories
geek microsoft programming

IE as a platform for html apps

I came across HTA (HTML Applications) a while ago and I have to say it’s kinda neat.
In a way it’s not a big deal, but I didn’t know you could do this, and it really empowers you to write neat little apps fast by using JScript or VBScript and HTML, which is basic knowledge for a web developer right?

You can already write small apps in plain HTML pages, that’s right, but now and then you run into the problem that you need to do something your browser won’t let you because of security restrictions, and it’s damned right not to let you! For instance you’re trying to access an XML file on your hard drive. No biggy, but you won’t allow anyone to access your file system now will you?

I thought so, but in this case you want it, cause you’re writing the damn app yourself, and you trust yourself for the full 100%… well, mostly anyway. So here comes the “trick”. You rename your .html page (cause .htm is for FrontPage lusers) to .hta et voilà, you’re basically finished. Now you can double click the HTA file, and see your page run as a full-fledged Windows application, using good old-fashioned HTML for the interface and JavaScript as your programming language of choice. You could also use VBScript, but seriously.. why would you do that? Well, almost full-fledged, but you can get pretty close by using the HTA tag defined in the page’s head section.

How it works is that your newly created HTA page runs inside a separate instance of Internet Explorer, with all those typical security restrictions turned off, as you’re running it as a trusted application now. So you’re free to create any available ActiveX objects to do all sorts of stuff, like accessing the file system (FileSystemObject), parsing XML files (MSXML2), accessing remote web pages (XMLHTTP), running stuff in shell commands (WshShell), you name it.

Another cool thing with these HTA pages is that it even supports command line parameters. So you can write one and launch it from a command shell, with a few command line options, to do some funky shiznit for you.

“Ok”, you say, “This is neat, but can’t I just write a simple .JS or .VBS script if I want to use command line stuff anyway?” Well yes you could, but there’s one advantage to the HTA approach, and that’s the fact that you can include other scripts using the HTML script tag, so you can finally create some handy libraries to do the mundane stuff for you.

There’s no way to do that in a plain .js or .vbs script, which sucks IMO, since after you’ve written a few of those, you realise you keep needing the same kind of functionality over and over again, which would be ideal to put in a library… which you can’t include… so you copy paste… blegh…

But anyway, if you feel like slapping together a quick app maybe give this HTA thing a shot. You might dig it.

Categories
geek microsoft rant software windows

windows xp automatic annoyer

Sometimes I feel there should be a way to punish your OS. Smack it and make it feel pain so it knows it has just done a bad thing and shouldn’t ever do it again.

Like when it constantly keeps nagging about the fact you still have to reboot your PC after installing a number of OS updates on Windows XP. I mean, sure it should ask at least before rebooting, but when I choose the “Later” button, I also expect it to stop nagging. But no.

But not on XP. Every 15 minutes or so, it’s there again, asking to reboot now, or later. It’s like one of those annoying kids in the back of your car going “Are we there yet” every 5 sodding minutes. The nagging popup even comes back when you kill the process involved! Aaaaaaaaaaaargh!

Which reminds me of ZoneAlarm, which also has one of those neat reboot popup messages. That one doesn’t even have a “Cancel” or “Later” button, only a bloody OK button, and there’s no way to get it off your screen besides dragging it to the lower right corner and try to ignore it.

Bastards!

Categories
geek microsoft opensource security software windows

not that secure after all

It’s been an interesting week for IT security. Next to the, almost usual, patches Microsoft advises its users to install asap, a nasty domain name spoofing problem emerged in the open source browser Firefox.

Even software like F-Secure, which should be protecting your systems from getting infected, has been proven to have some serious issues of its own this week, which is at the least quite interesting, and also quite dangerous for anyone using the product right now.

This clearly shows that every piece of software has its vulnerabilities, and the claim that Firefox, Apple, Linux or whatever is safer to use than those evil Microsoft products is at the moment still true, but not because its code is so much safer, but simply because it’s still under the radar of virus writers and phishers.

The future will prove if the Open Source community will be able to patch security holes quicker than their commercial competitors (there’s a patch for the Firefox vulnerability online already), or if their code is really so much more secure and harder to exploit.

I’m guessing Firefox will be the first main target for virus writers and blackhat hackers in the coming year, as it’s gaining more and more popularity among the less tech savvy as we speak, and thus also becoming more interesting and visible on the evil hax0rz radar screens.

So to keep your computer safe it’s definitely a good idea to keep yourself out of sight by using the not-so-typical tools, which are in most cases just as good, or even better than their commonly used MS counterparts.

Dudley lock by wmacphail

Categories
geek microsoft opensource

snippets

Interesting read on how Microsoft’s FUD campaign against Open Source Software is failing, and this is what I would like to see more with software used by governments.