More musings on the enhanced IE security in Win2K3

One other cool thing included in the management recommendations for the Internet Explorer Enhanced Security Configuration (res://shdoclc.dll/IESechelp.htm#manage, on a Win2K3 machine), is a set of recommendations for browser security for servers. If all server admins followed these, that would certainly be an improvement. Unfortunately, many folks probably won't ever look at the docs for the Enhanced Security Configuration, which is why I'm reproducing these tips here:

Browser Security — Best Practices

Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.

To reduce the risk to your server of potential attacks from malicious Web-based content:

  • Do not use servers for browsing general Web content.
    Use client computers to download drivers, service packs, and so on.
  • Do not view sites that you cannot confirm are secure.
  • Use a limited user account instead of an administrator account for general Web browsing.
  • Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.

Good advice. Now let's hope people follow it.

Quiz time! How many of you are running as Administrator (or an account with administrative rights) right now?

I'll start by fessing up that I am (at least on my day-to-day machine), which I should not be. There are two big problems with this practice.

The first problem, which affects mainly the person running as admin (as well as potentially any machine on their network) is that if malicious code gets executed while you're running as admin, you're basically owned by that code, it can do whatever it wants.

The second problem, for those of us who are developing code to be used by others, is that the habit of running as admin often means that code that we develop breaks when the user of that code isn't running as admin. This of course means that the user of the code may resort to running as admin just to get your code to work. Thus you've extended your bad habit to someone else. I can say at least that all of the code examples that I write for my books are now written and tested 100% under a non-admin account, so that my readers will never have to run as admin just to get the samples to work.

I'm working on weaning myself from running as admin, and I certainly hope if you're not already, that you will all work on this too.

So how about it? How many of you are running as admin? Let's see a (virtual) show of hands...

4 Comments

  • i always run an admin user, mainly just because i'm lazy, and relying on having a virus scanner and an ounce or two of common sense.

  • I'm running as admin. The little annoyances that I run into, when using a less privledged account just aren't worth it to me.





    I'm careful when I develop, and I use non-admin accounts when I'm testing to catch any problems, and that works well for me. I haven't had to do enough re-work to make running day-to-day as a non-admin worth it.

  • I tried not running as an admin on my last install, but I quickly found it to be far too annoying, particularly on programs that install for 'this user only' w/o asking, so when I'd Run As, they'd only be set up for the Administrator and not me. Maybe now that everything's set up, I'll try the ol' non-admin thing again to see how it goes...

  • After reading several articles about the dangers of running as admin, I too have been using a non-admin account for my day to day work.





    I've created a set of shell scripts that create a command shell for admin access. I've also created a new toolbar and added all my admin tools to it. When I need to do something as an admin, I simply drag the icon to the admin shell, then press enter. Voila, instant admin access.





    I can develop and debug just fine as a non-admin. For some programs that insist on writing to restricted registry keys or file locations, I simply give my account the proper permissions. RegMon and FileMon from sysinternals.com are great tools for tracking these things down.





    Also, even for general browsing, I've set my default Internet zone to High, and Trusted zone to Medium. I have the IE PowerToys Add To Trusted Zone add-in, so I can allow scripting etc. on a site by site basis.





    Sure, it can be a pain sometime, but I think the peace of mind I have far outweighs any inconvenience I may have.





    Michael


Comments have been disabled for this content.