New Thinkpad, new questions :)

Posted: Wed Oct 11, 2006 3:29 pm
by QQs
Hi guys,

I finally got my new 14,1" T60. Thanks for all your advice and tips during my search for a new laptop. I absolutely love my T60, there is absolutely nothing that I don't like so far. I wish the ThinkLight was a little brighter but besides that, everything is better than I expected it to be :)

So overall, happy happy, joy joy here in Austria! :)

But a few new questions occurred while setting up my T60.

I like the idea of a hidden recovery partition and hesitate to do a clean install of WinXP (at least for now), but I would love to have at least 1 or 2 extra partitions to keep my stuff more organised. Do you know a secure and FREE way to repartition a HDD without threatening your data?

I tried to get used to the idea of working with a "limited user" instead of doing all my stuff as admin for security reasons, but I'm tired of switching between the 2 accounts a few times a day already :) Some programs seem to have problems if not run in admin mode or at least run from the user that installed them. If I generate a user with administrator rights, install all the programs and revoke admin rights from that user after install, will I still face those issues (I should be owner after installing the program)?

I'm using Kaspersky Internet Security 6.0 (including software firewall) and am working usually behind a router with a hardware firewall, would I be safe enough to work as an administrator? Mail client is Outlook 2003, browser Opera 9.xx

Do you know a good method to generate and remember secure passwords? What do you guys think of tools like PWSafe that generate and store passwords in an encrypted database on your computer?

Again, thanks for your advice in the past and I'm looking forward to your replies on these issues :)

Regards

Peter

p.s.: please excuse my mediocre English *hides*

Posted: Wed Oct 11, 2006 6:50 pm
by GomJabbar
Regarding "Limited User", I too find it a little too limiting. But rather than use Administrator all the time I set up a Power User account. The Power User account was readily available in Windows 2000, but in XP it is hidden for some reason - although it is still there. To change a Limited User account to a Power User account, Go to: Start > Control Panel > Administrative Tools > Computer Management > System Tools > Local Users and Groups > Users. Double-click on the user account you wish to change, click on Member Of tab, click Add..., type Power Users in box, click Check Names, click OK and OK.

Note also if you right click on a program name under All Programs (or elsewhere), there is a menu choice of Run as.... Choose that, use the drop down menu to pick your Administrator account, then type in your password. You are now running that program as Administrator. For this to work, I believe the Secondary Logon service must be Started and set to Automatic. Go to Start > Control Panel > Administrative Tools > Services - to check and set.

I know that many do not feel the need to do as I do above. To that I say: To each his own. :wink:

Posted: Thu Oct 12, 2006 1:13 am
by rbsrao79
I'm currently running my t60 with just user privileges. However, I had to do a lot to achieve my current state of nirvana.

A good place to refer to is here.

http://blogs.msdn.com/aaron_margosis/ar ... tents.aspx

Following are thinkpad specific instructions

1. Create user you use regularly
2. add user to administrator group
3. login as that user and finish css and fingerprint setup
4. remove user from administrator group and logout (and relogin).

Having done this, you can use the ideas provided in the url below to make your life easier. Specifically, the "temporary admin idea". Before you create your user, the other good idea is to change default owner settings as specified in

http://blogs.msdn.com/aaron_margosis/ar ... 93721.aspx

(Look for "Objects created while running with elevated privilege")

There are a lot of pros and cons. You should read thru the documents carefully. I wouldn't recommend this to the technically challenged. Ironically, it is the technically challenged that would benefit all that much more in running in non-privileged mode.


Rajeev

Posted: Thu Oct 12, 2006 9:37 am
by QQs
Thanks for your help guys!

Rajeev, thanks for the links, especially the "Objects created while running with elevated privilege" section was very interesting. If I understood it right, I will keep full control over an application even in non-admin mode if I set ownership to be given to the installing account instead of the admin group.

But does that mean that the application will be run with admin rights every time, even if I'm logged in as a "User"? If so, does a malware application have the possibility to gain admin rights through that application and infect my whole system?

I really like the idea of keeping control of some applications that produce errors when installed by an admin and run by a "User". Most programs run without any problem in a "User" environment, so this option would just be used for those applications which cause problems if run from a "User" account.

As you can see, I can count myself to the "technically challenged" group. But I'm willing to learn so give me a chance :)

Thanks

Peter

Posted: Fri Oct 13, 2006 12:48 pm
by rbsrao79
If you set the ownership to be that of the "installing account", the files/objects that you create as admin will continue to be owned by you. Hence you will be able to change them even when you are not an admin.

For instance, let's say you install an application as admin and it creates an ini file. You would be able to edit this ini file even though you are not admin (since you own it).

If you set the ownership to be that of administrator, the line is a bit blurry. All objects created are owned by the administrator group, but if I'm not mistaken, they will be based on the current user profile.

For example, registry entries created will apply to that of the installing account, i.e., it would create the object in your registry directory, but would set the owner of that object to be administrator.

Does that make sense ?

If this gets too hairy for you, a more secure way of dealing with this is to simply keep two accounts. One being "root" and the other "user". When you need to run something as root, you can use runas (in conjunction with iexplore) as indicated in the links I sent earlier.

In other words, all installations are done by root. The problem is that some applications require registry changes to be made to the actual user of the application rather than to just root. Typically I lose respect for those applications.

There are other applications that simply don't work correctly either which way.

For example, World of Warcraft, because of on-demand updates, requires the user to own the directory it is installed in. I actually forced an ownership change for this case.

Another example is some versions of Eclipse (the Java IDE) which rely on the configuration directory to be present in the install folder instead of the user folder. I think the latest version of Eclipse is ok for the most part.

There really is no "one size fits all" approach. Go with what's most convenient and relatively safe.

Rajeev

Posted: Fri Oct 13, 2006 2:07 pm
by rbsrao79
I apologize, I didn't really answer your question.


No, even if you own the object, when you execute it, it will be executed in non-privileged mode. However, as I said, in this non-privileged mode, you can still write to installed files since you own them and hence it's still insecure. Malware would not have admin rights directly, however, it could indirectly affect the system if it's capable of overwriting executables.

Well, given that you understand the meaning of the word privilege and malware (unlike my mother for instance) I wouldn't say you are technically challenged :)

Rajeev
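
The exposure described in the post above (installed executables that a non-administrative account owns or can overwrite) can be audited directly. The script below is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, uses `$env:ProgramFiles` as a default audit root, and treats only Administrators, SYSTEM and TrustedInstaller as trusted, all of which are choices made for this example.

```powershell
# Added example, not from the thread. Lists program files under $Root that a
# non-administrative account owns or is allowed to modify.
param(
    [string]$Root = $env:ProgramFiles,   # assumption: directory to audit
    [string[]]$Extensions = @('.exe', '.dll', '.sys', '.bat', '.cmd')
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs expected to own and write program files. SIDs are used
# instead of names so the check also works on localized Windows installs.
$trusted = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow replacing, deleting or re-permissioning a file.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $path = $_.FullName
        # Skip files whose security descriptor cannot be read.
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return }

        $owner = $acl.GetOwner($sidType).Value

        # Allow ACEs (explicit and inherited) granting write-type rights
        # to any principal outside the trusted list.
        $writers = @($acl.GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $trusted -notcontains $_.IdentityReference.Value -and
                ([int]($_.FileSystemRights -band $writeMask)) -ne 0
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)

        if ($trusted -notcontains $owner -or $writers.Count -gt 0) {
            [pscustomobject]@{
                Path            = $path
                OwnerSid        = $owner
                OwnerTrusted    = ($trusted -contains $owner)
                UntrustedWriters = ($writers -join ', ')
            }
        }
    }
```

Each row of output is a file that code running under a limited account could replace; an empty result means ownership and write access under the audited root are confined to the trusted SIDs.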

Posted: Sat Oct 14, 2006 12:39 am
by pbu
Hi,
KNOPPIX is one FREE way to repartition a HDD without threatening data?

Posted: Sun Oct 15, 2006 12:33 pm
by QQs
pbu, I partitioned my HDD with another Linux distro live CD using gparted. I thought about that way earlier but wanted to check if there is a comparable Windows program to do the job.

rajeev, thanks for your help, I already thought that there will be no "one size fits all" way to solve my issues, we are talking about Windows :)
I will create a new Admin account and a User account and just deactivate/lock the standard "Administrator" account.
Afterwards I will do all the installing with my admin account and grant ownership to the admin group. I will use a "cmd window with elevated rights" to run the applications that require admin rights to work properly when logged on as User. I just don't see me entering the admin password several times a day using the runas command, the cmd window should solve this issue.

Did you try to give "Write Access" to the WoW dir? I believe WoW just needs the ability to write to its homedir to run its updates. It shouldn't be necessary to hand out Ownership since WoW shouldn't delete any files or directories in its folder.

I will just give it a try and wait for the problems to show up. I'm pretty confident that I will be able to deal with them, especially the blog you posted was very very helpful. In addition to the info posted in the blog, there is a possibility of contacting Aaron himself IF hell breaks loose :)

Thanks guys for your help!

Regards

Peter

Posted: Mon Oct 16, 2006 1:40 am
by rbsrao79
You may be right that write access would work for WOW. I guess the reason I gave ownership was at the time I wasn't sure if patches did delete. Even in that case, I could give all access to just wow.

I can't remember if I installed wow as the restricted user (providing a user-owned directory as location) or if I installed wow as admin and then changed owner.

Rajeev