
Principle of Least Privilege
( How to Get Programs to Run While Logged in as a Member of the Users Group )

All of the information, instructions, and recommendations on this Web site are offered on a strictly "as is" basis. Remember "Murphy's Law." Please take the proper precautions before attempting any of the tips or modifications listed here.

Contents


What is the Principle of Least Privilege?
How to Create a Custom Default User Profile in Windows XP
How to Create a Custom Default User Profile in Windows Vista
BEST Plus
Mavis Beacon Teaches Typing v15
ImgBurn: You need Administrative privileges to use SPTI
NDCMedisoft Advanced v9
Security & Privacy Tips
Links to: Principle of Least Privilege
Computer Tips Index

What is the Principle of Least Privilege?

In information security and computer science the principle of least privilege, or just least privilege, requires that a user, a program, or a process/service has access only to the information and resources that are necessary to do its job.

If a system is compromised, by malware or an unauthorized user, that malware or user will most likely have the same rights as the currently logged-in user. If the current user is an administrator or root user, the malware/unauthorized user has free rein to do whatever it wants to the system. If the current user is not an administrator or root user, e.g. a Limited User, the malware/unauthorized user is restricted in what it can access and in how much damage it can inflict on the system.

Part of implementing least privilege is to not allow users to log in as members of the Administrators group or as a root user.

It's good practice to install and configure the required applications, then create a Custom Default User Profile, before allowing any users to log in for the first time.
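As an added example (not part of the original page), here is a PowerShell script that checks the two points above on a workstation: who is actually in the local Administrators group, and whether the current session itself is running with administrative rights. It assumes PowerShell 2.0 or later, the English built-in group name, and a stand-alone or workgroup machine; the net localgroup lines at the end are illustrative and use the page's own "Student" account name.

```powershell
# Added example (not from the original page): audit which accounts can log on
# with administrative rights on this computer, and report whether the current
# session itself is running with Administrators membership.
# Assumptions: PowerShell 2.0 or later; English built-in group names.

function Get-LocalAdministrators {
    # The WinNT ADSI provider exposes local groups on XP/Vista without add-on modules.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # Members come back as COM objects; read their properties through reflection.
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $cls  = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{ Name = $name; Class = $cls; ADsPath = $path }
    }
}

function Test-CurrentSessionIsAdmin {
    # True when the token of this PowerShell session carries the Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$admins = @(Get-LocalAdministrators)
Write-Host "Accounts in local Administrators on $env:COMPUTERNAME ($($admins.Count)):"
$admins | Format-Table Name, Class, ADsPath -AutoSize

if (Test-CurrentSessionIsAdmin) {
    Write-Warning "This session runs with Administrators rights; day-to-day work should use a Users-group account."
} else {
    Write-Host "This session is a non-administrative account, as least privilege recommends."
}

# Any day-to-day account that shows up in the list above belongs in the Users
# group instead. Illustrative commands for the page's example account "Student":
#   net localgroup Administrators "Student" /delete
#   net localgroup Users "Student" /add
```

Run it once as an administrator after setting the machine up, and again from the account users will actually log in with: the second run should report a non-administrative session.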


How to Create a Custom Default User Profile in Windows XP Professional

[OS: Windows XP]

Summary

A custom default user profile is helpful if several people use the same computer but each user wants a separate profile and access to shared resources.

When multiple users log on locally to the same computer, Windows XP uses the built-in default user profile as a template to assign a profile to each new user.

You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile.

Create a custom default user profile

1. Log on to the computer as the administrator, and then create a local user account. Add that new local user account to the administrators group.
2. Log off as the administrator, and then log on to the computer using the local user account that you just created.

Caution: You will cause permission issues if you create the custom user profile when you are logged on as the administrator.
3. Customize the profile: Install and configure applications, install printers and map network drives.
4. Log off as the local user, and then log back on as the administrator.
5. Replace the current default user profile with the customized default user profile. To do so, follow these steps:
a. In Control Panel, double-click System.
b. In the System Properties window, click the Advanced tab.
c. Under User Profiles, click Settings.
d. In the User Profiles dialog box, click the user profile that you just created, and then click Copy To.
e. In the Copy To dialog box, under Copy profile to, click Browse, click the C:\Documents and Settings directory, and then click OK. Type \Default User after C:\Documents and Settings.
f. Under Permitted to use, click Change, type Everyone, and then click OK.
This is an important step because it will reset the access rights for the new Default User profile.

[Screenshot: Copy Profile to]

Windows XP will use the Default User profile as a template from which to create a new user profile for any new user who logs on to the computer.

This change is permanent, so it is a good idea to make a backup copy of the Default User directory that is in C:\Documents and Settings\ before starting.

Note: If you get an error about files being "in use" or "locked," just reboot into Safe Mode and try to copy the profile again.


How to Create a Custom Default User Profile in Windows Vista

[OS: Windows Vista]

Summary

A custom default user profile is useful if several people use the same computer but each user wants both a separate profile and access to shared resources.

When multiple users log on locally to the same computer, Windows uses the built-in default user profile as a template to assign a profile to each new user.

You can replace this built-in profile with a custom default user profile so that each new user receives a custom version of the profile.

Create a custom default user profile

1. Log on to the computer as the administrator, and then create a local user account. Add that new local user account to the administrators group.
2. Log off as the administrator, and then log on to the computer using the local user account that you just created.

Caution: You will cause permission issues if you create the custom user profile when you are logged on as the administrator.
3. Customize the profile: Install and configure applications, install printers, map network drives, etc.
4. Log off as the local user, and then log back on as the administrator.
5. Replace the current default user profile with the customized default user profile. To do so, follow these steps:
a. Press <Windows Key> + <Break> to open the System window, or use Control Panel > System and Maintenance > System.
b. In the System window, open Advanced System Settings from the Tasks list and click Continue on the UAC permission prompt.
c. Under the User Profiles section, click the Settings button.
d. In the User Profiles dialog box, click the user profile that you just created, and then click the Copy To... button.
e. In the Copy To window, click Browse and select the C:\Users\Default directory, or just type C:\Users\Default into the Copy Profile To field.
f. Under Permitted to use, click Change, type Everyone, and then click OK.
Note: This is an important step because it will reset the access rights for the new Default User profile.

6. Use RegEdit to remove references to the source user profile from the Default User profile:
a. Open RegEdit.
b. Highlight the HKEY_USERS key.
c. Select Load Hive from the File menu.
d. Select the C:\Users\Default\ntuser.dat file and click Open.
e. You will be asked for a Key Name. Use DEFAULT_USER.
f. Highlight the HKEY_USERS\DEFAULT_USER key.
g. Search for any values that contain the path information for the source profile's user folder (e.g. C:\Users\Master) and delete them.
Note: Be certain you only delete these entries from the HKEY_USERS\DEFAULT_USER hive that you loaded into the registry.
h. After removing all the necessary entries, highlight HKEY_USERS\DEFAULT_USER again.
i. Select Unload Hive from the File menu and click Yes to confirm.
j. Close RegEdit and delete the ntuser.dat.log file from the C:\Users\Default directory.
k. Reboot the computer.

Windows will use the Default User profile as a template from which to create a new user profile for any user who logs on to the computer for the first time.

This change is permanent, so it is a good idea to make a backup copy of the C:\Users\Default directory before starting.

Note: If you get an error about files being "in use" or "locked," just reboot into Safe Mode and try to copy the profile again.
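The registry clean-up in step 6 of the Vista procedure can be scripted. The following PowerShell script is an added example (not from the original page): saved as a .ps1 and run from an elevated prompt, it loads C:\Users\Default\ntuser.dat as HKEY_USERS\DEFAULT_USER, lists every string value that still contains the source profile path, deletes those values only when -Remove is given, and unloads the hive again. The source profile path C:\Users\Master is the page's example and is an assumption here; pass the account you actually customized.

```powershell
# Added example (not from the original page): scripted version of step 6 above.
# Loads C:\Users\Default\ntuser.dat as HKEY_USERS\DEFAULT_USER, reports (and with
# -Remove deletes) string values still pointing at the source profile folder, then
# unloads the hive. Assumptions: elevated PowerShell prompt (member of
# Administrators); source profile C:\Users\Master is the page's example path;
# nothing else has the default profile hive open.
param(
    [string]$SourceProfile = 'C:\Users\Master',
    [string]$HiveFile      = 'C:\Users\Default\ntuser.dat',
    [switch]$Remove                       # without -Remove the script only reports
)

$MountName = 'DEFAULT_USER'
$MountKey  = "Registry::HKEY_USERS\$MountName"

# Equivalent of regedit's File > Load Hive (steps b-e).
& reg.exe load "HKU\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed (exit code $LASTEXITCODE)" }

try {
    $hits = @()
    # Walk the mounted hive root and every subkey (step g).
    $keys = @(Get-Item -Path $MountKey) + @(Get-ChildItem -Path $MountKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            # Read REG_EXPAND_SZ unexpanded so %USERPROFILE%-style data is not disguised.
            $data = $key.GetValue($valueName, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($data -is [string[]]) { $text = $data -join "`n" } else { $text = [string]$data }
            if ($text.IndexOf($SourceProfile, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $(if ($valueName -eq '') { '(Default)' } else { $valueName })
                    Data  = $text
                }
            }
        }
        $key.Close()   # release the handle so the hive can be unloaded later
    }

    if ($hits.Count -eq 0) {
        Write-Host "No values referencing $SourceProfile found in $HiveFile."
    } else {
        $hits | Format-Table Key, Value, Data -AutoSize -Wrap
        if ($Remove) {
            foreach ($hit in $hits) {
                # Every key name here starts with HKEY_USERS\DEFAULT_USER, so only the
                # loaded hive is ever touched (see the note to step g).
                $path = 'Registry::' + $hit.Key
                $name = $(if ($hit.Value -eq '(Default)') { '(default)' } else { $hit.Value })
                Remove-ItemProperty -Path $path -Name $name -ErrorAction Stop
            }
            Write-Host "Removed $($hits.Count) value(s)."
        } else {
            Write-Host "Re-run with -Remove to delete the values listed above."
        }
    }
}
finally {
    # Drop any remaining .NET registry handles, then unload (steps h-i).
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed; unload HKEY_USERS\$MountName manually in regedit." }
}
```

Run it first without -Remove and read the list; step j (deleting ntuser.dat.log) and step k (reboot) still apply after the hive has been unloaded.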


BEST Plus

by CAL (Center for Applied Linguistics)

[OS: Windows XP Professional SP2]

Issue / Error Message

When you run BEST Plus while logged in as a limited user, the following message is displayed:

Data Access Not Successful!
BEST Plus was unable to successfully update its program variables. This is usually due to inadequate user rights (permissions) on the computer, especially with Windows XP. You must be signed in with Administrator rights in order to use BEST Plus.

Fix

Use Regedit, while logged in as a member of the Administrators group, to modify the permissions for HKEY_CLASSES_ROOT\pztfile.

Mavis Beacon Teaches Typing

Summary

When a user is logged in as a member of the Users group, an error is displayed when starting Mavis Beacon Teaches Typing v15.

Could not create file for system settings.  C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER\system.msy

The directory C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER\ requires "Modify" and "Write" rights.

These are instructions on how to get Mavis Beacon Teaches Typing v15 to run on computers running Microsoft Windows 2000 or XP when the user is logged in with an account that is a member of the "Users" group, e.g. Student.

Instructions

  1. Login as a member of the Administrators group.
  2. Install Mavis Beacon Teaches Typing v15 (MBTT).
  3. Start MBTT at least once so that the "MAVUSER" directory is created.
  4. Run Windows Explorer ( Windows Key + e ).
  5. Right click on the MAVUSER directory located in C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\
    Note: The "Application Data" directory is hidden, so in the address bar, type \Application Data (the backslash is required) then press the enter key. Now you'll be able to open the Broderbund\Mavis Beacon directory.
  6. Select "Properties" from the popup/context menu.
  7. Click on the "Security" tab.
  8. Click on the group name "Users."
  9. In the "Permission for Users" section, under the "Allow" column, click "Modify."
  10. Click the OK button.
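Both of the permission changes on this page (the HKEY_CLASSES_ROOT\pztfile key for BEST Plus and the MAVUSER directory for Mavis Beacon) are ordinary ACL edits, so they can be applied from an elevated PowerShell prompt instead of clicking through the Security tab. The script below is an added example, not from the original page or either vendor. The specific registry rights granted on pztfile (ReadKey, SetValue, CreateSubKey) are this example's own choice of minimum, since the page only says to "modify the permissions"; the directory path is the Windows XP path quoted above.

```powershell
# Added example (not from the original page): grant the Users group only the
# rights the two applications above need, then show the resulting entries.
#   BEST Plus:    write access to the registry key HKEY_CLASSES_ROOT\pztfile
#   Mavis Beacon: Modify on the MAVUSER data directory
# Assumptions: run from an elevated prompt; the pztfile rights are this example's
# chosen minimum; the MAVUSER path is the Windows XP path from the page.

function Grant-RegistryKeyRights {
    param([string]$KeyPath, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',   # subkeys inherit
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.AddAccessRule($rule)     # add to, never replace, the existing entries
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Grant-DirectoryRights {
    param([string]$Directory, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl -Path $Directory
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # this folder, subfolders and files
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Directory -AclObject $acl
}

function Show-AccessFor {
    # Print the access entries for one identity, for either a registry key or a directory.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Rights'; Expression = {
                if ($_ -is [System.Security.AccessControl.RegistryAccessRule]) { $_.RegistryRights } else { $_.FileSystemRights } } } |
        Format-Table -AutoSize
}

$users = 'BUILTIN\Users'

# BEST Plus: let Users update values under HKEY_CLASSES_ROOT\pztfile.
$pztfile = 'Registry::HKEY_CLASSES_ROOT\pztfile'
Grant-RegistryKeyRights -KeyPath $pztfile -Identity $users -Rights 'ReadKey, SetValue, CreateSubKey'
Show-AccessFor -Path $pztfile -Identity $users

# Mavis Beacon: Modify on the MAVUSER directory (start MBTT once first so it exists).
$mavuser = 'C:\Documents and Settings\All Users\Application Data\Broderbund\Mavis Beacon\MAVUSER'
Grant-DirectoryRights -Directory $mavuser -Identity $users -Rights 'Modify'
Show-AccessFor -Path $mavuser -Identity $users
```

Granting rights on one key or one data directory keeps the rest of HKEY_CLASSES_ROOT and Application Data read-only for Users, which is the point of the exercise; a blanket Full Control grant higher up would undo the least-privilege benefit.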

 

Optional Changes

When MBTT is run, the menu that is displayed shows several options.  Run, Install/Uninstall, Register, etc.  It's best that the user isn't able to use these other options. 

  1. Right click on the shortcut in the Start Menu for Mavis Beacon Teaches Typing.
  2. Click on properties.
  3. In the "Target:" field, replace run.exe with mavis15.exe.
  4. Click on the OK button.

Further, delete all the other shortcuts that were installed with Mavis so that users don’t use them, e.g. Register, Readme, & Internet.

ImgBurn: You need Administrative privileges to use SPTI

Room 05-404

From ImgBurn Log:

   I 13:41:50 ImgBurn Version 2.4.1.0 started!
   I 13:41:50 Microsoft Windows XP Professional (5.1, Build  2600 : Service Pack 3)
   I 13:41:50 Total Physical Memory: 1,004,076 KB  -   Available: 386,980 KB
   I 13:41:50 Initialising SPTI...
   I 13:41:50 Searching for SCSI / ATAPI devices...
   E 13:41:52 CreateFile Failed! - Device: '\\.\CdRom0' (R:)
   E 13:41:52 Reason: Access is denied.
   W 13:41:52 Errors were encountered when trying to access a  drive.
   W 13:41:52 This drive will not be visible in the program.
   E 13:41:52 You need Administrative privileges to use SPTI.
   W 13:41:52 No devices detected!

______________________________________________________________________

Problem:
You receive the error 'You need Administrative privileges to use SPTI' when you start ImgBurn as a Limited user.

Answer:
By default on Windows XP, SPTI is available only to Administrators.

Here is a quick workaround for those people wanting to stick with SPTI:

  1. Log in as an Administrator
  2. Open a command prompt.
    1. Click 'Start' -> 'Run'
    2. Type "cmd" and click OK
  3. Type "secpol.msc" and press [enter]
  4. Expand "Local Policies"
  5. Click "Security Options"
  6. Change "Devices: Restrict CD-ROM access to locally logged-on user only" from "Disabled" to "Enabled"
  7. Close the "Local Security Settings" window
  8. Reboot the computer
  9. Log in as a Limited user
  10. Run ImgBurn

______________________________________________________________________

ImgBurn Log: After rebooting and logging in as a Limited User...

   I 13:48:31 ImgBurn Version 2.4.1.0 started!
   I 13:48:31 Microsoft Windows XP Professional (5.1, Build  2600 : Service Pack 3)
   I 13:48:31 Total Physical Memory: 1,004,076 KB  -   Available: 393,284 KB
   I 13:48:31 Initialising SPTI...
   I 13:48:31 Searching for SCSI / ATAPI devices...
   I 13:48:31 Found 1 DVD±RW!
________________________________________________________________________________________

You can use the following reg key instead of manually configuring secpol.msc.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "allocatecdroms"="1"
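The same value can be checked and set from PowerShell; the script below is an added example, not from the original page or from ImgBurn. It reads allocatecdroms under the Winlogon key, reports whether the policy is Enabled, and writes "1" only when run with -Enable from an elevated prompt; the reboot in step 8 is still needed afterwards.

```powershell
# Added example (not from the original page): read and, with -Enable, set the
# Winlogon value that the .reg file above writes, then read it back to confirm.
# Assumptions: elevated prompt when -Enable is used; a reboot is still required
# before ImgBurn sees the change, as in step 8 above.
param([switch]$Enable)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'allocatecdroms'   # REG_SZ "1" = policy Enabled; "0" or missing = Disabled

function Get-CdRomAllocationPolicy {
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Disabled (value not present)' }
    $current = [string]($item.$ValueName)
    if ($current -eq '1') { 'Enabled' } else { "Disabled (value = '$current')" }
}

"Devices: Restrict CD-ROM access to locally logged-on user only: $(Get-CdRomAllocationPolicy)"

if ($Enable) {
    # -Type String writes REG_SZ, matching the .reg file above.
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value '1' -Type String
    "After change: $(Get-CdRomAllocationPolicy) (reboot before testing with a Limited user)"
}
```

Without -Enable the script only reports, so it can be run from a Limited account to confirm the setting took effect after the reboot.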

______________________________________________________________________


NDCMedisoft Advanced v9

Allow modify rights for group Users to:

All items Copyright ©1996 - 2008 Chin. All Rights reserved
Conscious Vibes developed by Chin