Generally I trust them but they're from another country & are a little strange so I don't have a 100% confidence.
I only have one login for both my computers. (computer & laptop) And it's Admin only. I don't feel like creating other users & don't feel a need to.
But just for security reasons while they're over..and while I might be sleeping or whatever, what can I do to feel safe that they don't install anything weird or cause security issues on my PCs? I've got Windows Vista on both & I have both computers running all the time.
I guess I'm being a bit paranoid, but most guys worried about security usually are... hehe
any help would be great.
thx,
MB
One of the 10 Immutable Laws of Security [technet.microsoft.com] states that "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"
All they'd need would be five minutes alone at your Windows PC - and this linux-based boot CD <delinked> - and there's a good chance they could reset your Administrator password and have total control of your PC - locking you out into the bargain!
Alternatively they could bring a USB drive with them and simply clone your hard drive onto their drive - then they can take a copy of all your data away to peruse at their leisure.
Am I paranoid? Maybe...
[edited by: bill at 2:28 am (utc) on Nov. 2, 2009]
[edit reason] Removed link to CD [/edit]
chances are your east European relatives might actually clean up your machine for you if they did use it ..they probably at least know not to run as admin ..
ever watched your modem or your router flicker when you weren't touching anything ..?
ever wondered what is going on when data up is doing numbers that ought to make more sense if it was data down ...?
ever searched for old threads here on security ?
I could continue ..but admins and mods would know where I was going and cut me off at the pass ..even though most of them would agree with me ..people who don't know how to use computers after 4 years of being a member here shouldn't be allowed by law to connect to the net with them.
what about if they only had guest access ? couldn't they still do stuff with a USB drive or inserting a CD ?
I only have one login for both my computers. (computer & laptop) And it's Admin only. I don't feel like creating other users & don't feel a need to.
people running doze as admin are the cause of most of the spam on the net and most of the malware ..and apparently you think it's "geek" to know how to do something properly ..in which case stick to PS and WII and Xbox ..it says that this forum is for professional webmasters ..that means those who take a professional attitude ..and who don't run as admin because they don't feel the need to think what their machine might be doing every time they connect.
BTW it's your ..not you're
there is no overwhelming need for 999999 out of a 1000000 computer users to do so ..
if you are online as admin in windows then any malicious code you come across is going to run with full rights ...no single AV app will stop 100% of all malicious code ..
so running as admin online is IMO and that of anyone who understands the security subject just stupid bravado , ignorance or laziness ..and what can hit your machine can then be infecting or attempting to infect others all the time your machine is connected ..or spamming ..or both ..
that is as irresponsible as driving on bald tires on a crowded wet freeway ..you are not just risking yourself.
My knowledge ( not theories ) comes from amongst other things personal contact with the head of microsoft's security team here in Europe ..a number of times ..they don't run as admin their own machines on the net ..nor did they ever use norton ..
anyway you'll go your own way ( your box is probably already a zombie ) ..I've posted what I've posted for others..you are already an expert in your own living room ..you can take your own advice ..or that of those who really do know what they are talking about;)
what about if they only had guest access ? couldn't they still do stuff with a USB drive or inserting a CD ?
If someone malicious has "unrestricted physical access" to your system then there's a very good chance they can gain complete control via booting from a USB drive or CD. Guest access or admin access - or indeed not having any valid logon credentials at all - won't make that much difference.
I'm sure Microsoft would object to your theories.. That only very few should be running as Admin.
Microsoft have been (quietly) pointing out for years that day-to-day use of a system as Admin is a bad idea. In 2006 they published a white paper on how to secure your XP system by applying the principle of least privilege [microsoft.com]. In the Introduction to that guide they say:
A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message
Sounds pretty clear-cut to me - and it's the official MSFT line :-)
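Added example (not part of any post in this thread, and not Microsoft's code): a PowerShell check for the situation the white paper quote describes, listing which accounts hold administrative rights on the PC and whether the current session is one of them. It assumes Windows PowerShell 2.0 or later on a standalone (non-domain) machine; the function names are made up for this example.

```powershell
# Added example. Assumes Windows PowerShell 2.0+ on a standalone (non-domain) PC.
# Function names are hypothetical, chosen for this illustration.

function Test-ProcessElevated {
    # True only if THIS process holds a full administrator token.
    # With UAC on (Vista and later), an admin account's programs normally
    # run with a filtered token, so this returns False until you elevate.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    # Look the group up by its well-known SID (S-1-5-32-544) so the script
    # also works on non-English Windows, where the group name is localized.
    $sid   = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name  = $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    # Direct members only; nested groups are not expanded.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$me     = $env:USERNAME
$admins = @(Get-LocalAdministrators)

"Local Administrators : " + ($admins -join ', ')
"Process elevated     : " + (Test-ProcessElevated)

if ($admins -contains $me) {
    # Membership matters even when the process is not elevated: with UAC off
    # everything runs with full rights, with UAC on one consent click is enough.
    "'$me' is an administrator: programs started from this logon can obtain"
    "administrative rights. For day-to-day use, log on with a standard account."
} else {
    "'$me' is a standard user: installs and system changes need separate admin credentials."
}
```

A result of "Process elevated: False" together with membership in Administrators is the normal UAC state for an admin account, not evidence that the account is a standard user.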
Microsoft also has a free program available called Windows SteadyState. You can use it to lock down or limit what can be done on a PC. I've seen this used in bars and internet cafes where the machine is out in the open. Any changes can be safely wiped from the machine.
Bill, does this SteadyState also alert like a firewall if certain suspicious programs are trying to request outward ? I checked the site out but it makes it sound like SteadyState is only for shared computers. My PC is mostly not-shared.
And does everybody think Norton 360 is crap ? It's like every tech support forum recommends something different. Maybe their all just trying to sound smarter than the next guy..
Maybe their all just trying to sound smarter than the next guy..
No ..that is what you are trying to do.;)
btw it's "they're" not "their" ..practising accurate grammar is important if one is trying to attract search string enquiries via the search engines ;) ..presuming one actually is a "webmaster" and actually has a website ?
You have had the same advice multiple times now ..in one form or another ..
..don't run as admin ..
run as (a)user ..
set other accounts as (another)user ..
the "admin" account you keep for yourself when you really have need to use it ( linux works like that ;))..it protects one from what may be one's own ignorance or foolishness..;)
FWIW ..I have xp ( nlited to what I want it to be ) ..vista ( vlited to what I want it to be ) ..and 7 ( which can be vlited as it's so close ;) to what I want it to be ..( now 10 machines in total ) and I'm posting this via linux mint 7 "gloria" .. ( because that is one of the safest ways to everyday surf ..even when you do know how to lock down doze :) .plus ( and critical to why I use it ) it's the distro that I install for friends and so if they phone it's easy to mirror them whilst I explain in whatever language we are working in ...without me needing to reboot a machine..
there are many other /admins/mods/members or readers here who know to do the same or similar ...( and some of us originally from what one could consider to be the "other side of the net" watch and learn from some fora and their regular posters here ..and have a great deal of respect for them )..many more read certain fora here every day than post ..there are many experts here in many fields ..you want to know who knows what ? search ..don't ask people to post again and again because you can't be bothered to learn how a search engine works ..this isn't the first time since your join date that some of us have had this conversation ..
re .."outward" ..by the time you have to worry about what might be going on via outward traffic ( such as your credit card numbers etc ) you may already have "time bombs" or "logic bombs" ( some versions of which can be downloaded incrementally loaded over more than one occasion and eventually recompiled via commands into sleeping cross shell mutating exes )that will shut your system down whenever the code writer decided that s**t was going to happen to you ( or whatever else was the desired behaviour )..some are long term ..and "do stuff" while they are counting down ..
rather than asking who agrees with you ..find out ..search the old threads concerning security here ( this is after all one of the largest concentrations of experts that exists on the net on various subjects ..many of us are members of other specialist fora ..and not always under the same nicks as used here ..and some of the posters here are in themselves major players upon the world IT stage in their own areas ..that is what makes this place interesting ;)..many "walk the walk" as opposed to merely "talking the talk" ..and which IMO is why Brett lets it continue ..why the admins and the mods put in the time and why some of us stay ..( we never know what we might learn or discover from a newbie poster ..or from analysing a thread ) ..or threads ..across many fora here ..
this ..in spite of the often times ennui of threads begun by such as yourself ..thinking there is an "easy way" ..
BTW#2 ..what is so hard about setting up passworded admin and separate user accounts ..?
I only know of a few non "WGA" versions of doze installs that don't allow setting of other than admin accounts ..( and they are full of near invisible "phone homes" to the "crack teams" that "released" them ) hopefully that isn't the problem here ..:)
there is an expression in English ..which is my first language ..
"sometimes it is better to just put down the shovel and stop digging the hole deeper" ..
it takes you less than 5 minutes to set up an admin account ..then make yourself a user ..make others into other users ..and keep your admin login to yourself ..for when you need it ..takes just another 15 minutes to set up dual boot linux ..with multiple accounts ..and then you could get on with enjoying the company of your visitors ..rather than worrying about them taking advantage of your lack of security knowledge
which made you post here in the first place ..but you didn't get the easy answer that you wanted ..
BTW#3 whatever any other "tech support forum" says ( this isn't a tech support forum ..it is a community) ..the reason that you won't get many votes for norton "anything" is that it is crap on domestic machines ( desktops ) ..( but reasonable on servers )....the server versions are not in the same price league ..
No one is going to encourage you to use something which actually increases the spam and malware that the rest of us get our servers hit with every minute ..norton's domestic products are like having a photo of a pitbull stuck to your gate ..only you are fooled ..the bad guys already know it is crap ..and that really there is no protection on your place ..it does block ads though ( out of the box )..it just doesn't tell you that ..and it throws false positives every time it looks at more than 50 lines of js :)
Bill, does this SteadyState also alert like a firewall if certain suspicious programs are trying to request outward ?
I checked the site out but it makes it sound like SteadyState is only for shared computers. My PC is mostly not-shared.
And does everybody think Norton 360 is crap ?
Take a look at Microsoft Security Essentials [webmasterworld.com] if you want something powerful but unobtrusive.
alright, so I made a Guest account
How much better do you guys think the security has gotten with Windows 7 ?
I'm not having guests over, but I am connected to the web. Part of the reason I continue to live dangerously is that I understand there's a huge PITA factor when running as a user.
I assume that running as a user would affect any software upgrades and system status changes, where I'd have to log in as an admin to do any system-wide maintenance. I can imagine it might even affect system backup procedures I currently have in place (I clone my entire system to rotating external drives every few days, eg, and I disable write caching when I do that... then re-enable it after).
What about things like Windows patches and updates, new anti-virus definitions, etc? Can someone succinctly describe the day-to-day extra hassle that would be involved in not running as an admin. I'm the only person on the machine.
I assume that guests might still look in my medicine cabinet, whatever I do.
Robert, not to be offensive to some of them.. but I think they're just being overly paranoid.
If you're running as Admin, and have a hardware firewall / router...are up to date with all your Windows updates.. up to date with your anti-virus updates and are scanning every night. You should be good.
what can I do to feel safe that they don't install anything weird or cause security issues on my PCs
yet later on:
I think they're just being overly paranoid.
YMMV, but I think there's a fair chance that some people on here do know their stuff when it comes to security.
Regular Windows updates, up-to-date antivirus, and an appropriate firewall are three great ways to defend yourself against remote attackers. None of them are very useful in defending your system against an attacker who is sitting at the keyboard.
Q: What's the point of discussing alarms and door locks if you're handing a burglar your house keys and alarm code?
[edited by: encyclo at 6:34 pm (utc) on Oct. 27, 2009]
[edit reason] fixed typo [/edit]
That's why I suggested SteadyState. It's made for PCs that will be out in the open like this, where potential attackers will have physical access to the hardware.
How can you stop them from turning on your hot water and leaving it running all day while you aren't home?
How can you stop them from turning on all your lights?
How can you stop them from cranking your thermostat?
How can you stop them from peeing in your ice cube tray?
The fact is you either trust them or you don't. Your options are to un-invite them OR lock your computer up in your room and if they NEED to use a computer take them to an Internet cafe.
If it were me I would install Mint 7, then install Sun's VirtualBox, then install Windows in that, then just leave the virtual machine running and they can use that and you can reset its state each night.
The advantage of this last solution is you get to use Mint 7 which is very nice.
I will, however, hook up their computer to my broadband...if they bring one.
So you don't trust them to use your computer but your IP address is OK?
Hope they don't snare you in the next pedophilia sting because you allowed your IP to be used, or hacker sting, or RIAA sting, etc.
If you don't trust them, a motel is the best solution.
My wife is the only one allowed to use my computers.
Anyone else, hey, it's your fingers that will need to be re-attached, not my problem.
Because it will be like this:
1st strike: Kids download a music video or song. You cut them off from the internet.
2nd strike: A customer comes to your home office, asks you if he can check his emails, plugs his laptop into your internet connection and his emule client starts downloading in the background.
Then you are one strike away from losing your income, you will buy a safe to lock away your laptop and put your router in a steel locker.
What, still using WLAN? Are you deliberately trying to ruin yourself?
All these precautions of course don't matter if you have kids at home, because that means: face it, you are already ruined.
I remember, my parents used to lock away our computer games (those 3.5'' hard disks) when they were not at home. They locked them in a closet. We were three boys and used to move the entire closet from the wall, unscrew the back and get in from behind. That is, until our lock picking skills were good enough.