In the past, I have pointed out the wonders of both suDown and SudoWin. Both cool ideas and great for users not willing to go with Vista just yet. But there are some problems:
- suDown was cool, but in the most recent release, it has stopped working entirely, just check out the forums. I tried an older version to no avail as something from Windows updates has made it no longer functional. Besides, the lack of documentation was very frustrating in my opinion.
- sudowin is much better documented, but I could not get anything to work as described and I lost interest once I learned that Sudowin.Plugins.Authorization.Xml did not even exist, as it claims in the documentation. I triple checked every hidden file in that directory, I sure as heck never found it.
Now let’s unleash something that will actually lock down XP (none of this RunAs crap), but actually works on any release of XP, even Home.
Enter WinSUDO. Like those similair options above, we are provided with a UAC-like option, but without the annoyance. The author of suDown, puts it best why sudo on Windows is better than RunAs.
“In case you install software through sudo, you remain the
owner of the installed files and registry keys and the icons will be placed where you expect them to be so later
you will be able to configure and use the software even under your low privileged account. sudo also caches your password for a short time so you won’t need to authenticate yourself again and again as with runas to launch multiple programs with high privileges. And you don’t have to give out your root password to anyone because everyone can use his or her own password.”
So you can see why this is a desirable position for you to be running your PC in. You simply cannot screw up anything when you are running as a limited user! With all of the fanfare out of the way, there are some downsides to using any sudo program for Windows.
- You need to create and then password protect, a new or existing Limited User account. That will become your “daily-user”.
- It can be only slightly less annoying to use than the UAC. The difference is however, instead of running as an admin, in a “bubble” environment with limited privileges, you are not running as administrator at all, until you sudo-admin one program and the executed program only.
- You will want to run Windows updates and system restore from your existing administrator user. Not that this is a big deal, just logout, then back in again. Don’t misunderstand, you can run the app this way, but the updates will all fail.
- Everytime you want to run a game or install something as sudo, it means right clicking and then typing your password into a command line box. Be aware, when typing in a password into a command line box, you will see nothing appearing with each key press – this is normal. Just type it in, hit enter.
Let’s get started, shall we?
- From your existing administrator account, download, unzip and run the install program.
- On XP Home or Pro, open the command line and type the following:
net localgroup sudoers "The limited user's name" /add
- Logout of the administrator user, login to the limited user, then go locate the nastiest spyware you can fine anyplace, install it. It cannot install, not without the user running the installer as sudo. Anyone that knows anything about the limited user accounts realizes that while you still would want to run a decent firewall and an antivirus, you will not have any problem with spyware from this point on. This frees the user to concentrate on other threats like phishing and network intrusion.
So is all of this worth it?
Depends, who is using the PC? For IT pros, this may be largely overkill. But when you step back and look at the ridiculous software that is out there for protecting you from malware, having this on the family PC suddenly makes a LOT of sense.
Is this really practical?
Again, who is using the computer? For repair clients or others who tend to be click-happy, it can save you a lot of wasted time in cleaning up their mess. Right clicking and selecting sudo too much work – give me a break. The minor inconvenience in comparison to having a PC that honestly is safer than it has ever been makes this “inconvenience” something to be overlooked with ease.
Here is where it gets really cool!
You are able to run admin-only applications with the limited user’s password. So there is no passing around the admin password. Why does this matter? Are you worried about system settings being changed? Don’t, because that has to be done as an administrator. Also, applications installed under traditional administrator can not be removed with sudo. Not even by browsing to the programs folder itself. Remember, it is still a limited user account.
Matt, this is cool, but what about for us IT Pros?
Ah, this is the really cool part. Come Monday, I will show you how to continue running as admins, only to select specific programs that are set with limited user execution! After all, why run your browser as admin, just because you are logged in as such? Think of it as IE7 protected mode on crack. Come Monday, I will show you how to run games and applications without admin privileges, but doing so under your existing admin account on XP. Stay tuned…