Win: Reduce Security Risks of running as Administrator

Similar Messages

• Security Risks in running App server as oracle (installer user)

  I am being asked to modify the OraAS installation file permissions so that user "nobody" can start the HTTP_Server and the Web_Cache Server. The fear is that the server could be compromised and then access could be had through the user oracle privileges to files and directories.
  Is anyone doing this kind of post-installation modification?

  In the environment I have ...
  Firewall => OraAS (WebCache+ HTTP_Server+ BI + Forms + OC4J)
  => Firewall => Database
  I install everything as oracle on both the servers (OraAS + Database). WebCache is set to port 80 as the default (which to me is an invitation to monkey around - but I could be wrong on that)
  So what kind of threat is there and is there a script to test it out?

• Is Bitdefender safe? If not, what security risks do I run?

  Is Bitdefender safe? If not, what security risks do I run?

  Mac users often ask whether they should install "anti-virus" (AV) software. The usual answer is "no." That answer is right, but it may give the wrong impression that there is no threat from what are loosely called "viruses." There is a threat, and you need to educate yourself about it.
  1. This is a comment on what you should—and should not—do to protect yourself from malicious software ("malware") that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions.
  It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to take control of it remotely. That threat is in a different category, and there's no easy way to defend against it. AV software is not intended to, and does not, defend against such attacks.
  The comment is long because the issue is complex. The key points are in sections 5, 6, and 10.
  OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as execute disable, sandboxing, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.
  2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."
  The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
  The following caveats apply to XProtect:
  ☞ It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.
  ☞ It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
  As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.
  3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't been checked for security by Apple unless it comes from the App Store, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)
  Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:
  ☞ It can easily be disabled or overridden by the user.
  ☞ A malware attacker could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.
  ☞ An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.
  Apple has taken far too long to revoke the codesigning certificates of some known abusers, thereby diluting the value of Gatekeeper and the Developer ID program. Those lapses don't involve App Store products, however.
  For the reasons given, App Store products, and—to a lesser extent—other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. Sandbox security is based on user input. Never click through any request for authorization without thinking.
  4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background when you update the OS. It checks for, and removes, malware that may have evaded the other protections via a Java exploit (see below.) MRT also runs when you install or update the Apple-supplied Java runtime (but not the Oracle runtime.) Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise there's no user interface to MRT.
  5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, not machine behavior, and no technological fix alone is going to solve it. Trusting software to protect you will only make you more vulnerable.
  The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and Internet criminals. If you're better informed than they think you are, you'll win. That means, in practice, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.
  Software from an untrustworthy source
  ☞ Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, or your browser, or any other software. A genuine alert that Flash is outdated and blocked is shown on this support page. Follow the instructions on the support page in that case. Otherwise, assume that the alert is fake and someone is trying to scam you into installing malware. If you see such alerts on more than one website, ask for instructions.
  ☞ Software of any kind is distributed via BitTorrent, or Usenet, or on a website that also distributes pirated music or movies.
  ☞ Rogue websites such as Softonic, Soft32, and CNET Download distribute free applications that have been packaged in a superfluous "installer."
  ☞ The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.
  Software that is plainly illegal or does something illegal
  ☞ High-priced commercial software such as Photoshop is "cracked" or "free."
  ☞ An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission. All "YouTube downloaders" are in this category, though not all are necessarily malicious.
  Conditional or unsolicited offers from strangers
  ☞ A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
  ☞ A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.
  ☞ You win a prize in a contest you never entered.
  ☞ Someone on a message board such as this one is eager to help you, but only if you download an application of his choosing.
  ☞ A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.
  ☞ Anything online that you would expect to pay for is "free."
  Unexpected events
  ☞ A file is downloaded automatically when you visit a web page, with no other action on your part. Delete any such file without opening it.
  ☞ You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any file that isn't what you expected it to be.
  ☞ An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.
  ☞ Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.
  I don't say that leaving the safe harbor just once will necessarily result in disaster, but making a habit of it will weaken your defenses against malware attack. Any of the above scenarios should, at the very least, make you uncomfortable.
  6. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
  Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
  Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.
  Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a padlock icon in the address bar when visiting a secure site.
  Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.
  7. Never install any commercial AV or "Internet security" products for the Mac, as they are all worse than useless. If you need to be able to detect Windows malware in your files, use one of the free security apps in the Mac App Store—nothing else.
  Why shouldn't you use commercial AV products?
  ☞ To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. This technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.
  ☞ Its design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, commercial AV software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
  ☞ By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.
  ☞ Most importantly, a false sense of security is dangerous.
  8. An AV product from the App Store, such as "ClamXav," has the same drawback as the commercial suites of being always out of date, but it does not inject low-level code into the operating system. That doesn't mean it's entirely harmless. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
  An AV app is not needed, and cannot be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.
  Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:
  London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe
  You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an organizational policy requires it. Windows malware is so widespread that you should assume it's in every email attachment until proven otherwise. Nevertheless, ClamXav or a similar product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who says you must run some kind of AV application. It's free and it won't handicap the system.
  The ClamXav developer won't try to "upsell" you to a paid version of the product. Other developers may do that. Don't be upsold. For one thing, you should not pay to protect Windows users from the consequences of their choice of computing platform. For another, a paid upgrade from a free app will probably have all the disadvantages mentioned in section 7.
  9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.
  10. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe from exploitation, no matter what you do. Navigating the Internet is like walking the streets of a big city. It can be as safe or as dangerous as you choose to make it. The greatest harm done by security software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices.

• I currently use CS Photoshop 5.1 on Mac. I have just upgraded to Yosemite 10.1.0. In order to run CS Photoshop 5.1 I need to downgrade to Java 6. Is this safe, or will I become exposed to security risks?

  I currently use CS Photoshop 5.1 on Mac. I have just upgraded to Yosemite 10.1.0. In order to run CS Photoshop 5.1 I need to downgrade to Java 6. Is this safe, or will I become exposed to security risks?

  Photoshop does not use any external java it has it own "ScriptingSupport" plug-in, Some thitd Party plug-in and perhaps Adobe installer may use an external Java. I don't use a Mac, The latest Java I have on Windows is version 8 there are security issues in prior versions.

• Hallo, - I have a PC running Win 7 Professional. After running Kaspersky Internet Security 2015 the  Creative Cloud isn't working any more. I tryed to delete the cloud and reinstall (system error 1) it but no change. I also can't download Flash - even not

  Hallo, - I have a PC running Win 7 Professional. After running Kaspersky Internet Security 2015 the  Creative Cloud isn't working any more.
  I tryed to delete the cloud and reinstall (system error 1) it but no change. I also can't download Flash - even not shutting down Kaspersky. Help Please!!

  Hallo, - I have a PC running Win 7 Professional. After running Kaspersky Internet Security 2015 the  Creative Cloud isn't working any more.
  I tryed to delete the cloud and reinstall (system error 1) it but no change. I also can't download Flash - even not shutting down Kaspersky. Help Please!!

• Windows 8.1 Security Risk / Not able to log off a user

  Hello Community,
  First and foremost good morning, I hope everyone is having a good morning.  I'm in dire need of a solution.  The company I work for has four (4) standalone computers with Windows 8.1
  which are located in a break room for, you guessed it, breaks!  They are not on the domain but are on a workgroup.  A former user from the company has one of these machines completely locked up.  Here's what I mean:
  When a user sits down at one of these computers they click on the account Breakroom1, Breakroom2, etc....up to 4 which lets them login.  However, somehow a user has logged in with
  an outlook account and there is absolutely no way for me to log this person out.  I can't right click anywhere and get a logoff button.  I can't right click on the red circle and get an option to log this person out.  The only options I get
  are restart, sleep, and shutdown.  I've browsed through setup to see if there were any options to kick this person off.  I'm completely stumped.  I believe this to be a security risk because no one has been able to do anything about this. 
  I'm trying veryhard not to reimage this machine.
  If anyone has any ideas I will gladly try them out and I thank everyone in advance for their time.
  Respectfully,

  Hi Ricky ,
  “somehow a user has logged in with an outlook account and there is absolutely no way for me to log this person out.”
  Do you mean someone connect the Microsoft account with the local account and then the machine is  locked now. You can`t get into the machine unless you know the Microsoft account`s password, right?
  To solve this problem ,I am afraid you have to contact the Microsoft account`s owner firstly to unlock the account. To avoid this tiresome issue in the future, I recommend you take the following steps:
  1.Log on the computer as an administrator
  2.Run the gpedit.msc and look for the following group policy and set “Users can`t add or log on with Microsoft accounts”,
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts
  3.Run gpupdate /force
  4.I recommend you take this solution to the others` pcs in the Breakrooms .
  Best regards  

• Are there any security risks in two-way trusts?

  Hello!
  Can anybody enumerate security risks two-way trusts have? Security holes?
  I mean two-way trusts between two domains from different forests Windows 2003\2008.
  Thank you for any info.

  Hi,
  There are two potential threats to interforest trust relationships in Windows Server 2003 :
  1: Attack on trusting forest by malicious user in a trusted forest :
  A malicious user with administrative credentials who is located in a trusted forest could monitor network authentication requests from the trusting forest to obtain the security ID (SID) information of a user who has full access to resources in the trusting
  forest, such as a Domain or Enterprise Administrator. SID filtering is set on all trusts by default to help prevent malicious users from succeeding with this form of attack
  2: Attack on shared resources in a trusting forest by malicious users in another organization’s forest :
  Creating an external or forest trust between two forests essentially provides a pathway for authentications to travel from the trusted forest to the trusting forest. While this action by itself does not necessarily create a threat to either forest, because
  it allows all secured communications to occur over the pathway, it creates a larger surface of attack for any malicious user located in a trusted forest. Selective authentication can be set on interforest trusts to help minimize this attack surface area.
  For more info , Please refer :
  http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
  Though the forest mentioned is on win 2003, this article applies to Win 2008,2008R2 forest environment as well.
  Please revert in case of any queries
  pankaj(MCT)

• Can not open multiple excel 2003 and excel 2007 files in excel 2010 - message says they may be a security risk and wants to do a scan

  We use about 20 excel files to build a consolidated financial statement for our company.  Some of the files were built when  the computers were running 2003 and some when we had 2007.  We are being upgraded to Windows 7 with Office 2010.  In
  2007, we would simply highlight all the files in a folder, right click, and open.  Once they had all refreshed for new data, we would close them all.  Now with Excel 2010, we've highlighted all the files, but when we right click, we get a message
  that says some files may present an internet security risk.  Then it ask if we want to open anyway.  If we say yes, we get a box that asks us to scan the files.  We've done a scan, but at the end it still doesn't open the files.  If we
  say no, it does nothing.  Either way, we're not getting the files open except to open them 1 by 1.  We're not sure how to get rid of this...any suggestions?

  In Excel 2010 setting those documents as trusted documents, or adding the folder containing as a trusted location may do the trick for you. There's a full description of what it does here
  http://blogs.technet.com/b/office2010/archive/2009/09/28/trusted-documents.aspx but if you go into File, Options, Trust Center, Trust Center Settings..., and then Trusted Locations, you'll see the list of currently configured file paths that are considered
  trusted on your machine.
  At the bottom of that window you can check the option to allow trusted locations on the network (so you can trust the files that I assume are stored on a network location) and then add the location of those files to the list.
  Note, this setting is done per machine profile, so if it does the trick for you then each person needing these files would need to do this. Also, keep in mind that by doing this you're removing some of the protections added into Excel, so you should only
  go adding locations you know you can trust (not just the root of a network path where anyone and everyone might go saving spreadsheets they've downloaded form the internet).

• How do I make a script "Run as administrator" on its own?

  Hello,
  Win 8.1, VB scripts or PowerShell
  Having discovered I previously failed to fully study UAC, I now understand why scripts transferred to a new Win 8.1 machine quit working.  They have to be 'Run As Administrator' on the new machine; then they work as before.  While I'm still
  a little hazy on UAC, but continuing to study, it seems I'm left with a choice.  Please correct my perception of this choice if it's wrong:
  1) I can change my UAC settings (which I actually prefer not to do - I'm a safety guy...)
  2) I must always run my scripts by right clicking to the context menu and clicking "Run As Administrator"
  3) I learn if there is a way for my script to "Run As Administrator" on its own
  Assuming my choices above are correct, I would like to focus on choice 3.
  I've done some amount of research, but I'm not sure any of the solutions I saw actually accomplish choice 3.  Most of those posts indicate that the individual still had to enter a password or perform some other interaction after the script ran, so I'm
  not sure why the solutions posted were an answer to what was basically the same as my question here.
  Can a script be setup to Run As Administrator without requiring any further user interaction?  I'm wondering if this is actually a self-defeating question, because if a script can be setup as such, then wouldn't it bypass the very purpose
  UAC was put in place, for protection?  Am I thinking incorrectly?
  If it is possible to write the script so it really runs without further interaction, please point me where I might need to study more.
  Thanks.
  Best Regards,
  Alan

  Hi jrv,
  So, I think we've unofficially become friends since you answered my question in .vbs because you know that's where I've been.  I really am trying to transition to .ps1, but thanks for the thought. :-)  I actually did write a test .ps1 using get-vm
  (which is very cool thank you) but wasn't able to execute it other than running a batch file from the context menu selection 'Run As Administrator'.  The following is the operative line I used in the batch file (it doesn't seem like the -Verb runas
  worked as I expected it to):
  powershell -executionpolicy remotesigned -file C:\batchFiles\ps\vmstatus.ps1 -Verb runas
  I am getting a book on Powershell to study.
  But, regarding your line above, I think I applied your guidance correctly.  I created a shortcut with the following line in the target box (I'm assuming this is what you were directing me to do. I also assumed I was supposed to add powershell.exe
  at the beginning of the line you posted above):
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  start-process cscript C:\batchFiles\vmStatus.vbs -Verb RunAs
  Windows seem to add the full path for powershell.exe automatically.  It runs without requiring the context menu selection "Run As Administrator", but it
  still brings up the UAC message box for permission to continue, which is what I was trying to address in my initial post when I was speaking to the possible self-defeating nature of my question to allow
  a script to bypass UAC.
  I'm asking to confirm: having the UAC popup is in fact normal behavior that can't be side stepped unless other steps are taken.  So I guess I need to continue research to understand
  what must be done to allow simple double-clicking of a shortcut to get a seamless execution without actually changing UAC.
  Regarding STscripter's solution, I experienced the same UAC message box, so this post is also in response to that answer.
  Thanks again for your help.
  Best Regards,
  Alan

• "Run as Administrator" not Elevating/Asking for Password properly

  I've got a weird issue on a Windows 7 x64 Professional that was installed and distributed (17 times) by someone else. All request to run with Elevated Rights are completely ignored.
  When I try to run Programm Elevated with Rightclick->"Run as Administrator" they are instead started as the User I am currently logged in as. I have to manually relog (logout, login) as Administrator in order to do stuff I normally would do with
  "Run as Admin".
  There is no UAC question, no Dialog to input the Admins Password/Select the user, no automatic elevation - it just executes as the current user, even if that is a Standart User.
  If any process would normally ask for elevated rights (anything marked with the Admin Right Shield thingy in Windows Explorer) it instead runs as normal user and (of course) runs into lack of rights down the road, sooner or later.
  Haven't checked how Programms with a Manifest that requires Elevation behave yet, but I guess it is the same.
  Parts that might be relevant:
  The UAC is disabeled (set to not ask anything/lowest setting)
  Two accounts: Admin Type account named "sheriff" (instead of default name) and Standart User Type account "User". The Guest account is disabeled.
  While UAC is off, unless I am very mistaken "Run as Administrator" should still work while logged in as a limited Standart User type. After all it has been around a lot longer then the UAC.
  Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

  Was a while since I posted here and I think I understand the problem a lot better now. Couldn't actually solve my problem (this would require setting the UAC back online wich is explicitly not wanted), but it still might be helpfull for others:
  Elevating as Adminsitrator (under Vista and later) needs two Components:
  runas - a Commandline Command that has been around since XP and whose sole purpose is to start Programms under other rights then the current user.
  In order for it to work the "Secundary Login" Windows Service must be running during Login of the current user. Enabling it or disabling it after a login will have no effect.
  And it will fail silently (not telling you it failed).
  UAC - normally you need it to surpress the Admin aspect. In my case it was not neded for that from a Security Standpoint. What I have here was a suiteable set of Credentials for Windows XP style Security: limited normal User, Administrator with non-standart
  name and password.
  What I would have needed from the UAC (and get on all the other Computers where it is online but we still have limited users) was it's ability to detect wich User to elevate too. The UAC is needed to "Find the Admin". And it cannot do that if set to "not inform".
  Under XP the "Run as"-Explorer Option was designed to let you select the user. Always.
  Under Vista, 7 and 8 it's renamed "Run as Adminsitrator" and the UAC autodetects wich user to Elevate towards. If the UAC is not running the menu Explorer Context Menu Option, the Runas Modifier for .NET Process and Manifests have no idea wich Usercontext they
  should run under. And never even try to elevate.
  The only way to elevate on such Computers is to relog as Administrator or use Runas on Command Line with explicit naming of the User you want to use.
  Let's talk about MVVM: http://social.msdn.microsoft.com/Forums/en-US/wpf/thread/b1a8bf14-4acd-4d77-9df8-bdb95b02dbe2 Please mark post as helpfull and answers respectively.

• What are the security risks for opening port 80 on workstations?

  Hello all,
  in our environment, there is an application which open port 80 on workstations when installed, but it is not allowed on preimeter FW
  could you please advise what are the security risks for leaving port 80 opened on the workstations? or it is considered secure unless it is not allowed on the preimeter FW?
  thanks alot & regards

  Hi R.Naguib.
  The 80 port is open by default through the firewall on Windows system, it is used by a http protocol by a browser.
  As for the network or hardware Firewall settings, I suggest to turn to the network administrator for details.
  Regards
  Wade Liu
  TechNet Community Support

• Why does 'run as Administrator' fix my Silver Efex problem?

  I have had a problem with the Nik Software Silver Efex Pro (SEP) plugin running extremely slowly, but only at certain times. It's been pretty good for the past few months, but it suddenly took a nose-dive a few days ago. It takes ages to load the presets and to process the image in Photoshop once I have made my selections in SEP. I just thought that as SEP is a direct plugin to CS6 Photoshop then perhaps it's something to do with the way Photoshop itself runs. I switched the running of Photoshop to 'Run as administrator' (just right click the program in the start menu and go to compatability tab) and SEP now runs extremely fast. No problems at all. I also think (but have no way of measuring it) that Photoshop is running faster in general. Does anyone know why running as Admin should make such a difference? Are there any problems in running in Admin mode?
  I run Norton Internet Security, and thought that as I'm now OK in Admin mode it might be a virus-checker problem, and running in Admin mode was getting around the problem. I do have both versions of Photoshop (32 and 64 bit) incuded to 'allow' access in Norton.
  Here is my system config. My PC runs very well in all other respects.
  System Information
  Time of this report: 6/27/2012, 17:44:57
  Operating System: Windows 7 Home Premium 64-bit (6.1, Build 7601) Service Pack 1 (7601.win7sp1_gdr.120503-2030)
  System Manufacturer: Acer
  System Model: Aspire M5811
  BIOS: Default System BIOS
  Processor: Intel(R) Core(TM) i5 CPU         650  @ 3.20GHz (4 CPUs), ~3.2GHz
  Memory: 12288MB RAM
  Available OS Memory: 12216MB RAM
  Page File: 5813MB used, 18614MB available
  Windows Dir: C:\Windows
  DirectX Version: DirectX 11
  DX Setup Parameters: Not found
  User DPI Setting: 120 DPI (125 percent)
  System DPI Setting: 96 DPI (100 percent)
  DWM DPI Scaling: Disabled
  Display Devices
  Card name: ATI Radeon HD 5570
  Manufacturer: Advanced Micro Devices, Inc.
  Chip type: ATI display adapter (0x68D9)
  DAC type: Internal DAC(400MHz)
  Device Key: Enum\PCI\VEN_1002&DEV_68D9&SUBSYS_E142174B&REV_00
  Display Memory: 2761 MB
  Dedicated Memory: 1006 MB
  Shared Memory: 1755 MB
  Current Mode: 1920 x 1080 (32 bit) (60Hz)
  Monitor Name: SyncMaster P2450H(Digital)
  Monitor Model: SyncMaster
  Monitor Id: SAM05CC
  Native Mode: 1920 x 1080(p) (60.000Hz)
  Output Type: DVI
  Driver Name: aticfx64.dll,aticfx64.dll,aticfx64.dll,aticfx32,aticfx32,aticfx32,atiumd64.dll,atidxx64.d ll,atidxx64.dll,atiumdag,atidxx32,atidxx32,atiumdva,atiumd6a.cap,atitmm64.dll
  Driver File Version: 8.17.0010.1114 (English)
  Driver Version: 8.930.0.0
  DDI Version: 11
  Driver Model: WDDM 1.1
  Driver Attributes: Final Retail
  Driver Date/Size: 12/6/2011 04:16:00, 933888 bytes
  WHQL Logo'd: Yes
  WHQL Date Stamp:
  Device Identifier: {D7B71EE2-2B99-11CF-A170-48C1BEC2C535}
  Vendor ID: 0x1002

  I'm not saying Norton is your problem, but I haven't heard good things about Norton software in a long time, unfortunately.
  I always recommend Avast! antivirus to people.  The free version is very good in itself, and they offer a more comprehensive Internet Security version as well.
  I don't know how technically-oriented you are, but if you do understand how things work fairly well and have taken measures and adopted good practices to avoid running malware, there is the possibility of just shutting off UAC (MIcrosoft User Account Control) if its operation continually gets in the way of your completing your work.  Typically, most people just get in the habit of confirming whatever prompts come up anyway, which defeats most of the protection UAC can afford.
  -Noel

• Standard users forced default "run as administrator" for acrobat.exe X pro

  The software has been reinstalled and patched CS6 all componets of CS6 run fine under a standard user account with the exception of Acrobat Pro.  Acrobat Pro runs fine when an administrator is logged in BUT when a standard user logs into the computer all application shortcuts and even direct execution of the exe insists on "running as administrator", seeing as though they are not an administrator they can not run Acrobat Pro X.  Any assistance would be grealtly appreciate.

  I'm not saying Norton is your problem, but I haven't heard good things about Norton software in a long time, unfortunately.
  I always recommend Avast! antivirus to people.  The free version is very good in itself, and they offer a more comprehensive Internet Security version as well.
  I don't know how technically-oriented you are, but if you do understand how things work fairly well and have taken measures and adopted good practices to avoid running malware, there is the possibility of just shutting off UAC (MIcrosoft User Account Control) if its operation continually gets in the way of your completing your work.  Typically, most people just get in the habit of confirming whatever prompts come up anyway, which defeats most of the protection UAC can afford.
  -Noel

• "run as" administrator limitations

  Hi...  For years I have been an administrator on my PC runnings Windows XP Pro and now on a new machine running Windows 7 Enterprise.  I build code in LabVIEW and have worked for years (on the XP Pro machine) in versions ranging from 6.1 through 7.1 and now up through 8.5...  I don't currently own 8.6, 2009 or 2010.  My company, for computer security reasons, is moving toward a model where I will no longer be able to simply "log on" as an admin.  I will instead log on as what I am assuming is what would be akin to a Power User.  But I would also have an admin account, just not one that will allow me to log on to my machine.  Instead, if I need to perform an admin function, like installing some software, I would right click on say some software installer's .exe file, and choose "run as administrator".  So far so good...  But what impact does that have on my ability to build LabVIEW executables, including those where I also create an installer for that executable using the Application Builder???  Can I do that with only this "run as administrator" capability???  If so, how would I do that???  And are there any other things I am missing about working with LabVIEW that I won't be able to do with the admin capability like I've described above???
  Any feedback would be much appreciate... 
  thanks... bob...

  As long as you can run LabVIEW, you should have no problem building an executable.  Just be sure to build it into a folder where you have write permission.  
  What you may have trouble with is installing any EXE+Installer you build with LabVIEW. That's generally where you need elevation.  But you could always give the installer to your IT dept and tell them where to install it.  If you are a power user, you may still be able to install new programs anyway.  
  HTH,
  Jason

• Why the need to "run as administrator"?

  Our of curiousity, why do I need to run Premiere Elements 8 using the "Run as administrator" in Windows 7?
  It is a bit annoying to have to type in a password just to run Premiere Elements 8 since I never use the administrator account to anything.

  I dont run Win7, but I do run Vista-64, and I can attest to the fact that the Windows Security framework is a dark hole that is difficult for most to navigate thru and completely understand.
  One can assume that with Win7, it's still a grey area that needs an official decoder ring for even the simple tasks.
  I always install PE from the Admin Login and just give the rights to any User Account on the system.
  With this approach I've never run into the situation where it must be Run as an Administrator.
  If I'm not mistaken, PE may even require an Install from the Admin Login (I can't verify cause it's been so long that I've done the Install, that I don't remember).
  The bottom line is if a particular Windows Object, PE in this case, is Owned by a particular Group or User, depending on it's Permissions and/or Access Rights will determine who can Run, Execute, or Modify that Object.
  And unless your a Security maven, this could get real ugly, real fast (and you can screw up your System in a heartbeat if you don't know what your doing in this area).
  Now you see why I install and Run it under the Admin Login and call it a day...