+设为首页 +添加到收藏夹
lars bergstrom 【推荐阅读:tomcat5下设置EL(express】
【扩展信息:LOG4J 的初始化】visual studio core teammicrosoft corporationdecember 2003
summary: members of the local administrators group have privileges to perform any action on a machine. this causes both a risk to the user performing actions in that environment and to the software that they develop. this article explains how to productively develop software while logged on with non-administrative privileges. (14 printed pages)
applies to: microsoft® windows® xp and the microsoft windows server 2003 family disk drives with ntfs file system microsoft visual studio® .net contentsintroduction
group membership and permissions for the login account performing administrative tasks developing software conclusion introductionsecurity is important. no one argues with this and everyone spends a lot of time thinking about security issues, security bugs, and malicious users. however, very few people are willing make the effort to eradicate the largest single reason that e-mail viruses and cracks in general are so dangerous: everyone logs in as a user who is a member of the local administrators group, and most services run as administrators. the principle of "least privilege" states that running with the minimal set of rights needed to perform an action minimizes the damage done when something bad happens, whether it is a corrupt attachment in an e-mail received from outlook, or a service that has a security risk. by running programs without administrative privileges whenever possible, you ensure a more secure environment.
currently available software often requires elevated privileges in order to run correctly. to end this situation, developers must take the first step and stop running as administrators. then, if we all consistently log in, develop, and test applications as non-administrative users, the software we produce is more likely to be executable without artificial requirements of elevated privileges. until developers fix the software they are writing and shipping, users will never be able to run in a secure environment, too!
group membership and permissions for the login accounttasks such as global registration, installation of new software applications, and reconfiguring devices require administrative privileges. unless a full-time administrator manages your machine, you will need to keep one administrative account to do these tasks.
from now on, it is assumed that this user account is named ´administrator´ and is on the local machine, as opposed to a domain account. however, the user could equally well be named ´root´ as long as it is a member of the local machine´s administrators group. it is also assumed that you are working in a windows domain, and your primary login is an account in that domain of the form domain\username; however, this is not a requirement and both accounts could be on the local machine.
changing your account statusafter confirming that you still have access to an administrative account, go to the user manager, remove your user account from the administrators group, and then add it to the users group and any other less-privileged groups that are appropriate. to add your user account to the users group, you must first load the microsoft management console (mmc) and the user management snap-in.
note in most network setups, the domain´s domain users group is already a member of the local users group, so your domain account will already be in the local users group. using the microsoft management console right-click my computer and choose manage.—or—
on the start menu, choose run, and then type lusrmgr.msc.you are now ready to add your account to the users group.
adding your account to less-privileged groups... 下一页