Creative Independent Services


Don't run as Administrator!

Posted by jntragesser on 2/7/2009 10:11:50 PM

Windows Security Groups - If you've never heard of these, I'll give you a quick run-down on a few of these groups. Windows has built-in security groups, each with a defined set of rights. Users are accounts that can be dropped into these groups, inheriting the rights of the group of which they are a member. (I know your eyes are starting to glaze over, but hear me out, there's a pay-off in the end here.) Here's a run-down of three common groups within Windows:

  • Administrators - The most powerful group on the computer, can do anything, anywhere on the computer
  • Power Users - Fairly powerful group, members can do most of the things that the Administrators can, but they can't change important files within the operating system and can't install many types of software
  • Users - The lowest group, only allowed to run most installed programs and basic file operations, but cannot install any software. Users can browse the internet, create files, operate installed programs, but they can't change the environment, not a bit. Not even the computer time setting.

The Payoff! - If you've endured this article so far, you're now in for the treat. Here's how to keep your computer free of nefarious programs that secretly install on your computer. You see, the only way most of these nasty spyware programs and viruses can install themselves on your computer is by having full Administrative rights on your machine! Where do they get those rights? From the logged-in user, of course. That's right, if you're logged in as a member of the Administrators group (and if you're on a default installation of Windows, you're in the Administrators group) and you run into one of these nefarious programs in an email or a rogue web page, they will secretly steal your rights to install whatever they want on YOUR computer.

So, you need to have two accounts, one as "Administrator" to perform tasks such as installing software and such, and one as "User" that you use everyday for running programs and browsing the internet. If you HAVE to use the Administrator account, log out and log in to the Administrator account, install your software or whatever you're trying to accomplish and immediately log back out and go back to your "User" account.

When you're logged in as a member of the "User" group, you can't install software, and guess what? Neither can spyware or viruses. If you blunder onto a malicious web page, the program will run and all of a sudden you'll receive a "Windows Error" notification that something failed to operate or install, "insufficient privileges" or the like. That's a *GOOD* thing; that's spyware stopped dead in its tracks because it couldn't install on your system because the "User" account you're using doesn't even have the rights to install software.
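One way to check that a machine actually follows the two-account setup described above. This is an added example, not part of the original post: it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets (newer than the Windows versions the post was written for), and the function names are hypothetical. It only reads settings and changes nothing.

```powershell
# Added example: read-only audit of the "daily account is a plain User" rule.
# Function names are hypothetical; only direct group members are resolved
# (accounts that get admin rights through a nested domain group are not).

# Well-known SID of the built-in Administrators group. Using the SID rather
# than the name keeps the script working on non-English Windows.
$AdminsSid = 'S-1-5-32-544'

function Get-LocalAdminSids {
    # SIDs of every direct member of the local Administrators group.
    @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
        ForEach-Object { $_.SID.Value })
}

function Get-LocalAccountAudit {
    # One row per enabled local account, flagged if it is an administrator.
    $adminSids = Get-LocalAdminSids
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            IsAdmin   = $adminSids -contains $_.SID.Value
            LastLogon = $_.LastLogon
        }
    }
}

function Test-CurrentSession {
    # Group membership and elevation are separate questions: with UAC on, an
    # Administrators member runs with a filtered token until it elevates.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User            = $id.Name
        InAdministrators = (Get-LocalAdminSids) -contains $id.User.Value
        Elevated        = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

$audit   = @(Get-LocalAccountAudit)
$session = Test-CurrentSession
$audit | Format-Table -AutoSize
$session | Format-List

if ($session.InAdministrators) {
    Write-Warning "$($session.User) is in Administrators; use a separate User account for daily work."
}
if (-not ($audit | Where-Object { -not $_.IsAdmin })) {
    Write-Warning 'No enabled standard (non-admin) local account exists on this machine.'
}
```

Run it from the account you use every day: a clean result shows `InAdministrators : False` and at least one account with `IsAdmin` false.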

Look, this is not a new concept. Old mainframe UNIX systems have followed this axiom for years. They don't have "Administrator" accounts, they have something called "Root" which is the same thing. And the number one rule in UNIX is you don't run your programs in "Root". If you have to use "Root", use it, get it done, and get the heck back out. This is the same principle. Listen, over 90% of computers sitting in repair shops are there because of viruses or spyware. And guess what? They all contracted their problems when the user was logged in as "Administrator". Listen, I'm a computer professional and this is my career. But I always use a "User" account for my day-to-day work. I'm writing this article in my "User" account. If you follow this practical advice, you will rarely run into any unintentional installs of spyware or viruses.

Copyright Tragworks