Don't logon with administrator rights

in #windows7 years ago

When anyone gets a new computer the first thing that happens when they turn it on, is the logged on user is given administrator permissions.

admin privs.jpg

This can be a disaster.

Administrator rights are only needed on a computer to sometimes install new software, or change a system wide setting. For normal day to day use administrator rights are not needed.

So what's the issue?

If, or when, you get a piece of malware on your computer. If the logged on user has administrator rights, there is no end to the destruction that malware can do to your computer.

  • You may not be able to logon
  • You may not be able to restore data from backup
  • You may not be able to use selected admin tools

A rebuild at some cost if you don't know what you are doing may be the only option.

fbi-is-on-the-hunt-for-123-cyber-criminals-513038-2.jpg

What can you do?

When you get your new computer or on your existing computer setup a standard user you logon with everyday, and an administrator account you can use occasionally as needed.

In this blog we will use two accounts:

David - will be a standard user with no administrator rights
A_David - will have full administrative rights

  • Open the Windows start menu and type compmgmt.msc

  • From the new window, expand the 'Local users and groups' node

Users.JPG

  • Select Users, right click and select 'new user' create an account with basic name such as David, If this is your existing computer skip this step.

new user.JPG

  • Create another account as before this time name it A_David for example.

  • From the computer management window double click the A_David account

admin d.JPG

  • Ensure under 'member of' for the A_David account administrators is selected (as on the right below) and select OK, and under the regular David account (or your existing user) ensure only users is listed.

david and admin.jpg

Day to Day

Now when you logon with the standard account (not the A_ account) you will have standard user rights, so if your computer does become compromised you have a level of protection in what the malware can actually do.

It should be noted following this article malware can still do bad things, this is to limit what it does not stop it.

When you need to install an application or provide administrator username just enter the A_David username and password.

UAC.JPG

You should be cautious doing this, not completing the steps as directed could lead to you locking yourself out of your computer.

Sort:  

@formynextjourney, not running with administrator rights is always the best practice. We do that in corporate environments but it is difficult to do the same on your own personal computer due to its inconvenience. I work in the cybersecurity industry but I also don't follow this good practice on my personal computer. Perhaps I should seriously consider doing it :)

Upvoted and started to follow you! Looking forward to more good content!

Yeah look its not ideal, but for most users (IT professionals excluded) how often do you require admin rights day to day? Apps like chrome etc install in your profile anyway no admin rights needed.

I work for a software company and we make software to help with this challenge so users don't need second accounts, just not practical in the consumer market.

Yup, I agree. It is always a constant struggle between convenience and security. Finding the balance is an art more than science.