[xplorer˛] — Security 101: user accounts
home » blog » 18 November 2007
play flash demo

"The meek shall inherit the earth" — it's in the Bible

Every now and then I get a call from a male friend or relative asking me to rescue them from a plague of popups [sic] that have infested their computer, before the missus notices <g>. Others, being more savvy, have accepted a monthly windows reformatting ritual as an inescapable fate of computer users. These people are not idiots; they won't do daft things like opening dodgy email attachments from disgraced Nigerian generals, but still somehow the nasties slip into their computers. Why?

Even if you have your system setup to receive automatic updates for windows components, and despite your anti-viruses, firewalls and other front-line defenses, there are many 0-day vulnerabilities that can hit you. There is a simple solution: create a normal (limited) user account and logon with reduced rights for your day-to-day computer use! This puts you in a sandbox so that even if something infiltrates the perimeter, it won't be able to do much harm.

In all windows before Vista, the default mode for new user accounts is "Administrator", a super-user account with full-access privileges to write in folders and computer registry. Most people use their administrator accounts all the time, needlessly. Users with limited accounts on the other hand can only save files in their personal document and registry areas. If a nasty enters the computer and you happen to be an administrator, it can disguise itself and fool your antivirus; if you are a wise normal user on the other hand, it won't even be able to save itself in your hard disk — not in any important area anyway. Next reboot and it's gone, no more ransomware!

Running as a normal user has its problems too. You can't install programs, can't even change the time, surely an own goal? Ok, there is a slight inconvenience but how often do you install programs? Even for these cases there is a solution: use RunAs to launch the installer executable. The demo video explains how this is done, right click on the program icon and pick "Run as..." from the context menu. This will allow you to temporarily login with your administrator account and complete the installation. Afterwards you return to your normal safe security mode.

Microsoft realized that administrator accounts are #1 problem for the proliferation of malware and in a knee-jerk reaction introduced the lame user access control in vista. This means now that even administrators cannot be administrators unless they supply their password every five minutes or so. How annoying is that? Anyway the solution there is to again right click on anything you want to run as a real god-like administrator and pick "Run as administrator" command from the context menu.

Here's a demo video with instructions how to setup a limited user account from Control Panel
Cousins and other randy friends take note! :)

ps. If you get funny error messages when you try to use RunAs as described, you most probably have the "simple file sharing" mode in your folder options, where even system administrators do not have access to other users files. The workaround is to put the installer executable in the shared documents folder (you'll find it in My Computer) and launch it from there.

Post a comment on this topic

AddThis Social Bookmark Button



What would you like to do next?

Reclaim control of your files!
  • browse
  • preview
  • manage
  • locate
  • organize
Download xplorer2 free trial
"This powerhouse file manager beats the pants off Microsoft's built-in utility..."

© 2002—2007 Nikos Bozinis, all rights reserved