I’m running my copy of Windows XP as a limited user.
Why?
I switched my main account from an Administrator member to a “Limited” account for many reasons, including:
- I’m not that short on self esteem that I need to call myself an “administrator” even on my own personal computer.
- I want to enhance security on my machine
Let’s focus on the second reason cited.
By default, Windows installations run the primary user account as part of the Administrators group. This is very convenient for the user, as he/she has the power to do anything on the machine, such as install software, change system settings/configurations and, unfortunately, also unintentionally install viruses, spyware and other malware.
Yes, that’s right. Running as an Admin opens up very wide security holes on your system. The very ease by which you install that browser toolbar, instant messaging client, or office suite, makes it likewise easy for malware to install themselves and other evil pieces of software on your system unbeknownst to you.
In contrast, most Unix-based systems and variants/derivatives thereof, such as Linux distros and MacOS (which is essentially FreeBSD) rarely run in Administrator mode. You are asked to input the Administrator (or root, as in some cases) password whenever you are to make system changes–and part of this is installing/removing software.
So basically, Microsoft sacrificed safety for convenience. Add to this the fact that it’s the dominant operating system in the world, and that there are a handful of tech-endowed teenagers with spare time in their hands (for creating viruses and worms) or lured by money (to create spyware), then each Windows system running on the default settings and connected to the Internet-at-large is vulnerable.
It’s not 100% fool proof, but at least you lessen your chances of screwing up.
So how did I do it? And how do I maintain my sanity with all the things I couldn’t do as a Limited user?
I basically downgraded my usual (main) profile to a Limited user under Control Panel–User Accounts. For this to work, you may have to login as Administrator or you must setup an alternative account with Admin privileges (to login as Administrator, pres Ctrl-Alt-Delete twice when at the login screen, then input the necessary Administrator username and password at the prompt).
I restarted my system (or logged off and on again), and voila! I’m now a Limited User.
Now to access functions and features commonly only available to users with Admin rights, I have to execute programs as a different user. And this can sometimes be a pain in the neck. I have the option of right-clicking on an executable, shortcut, or (compatible) document and selecting “Run as …” and then input the required Administrator (or Admin-level account) credentials. There’s also the command-line equivalent runas.exe for the CMD afficionadoes out there.
But this sometimes won’t work. And when all else fails, there’s always fast user switching.
PC Magazine has a fairly comprehensive writeup on this topic.
6 comments
FYI: I used to be a limited user in my own PC in the office but recently we installed an ERP system that requires admin rights, this concludes that some 3rd party software by default use admin group user in their application.
If you’re a developer and will be needing either an Oracle RDBMS or a WebSphere appserver, there’s no escaping being an admin user 😉
That’s wise thing to do even to your own home pc. but isn’t that long before to be implemented? I dont know? on the other side… did you have any news about Microsoft Spakle?
I just hope Vista will have the facility for something like su and sudo.
Vista (a.k.a. Longhorn) is supposed to have that functionality, Richard.
Microsoft sure did a half-baked job integrating permissions into the NT family. It’s bad enough that the shell has little support for “sudo”-like functions, but as previously mentioned many software packages need Administrative privileges. Fast User Switching also poses threats when enabled, thus making the “user sandboxing” approach a royal pain under Windows. UNIX has permissions down pat, having been designed from the get-go to use them (it’s fun and annoying to see that you can’t run a screensaver as root when X is active, as the screensaver daemon with rot privileges is a potential attack vector). I do run as an Administrator on my personal XP SP2 machine, but took care to define specific policies using the Microsoft Management Console (MMC), as well as create a special account for guest users. So far, regular security auditing, taking care not to touch e-mail from Nigeria, and installing an expensive security suite with script-suppression capabilties has kept me out of harms’ way. Performing conscientious administration on a whole network of Windows boxes is a nightmare, though…