Improving your security with non-administrative accounts
By Pcunix
Warning: Unless you are among the very first of those who will read this article, there will likely be unhappy comments from grievously wounded people who will assert that I am an idiot. Some may be kind enough to phrase it in a more polite manner, but the thought will be there just the same.
How can I foretell the future? Is prescience a special favor granted to idiots, you may ask? No, my foreknowledge comes only from prior experience: when I say something even mildly unpleasant about Microsoft, no matter how true it may be, displeased comments will be left.
It's simply a matter of association. If I say that Microsoft operating systems are inferior in some way, that certainly must imply that anyone who chooses to use a Microsoft powered system must also be damaged. The implication is that I must think such people are lesser beings, not worthy of respect or consideration.
All the little digging and thinly veiled insults are only to help the Microsoft fundies work themselves up into proper high dudgeon before leaving a comment. If I only wrote a boring bit about Microsoft privilege escalation, they might look somewhat unjustified when they attack me. All this little sniping is just my gift to them.
If it works for you
In fact, I think that soon enough nobody is going to give a rat's patootie about operating systems at all. I also think that if your computing needs are satisfied by the pale imitations of an operating system that Microsoft packages and shrink wraps for you, and your little brain gets all crampy when it contemplates learning anything new, you and Microsoft make a happy couple and should not consider dating others.
In fact, what this article assumes is that you will stay with the Beast of Redmond and remain a thrall of the Evil Empire. I'm simply going to suggest some practices that can improve your safety without bothering your brain too much. I'm not going to tell you to throw your computer in the trash and hasten down to an Apple store. I'd like to tell you to do that, but you won't, so instead I'm going to try to help you with the poor excuse for an operating system that you have.
But before I do that, I do have to explain one thing.
Apple does this better
I could have said "Apple does just about everything better", which would certainly be true, but as I am bending over backward to avoid insulting the poor creatures who think Microsoft actually sells anything worth buying, I won't. Well, I won't say it inside heading tags, anyway.
The area I'm about to explore here is account privileges - that is, what you are allowed to do while logged in to your computer. Both Microsoft and Apple default to giving you too much power, but Apple does give you a little less. That's not why I say Apple does it better, though.
The reason Apple does it better is simply because OS X (that's Apple's operating system) is built from a Unix base and Unix systems ALWAYS understood that there are administrative users and "ordinary" users. Microsoft started off with systems that had no such concept, so when they finally (and it took a while) smartened up and realized that they needed it, they had to bolt it on as an afterthought.
That's it. It isn't because Apple programmers are smarter or care about your safety more, it's just that Apple worked from a base that made account privilege separation easier. Microsoft programmers have had to struggle against crappy old code that assumed just the opposite.
So, with all that in mind, and if those of you who are just itching to leave a nasty comment can hold off just a few minutes longer, I'll get to the actual point now.
Administrative users
If you are running Windows on a home computer, it's a safe bet that you are running as an administrative user. The same is true if you are using a Mac, though you do have a little bit less power. If you are running Mac, don't get too complacent, because this advice applies to you also.
The screenshot at right shows the XP user control panel and what you'd see if you are not an "administrator". The photo below that shows what you'd typically see if you are an "Administrator" and the yellow arrow points at that "Limited" account.
These are from XP. You'll see similar things in Vista, Win 7 and Win 8.
An administrative user can change things. A limited user is limited in what they can change.
More safety
You are "safer" if you login as a Limited user.
That's definitely true, but I don't want to lead you down a path of false security. It's true that some bad programs will be unable to hurt you if you encounter them as a Limited user.
It's also true that others still can. That's why the title I used has "improve" in it. Using a limited account improves your security, it does not guarantee it.
There are those who will tell you that it is pointless. They rightfully note that in most cases, all that this accomplishes is to briefly annoy you. If you have access to an administrative account, you'll simply switch to that account or use its privilege to do what the computer said you could not do. At best, they say, it delays badness by a few seconds.
That can be true. I'll counter that with the observation that you are at least now consciously aware that you are about to do something that could involve risk. You might think about it just a bit longer before charging ahead.
There is that matter of inconvenience, too. I run my Mac as a non-administrative user, but there is almost no inconvenience in doing so. Doing the same thing on XP will encounter more annoyance. Doing it on Windows 7 is a little better, but still comes with difficulty. Again, this is a matter of underlying design, not brilliance. I feel sorry for Microsoft system programmers because they have to deal with the ugly swamp that is the foundation of Windows. Apple system guys are on easy street, comparatively speaking.
The Limited User
Here is what happens when a "limited" user tries to change the system date on XP.
You can see that XP objects to this attempt. A limited user does not have permission to change the system date. Only administrative users have that privilege.
There are many other privileges not given to these "limited" users. Limited users usually can't even install new programs, poor things.
Did you notice that I said "usually"? That's because it's not XP that is typically preventing those installations. More typically it is lazy or ignorant programmers who assume that you will have administrative privileges when you install their programs. Their programs could be installed by anyone, but are written in a way that requires administrative powers.
Run as
Microsoft added a neat little ability that can take some of the ignominy out of being a limited user. This is the "Run as" ability, which is accessed by right-clicking on the thing you want to run and choosing "Run as" (if that doesn't work, try holding down Shift before you right-click).
Doing that will let us reset the date (assuming we know an administrator password, of course). It might even let you install some programs, but you may get all the way through the installation and still find it won't work. There are other things that "Run as" can't do; you can sometimes find work arounds on the Internet, but basically it's an imperfect solution, especially on XP.
Just for fun, here's what happens when I, running as a non-administrative user on my Mac, try to install Turbo Tax updates.
I get asked for the name and password of an administrative account. If I had been logged in as an administrator, it still would have asked me for my password, but as this user I have to supply both. Win 7/8 have similar features, but unfortunately they don't always work as they should. Again, that's sometimes just because of the foundation and lazy/ignorant third party programmers.
If you want to get the gory technical details, Google for UAC (User Access Control) and LUAC) Least-Privilege User Accounts - same thing, it's just that Microsoft changed the acronym along the way. Probably "Least-privilege" sounded too controlling.
I deliberately didn't mention "Power Users" - that was an earlier way that Microsoft tried to satisfy the needs of users without giving full administrative control. Some readers might remember that.
Should you do this?
Ahh, there's the question, isn't it? It's going to be annoying, there will be trouble, it sure doesn't sound like fun, does it?
And as the naysayers will insist, it won't gain you much if you just willy-nilly give permission as an automatic reflex anyway. Nor does it guarantee protection from every bad thing you might stumble upon.
I still think you should. Admittedly, I haven't had much luck convincing others to do this - people tend to value convenience much more than security.
How about this? Maybe I can convince you to try it - just a test drive? Create a non-administrative account and try doing your daily work with that instead of what you use now. If you have enough RAM in your machine (RAM is cheap), you can use "Switch User" (Windows or "Fast User Switching" (Mac) to get to that other account if you run into some obstruction.
Try it out for a week and see how many times you get ticked off. It might not happen at all and I think you'll feel just a teeny bit safer.
Time for comments
Apple and Linux haters, here's your chance. Tear me apart, disparage me, tell me what a brain dead fool I am. I hope that you actually read what I had to say so you don't look silly lambasting me over some detail I actually did mention above, but I realize that reading comprehension is a vanishing skill, so I won't insist upon that.
Have fun!
Comments
No comments yet.
