Wednesday, April 19, 2006

Keeping Your Computer Friendly -- Step 3: Don't Logon As An Administrator

Unfortunately, in Windows XP, when you create a new user that user has administrative privileges by default. As mentioned previously, users with administrative privileges have full control of the computer.

For most of us, there are few instances when you actually need administrative privileges. These include installing some software, adding/modifying user accounts, and other "administrative" types of maintenance.

The rest of the time we can operate just fine with the limited privileges granted to the Users Group.

Why should we care about this? If your computer is compromised by unauthorized access (perhaps by the computer being left unattended, someone hacks into it via a wireless network, or more commonly by inadvertent downloads of viruses or other malware) that person gaining unauthorized access can easily have whatever priviliges the person currently logged-on has -- and that would be bad. An excellent discussion of the dangers can be found in the white paper Applying the Principle of Least Privilege to User Accounts on Windows XP. Read the introduction if nothing else.

Since you already have a good administrator account (from Step 1), change the other accounts to regular users either from the User Accounts module (Start -> User Accounts) or from Users and Groups in Computer Management where you can easily remove users from the Administrators group and add them to the Users group.

And there are ways to gain administrator privileges without having to log off and log back on as an administrator -- inconvenient especially when you're working with other applications. In a future post we'll show how easy it is (using a simple batch file) to get the privileges you need whenever you need them without logging off.

1 comment:

Anonymous said...

This is great advice--please finish all five steps!