Running as Administrator? Read this

NikK Posts: 903 Forum Champion

Windows Vista/7/8

Many people only set up one account on their PCs, an admin account. Why bother setting up a standard account as well when it's enough with the admin account, right? Well, make sure you understand how UAC (User Account Control) works and that you use it properly:

UAC is based on the principle of least user privilege. When UAC is enabled, all programs that don't require admin rights will have their permission level automatically lowered to a standard user account level or less. If a program requires admin rights you'll get a UAC prompt. If you turn UAC off you're basically running as administrator all the time, which is not recommended.

Bottom line: have UAC enabled and set it to maximum, and when it prompts, only allow programs you have started or programs you trust (that have triggered an automatic upgrade for example).

If you want to change your admin account to a standard user account, make sure you have another admin account set up first, or you could lock yourself out! 


For Internet Explorer, UAC does even more: it enables "Protected Mode" (in IE Internet Options, tab Security), which runs the browser processes with a low integrity level to block them from interacting with higher/normal processes, like a sandbox. For 64-bit Windows there's also EPM - Enhanced Protected Mode (in Internet Options - Advanced).

 

UAC is also required for File and Registry Virtualization to work, another protection mechanism that makes it harder to infect a PC. Programs that try to write to the Windows or Program Files folder will be redirected to your user profile instead, without the program knowing about it.

 

So if you become annoyed by all the UAC prompts and you want to turn UAC off, you should think again! With UAC enabled you can feel safer running an administrator account, as long as you actually read the UAC prompts and don't just click Yes routinely. You can also create shortcuts to bypass the UAC prompt for specific programs. See the link below.

 

The description for the maximum setting for UAC called "Always notify" is: "Recommended if you routinely install new software and visit unfamiliar websites". Every time I read something like that I wonder how would I know if I'm visiting an unfamiliar website? Especially when I google a lot?! I better set it to Always notify then.

 

To view or change your UAC setting, do a Windows search for: UAC

To create a shortcut to bypass the UAC prompt for a specific program: techrepublic.com article

To see the integrity level of all processes, check out Process Explorer 

The levels are: Untrusted, Low, Medium, High, System

 

Windows XP

XP doesn't have UAC, and XP can be problematic to run if you're not an administrator. So you're more or less forced to run as administrator. Here's an old article from Microsoft on why you shouldn't run as Admin: http://msdn.microsoft.com/en-us/library/ms972827.aspx

The article mentions a program called DropMyRights but the download link doesn't work anymore. But the security guru Steve Gibson at GRC has a copy: https://www.grc.com/sn/notes-176.htm

 

Another recommendation for XP users, especially since Windows Update has ended for XP, is the free virtualization software http://sandboxie.com/  

A short description: When a program (for example a browser) is launched in the sandbox, all writes to disk will be routed to a sandbox folder instead of your normal files. The programs in the sandbox, however, have no clue they're not writing to your real files. When you're done you delete the sandbox and all changes will be discarded, including any infections.
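
An added example, not part of the original post: a read-only PowerShell check that reports which UAC level is configured, whether file and registry virtualization is on, and the integrity level of the current process. The registry value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableVirtualization) are the standard Windows UAC policy values and are not mentioned in the post; the mapping to the UAC setting names is an assumption of this example.

```powershell
# Added example (not from the post): read-only audit of the UAC settings discussed above.
# Works in PowerShell 2.0 and later; no elevation is needed to read these values.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Map the policy values to the names used in the UAC settings dialog.
function Get-UacLevel {
    param($EnableLUA, $ConsentAdmin, $SecureDesktop)
    if ($null -eq $EnableLUA) { return 'Unknown (EnableLUA value not present)' }
    if ($EnableLUA -eq 0)     { return 'UAC disabled' }
    switch ("$ConsentAdmin/$SecureDesktop") {
        '2/1'   { return 'Always notify' }
        '5/1'   { return 'Default: notify only when programs try to make changes' }
        '5/0'   { return 'Notify without dimming the desktop' }
        '0/0'   { return 'Never notify' }
        default { return "Custom policy ($ConsentAdmin/$SecureDesktop)" }
    }
}

$level = Get-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop

# File and Registry Virtualization is controlled by a separate policy value.
$virtualization = ($p.EnableVirtualization -eq 1)

# Is this process running with a full (elevated) administrator token?
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Integrity level of this process, read from the token's mandatory label.
# Assumes English-language whoami output.
$label = whoami /groups | Select-String 'Mandatory Label' |
    ForEach-Object { $_.Line.Trim() -replace '\s{2,}.*$', '' }

"UAC level:                 $level"
"File/registry virtualized: $virtualization"
"Process elevated:          $elevated"
"Integrity level:           $label"
if ($level -ne 'Always notify') {
    'Note: UAC is not set to the maximum level recommended in the post.'
}
```

Run from a normal (non-elevated) prompt on an administrator account with UAC enabled, this reports a Medium integrity level and "Process elevated: False", which is the lowered permission level the post describes.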

Comments

  • Simon
    Simon Posts: 2,667 Superuser
    Good advice, Nik!
  • Ville
    Ville Posts: 733 F-Secure Product Expert

    Good advice.

     

    One more thing to note about UAC is that when the UAC prompt is shown, it tells if the file is signed properly and who is the signer ("Verified publisher"). If the file is not signed, you should be extra careful about allowing the elevation.

     

    Ville

    (F-Secure R&D)

     

    Ville

    F-Secure R&D, Desktop products

  • NikK
    NikK Posts: 903 Forum Champion

    While that's also good advice, I've just read the F-Secure Labs report "It's Signed, therefore it's Clean, right?"

    So keep an eye on the signer as well.

  • NikK
    NikK Posts: 903 Forum Champion

    Updated the original post. I forgot to mention that besides making sure UAC is enabled, you should set it to the maximum level called "Always notify".

     

    And if you're thinking of changing your account from administrator to a standard user account, make sure you have another administrator account set up first, or you could lock yourself out:

    [Image: admin_lockout.png]

This discussion has been closed.