We will periodically publish an article that contains helpful information for you and your computer. All articles will be explained in the simplest terminology possible. For more information or if you would like to suggest a topic please contact us.
Don’t run as administrator.
Although running without administrator rights is one of the most difficult habits to adopt, it is the most effective way of preventing harm to your computer.
Microsoft Windows has a feature called user rights. In a nutshell, different users can have different rights or permissions. These rights may or may not entitle the user to change certain settings, install software, or perform other actions that may jeopardize the security or stability of the computer.
Rather than assign certain rights to an individual user, it is best practice to assign these rights to a group, and then place the different users in these various groups.
The 3 groups we will be discussing in this article are User, Power User and Administrator.
The User group is the most restricted group on a computer. While a user can perform routine tasks on the computer, such as working with documents, printing pictures and surfing the Internet, they cannot change system settings or install most software packages.
A Power User has a few fewer restrictions than a User. A Power User can install software that does not alter system files, and can change certain system settings such as printers, date, time, power options and other Control Panel resources.
The Administrator group has no restrictions. An administrator can do whatever they want, plain and simple.
Now that you know the different levels of rights between these groups, it will be easier to understand why it is recommended you use accounts that are located in the User group.
By placing a user account in the User group, you have removed almost all ways for the user to cause any harm to your computer. If a guest uses your computer using this account, they cannot install software, change system settings, etc.
Some people tend to install every piece of software they come across, even if they only use it once. Since we do not recommend this, forcing yourself and others to operate with a user account limits this behavior.
Many people say “I don’t need to do this – I don’t install software or change settings.” We get this response all the time when we recommend restricting admin rights. While this may be the case, there is an important reason for our recommendation that most people don’t know about or consider: malicious software.
Malicious software can be anything from a virus to spyware. (For more information, read our spyware and malicious software article.)
Malicious software can do all sorts of negative things. It can destroy or share your data with a 3rd party. It can allow someone else to take full control of your computer where they are able to see your screen and operate your mouse and keyboard – from across the Internet. It can even render your computer inoperable.
Here is an important point: malicious software usually runs in the security context of the current user. What does that mean? If you are running as an administrator and you execute malicious software (even by accident or without knowing it), that malicious software now has full access to your computer. It will have no restrictions and can easily bury itself deep within the operating system.
If you are running as a user, however, and you execute that same malicious software, chances are it will be ineffective because your account simply is not allowed to change settings, install software, etc.
Please note this scenario is different from the malicious software exploiting a security vulnerability in Microsoft Windows. This, however, is easy to prevent; read more in our Windows Updates article.
If you are planning to demote your account to the User group, remember to create a backup Administrator account before doing so. User accounts cannot make themselves Administrators. You will need to log onto the computer as an Administrator to install software, change settings or temporarily promote your User account to an Administrator.
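The backup-administrator check described above can be scripted so the demotion refuses to run when it would lock you out. This is an added example, not part of the original article; it assumes a local (non-domain) account, the LocalAccounts cmdlets that ship with Windows PowerShell 5.1, and the hypothetical function names Get-BackupAdmin and Move-ToUserGroup.

```powershell
# Added example (not from the original article). Assumes a local account and the
# LocalAccounts cmdlets of Windows PowerShell 5.1; function names are illustrative.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$UsersSid  = 'S-1-5-32-545'   # well-known SID of the local Users group

function Get-BackupAdmin {
    param([Parameter(Mandatory)][string]$AccountName)
    # Enabled local accounts indexed by SID, so disabled administrators are not counted.
    $enabled = @{}
    Get-LocalUser | Where-Object Enabled | ForEach-Object { $enabled[$_.SID.Value] = $_ }
    # Enabled local members of Administrators other than the account being demoted.
    Get-LocalGroupMember -SID $AdminsSid |
        Where-Object { $enabled.ContainsKey($_.SID.Value) } |
        ForEach-Object { $enabled[$_.SID.Value] } |
        Where-Object { $_.Name -ne $AccountName }
}

function Move-ToUserGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$AccountName)

    $account = Get-LocalUser -Name $AccountName -ErrorAction Stop
    $backup  = @(Get-BackupAdmin -AccountName $AccountName)
    if ($backup.Count -eq 0) {
        throw "No other enabled administrator exists; create one before demoting '$AccountName'."
    }
    Write-Verbose ("Backup administrators: " + ($backup.Name -join ', '))

    if ($PSCmdlet.ShouldProcess($AccountName, 'Move from Administrators to Users')) {
        # Add to Users first so the account is never left without a group.
        $inUsers = @(Get-LocalGroupMember -SID $UsersSid).SID.Value -contains $account.SID.Value
        if (-not $inUsers) { Add-LocalGroupMember -SID $UsersSid -Member $account }
        Remove-LocalGroupMember -SID $AdminsSid -Member $account
    }
}

# Dry run for the logged-on account: reports what would change without changing it.
Move-ToUserGroup -AccountName $env:USERNAME -WhatIf -Verbose
```

Drop `-WhatIf` and run from an elevated session to apply the change; the new group membership takes effect at the next logon.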
Some pieces of software will have trouble running properly if your account is a User. Software that is written properly will have no problem running as a normal User, but because there are so many software packages out there, some of them will not run correctly.
There are a few ways to overcome this: you can track down what files or registry settings the program is attempting to use and manually set the permissions. You can also use the Run As feature. Finally, Microsoft has released a software toolkit that will take care of much of the work for you.
Even though adjusting to being a User and getting some applications to work can be a chore, it is definitely worth the effort.
Even if you are able to run as a normal User, keep your Windows Updates current and use antivirus software. Doing so means your computer is very unlikely to ever become infected with any type of malicious software and will run exceedingly well for a long time to come.