Internet access using administrator account?

artha

Apologies for asking again but looks like the thread I posted on has gone off the radar without a reply.

I read today on a couple of threads that accessing the internet from accounts with administrator rights is insecure.

Could someone please explain why? This came as a bit of a shock to me as in many years of surfing I've never come across this piece of advice in any article on internet security.

I would imagine that many people as a single user on a PC will have a single administrator account and like myself will be blissfully unaware.

closed

admin accounts have more rights to files and registry, so the potential for infection damage is slightly greater with an admin account, wouldn't worry about it too much if you have a good resident antivirus scanner, limited accounts can be a pain.

RobTang

In theory running as an admin for normal usage is agaisnt "Best Practice."

The concept is called least privledge, you should only have enough permissions to do what you need to do and no more.

EG you dont carry your passport around everyday, because you dont need it and it becomes just a liability.

UAC is supposed to be a halfway house where normal admins run as standard users but can be elevated as and when needed.

The thing is while this stuff is great for business and corporate settings it is somwhat overkill for home users, and the advice originates from an over enthusiastic sysadmin.

artha

closed/robtang

Thanks for the reassurance and I'm beginning to understand. I would assume then that this is a backstop level of security that is more of a damage limitation measure should something get past principle security measures.

Thinking back to when I was at work, where we had full internet access, we had to get an IT person to log on as administrator in order to make any software/hardware changes. I thought this was more to do with efficient internal management of a large network as on a couple of occasions individuals downloaded infections that brought the whole network to a grinding halt despite industry level security.

I've tried setting up guest accounts on my laptop and desktop with mixed success. Is there anywhere I can read an article that gives guidance/pitfalls on setting up a second user account for internet access to take advantage of this extra security measure?

John_Gray

You don't really need to read anything - just set up a Limited Access account and log off from your administrator account and log onto the limited account when you want to access the internet.

I suspect you won't do this for long, because it is too much of a pain!

artha

John_Gray wrote: »

You don't really need to read anything - just set up a Limited Access account and log off from your administrator account and log onto the limited account when you want to access the internet.

I suspect you won't do this for long, because it is too much of a pain!

That's what I've been finding. There are a few things happening that I don't understand particularly relating to what's available on my "new" desktop. Some personalised things are there others not and it varies depending on which of my PCs I set up new accounts on. On my laptop for instance Microsoft Security Essentials refuses to start on the guest account. On my Desktop PC Ccleaner is not on the desktop nor in the programs whereas all other programs are there. As I don't understand what's going on here it's probably best to dabble in things that may make security worse. Anyone disagree?

tronator

artha wrote: »

I read today on a couple of threads that accessing the internet from accounts with administrator rights is insecure.

Could someone please explain why? This came as a bit of a shock to me as in many years of surfing I've never come across this piece of advice in any article on internet security.

I would imagine that many people as a single user on a PC will have a single administrator account and like myself will be blissfully unaware.

If you're logged in as Administrator you have the permission to access and change everything on your computer. That means every program you run, runs with the same rights and can access everything without you noticing it.

closed wrote: »

admin accounts have more rights to files and registry, so the potential for infection damage is slightly greater with an admin account, wouldn't worry about it too much if you have a good resident antivirus scanner, limited accounts can be a pain.

It's not "slightly" greater, it's MUCH greater. And don't rely on the virus scanner alone. No anti virus is 100%...

This attitude is the main problem with Windows and which makes it so unsafe compared to other operation systems. And don't tell me that Linux would have the same problems if more people would use it. That's just not true. In Ubuntu you can't even log in as root by default.

I ran a Windows network with about 40 PC's for a couple of years and never had a problem with viruses in the office. There was no "snake oil" desktop firewall installed, just an anti virus and everybody had a limited user account. That's it. Only when people came with their personal laptops and asked me to have a look, because it didn't work properly I came across with infections and so on. The same people who had problems at home, didn't have any at work. And believe me, they did personal stuff on their work PC...;)

John_Gray wrote: »

You don't really need to read anything - just set up a Limited Access account and log off from your administrator account and log onto the limited account when you want to access the internet.

I suspect you won't do this for long, because it is too much of a pain!

What is a pain? To right-click on a software and "run as Administrator" when installing a new software? If there are other problems, then it's the programmer's or Microsoft's fault.

RobTang wrote: »

The thing is while this stuff is great for business and corporate settings it is somwhat overkill for home users, and the advice originates from an over enthusiastic sysadmin.

I don't think that it's overkill for home users. Read this forum about viruses and malware and you understand what I mean.

artha wrote: »

I've tried setting up guest accounts on my laptop and desktop with mixed success. Is there anywhere I can read an article that gives guidance/pitfalls on setting up a second user account for internet access to take advantage of this extra security measure?

Don't use the "guest" account, create a normal "limited user account". If you log in as "guest", all documents and setting are getting deleted when you log out.

artha

tronator wrote: »

If you're logged in as Administrator you have the permission to access and change everything on your computer. That means every program you run, runs with the same rights and can access everything without you noticing it.



It's not "slightly" greater, it's MUCH greater. And don't rely on the virus scanner alone. No anti virus is 100%...

This attitude is the main problem with Windows and which makes it so unsafe compared to other operation systems. And don't tell me that Linux would have the same problems if more people would use it. That's just not true. In Ubuntu you can't even log in as root by default.

I ran a Windows network with about 40 PC's for a couple of years and never had a problem with viruses in the office. There was no "snake oil" desktop firewall installed, just an anti virus and everybody had a limited user account. That's it. Only when people came with their personal laptops and asked me to have a look, because it didn't work properly I came across with infections and so on. The same people who had problems at home, didn't have any at work. And believe me, they did personal stuff on their work PC...;)



What is a pain? To right-click on a software and "run as Administrator" when installing a new software? If there are other problems, then it's the programmer's or Microsoft's fault.



I don't think that it's overkill for home users. Read this forum about viruses and malware and you understand what I mean.



Don't use the "guest" account, create a normal "limited user account". If you log in as "guest", all documents and setting are getting deleted when you log out.

OK I'm prepared to give this a go but to help me and others who are reading and interested perhaps we can take this slowly a step at a time.

First step and first question: what is the difference between a newly created "guest account" and a "normal limited user account"

JustPassingBy

artha wrote: »

closed/robtang

Thanks for the reassurance and I'm beginning to understand. I would assume then that this is a backstop level of security that is more of a damage limitation measure should something get past principle security measures.

You misunderstand. Having an LUA is a principle security measure. AV software etc is often part of a system cleanup procedure because there isn't an LUA in place and is not a substitute for it.

Is post #41 at

https://forums.moneysavingexpert.com/discussion/2516805

any help?

tronator

artha wrote: »

First step and first question: what is the difference between a newly created "guest account" and a "normal limited user account"

I can only speak for WindowsXP, but think it's the same with Vista and Windows 7. Maybe someone else can confirm.

If you use a guest account, all documents and settings will get deleted once you logged out. Also you will have more restrictions on what you're allowed to do. The guest account you normally use if you have a visitor/guest who just needs to browse the Internet and to check emails and so on.

A limited user account can run all installed software by default, but can't install programs (viruses are programs too). He only has full access to his own user folder, no access to all other user folders and read only access to everything else (unless the Administrator restricts it further).

Most software you can install as limited user if you download it first to your Desktop and then (Shift+) right click on it and select "run as Administrator).

That should be enough for lesson one

artha

tronator wrote: »

I can only speak for WindowsXP, but think it's the same with Vista and Windows 7. Maybe someone else can confirm.

If you use a guest account, all documents and settings will get deleted once you logged out. Also you will have more restrictions on what you're allowed to do. The guest account you normally use if you have a visitor/guest who just needs to browse the Internet and to check emails and so on.

A limited user account can run all installed software by default, but can't install programs (viruses are programs too). He only has full access to his own user folder, no access to all other user folders and read only access to everything else (unless the Administrator restricts it further).

Most software you can install as limited user if you download it first to your Desktop and then (Shift+) right click on it and select "run as Administrator).

That should be enough for lesson one

Thanks. I'm using Windows XP Home and XP pro. I'll have a look and post any further questions at a later stage. It depends on how many World Cup games I watch as to when, but thanks again. I'll be back