LinkBack URL
About LinkBacksIs it safe to use an administrator account in Vista all of the time or is there a security risk by doing so?
As in, would it be safer to create an alternate user account which does not have admin privileges?
Is it safe to use an administrator account in Vista all of the time or is there a security risk by doing so?
As in, would it be safer to create an alternate user account which does not have admin privileges?
Yeah, create a limited account and use that for 90% of the time. Much safer.
Robscure (04-12-2010)
Alright, I figured as much, but was kind of hoping that weren't the case so that I didn't have to type a PW everytime UAC pops up.Originally Posted by Singh400
Much safer. Get a virus as an admin and the virus has all the privileges of an admin. Get a virus or rogue application as a limited privilege user and it only has user privileges.
(\__/)
(='.'=)
(")_(")
Been helped or just 'Like' a post? Use the Thanks button!
My broadband speed - 750 Meganibbles/minute
Surely UAC is meant to come into play here, ensuring that the virus is run only as a limited user unless it is specifically "run as admin" or given permission to run?
UAC does try to do this, but it isn't perfect. The biggest problem is exactly the same if you aren't an admin, which is you get too used to saying yes or typing your admin password and accidently grant the virus admin rights, also, I think the OS isolates processes better if they are running as different users which gives more protection against an un-privileged process borrowing a privileged one.
I still haven't really found out a definitive reason as to why limited user accounts are better, assuming UAC is operating properly.
The only one I can think of is if other people are using the PC, that an administrator password prevents them from making any changes without the presence of the administrator - if that's not the case, then I'm not sure why it's actually better.
Interesting responses, and they sound similar to what I've been going over in my own head.
I guess for the time being it is a "better safe than sorry" scenario.
no uac and admin account here, no issues with a decent anti virus.
Capitalization is the difference between helping your Uncle Jack
off a horse and helping your uncle jack off a horse.
I run into misconceptions about UAC & virtualization all the time, so I wrote a couple of blog entries on it...
USER Account Control… but I’m an ADMIN!
Virtualization in Vista
UAC doesn't prevent the user from doing anything they have privilege to do, which is why it is not considered a security feature, but an awareness (or compatibility) feature.
It's to allow legacy/poorly written programs to run as standard users that try to write to protected system areas, rather than just throw "access denied" and most likely cause a crash.
UAC is not a replacement for a limited user, it has never been wise to "use" the OS under an "admin" account (and suicidal to re-enable and use the built-in Adminstrator account, which is not even subject to UAC).
~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
Thanks for the constructive response.
I'll look into your two links.
I'm under the brief impression that your stance is to use a limited user account and UAC is irrelevant to the security of pc from hackers?
edit, nevermind... I just started reading your blog where it says "I do not, under any circumstances, recommend disabling UAC."
Yep, for security using a limited user account protects the system (and other users) from any malicious activity attempted under that account (intended or not).
If a program being launched requires an administrative account then you would still need to "run as administrator" and provide credentials, UAC does nothing new here.
If a program launched as a limited user tries to write to a file/registry location that is considered protected then virtualization takes care of redirecting it to the user's profile, catering for legacy apps without breaking them (or requiring you to log in as an admin).
An admin account is capable of doing anything on the system, and you can't stop this - even if you try to remove permissions they have the privilege to change any permission they like, so practically any mechanism in place to defened against malicious activity could be disabled/bypassed by an admin or any process launched with admin privileges.
Security, it is commonly said, is a layered approach - there is no way for a single product to protect against all types of malicious behaviour, but as limited users don't have permission to install kernel-mode drivers this is a huge mitigation.
What I find most strange is people that go to the effort of keeping UAC enabled and still use an admin account, but then managing to find a way to launch the shell (Explorer) elevated - as processes inherit security tokens this means any process launched through the shell is auto-elevated without any prompting... just as if UAC was off.
~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
Reply With Quote
