Your browser is obsolete!

The page may not load correctly.

The rules of ”basic hygiene”

Правила гигиены

Other issues in this category (61)
  • add to favourites
    Add to Bookmarks

When permissions must be restricted

Read: 690 Comments: 2 Rating: 6

Until now, we haven’t used convincing statistics to support our claims about the perils of using computers under an administrator account. So let's set things right:

As many as 81% of the critical vulnerabilities described in Microsoft's security bulletins in 2019 can be closed merely by revoking administrator permissions.

Source

To understand why this is so, let's see what user accounts are available in Windows by default and what users are permitted to do under them.

A user account in Windows determines which files and folders are accessible to the user and what changes the user is permitted to make to the system. The account data also includes user settings such as the desktop background and screen saver. User account types can be distinguished by how much control over the system they provide.

  • standard user accounts are meant to be used in everyday work.
  • administrator accounts provide full control over the system and are not recommended to be used routinely. Users should switch to administrator accounts only when necessary.
  • Guest accounts are used to grant temporary access to a machine.

With an administrator account, you can:

  • Install programs and new hardware.
  • Make changes affecting overall system performance.
  • View the contents of all shared files.
  • Create and delete user accounts
  • Change the parameters of other accounts
  • Change the name and type of your current account
  • Change the account icon
  • Set, change, and discard an account password

Source

In other words, if the user is an administrator, they or an application that has been launched under their account can make almost any changes to a system. That's exactly what hackers and malware need!

If administrator permissions are unavailable, a hacker will have a harder time performing their malicious tasks in a system (if they are exploiting a vulnerability). Furthermore, users who mindlessly click on an image or a link will never accidentally install a banking trojan on their computer.

The advantages are quite obvious. What are the drawbacks?

  • System validation is unavailable.
  • Third-party software can’t be updated.
  • The user can't select which Windows updates to install.

To address these issues, the user will have to use the “Run as administrator” option or the runas.exe utility and enter the administrator password over and over again or switch to the administrator account, perform all the necessary actions, and switch back to an ordinary account with lower privileges.

So most problems are associated with the installation of software, including games (it is worth mentioning that Windows has no problems downloading and installing updates, regardless of what user account is being used).

Obviously, users want to perform any action as quickly as possible.

If your whole family uses the same computer, create an individual account for each household member, teach them how they can switch between accounts, and use the Dr.Web Parental Control to limit permissions for each account.

The account parameters in Windows 8.1 and Windows 10 can be changed in the Control Panel and in the Settings app. In Windows 10, the Control Panel can be used to change an account name, password, and account type and to delete an account. However, only the Settings app can create an account.

So most account management options are accessible in the - Settings app(in the Accounts section).

#drweb

In the Accounts section, you can enable and disable Microsoft accounts, create and delete accounts, change passwords and pin codes, specify synchronization parameters, and configure how resources are accessed from your place of work or study.

#drweb

You can switch between user accounts in the Start menu. The current user logs off and another user can log in via the lock-screen dialogue box. You can bypass the lock-screen hassle and instead switch to another user account in the Start menu. In this case, the current user account will be blocked and a password will have to be entered to log in.

#drweb

Source

After that you can specify access permissions for selected folders manually in Windows Explorer or use the Parental Control.

#drweb

Note that you can choose between read-only and full-access modes.

Dr.Web recommends

Malware often gets installed just because users don't pay enough attention to what they are doing or because attackers trick them into doing so. Restricting user permissions may help avoid such infection incidents.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments