When anyone gets a new computer the first thing that happens when they turn it on, is the logged on user is given administrator permissions.
This can be a disaster.
Administrator rights are only needed on a computer to sometimes install new software, or change a system wide setting. For normal day to day use administrator rights are not needed.
So what's the issue?
If, or when, you get a piece of malware on your computer. If the logged on user has administrator rights, there is no end to the destruction that malware can do to your computer.
- You may not be able to logon
- You may not be able to restore data from backup
- You may not be able to use selected admin tools
A rebuild at some cost if you don't know what you are doing may be the only option.
What can you do?
When you get your new computer or on your existing computer setup a standard user you logon with everyday, and an administrator account you can use occasionally as needed.
In this blog we will use two accounts:
David - will be a standard user with no administrator rights
A_David - will have full administrative rights
Open the Windows start menu and type compmgmt.msc
From the new window, expand the 'Local users and groups' node
- Select Users, right click and select 'new user' create an account with basic name such as David, If this is your existing computer skip this step.
Create another account as before this time name it A_David for example.
From the computer management window double click the A_David account
- Ensure under 'member of' for the A_David account administrators is selected (as on the right below) and select OK, and under the regular David account (or your existing user) ensure only users is listed.
Day to Day
Now when you logon with the standard account (not the A_ account) you will have standard user rights, so if your computer does become compromised you have a level of protection in what the malware can actually do.
It should be noted following this article malware can still do bad things, this is to limit what it does not stop it.
When you need to install an application or provide administrator username just enter the A_David username and password.
@formynextjourney, not running with administrator rights is always the best practice. We do that in corporate environments but it is difficult to do the same on your own personal computer due to its inconvenience. I work in the cybersecurity industry but I also don't follow this good practice on my personal computer. Perhaps I should seriously consider doing it :)
Upvoted and started to follow you! Looking forward to more good content!
Yeah look its not ideal, but for most users (IT professionals excluded) how often do you require admin rights day to day? Apps like chrome etc install in your profile anyway no admin rights needed.
I work for a software company and we make software to help with this challenge so users don't need second accounts, just not practical in the consumer market.
Yup, I agree. It is always a constant struggle between convenience and security. Finding the balance is an art more than science.