
Why You Do NOT Want Administrative Rights on Your Computer

One of the absolutely most effective ways to shield yourself from viruses and spyware is to not log on to your computer as an administrator. As soon as I say this, I usually encounter some resistance, because users think that giving up admin rights equates to giving up power. In a way, you are, but for decades I’ve likened full admin rights on a computer to walking around with a loaded gun that might go off at any minute, and pointing it at people (including yourself). I have seen plenty of damage done by users who thought they needed (or just wanted) administrative rights over machines, and in truth, they did not.

My rationale for not wanting admin rights is as follows:

  • Administrative rights give you the ability to install programs.
  • Viruses, spyware, and other malware are programs.
  • Therefore, administrative rights give you the ability to install viruses, spyware, and other malware.

People sometimes think I mean they would intentionally attempt to install viruses, spyware or other malware, but that’s not what I’m saying. The problem is that viruses, spyware and their ilk either pose as legitimate software, like a browser plugin (“You need a new video player to watch this movie. Click here to install!”), or arrive as an email attachment which you think you want to run (“Click here to view this greeting card!”).

As an average user, you do not require administrative rights to run your own machine. If programs need installing, then this is something you (or your administrator) should do separately, under a special, administrative account. You do not need to be an admin all the time. This is the principle of Least Privilege: you have only the minimum power that you require to do your job. Extra rights mean extra responsibility and the potential for extra damage.
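To see where a given Windows machine stands against this principle, the following added example (not part of the original post) reports whether the current session holds an elevated token and which accounts are in the local Administrators group. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the variable names are illustrative.

```powershell
# Added example: audit administrative rights on this machine.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember is built in there).

# Well-known SID of the local Administrators group (same on every Windows install,
# regardless of the display language of the group name).
$adminSid = 'S-1-5-32-544'

# 1. Is this session running with a full administrative token?
#    With UAC enabled, this is False for an admin account until it elevates.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Who has been granted administrative rights on this machine?
$members = Get-LocalGroupMember -SID $adminSid

# 3. Is the logged-on account listed directly in that group?
#    This only catches direct membership; rights inherited through a
#    nested (e.g. domain) group show up as that group in the list below.
$isDirectMember = $members.SID.Value -contains $identity.User.Value

[pscustomobject]@{
    User              = $identity.Name
    SessionElevated   = $elevated
    DirectAdminMember = $isDirectMember
} | Format-List

# Every entry here is an account (or group) that can install software.
$members |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

For a day-to-day account that follows least privilege, both `SessionElevated` and `DirectAdminMember` read `False`, and the membership list contains only the separate administrative account(s).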

Let’s take some non-IT examples. Consider your workplace.

  • Does every employee have a master key, allowing them to get into any and all rooms, offices, closets, safes, on the premises?
  • Does every employee have the ability to write checks from the company checkbook?
  • Does every employee have the ability to sign contracts and enter into new business agreements or hire new employees?

(Note: If you answered “yes” to any of these and you have more than two employees, you can probably stop reading right now, as you have larger problems that I can’t begin to address in this forum.)

Now, I do realize that these three examples could potentially be more of a risk than administrative rights over a desktop PC, but consider the case where a user has admin rights over their PC and, one way or another, that PC is compromised by some form of malware. That malware in turn is used as a springboard to launch an attack against the company’s servers. Once compromised, all data on the server is available to the attacker, including emails, client/patient/student/employee/payroll records, financial data, etc.

No, You Don’t Need That Program Installed

We commonly get asked “but what if I need to install XYZ program?” I answer “then you should call us and we’ll do it for you.” At first blush, this may sound a bit excessive, but in reality, it is not. Installing software, while easy, is an avenue for security holes. You should not need to be installing software on any given day. Generally, after the first week or two, everything you need installed on your system should be installed, and you should be good to go without administrative rights. After that, it’s usually some sort of actually needed software package which, once installed, is all set and doesn’t need much care and feeding afterward, so again, I recommend to my clients that we do software installs for them.

Example 1: We regularly get requests to install WinZip, for example. My clients are amazed when I tell them they do not need WinZip anymore. Now, I know that WinZip has a lot of features that Windows “Compressed folders” do not share. I also know that, to date, almost none of my clients are aware of said features and wouldn’t use them if they were. They want to make zip files and open zip files, which Windows has been able to do since 2001. Additionally, WinZip by default installs an agent which sits on your system tray, taking up memory.

Example 2: The next most-requested program? iTunes. Yep, iTunes. My standard response, which I got from David Hoelzer, is “What is the business need for iTunes?” iTunes is another example of stuff you don’t need always running. When you install iTunes, you also get QuickTime, the Apple Mobile Device service, and Apple’s software updater, which all constantly run in the background, chewing up CPU time and memory.

Why Is My System Slow?

When people ask me “why is my system slow,” the answer is almost always because they have unnecessary software installed (malicious or otherwise).

  • You have to have administrative rights to install software.
  • When you install software, it frequently installs an “agent” or “service” which runs all the time, even if you don’t know you’re running it.
  • Agents or services which run on your system slow your system down.
  • Ergo, your admin rights slowed down your system.

If I still haven’t impressed upon you that this is bad, (intentionally) installing unneeded software programs can also slow down your system. Before you install anything on your system, first ask yourself:

  • Do I need this program installed?
  • Do I know all of the ramifications of installing it?
  • Is my system slow enough already?

If you’re interested in addressing this issue, please see the follow-up post.
