Standard security practice for the U.S. federal government and most medium and large enterprises calls for users to run as “Normal User” on the computer at their desk. Also called “Standard User” mode, this prevents employees from becoming an administrator on their work PC. While this helps prevent misconfiguring work computers (and the subsequent helpdesk requests,) this is mainly to prevent malicious software, or malware, from installing on the system and compromising the business’ network or sensitive information.
Whether you realize it or not, this is also how you use your smartphone. Unless you’ve used a jailbreak program on your iPhone or you bypassed security on your Android phone (you rooted it,) you’re running as a standard user. That’s why malware on phones and tablets is relatively rare.
You can apply the same protection to your home PC or laptop. In this blog post, I’ll tell you why and how.
This story begins with my friend Tom (not his real name) and his teenage son. Don’t worry, Tom, it’s really not you. Tom was investigating why the computer he shared with his son was crashing and locking up. In the process, Tom discovered two things. First, there was a Trojan botnet that was usurping his computer to send SPAM email on behalf of cybercriminals.
The second problem requires some delicate wording because it involves an issue in Tom’s family. Diplomatically put, he discovered that his teenage son was appreciating the Glory of God’s Work in the form of the unclothed female human body. Family discussion aside, Tom’s shared computer had been infected with the Trojan through a combination of malicious downloads, an unpatched system and out-of-date antivirus software. In other words, the computer had picked up an Internet social disease.
After talking Tom through cleaning up the PC (it took several passes and a combination of anti-malware tools) and explaining about child-monitoring software, I gave Tom the same advice I’ll give you:
- First, set up a separate administrator account from which you can manage the computer.
- Then, set up non-administrator accounts for members of the family.
Not only does this give each family member a modicum of privacy, but you can also track any changes someone else makes on the computer. Lastly, because you have that other administrator account, you can take the elevated privileges away from the user ID that you use to perform regular tasks. That will help protect your computer from accidental infection.
When you buy a new PC and set it up, you are prompted to enter a username and password. This will be the user account that you use day to day on the PC. Under normal circumstances, this is the only account most people create on a PC. You could then create additional user accounts for other family members or co-workers in a business. Since each user account has its own profile, including desktop files, screen backgrounds and email settings, this may become important later. So, the first account that you create when the system boots up for the first time becomes the default administrator for the system.
Most of the time, you’re just going to be surfing the Web, reading email, using social media, watching or listening to streaming content and using the programs installed on the system. So even though you’re an administrator, you’re not using those capabilities.
What can you do as an administrator?
- You can install new applications, such as the new program you bought at the big-box store or online.
- You can install new device drivers and services, such as the support software for the new printer you bought at the same big-box store.
- You can reformat a disk, such as a USB stick, to erase the contents or to prepare an additional hard drive for use.
- You can change a critical system setting in the Control Panel, although Microsoft has expended a great deal of effort to make sure you don’t need administrator rights to perform common tasks such as connecting to Wi-Fi.
In other words, the tasks that need administrator privilege are rare, few and far between and things you don’t normally do.
In hacker parlance, privilege escalation is the act of becoming an administrator on the victim’s computer. As we explain in the Certified Ethical Hacker class, this is an essential part of an attack on a computer or network because it allows the intruder to add malware. This can take the form of a keyboard-logging program to steal what a user types, such as passwords and online information, or remote-control Trojan programs, which conscript the victim into a botnet, or it can lead to cybercrime with the latest generation of ransomware that encrypts the victim’s hard drive and extorts payment to restore the user’s data.
So what can a hacker do on your computer as an administrator?
- They can install software, such as Trojans, bots, key-loggers and other malware.
- They can install device drivers, such as the support software for other malware (we call that rootkits).
- They can encrypt your hard drive, such as the case of common ransomware such as Cryptolocker.
- They can change key system settings, such as disabling your anti-virus program or keeping you from getting security updates from Microsoft.
That second picture isn’t very pretty, is it?
Before I show you how to create additional accounts, I’ll give you a pair of disclaimers.
- Always make backups before you start to change the system in this way.
- Pick strong passwords, but ones that you will remember.
Thanks to security expert Bruce Schneier, here are two links that will help with the passwords:
You will eventually need the administrator account and you don’t want to get locked out because you lost or forgot or mistyped the password.
The process is slightly different for Windows 7 and 8.
On Windows 7:
Open the Start menu by clicking on the Start button or hit the Windows key on the keyboard.
Type the word user and open the user settings.
Once there, select “Manage another account” and create the new user. I just take my regular username and add “ADMIN” to the end of the name.
You’ll want to make them an administrator and then click “Create Account.”
Click “Create a new password” for that new account and remember my disclaimer above.
Once you’ve done that, you can modify your current account and make them a “Standard User.” If you don’t know your password because the computer automatically boots up and gives you a desktop, this may be a good time to set yourself a strong password.
Follow the same steps to modify your day-to-day account and set it to “Standard User.” Microsoft has a good video at http://windows.microsoft.com/en-us/windows/create-user-account#create-user-account=windows-7 to help you do that. Ironically, you may need to be an administrator to install Microsoft’s Silverlight multimedia player.
On Windows 8 and 8.1:
Open Settings by swiping in from the right edge of the screen and select Change PC Settings.
Under that, choose Accounts, Add an account and Local Account. Give the account a name and a password.
Once you’ve done that, you can modify the account to be an “Administrator.”
Modify your own account to be a “Standard User.” This might also be a good time to make sure you have a strong password. Here’s a link to Microsoft’s video on the process: http://windows.microsoft.com/en-us/windows/create-user-account#create-user-account=windows-8
Please remember the importance of your passwords because you don’t want to lock yourself out of your computer!
For both Windows 7 and 8/8.1, you can now switch to Standard User mode. Hit the Start button or the Windows key and type “Logout.” This will give you the opportunity to log back in as a standard user with the protections it provides.
Now, whenever something needs administrator privilege, you’ll be presented with a box that asks for the username and password of the appropriate account. Just enter the information if you really want to make a significant change to the system. If this is unexpected, click “Cancel.”
Why go to all this effort and what’s the advantage?
Since most malware has to install on a computer to be effective, preventing unwanted software installations is a simple way of accomplishing this. This helps prevent accidental malware infection. Using your computer at work as a standard user may also be a requirement if you’re working with health information, financial data, payment transactions, student files and so on. Preventing malware infections by running as a standard/normal user may also prevent regulatory and legal violations.
If you’re using Windows 8, there’s a new style of program that you’ve seen. These are called Modern or Windows Store Applications. Microsoft used to call these “Metro” apps, but (due to trademark issues) dropped the name. These are the apps that you see on the Start screen such as “News” and Weather.” The good news is that you can download and install these apps without needing to be an administrator. All you have to do is find the app you want in the “Store” and install it. Just like phones, however, it may become easy to overload yourself with Modern Apps, and I generally avoid them for that reason.
So is there a downside to running as a standard/normal user? If you install or update a lot of software, or if you add lots of new devices and their custom management interfaces, you’ll see more User Access Control (UAC) prompts. Because of the way I use my computer, I experience this more than most people. On the other hand, when I get a UAC prompt, I want to know why it happened and if someone’s trying to hack my laptop. It’s easier to click “Cancel” rather than have to clean up afterward.
To demonstrate both the upside and downside of this technique, I’ll end with the story of my visit to a Microsoft Store. I’m the proud owner of a Surface Pro 2, on which I’ve written this blog. I wanted the new keyboard called the “Power Cover” to extend the battery life because I do a lot of writing on airplanes. But until recently, my tablet just didn’t recognize the keyboard. So I went to see if a technician could help me. He immediately opened the device manager on Windows, even though I told him I was running as a standard user. After he fumbled a bit, he realized that he couldn’t change the hardware settings (a good thing!) and asked me why I wasn’t an administrator. I almost started to parody “The Wizard of Oz” and sing “Viruses, Trojans and Worms, Oh My!,” but I simply told him that it was corporate policy. We logged in with my administrator account and the keyboard still didn’t work, but it gave me the opportunity to practice what I preach.