
Protect Your Computer by Using a Safer, "Least Privilege" Account for Day to Day Use

When Windows is installed, it creates an account for you to use when you log in. Typically, that account is created with "administrative" privileges. Those privileges allow you, and any program you run, full access to your entire computer. While that may sound convenient, it represents unnecessary risk. Very few people need full access to their computer for day to day use. Having such access while doing things like browsing the web or reading e-mail means that if you, or someone using your computer, accidentally clicks something malicious, the malicious program will have full access to your computer, your data, and the online accounts used from your computer. It will have access to everything you type, including passwords, credit card numbers, and documents. It will also be able to turn off your anti-virus software, security updates, firewall, and other security software. Finally, it can hide itself so you can't see what it's doing.

Most people don't need to do, on a daily basis, the kinds of things that malicious programs do to cause their damage. So risk can be greatly reduced with relatively little adverse impact if a lower privilege account is used day to day. Doing so follows two of the oldest and most basic security principles in the book - the principles of least privilege and default deny. In this case, that means using the least privilege necessary for day to day use and denying extra privileges by default. This keeps malicious programs that may be run due to operator mistake or product defect from doing extensive damage to the computer.

This practice is particularly recommended for shared or unattended computers and those used by children. Home computers are much less protected than campus computers.

Most computer operators will have few or no problems using this type of account once it is set up. And if problems are experienced, they can always use the riskier account temporarily to accomplish infrequent activities.

Macintosh computers, a form of Unix computer, have been shipping for some time so that the Unix root account isn't easily available. However, the default account (administrator) does carry more privileges than typically necessary for day to day use. Most other Unix and Linux systems don't have tiered privilege accounts and encourage the creation and use of non-root accounts during their installation process. Windows computers, the most often targeted and most common, set up a fully privileged account by default, leaving them the most vulnerable.
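The first practical question the discussion above raises is whether the account you use every day is in fact one of the privileged ones. The following PowerShell script is an added example, not part of the original page or of any JMU tooling: it reports whether the current logon token carries the Administrators role and lists who is in the local Administrators and Power Users groups. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember); the function name Test-DailyAccountPrivilege is our own.

```powershell
# Added example (not from the original page): report whether the account you are
# logged in with carries administrative privileges, and list which local accounts
# are members of the privileged groups.  Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module; the function name is hypothetical.

function Test-DailyAccountPrivilege {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True when the current token is in the Administrators role.  On Windows with
    # UAC, an administrator's non-elevated session reports $false here (the token
    # is filtered), so group membership is also inspected directly below.
    $isAdminToken = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $report = [ordered]@{
        User           = $identity.Name
        TokenIsAdmin   = $isAdminToken
        Administrators = @()
        PowerUsers     = @()
    }

    # The page warns that a Power User account gives "little or no protection",
    # so membership in that group is treated as privileged too.
    foreach ($group in 'Administrators', 'Power Users') {
        try {
            $members = Get-LocalGroupMember -Group $group -ErrorAction Stop |
                       Select-Object -ExpandProperty Name
        } catch {
            $members = @("(could not read group '$group': $($_.Exception.Message))")
        }
        if ($group -eq 'Administrators') { $report.Administrators = $members }
        else                             { $report.PowerUsers     = $members }
    }

    # Direct membership only; membership via a nested domain group is not expanded.
    $report.DailyAccountIsPrivileged = ($report.Administrators -contains $identity.Name) -or
                                       ($report.PowerUsers     -contains $identity.Name)
    [pscustomobject]$report
}

$result = Test-DailyAccountPrivilege
$result | Format-List

if ($result.DailyAccountIsPrivileged) {
    Write-Warning "$($result.User) is in a privileged local group; use a standard account for day to day work."
} else {
    Write-Host "$($result.User) is a standard (least privilege) account." -ForegroundColor Green
}
```

Run it from the account you normally use, not from an elevated prompt; if it warns, that account is the "administrative" one the page describes, and a separate standard account should be created for daily use.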


Some minor difficulties may be encountered:

  • Software and hardware installations often require extra privileges (as do most virus installations!). These can easily be handled by logging out of the day to day account and logging back in as the administrator account. Really, how often do you install software and hardware? For most people, the cost of the infrequent inconvenience is well worth the benefit of extra protection in day to day use.
  • Manually installing Windows Updates will need to be performed using an Administrator account, but if automatic updates are turned on as recommended by StartSafe, this won't be an issue.
  • A few software packages, not many, won't run under an account with limited privileges. This can usually be handled by using the Windows RUNAS utility. You basically tell Windows to run that one troublesome program with administrator privileges while your riskier programs (e.g. web, e-mail, and IM clients) continue to run under the safer account. This can be done by right-clicking a program icon and selecting "run as", or by modifying a program icon so it prompts each time it starts.
  • Do not use a Windows Power User account as it provides little or no protection. You may as well be using the administrator account.
  • If Windows control panels, administrative tools, printer installations, or date/time changes need to be accessed, the most straightforward way is to log out of the daily account and log in temporarily using the Administrator account. However, a quick way of accomplishing many of those tasks exists. Right-click the Internet Explorer icon and select run-as using the Administrator account. Then, from the Internet Explorer menu, select File->Desktop->Explore and open 'My Computer'. You can then accomplish many system administrative tasks by using the control panels. You can also use this trick to install necessary ActiveX controls from trusted web sites. Whatever you do, though, don't use such an Internet Explorer instance for day to day web browsing. When you're done performing your system tasks, close the browser completely and start fresh without using 'run-as'.
  • JMU owned computers should not have their configurations changed without consultation with your local desktop management and support folks.
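The "run as" approach in the list above (one privileged program launched from the safer daily session) can also be done from a command line, which is handy when the right-click menu is unavailable or the launch needs to be repeatable. The PowerShell below is an added example and not code from the original page: it wraps the built-in runas.exe utility and the Start-Process cmdlet's -Credential parameter. It assumes the privileged local account is literally named Administrator; the function names Start-AsAdministrator and Start-WithCredential are our own.

```powershell
# Added example (not from the original page): launch a single program under the
# Administrator account from a standard day to day session, the "run as" pattern
# the page describes.  Assumes the local admin account is named Administrator;
# the two function names are hypothetical.

function Start-AsAdministrator {
    param(
        [Parameter(Mandatory)] [string] $Program,                 # e.g. 'control.exe' or a setup.exe path
        [string] $AdminAccount = "$env:COMPUTERNAME\Administrator"
    )
    # runas.exe prompts for the admin password in the console.  /noprofile avoids
    # loading the privileged account's profile for a one-off program, which is
    # faster and leaves less of that account's state around.
    & runas.exe /noprofile "/user:$AdminAccount" $Program
}

function Start-WithCredential {
    param(
        [Parameter(Mandatory)] [string] $Program,
        [string] $AdminAccount = "$env:COMPUTERNAME\Administrator"
    )
    # Script-friendly variant: collect the credential once, then start the process
    # under it.  The day to day session itself stays unprivileged.
    $cred = Get-Credential -UserName $AdminAccount -Message "Password for $AdminAccount"
    Start-Process -FilePath $Program -Credential $cred
}

# The page's own use cases: reach the control panels, or run an installer.
Start-AsAdministrator -Program 'control.exe'
# Start-WithCredential -Program 'C:\path\to\setup.exe'   # path is a placeholder
```

Both forms reproduce the page's pattern exactly: only the named program runs as the privileged account, while the browser and e-mail client keep running under the safer one. On current Windows versions with User Account Control enabled, a process started this way for an administrator account still receives a filtered (non-elevated) token, so installers that need full elevation will additionally show the UAC prompt; that is expected and is a further check rather than a problem.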

Two web sites with more information about this common sense, low risk configuration are: