When using Windows, I log on with an ‘Administrator’ account. I know that this isn’t too clever – I’d never log on as ‘root’ on my Linux box all day. And it doesn’t take much searching to find a dozen pages which advise against it, as it leaves me more at risk from malware and various other problems.
But I do it because it’s just too much hassle to run as a normal user. Some apps I rely on need Admin access to run, and other limitations make me think that I need to be Administrator.
The biggest risk is with Internet-facing applications. Any malware that I pick up gets to run with my credentials – as Administrator. So as a compromise, I run Internet-facing applications with limited credentials. If malware slips in, at least it doesn’t get to run as Administrator. I do this with a free Sysinternals tool, psexec.
I’ve altered the shortcuts on my quick-launch bar that launch Outlook and Firefox so that they point at psexec, and use psexec to run the app instead.
"C:\Program Files\Sysinternals\psexec.exe" -l -d "C:\Program Files\Microsoft Office\Office11\OUTLOOK.EXE"
"C:\Program Files\Sysinternals\psexec.exe" -l -d "C:\Program Files\Mozilla Firefox\firefox.exe"
-l gets psexec to run a process as a limited user
-d gets psexec not to wait around after the Internet app is launched
(My shortcuts point at psexec, but I change the icon so that they look like the app included in the shortcut’s target field.)
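The shortcut setup described above, scripted in PowerShell as an added example (not part of the original post). The function names, the shortcut names and the Desktop default folder are assumptions for illustration; the program paths are the ones quoted above.

```powershell
# Added example: build shortcuts that start an app through "psexec -l -d".
# Paths are the ones quoted in the post; adjust them for your machine.
$PsExec = 'C:\Program Files\Sysinternals\psexec.exe'

function New-LimitedShortcut {
    param(
        [Parameter(Mandatory = $true)][string]$Name,     # shortcut name, without .lnk
        [Parameter(Mandatory = $true)][string]$AppPath,  # program to start with limited rights
        [string]$Folder = [Environment]::GetFolderPath('Desktop')  # assumed default location
    )
    # Refuse to write a shortcut that points at a missing binary.
    foreach ($p in $PsExec, $AppPath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Not found: $p" }
    }
    $shell   = New-Object -ComObject WScript.Shell
    $lnkPath = Join-Path $Folder "$Name.lnk"
    $lnk     = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $PsExec
    $lnk.Arguments        = "-l -d `"$AppPath`""      # -l limited user, -d do not wait
    $lnk.WorkingDirectory = Split-Path -Parent $AppPath
    $lnk.IconLocation     = "$AppPath,0"              # show the app's icon, not psexec's
    $lnk.WindowStyle      = 7                         # start the psexec console minimised
    $lnk.Save()

    # Read the file back and confirm the target was not silently changed.
    $saved = $shell.CreateShortcut($lnkPath)
    if ($saved.TargetPath -ne $PsExec -or $saved.Arguments -notlike '-l -d *') {
        throw "Shortcut $lnkPath does not launch through psexec -l"
    }
    [pscustomobject]@{ Shortcut = $lnkPath; Target = $saved.TargetPath; Arguments = $saved.Arguments }
}

# Returns True when the Administrators group is enabled in the current token.
function Test-AdminGroupEnabled {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

New-LimitedShortcut -Name 'Outlook (limited)' -AppPath 'C:\Program Files\Microsoft Office\Office11\OUTLOOK.EXE'
New-LimitedShortcut -Name 'Firefox (limited)' -AppPath 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

Running Test-AdminGroupEnabled in a normal session and again in a PowerShell window started with the same psexec -l prefix shows whether the Administrators group is still active in the limited process.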
My Internet access is a little safer, and I feel a little less guilty about running as Administrator.
I’ve been using it ever since, but thought I’d mention it today after reading an article on Mark’s blog on the train today, in which he talks about the changes in this area that Windows Vista brings. It’s an interesting post – and worth a read.