Should I be logged in as Administrator or not?

[Richh]

Hello,

I recently formatted and reinstalled XP pro. I've just noticed that I am
logged in as Administrator.

On my laptop (also XP Pro), I see that I am logged in as a user and that
there is a separate Administrator account.

What are the rights and wrongs of the two set ups?

 

[Richh]

I do know the difference - just asking what is best.

Is there any harm in just running as Administrator if I have decent
firewalls and virus software in place?

 

[Nonny]

Is there any harm in just running as Administrator if I have decent
firewalls and virus software in place?

Most everyone will tell you that the best way is to set up an account
for yourself that doesn't have admin privileges since an admin account
is supposedly more susceptible to security breaches from outside
sources.

Might be tehnically true, but speaking from a practical staindpoint, I
I think it's rubbish.

 

[Patrick Keenan]

I do know the difference - just asking what is best.

Is there any harm in just running as Administrator if I have decent
firewalls and virus software in place?

It is NOT a good plan to use the Administrator account itself for anything
except initial system install and later emergency service.

It is often useful to use an account with administrator-level rights, and
that is a completely different thing.

Could you please be clearer as to which you mean?

HTH
-pk

 

[Jim]

I do know the difference - just asking what is best.

Is there any harm in just running as Administrator if I have decent
firewalls and virus software in place?

Yes there certainly is. The harm comes from using more privileges than are
needed for the task at hand.
It is very easy to slip up and change something that should be left alone.
Jim

 

[Bruce Chambers]

Hello,

I recently formatted and reinstalled XP pro. I've just noticed that I am
logged in as Administrator.

On my laptop (also XP Pro), I see that I am logged in as a user and that
there is a separate Administrator account.

What are the rights and wrongs of the two set ups?

Routinely using a computer with administrative privileges is not
without some risk. You will be much more susceptible to some types of
malware, particularly adware and spyware. While using a computer with
limited privileges isn't the cure-all, silver bullet that some claim it
to be, any experienced IT professional will verify that doing so
definitely reduces that amount of damage and depth of penetration by the
malware. If you get infected/infested while running as an
administrator, the odds are much greater that any malware will be
extremely difficult, if not impossible, to remove with formating the
hard drive and starting anew. The intruding malware will have the same
privileges to all of the files on your hard drive that you do.

A technically competent user who is aware of the risks and knows
how to take proper precautions can usually safely operate with
administrative privileges; I do so myself. But I certainly don't
recommend it for the average computer user.

Further, the built-in Administrator account was never intended to
be used for day-to-day normal use. The standard security practice is to
rename the account, set a strong password on it, and use it only to
create another account for regular use, reserving the Administrator
account as a "back door" in case something corrupts your regular account(s).



--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

 

[+Bob+]

Further, the built-in Administrator account was never intended to
be used for day-to-day normal use. The standard security practice is to
rename the account, set a strong password on it, and use it only to
create another account for regular use, reserving the Administrator
account as a "back door" in case something corrupts your regular account(s).

I'd agree that you should use another account - but running without
admin priv's is a royal PITA on Windows. It borders on "totally
impractical".

 

[Bruce Chambers]

I'd agree that you should use another account - but running without
admin priv's is a royal PITA on Windows. It borders on "totally
impractical".

Not if all of one's installed applications have been properly designed
for WinXP's security paradigm. Use incompatible programs and it can be
something of a nuisance, yes. But, even then, the knowledgeable user
can fix most such issues easily enough.

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP. You've already stated that granting your son elevated
privileges is a very bad idea.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r



--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot