Should I set up a separate user account for myself?

[Herbert Eppel]

I have just taken delivery of a new PC.

On all my other computers (past and present) I have a separate user
account (with full admin rights).

Apart from the (deactivated) guest account, the new PC currently only
has an administrator account, with myself set up as administrator. I
seem to remember that it may be advisable to set up a separate user
account for myself (with administrator rights), but I can't see the
point really. Am I missing something?

 

[Kayman]

I have just taken delivery of a new PC.

On all my other computers (past and present) I have a separate user
account (with full admin rights).

Apart from the (deactivated) guest account, the new PC currently only
has an administrator account, with myself set up as administrator. I
seem to remember that it may be advisable to set up a separate user
account for myself (with administrator rights), but I can't see the
point really. Am I missing something?

For day-to-day work/browsing use the Limited User Account (LUA) and refrain
from using the Administrator Account (AC).

Least privilege
http://www.securityfocus.com/infocus/1848
It is important that administrators follow the rule of least
privilege. This means that users should operate their computer with only
the minimum set of privileges that they need to do their job. Typically
this means operating as a normal user,and only when absolutely necessary
use the Run As or MakeMeAdmin commands to elevate privileges.

Applying the Principle of Least Privilege to User Accounts on Windows XP
http://technet.microsoft.com/en-us/library/bb456992.asp

The Importance of the Limited User Account (LUA).
http://blog.washingtonpost.com/securityfix/2006/05/the_importance_of_the_limited.html

How the right user account can help your computer security.
http://www.microsoft.com/protect/computer/advanced/useraccount.mspx
Aaron Margosis' "Non-Admin" WebLog
http://blogs.msdn.com/aaron_margosis/pages/TOC.aspx

The easiest way to run as non-admin.
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx
http://blogs.msdn.com/aaron_margosis/

Proceed with 'Hardening' your Operating System (OS)

http://www.5starsupport.com/tutorial/hardening-windows.htm
http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

Inspirational reading:
http://home20.inet.tele.dk/b_nice/index.htm

Windows XP Security Guide
Chapter 5: Securing Stand-Alone Windows XP Clients
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch05.mspx

 

[VanguardLH]

in message

I have just taken delivery of a new PC.

On all my other computers (past and present) I have a separate user
account (with full admin rights).

Apart from the (deactivated) guest account, the new PC currently
only has an administrator account, with myself set up as
administrator. I seem to remember that it may be advisable to set up
a separate user account for myself (with administrator rights), but
I can't see the point really. Am I missing something?

Many suggest that you create your own restricted or limited account
and use that 99% of the time for security reasons. Of course, no
level of security protection can obviate a user that bypasses that
security or mismanages their host. Security ultimately depends on the
expertise of the owner of the host. You leave the Administrator
account alone except in emergencies since if it gets corrupted then,
for example when your own profile gets trashed, you no longer have a
usable admin-level account to recover. The problem is that many users
are also power users and require admin privileges way too often so the
limited account interferes with getting their jobs done, but you
should still create your own account that is under the Administrators
group.

If you want the safety of a limited account but still require several
applications to be ran under an admin-account or you repeatedly
perform admin-level actions, you could use RunAs but you'll find that
becomes a nuisance and headache real quick. Some HIPS (host intrusion
protection) software can let you regulate under what level of
permissions a program may executed. For example, and as I recall,
Online Armor which recently added a firewall was first a HIPS program
and you could specify that an executable would "Run Safely" which
meant with less permissions. I can't remember the name but there was
some other program that did this, too, but I think it mostly just
targeted Internet Explorer.

It doesn't require a lot of expertise of the OS to run under an admin
account and do so safely. Just be sure you have a safe recovery
mechanism in place because even admins sometimes shoot themself in
their own foot.

 

[Herbert Eppel]

For day-to-day work/browsing use the Limited User Account (LUA) and refrain
from using the Administrator Account (AC).

Thanks for your reply and for the comprehensive list of links and
information, which I will try and digest!

 

[Herbert Eppel]

in message


mismanages their host. Security ultimately depends on the expertise of
the owner of the host. You leave the Administrator account alone except
in emergencies since if it gets corrupted then, for example when your
own profile gets trashed, you no longer have a usable admin-level
account to recover. The problem is that many users are also power users
and require admin privileges way too often so the limited account
interferes with getting their jobs done, but you should still create
your own account that is under the Administrators group.

Hi

Thank for providing the jigsaw piece that was missing from my memory -
this is exactly the kind of reply I was hoping for, thank you!

I will set up a separate account for myself (with admin rights) right
away

 

[Bruce Chambers]

I have just taken delivery of a new PC.

On all my other computers (past and present) I have a separate user
account (with full admin rights).

Apart from the (deactivated) guest account, the new PC currently only
has an administrator account, with myself set up as administrator. I
seem to remember that it may be advisable to set up a separate user
account for myself (with administrator rights), but I can't see the
point really. Am I missing something?

Routinely using a computer with administrative privileges is not
without some risk. You will be much more susceptible to some types of
malware, particularly adware and spyware. While using a computer with
limited privileges isn't the cure-all, silver bullet that some claim it
to be, any experienced IT professional will verify that doing so
definitely reduces that amount of damage and depth of penetration by the
malware. If you get infected/infested while running as an
administrator, the odds are much greater that any malware will be
extremely difficult, if not impossible, to remove with formating the
hard drive and starting anew. The intruding malware will have the same
privileges to all of the files on your hard drive that you do.

A technically competent user who is aware of the risks and knows
how to take proper precautions can usually safely operate with
administrative privileges; I do so myself. But I certainly don't
recommend it for the average computer user.

Further, the built-in Administrator account was never intended to
be used for day-to-day normal use. The standard security practice is to
rename the account, set a strong password on it, and use it only to
create another account for regular use, reserving the Administrator
account as a "back door" in case something corrupts your regular
account(s).


--

Bruce Chambers

Help us help you:


They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot

 

[Herbert Eppel]

Routinely using a computer with administrative privileges is not
without some risk. You will be much more susceptible to some types of
malware, particularly adware and spyware. While using a computer with
limited privileges isn't the cure-all, silver bullet that some claim it
to be, any experienced IT professional will verify that doing so
definitely reduces that amount of damage and depth of penetration by the
malware. If you get infected/infested while running as an
administrator, the odds are much greater that any malware will be
extremely difficult, if not impossible, to remove with formating the
hard drive and starting anew. The intruding malware will have the same
privileges to all of the files on your hard drive that you do.

A technically competent user who is aware of the risks and knows how
to take proper precautions can usually safely operate with
administrative privileges; I do so myself. But I certainly don't
recommend it for the average computer user.

Further, the built-in Administrator account was never intended to be
used for day-to-day normal use. The standard security practice is to
rename the account, set a strong password on it, and use it only to
create another account for regular use, reserving the Administrator
account as a "back door" in case something corrupts your regular
account(s).

Hi Bruce

Thanks for your comprehensive reply.

Yes, I'm aware of the risks, and I keep my computers fairly well
protected against viruses and malware.

I have been using a separate account with admin rights for a number of
years.

Your "back door" explanation ties in with VanguardLH's comments, so I'll
set up a separate account for myself on this new PC but give myself
admin rights as before.