- Admin Powers = Malware Powers
- The Solution: Run as a Non-Admin
- What Kind of User?
- Switching To Be a Mere User
- What's Next?
The Solution: Run as a Non-Admin
Using your computer every day with a least-privilege user account (LUA) limits what you can do on your computer and therefore limits the damage that malware can do. A few of the many things you can't do as a LUA:
- Write to Program Files
- Write to sensitive parts of the registry
- Change system date/time
- Disable network connections
- Install applications (for the most part)
- Disable antivirus or anti-spyware apps
Let's face it: How many times during the day do you have to do any of those things? Most of the day, you don't need to write anything to the Program Files directory unless you're installing or updating an application. You normally never need to modify protected portions of the registry unless you're installing software. Most of the other items are things that you might have to do occasionally to configure a machine but certainly don't need to do every day.
Changing the system date and time is a little weird, though; why shouldn't you be able to do that as a LUA? It's because some authentication schemes, including Kerberos (used in Windows 2000 and later), rely on the clocks of the domain controller and the client machine being closely synchronized. If they drift too far apart, authentication can fail or be circumvented. So changing a system's date and time can be one element of an attack on a system, giving an attacker an entrée.
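To confirm that the account you are logged on with really is restricted in the ways listed above, the following added example (not part of the original article) checks administrator membership and probes write access to Program Files and to HKLM\SOFTWARE. The function names, the probe file name, and the choice of HKLM\SOFTWARE as the "sensitive" registry location are assumptions made for this illustration.

```powershell
# Added example: report whether the current logon behaves like a LUA.
# Function names and the probe file name are constructed for this check.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # With UAC, a non-elevated administrator's filtered token also returns $false.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWriteProgramFiles {
    # Unique name so the probe never collides with a real file.
    $probe = Join-Path $env:ProgramFiles ("lua-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        # Creating a file requires write access to the directory itself.
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # Access denied (or any other failure) means this account cannot write here.
        return $false
    }
}

function Test-CanWriteHklmSoftware {
    try {
        # Only requests a writable handle; no value is created or changed.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        # A SecurityException here is the expected result for a LUA.
        return $false
    }
}

[pscustomobject]@{
    User                 = [Environment]::UserName
    IsAdministrator      = Test-IsAdministrator
    CanWriteProgramFiles = Test-CanWriteProgramFiles
    CanWriteHklmSoftware = Test-CanWriteHklmSoftware
} | Format-List
```

For a LUA, all three checks should report False; any True means the session holds more privilege than day-to-day work needs.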