Most Windows users operate as a user with full administrator rights. It’s the default Windows setup option so it’s what most people use whether they are aware of it or not.
Having full administrator rights gives the user the highest level of privilege possible. It means that Windows will allow a user to pretty well do anything they want on their PC. That includes installing any program they choose, even programs that change the way the operating system works.
This is convenient for the user but is the source of many of Windows security problems. Many malware programs including rootkits require administrator privileges to install. If users operated with reduced rights such programs couldn’t as easily infect their PCs.
On other operating systems such as Linux and Mac OS X, users normally run with reduced rights. It’s one of the reasons why such systems have a better security record.
The more recent versions of Windows do in fact allow users to be assigned to different user groups with different privileges. In order of reducing privilege these are: "administrator", "power user" group, "user" group and "guest". However, most folks, me included, find that operating as anything other than an administrator is a pain in the butt. Many programs, for example, won’t install correctly. Others install but don’t function properly.
You can work your way around this by having two user accounts on your PC: one with full administrator rights and the other with reduced rights. You sign on as the reduced rights user for normal PC use and then logout and use the administrator rights user account for program installation, registry editing and other demanding tasks.
It sounds fine but I can assure you that constantly switching users or logging in and out of these accounts is a pain in the butt as well.
Another approach is to always operate as a reduced privilege user and use the special Windows "run as" function from the command window or context menu when you needed to run a program that requires administrator privileges. It’s a slightly more workable solution but not exactly convenient as you need to enter your admin account password every time. It’s also unsuited to non-technical users.
Recently, subscriber Erik Wasberg wrote in to tell me about a third option. It too is for experienced users but it’s more convenient than using Run As.
It involves the use of an Open Source utility called RunAsAdmin Explorer Shim. Let’s call it RES.
RES is a Windows XP program that allows you to sign-in as an administrator but work within a Windows shell with reduced rights.
It works by placing an icon in the system notification area of your tray. Clicking this icon brings up a menu that allows you to run programs with several different level of trust from "administrator" through to "user."
This means that you can do your normal day-to-day work in a restricted rights shell but easily run any program that requires elevated privileges without the need to logoff or enter your admin password. You have the advantage of safety and convenience at the same time.
It’s a neat idea, so neat that you wonder why it wasn’t built into Windows XP.
There’s not a lot of documentation for RES, barely enough to work out how to install the program and use it. There are also two versions available: a stable V1 release and a V2 beta. I installed the latter and it’s working fine though I it took a few setting changes and reboots to get everything working perfectly. It’s definitely not a task for the faint hearted or technically challenged but neither is using "run as."
To un-install RES start up a command window with admin rights and enter the command c:WindowsShimExplorer.exe /r
Logoff as the current user and when you re-login, you’ll have the usual rights for that user account. You can then delete the c:WindowsShimExplorer.exe folder.
Non technical users will have to wait for the arrival of Windows Vista to get a satisfactory solution to the user rights problem. Vista promises to have a much more sophisticated system for managing user privileges than XP. If it delivers, we can all look forward to safer computing. Then again Windows XP was supposed to be the "safest Windows ever." ;>)
Resources:
Running user accounts with reduced privileges
http://cybercoyote.org/security/not-admin.shtml
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
Using the RunAs Command
http://vlaurie.com/computers2/Articles/xprunas.htm
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true
RunAsAdmin Explorer Shim
http://sourceforge.net/project/showfiles.php?group_id=127612
Insider tips, how-tos, best security practices, and more
The Windows Secrets Newsletter brings you essential tricks for running Windows XP, Vista, 7, Internet Explorer, Firefox, Windows Update, and more — weekly, free.
Bonus: get this free download when you subscribe
Interested in Windows 8 but don't know where to start? You have a friendly guide in My Windows 8 Consumer Preview: A Sneak Peek at the Windows 8 Public Beta, by Katherine Murray. This month, all subscribers can download Chapter 1 and Chapter 5. In this excerpt you will learn about the new look of Windows 8, how to make things happen in it, how to use the apps that come with it, and how to get more apps.
We guarantee your privacy: We will never sell, rent, or give away your address to any outside party, ever. We will never send you any unrequested e-mail. Unsubscribe requests are honored within one business day. Privacy Policy
Related posts:
