Thursday, March 19, 2009

A simple, effective and 100% free anti-virus strategy

What you're about to read might seem quite radical to you if you haven't thought about it before.  Even if you have thought about it before, you may have concluded, "Oh it's all too hard" and gone back to doing things the way everybody else does, because of course, if everybody does it, it must be the best way.  Or you may be an avid Linux fan and think "ho hum big deal that's soooo obvious".

Anyway, there is a very simple, effective and 100% free way to radically improve your Microsoft Windows computer's resistance to viruses/trojans/rootkits/malware/adware/spyware, etc.  I am not saying that you don't need any antivirus software, but as there are deficiencies in antivirus software and lots of other vulnerabilities in many common Windows applications (yes, there are vulnerabilities in Unix/Linux too, but this article is aimed mainly at Windows users), this strategy will make your computer several orders of magnitude more resistant to viruses, making you less reliant on constantly having the latest virus database downloaded from your AV vendor.  It does, however, mean that some tasks become a little bit more difficult, but that's the whole point... viruses try to modify your system in undesirable ways, so if we make it more difficult for them to modify your system, then naturally it's going to be slightly more difficult for the user to modify the system as well.  But, when you consider that once you have your system set up the way you like it, you want it to stay that way, doesn't it make sense to prevent yourself from making further changes accidentally, with the only trade-off being that it takes a little bit more effort to install new software, or make the occasional change to your system settings?

What I am talking about is a strategy that has been used in the Unix world since long before DOS and Windows even existed, and long before the Internet was a commonly used medium, and will almost certainly continue to proliferate for all eternity in the Unix/Linux world.  All it takes is *not* to give your normal user account administrator privileges, by *not* going to your local users and groups and adding your domain account to the local Administrators group.  Most people will at some point add their regular user account to the Administrators group because they try to install some application which tells them that they need Administrative rights, and they don't want to log off and on every time they install something new.  Instead, we can give our regular account the minimum level of privilege that it needs in order to run the software that we need to run from day to day, and invoke higher privileges only when necessary, without having to close the current session.

To do this, start by making sure you know the password of the local "Administrator" account of your machine, e.g. ARI-MBB-WS\Administrator, if your machine is called ARI-MBB-WS, which it better not be because that's my machine's name! :-P  To test this, log out and try logging in as local Administrator (you have to change the "domain" field of the login box to show your machine's name).  It is possible that the password is blank, which is another major security problem, so if you can log in with a blank password, change this to something non-blank immediately.  Once you have logged in as local Administrator, go to Control Panel / User Accounts, and if your domain account appears there, change it to "Restricted User".  I would strongly recommend this over "Power User" or even "User".  Why?  You may say that you trust yourself as a power user, but ask yourself this: do you trust every piece of software that you use or may use in the future with the same power that you trust yourself with?  What about software that installs itself without your knowledge... do you trust *it* as much as yourself?  In order to restrict the software that you (knowingly or not) allow to run on your computer, you must unfortunately restrict yourself.  That is something that Unix users have understood for decades and learned to live with, and that's part of the reason that there's no such thing as a Unix or Linux virus.

The next complaint you may have is that you have to log off your regular account and log back on as administrator in order to make any system changes or install any software.  Not true at all.  You just need to use "Run As..." to perform administrative tasks, which requires entering the administrator's password, but does not require you to log off and back on and back off and back on.  Being required to enter a password makes sure that a virus cannot make changes to your system, because any virus that runs while you are logged on as a Restricted User will be, as expected, restricted from modifying your system files and settings.

In some cases, the "Run As..." option is available directly by right clicking on the icon or start menu item for the thing that you want to run administratively.  In many cases it's not, and this is an annoyance with Windows that I don't fully understand, which may or may not be related to the fact that Microsoft make money from AntiVirus software (ooh... conspiracy... well... who knows?).  Anyway, you can run ANY task as an administrator, and considering the benefits, and how often you need to do so, it is well worth the extra effort.  In order to run ANY task as administrator, look at the properties of the shortcut that starts it to find out where it actually resides on your disk(s).  Then click on Start / All Programs / Accessories, and when you see "Command Prompt", don't just go clicking on it willy nilly, hold your horses!  Right click on the menu item "Command Prompt" and choose "Run As...", then choose the MY-MACHINE\Administrator account and enter its password.  Then go to the directory where the target application lives, by typing (for example) "cd /d D:\Installs\Subversion\TortoiseSVN".  Then run the target application, which may be an MSI file, by typing "start TortoiseSVN-1.5.9.15518-win32-svn-1.5.6.msi".  To save typing, you can always type the first few letters of the target application and press the "Tab" key until you see the correct name, or copy the name from Windows Explorer.  Of course you still have to trust the source from whence you obtained said target application, and for this purpose some software providers publish checksums (e.g. MD5) or GPG signatures to allow you to verify the integrity of their applications.  This is a different topic, but there is plenty of information on the Internet on how to verify MD5 checksums and GPG signatures.
Also, if you got your software from rapidshare or bittorrent or some website starting with an IP address or containing "....(ru|pl|cz):8000/dodgy-stuff/warez" then don't blame me if a white rabbit suddenly comes knocking on your door.

I may at some point work out how to start an administrative command prompt in any directory, or force Windows to always show the "Run As..." option, in which event I may or may not be bothered to update this document.
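Here is one way to do the "administrative command prompt in any directory" trick with the stock runas command, wrapped up as a small batch file.  This is an added example, not something from the original post; it assumes the local administrator account is literally called Administrator and that %COMPUTERNAME% holds your machine's name (the ARI-MBB-WS / MY-MACHINE part above).  Save it as admin-here.cmd somewhere on your PATH and run it from your Restricted User session as "admin-here D:\Installs\Subversion\TortoiseSVN".

```batch
@echo off
rem admin-here.cmd  (added example, not from the original post)
rem Opens a Command Prompt running as the local Administrator account,
rem already sitting in the directory given as the first argument, so the
rem installer there can then be run with e.g. "start SomeInstaller.msi".
rem Assumptions: the local admin account is named Administrator, and
rem %COMPUTERNAME% is the machine name; change both if yours differ.
setlocal

rem Default to the current directory if no argument was given.
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=%CD%"

if not exist "%TARGET%\" (
    echo Directory "%TARGET%" does not exist.
    exit /b 1
)

rem Sanity check for the strategy itself: warn if the account we are
rem logged on with is already in the local Administrators group.  This is
rem a rough substring match on "net localgroup" output, nothing more.
net localgroup Administrators | findstr /i /c:"%USERNAME%" >nul
if not errorlevel 1 (
    echo Warning: %USERNAME% is already in the local Administrators group.
    echo          The point of this strategy is that it should not be.
)

rem runas prompts for the Administrator password on the console; it does
rem not take a password on the command line, which is exactly what we want.
rem "cmd /k" keeps the new window open after running its command, and
rem "cd /d" changes drive and directory in one step.  cd accepts a path
rem with spaces without quotes, so no nested quoting is needed here.
runas /user:%COMPUTERNAME%\Administrator "cmd /k cd /d %TARGET%"
if errorlevel 1 echo runas failed; check the account name and password.

endlocal
```

Everything typed in the window that appears runs as Administrator, so close it as soon as the install or settings change is done and go back to your restricted session.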

If you don't want to try this straight away, I will be your guinea pig starting from the time of this writing and go where no Windows machine has gone before (okay, that might be a bit of a high claim).  If you want to let sleeping dogs lie for a while and first see how things are going on my computer, I will be more than happy to share my story with you.

As a final word, if any software does not work without administrator privileges on an ongoing basis, it's a badly designed piece of rubbish and you should either 1) ask to have this abominable deficiency fixed or your money back, or 2) just stop using it if you can get by without it and/or didn't pay too much for it.

Happy Windowing!
