9. Administrators, Standard Users, and UAC
On any machine, you need to have multiple user accounts, each one of which is secured with a password. This allows you to have an administrative account that can update and install changes to your machine, and then a standard user account without these kinds of privileges that you use for web browsing and ordinary computer work.
Why? If you get something nasty on your system under the less powerful account, it will have a much harder time installing its malicious payload. Setting up administrator and standard user accounts should be done for every computer, regardless of OS, if it is possible to do so. Some very old OSes may not be able to support this functionality.
In Vista and Win7, there is a new feature called User Account Control (UAC) that provides stronger division between the administrative roles and the standard users, and which greatly reduces what the computer can automatically do – like install software or allow executables to run. Some people hate it because it nags you about installing things and makes you perform extra confirmation steps. It is less intrusive in Win7 than it is in Vista.
Ang's Personal Opinion: I think the UAC intrusion is minimal, but others are so irritated by it they turn UAC off. This is the most bone-headed and stupid move a computer owner can make, and you deserve every bit of malware that infests your system if you do. End opinion.
How to set up Windows user accounts:
Here are online instructions to walk you step-by-step through the process of creating accounts:
- User accounts under XP:
- User accounts under Vista (Note: there are several links on the page with account information):
- User accounts under Win7 (Note: more detailed and technical than the previous two, but extremely informative and walks you through all actions from the first account to a set of users. Can be used for Vista setup, too. This is the instruction set I used, and it worked very well for me. Deciding on my passwords took longer than all the rest of the set-up combined.)
Reducing user rights is one of the best ways to prevent a shellcode exploit from installing its crap on your computer. If the account you are logged in with cannot install programs and is restricted to writing certain kinds of files, then most malicious activity is stopped before it can start.
In Win7, I set up an administrator account and a standard user account in less than 15 minutes. When using the machine under the standard account, if I need to install something, a window pops up and has me enter the administrator account password to authorize the install, and then everything goes as usual. Don't be afraid to set up these accounts.
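To confirm the setup described in this section, the following PowerShell check reports whether the account you are logged in with is in the local Administrators group and whether UAC is switched on. It is an added example, not part of the original guide; the function name `Test-AccountSeparation` and its output fields are hypothetical, and it assumes PowerShell 2.0 or later (included with Win7, a separate install on XP and Vista).

```powershell
# Added example: audits the admin/standard-user split recommended above.
# Function name and output field names are hypothetical.
function Test-AccountSeparation {
    # Find the built-in Administrators group by its well-known SID so the
    # check also works on non-English Windows installs.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $groupName = $account.Split('\')[1]

    # List the group's direct members through the WinNT ADSI provider.
    # Members of nested domain groups are not expanded.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $admins = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # Compare by account name instead of WindowsPrincipal.IsInRole: with UAC
    # on, an administrator running unelevated reports $false from IsInRole.
    $isAdmin = $admins -contains $env:USERNAME

    # EnableLUA = 1 means UAC is on, 0 means it was turned off.
    # The value does not exist on XP, which has no UAC.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableLUA
    $uac = if ($null -eq $lua) { 'NotPresent' }
           elseif ($lua -eq 1) { 'On' }
           else { 'Off' }

    New-Object PSObject -Property @{
        CurrentUser        = $env:USERNAME
        CurrentUserIsAdmin = $isAdmin
        AdminAccounts      = $admins
        UAC                = $uac
    }
}

$result = Test-AccountSeparation
$result | Format-List

if ($result.CurrentUserIsAdmin) {
    Write-Warning 'You are logged in with an administrator account; use a standard account for daily work.'
}
if ($result.UAC -eq 'Off') {
    Write-Warning 'UAC is turned off; re-enable it in Control Panel under User Accounts.'
}
```

Run it from the standard account you use every day: the expected result is `CurrentUserIsAdmin : False`, `UAC : On`, and only your administrative account listed under `AdminAccounts`.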