How to use user-accounts to defend against viruses/malware

Every Windows machine (and OS/X) ships with a very powerful, well thought out system of “user accounts” and security. Unfortunately, by default they ship with that security essentially turned-off: you “automatically log in,” without a password, to a user with Administrator privileges. And I am now going to try to persuade you that this is not a Good Thing.

The reason: viruses and malware.

Any program that “you” run, or that runs in “your” session, runs as “you” with the full rights, powers, and privileges of “you.” That includes any virus, malware, nasty script or what-have-you. If you are running as an Administrator and a nasty bit of rogue code tells the computer, “Shoot yourself in the foot!” … hold your ears … ka-BLAM! No questions asked. :o

These same systems define different levels of privilege: Administrator, Ordinary or Limited user, and further Restricted users.

For ordinary purposes, other than actual system maintenance, you should be running as a “Limited” user. You can easily get there from here like this:

- As your powerful self, create another user who is an Administrator.
- Log off, then log on as that user, and from that user revoke Administrator status from your regular account. Also make sure that all of your accounts have non-trivial passwords, and that no “automatic” logins occur.
- Log back on as your previous, now-limited, self.

You can, of course, set up as many “Limited” accounts for yourself as you wish: files owned by each of them will be neatly protected from one another… and this protection will actually mean something. No one, not even a virus, can defy it.

Viruses and malware are strictly opportunists: they take advantage of the fact that, out of 10,000 randomly-chosen systems, more than 90% of them might prove to be defenseless. (Not because they should be; certainly not because they have to be; just because they are.)

If your account is limited, and if you never respond to any prompt for an administrative password (you log-on instead), then there is nothing that any virus or any program can do to affect any “global” registry-entry or application file. Or, any file not owned by them whose owner has not expressly given permission. It doesn’t matter how the malware was concealed, or how it got into your system … the moment it tries to do something nasty, ZZZZZtttt! It just hit the proverbial super-bug-zapper and it’s dead.

I advise that you should not run a “Guest” account, and that you should remove it. No one should be able to use your system, in any capacity whatsoever, without a password or as a “guest.” If you find that guest access is appropriate (say, for your visiting nephews), the account should not be named “Guest.”

A better choice for your nephews would be a Limited user with further restrictions placed upon it … programs they can’t run, sites where they can’t go. (I mean, you can love the little rug-rats without trusting them with the crown jewels of your machine.) These restrictions will “stick.”

You should do this. You should do this now.

For more information, search http://support.microsoft.com for “user accounts.” (Search the “entire site,” not just the knowledge base. You’ll find articles like this one…
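The procedure from the post above, as an added example that is not part of the original thread: it is run from an elevated PowerShell prompt on the still-administrative everyday account, and the account names Maint and alice are placeholders for your own. The post logs off and back on as the new Administrator before demoting the old account; doing it in one session also works, because the current logon keeps its rights until you log off.

```powershell
# Added example (not from the original post). Placeholders: "Maint" is the
# second Administrator kept for maintenance, "alice" is the everyday account.
$NewAdmin = "Maint"
$Daily    = "alice"

# 1. Create the maintenance Administrator. The "*" makes "net user" prompt for
#    the password instead of leaving it in the command history.
net user $NewAdmin * /add /passwordreq:yes
net localgroup Administrators $NewAdmin /add

# 2. Demote the everyday account: out of Administrators, into Users (Limited).
net localgroup Administrators $Daily /delete
net localgroup Users $Daily /add

# 3. Non-trivial passwords on every account: require one, enforce a minimum
#    length, and disable the built-in Guest account entirely.
net user $Daily /passwordreq:yes
net accounts /minpwlen:8
net user Guest /active:no

# 4. Turn off automatic logon so nobody lands in a session without a password,
#    and drop any password Windows stored for it.
$Winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value "0"
Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue

# 5. Verify: the everyday account must no longer be listed here.
net localgroup Administrators

# Later, from the Limited account, do maintenance without logging off by
# starting just that one program as the maintenance user, e.g.:
#   runas /user:Maint "control appwiz.cpl"
```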

In OS X, you put in a password just after installation for your admin account and the system still limits access to certain folders such as system critical folders. To change them, you need to enter your password. For totally critical items, you have to be root user. Therefore, it isn’t necessary to make a limited user account.

In Windows, I’d definitely suggest setting up a limited account, but I’m pretty sure Windows installs a lot of things into protected folders. I recall installing basic applications and when I went to find where they went, they were in a folder that Windows had made invisible as a means of protection (which you bypass by clicking the big link that says if you want to see what’s invisible). This would probably mean having to enter your password a lot or having to log in as a privileged user any time you wanted to install something, which you have to do in OS X for driver installation, for example.

My point is not about which system is more secure btw, I’m pointing out that limited access users are good in theory but systems still require you to install stuff into protected folders and it just takes one virus to be dormant in a place where it can read your password in order to cause some damage.

You’re right that limited accounts will help avoid a lot of the nasty situations so Windows users should set up a limited account as well as Linux users if they need to but I’d say that over and above that you should keep a cloned backup of your hard drive on an external drive. If you didn’t get an installer disc with your system then definitely do so. This way if a virus does cause some damage, you can restore the parts it messed up or even the entire system. No system is 100% secure to any form of data loss through a virus or just the user making a mistake so always keep a backup.

For Windows users, you can clone a drive using:

http://www.xxcopy.com/index.htm

or some others on this page:

http://navasgrp.home.att.net/tech/clone_copy.htm

For OS X users, I recommend this app:

http://www.shirt-pocket.com/SuperDuper/SuperDuperDescription.html

For Linux users, you can use the method described in the following site (this will work on OS X too):

http://www.ebruni.it/en/docs/clone_linux/t1.htm

I’ll consider this very interesting virus defense idea. It seems very powerful, but I believe that a first barrier of defense that stops viruses from getting in in the first place is better than killing them once inside. So far I haven’t had one in years (Mozilla + NoScript, no downloading weird stuff, no Kazaa or BitTorrent or any illegal downloading, good antivirus and Ad-Aware). So far my PC is clean and running great :smiley:

Thanks for sharing your idea though.

Running Gentoo and Windows XP here. And without antivirus I’ve never gotten a virus, since I’m never on Windows, and I’ve never been hacked on Gentoo since I keep my users closed with passwords or they don’t have any rights.
This concept of user protection is important even in a Linux world. Not so much for viruses, but for hackers and bots. If they can ssh into your box and download chrootkit to run a little bot… your computer is good for zombie meal. Always give root a good password.

I just did it. I’ve been meaning to for quite some time, but never got around to it. I just couldn’t bring myself to restrict my own account use.

If there were a sudo in Windows, everything would be far easier…

Can one still install things as a limited user, without having to log out, log in as the admin, and then install?

I often use: (Shift+) Right-click on the executable -> Run As. Then you can run it as an Administrator.