Get rid of "Run as administrator"

By Cosmin
in Microsoft (Windows)

 Share

Recommended Posts

Rising Star

gregrocker

Posted
Posted

The first thing I do when I install Windows is google "enable adminstrator account" then run CMD as administrator.

Then log off and log back in as Administrator.

Then go to User Accounts>Manage another Account to delete your named account.

The reason to do this when you first install is it will otherwise put your files on the desktop to redistribute, as it builds you a whole new desktop and User account as Admin.

But you will never be bothered by second guessing everything you do again. Just be sure of what you want to do.

Ignore Chicken Littles who say you are grossly compromising security. It's already been disproven and those of us who have always run as administrator never get infected because we know what we are doing.

Grand Master

devHead

Posted
Posted
The first thing I do when I install Windows is google "enable adminstrator account" then run CMD as administrator.

Ignore Chicken Littles who say you are grossly compromising security. It's already been disproven and those of us who have always run as administrator never get infected because we know what we are doing.

But Greg, this user may not know what he's doing (sorry, but the fact that he's running TuneUp Utilities in Win7 kinda shows that) and could mess something up if he did what you're suggesting as an advanced and experienced computer user. It's not a Chicken Little complex, it's just safe computing. And for some, that's what is necessary. You speak in your post of "those of us" and "we know". But that's not speaking for everyone; I dare say for most people.

Grand Master

XerXis

Posted
Posted
The first thing I do when I install Windows is google "enable adminstrator account" then run CMD as administrator.

Then log off and log back in as Administrator.

Then go to User Accounts>Manage another Account to delete your named account.

The reason to do this when you first install is it will otherwise put your files on the desktop to redistribute, as it builds you a whole new desktop and User account as Admin.

But you will never be bothered by second guessing everything you do again. Just be sure of what you want to do.

Ignore Chicken Littles who say you are grossly compromising security. It's already been disproven and those of us who have always run as administrator never get infected because we know what we are doing.

i know some people who run linux as root, they also claim they know what they are doing, we laugh at them too...

Grand Master

hdood

Posted
Posted
i know some people who run linux as root, they also claim they know what they are doing, we laugh at them too...

Can you explain why you feel the user/admin separation is so important on a single-user home computer? If we're talking about the potential to make mistakes that break the computer, then well, you really can't know whether Greg or anyone has the skill level required to not do so. Lots of people do. I know I could run it this way. There is a small chance that a program could unintentionally damage something it shouldn't have if running as admin, but I can't think of any such examples.

If we're talking about malware, then being administrator only gains the malware two things over being a user. One is the ability to infect other users, which isn't relevant here. The other is the ability to make itself harder to remove by hiding deeper in the system (which can also have stability consequences). Other than that, there's not much malware can't do running as your standard user. It already has access to everything of interest there, from your private data to the network. It also has the ability to hijack elevation requests, so that if you use UAC/sudo to elevate something while malware is running, you risk also elevating the malware anyway. The only thing that truly protects you is to not run random executables, and to have antivirus software that can block known threats before they execute.

Proficient

Grope for Luna

Posted
Posted
Or just turn off administrator approval mode and use your current account. There is nothing special about the legacy "Administrator" user. I don't know where this myth comes from.

Indeed. Everytime I hear about it I wonder if I'm missing out on something. I use regular admin-level accounts with UAC off and everything works fine.

Grand Master

hdood

Posted
Posted
When I read the topic title, I thought he wanted a way to hide/remove the "Run as Administrator" option but keep UAC on.

Hiding that option would be handy so people don't play with it ;)

Uhm... People can only play with that option if they are already administrator users. The answer is to make them standard users, in which case the default setup will instead prompt them for admin credentials (username and password). You can change it to prompt for credentials for administrator users as well, but that's rather pointless considering they just have to enter their own password.

Grand Master

markwolfe Veteran

Posted
  • Veteran
Posted
I see Mr Linux hasn't responded.

To what? Your question for why running as root is bad?

Because anything you run (Windows/Linux/whatever) should only run with normal "user" permissions. You cannot damage the system that way (just your data). And, if in the course of your daily actions, you are suddenly prompted to elevate to Admin/root, that should set off warning bells. You see, malware or even silly user errors that would overwrite system files/settings won't happen automatically.

Grand Master

hdood

Posted
Posted
Because anything you run (Windows/Linux/whatever) should only run with normal "user" permissions. You cannot damage the system that way (just your data).

Right, the stability issue is valid to some extent, but from a security perspective it's much more complicated.

And, if in the course of your daily actions, you are suddenly prompted to elevate to Admin/root, that should set off warning bells. You see, malware [...]

The problem with this is that if you managed to run something malicious as a standard user, you could never trust any UAC requests after that point. Even ones you believe to be legitimate. It is not a matter of "suddenly" being prompted. Before you dismiss this as nonsense, know that it is a demonstrated attack vector. You have no way of knowing what you are elevating. You simply cannot make an informed decision. It may be useful in preventing self-inflicted damage or to protect you some of the time, but it is not a security barrier.

I personally do use AAM, but I do not live under the illusion that it keeps me safe (I'm not saying that you do). Only antivirus software and sensible use can do that. Spreading the idea that not being admin somehow makes you "safe" (the meaning of which I've yet to see defined) is dangerous.

Grand Master

Julius Caro

Posted
Posted
, but I do not live under the illusion that it keeps me safe (I'm not saying that you do). Only antivirus software and sensible use can do that. Spreading the idea that not being admin somehow makes you "safe" (the meaning of which I've yet to see defined) is dangerous.

Well, there must be a reason why most (if not all) operating systems make it kinda difficult to use the admin account. This discussion is very late 1990s. UAC, sudo, and whatever OS X uses, are not there to stop YOU from screwing up the system (though it comes handy for those who don't know what they're doing).. It is there to stop software doing more than it should be able to, intentionally or not.

Grand Master

markwolfe Veteran

Posted
  • Veteran
Posted
Right, the stability issue is valid to some extent, but from a security perspective it's much more complicated.

The problem with this is that if you managed to run something malicious as a standard user, you could never trust any UAC requests after that point. Even ones you believe to be legitimate. It is not a matter of "suddenly" being prompted. Before you dismiss this as nonsense, know that it is a demonstrated attack vector. You have no way of knowing what you are elevating. You simply cannot make an informed decision. It may be useful in preventing self-inflicted damage or to protect you some of the time, but it is not a security barrier.

I personally do use AAM, but I do not live under the illusion that it keeps me safe (I'm not saying that you do). Only antivirus software and sensible use can do that. Spreading the idea that not being admin somehow makes you "safe" (the meaning of which I've yet to see defined) is dangerous.

No single thing makes you "safe". I agree with you on that. But not running as root makes you "safer"! An accidental mis-drag of some files won't trash my /sbin (or your /Windows/system32 or whatever).

Nothing fixes a stupid user that elevates apps he doesn't know. Well, there is ONE thing that fixes that. Remove their ability to elevate, and have a separate person as admin. ;)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.