I know a lot of you are security conscious and some of you even roll your eyes at clueless users who seldom think of security. But how many of you regularly use an account on your home or work computer (or both) that has administrative or root privileges?
Most of you KNOW that using an account with privileged access on a daily basis to create documents, read email, and surf the web, etc., is a bad idea. Perhaps you think that because you’re more security conscious and more careful that it isn’t as much of a risk for YOU.
Fooling Yourself
I think you’re fooling yourself. You know better. Just admit it, you’re as lazy as the rest of us.
Either you’ve heard about the hassle of running as a normal user, or you’ve experienced it yourself. You don’t want to type another password occasionally when you need the access to do something a normal user can’t do. (Even server and application administrators should use one account to administer and another to do their basic tasks, no?)
Some would say with Vista (and later OSes) this isn’t a major issue as Internet Explorer and other OS components automatically run at a less than admin level, regardless of the account with which you log in. First, remember that IE has a few flaws here and there, and I’d rather not bank on a browser’s security. Second, browsers are not the only attack surface, and I’d rather be running everything at a normal user level to provide myself the most protection.
Preach it Brother!
So you’re probably wondering if I practice what I preach (and you should). On my home computer, I run as a regular user, although I am called upon by family members, almost daily, to fix something. Which means entering another password, or worse yet, logging off and logging into my own admin account.
At work, I run as admin, simply because that’s how IT set me up, which is surprising, especially since I’m a consultant. I don’t like to monkey with my account for fear that it will cause issues, and I will have to explain why I changed my local permissions (although I don’t imagine the IT guys would care, I don’t want to take the chance).
On the other hand, one could argue I’m taking a bigger chance running as admin at work, but you’d have to understand the environment I’m in and the company culture. My boss wants his consultants to lay low, get their jobs done, and stay below the radar.
THINK
Notice however, a couple things: 1) running as admin bothers me, 2) I don’t run as admin at home, and 3) I reviewed the risk of running as admin at work and made a conscious decision.
Perhaps it’s time for you to think about this issue again regarding all the computers YOU touch.
Do you use an account with privileged access to do everyday tasks? Why or why not?
– – –
Update: 1/1/11
I find it interesting that since this article was posted on 3/22/10, not 1 reader has commented, “Hey, I run as a regular user at home,” or anything like that. Case closed.
Update: 9/11/13
Too many years later, and still no responses. I will shortly refer to this post in another post, so perhaps that will spark some attention. <Yawn>
Holy system bus Batman! I have the same exact scenario you do!
Stand clear, Robin!