Malware and administrative rights

For about a year I have been telling a story to highlight how users running as administrators are much more likely to get malware installed on their systems than users who run as normal users. The story is actually in Protect Your Windows Network if you wanted to see it. The conclusion was that if you let your users run as admins, prepare to spend a lot of time removing malware from their systems.

Recently eWeek did some empirical testing on that type of claim. Their results are presented at,1217,a=166172,00.asp. Basically, they verified the same thing we already know: no persistent malware showed up on the system where the user was not an administrator (note that I consider Power User privileges to be functionally equivalent to Administrators but eWeek separated the two).

It is really interesting reading. Take a look at it.

Comments (6)

  1. Anonymous says:

    One of the reasons that people kick and scream about Vista is that they have been "ADMIN" for

  2. Anonymous says:

    <duh duh da da duh duh music playing in the background> Your job, Mr. Phelps is to devise a way

  3. Anonymous says:

    One of the reasons that people kick and scream about Vista is that they have been "ADMIN" for

  4. adminusr says:

    OK, I hear this again and again, but nowhere do I see anyone explaining how to move from an admin user to a non-admin user.

    A step-by-step guide that explains how, and all the possible gotchas.

    I run my home computer with just one account that has admin rights, no password. I am on DSL; my computer is always on. I have a personal firewall, antivirus, and antispyware all running and protecting me. I have XP SP2 with its autoupdate on. I run Firefox. I get zero, that's right, zero malware. Still, let's say I want to move to a non-admin user. Where is the guide? What happens to all my software?

    I guess a little guidance will go a long way toward making security advisors' dream a reality.


  5. Aron Roberts says:

    The following ZDNet blog entry mentions that Windows Vista’s User Access Protections (UAS) promises to make running Windows as a non-admin user much easier, and provides a link to an article on how – until then – you can make web surfing and email reading safer when running as an Admin user under Windows XP:

    Quoting from that blog entry:
    "The best thing we can do is to make sure we’re not running Windows as an Administrator no matter which browser we use. This may be a little hard before Windows Vista UAP arrives because some applications break in user-mode, but even then there are alternatives like DropMyRights that allow you to individually neuter applications even when you’re running as an Administrator. Keep in mind that non-administrative mode only reduces the security issues so it’s no substitute for staying up to date with security patches."

  6. Aron Roberts says:

    One other potential approach to make operating as a non-admin user in Windows somewhat less painful:

    "It is good practice for administrators to use an account with restrictive permissions to perform routine, non-administrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To accomplish this without logging off and back on, log on with a regular user account and use the runas command to run the tools that require the broader permissions. …"

    And now the jackpot: Aaron Margosis’ blog entries offer a large number of resources on this topic, not only regarding RunAs but also a "MakeMeAdmin" script, Fast User Switching, the PrivBar toolbar (also highly recommended by Jesper), and many more tools and techniques for running as a non-admin user in Windows 2000 and XP:

    I’m only a casual and rare user of Windows, but solely from casual observation these suggestions appear to be well considered and clearly written. Under Mac OS X, it’s relatively painless to routinely work as a non-admin user, and Fast User Switching, sudo (in shells), and the Pseudo shareware app pretty much facilitate the occasional needs for admin-level access that aren’t already handled by OS X’s built-in equivalent to Vista’s UAP (typo’d as "UAS" in my post above).
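The move that comment 4 asks for and the runas pattern that comment 6 quotes, written out as an added example (not code from the post or from any of the commenters). It assumes Windows PowerShell 5.1 on a stand-alone machine; the account names are placeholders.

```powershell
# Added example, not from the original post. Placeholder names throughout.

# 1. Check which token this shell actually holds before changing anything.
function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
"Running as admin: $(Test-IsAdmin)"

# 2. (Run once, from an admin shell.) Create a separate standard account for
#    daily use rather than stripping rights from the one account that owns all
#    the installed software profiles. 'dailyuser' is a placeholder.
$daily = 'dailyuser'
if (-not (Get-LocalUser -Name $daily -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $daily"
    New-LocalUser -Name $daily -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $daily
}

# Sanity check: the daily account must be in neither Administrators nor
# Power Users, which the post treats as functionally equivalent to admin.
foreach ($g in 'Administrators', 'Power Users') {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name
    if ($members -match "\\$daily$") { Write-Warning "$daily is a member of $g" }
}

# 3. Logged on as the standard account, launch only the admin tool under admin
#    credentials; browser and mail keep the restricted token. Gotcha from
#    comment 4's setup: the admin account needs a non-blank password, because
#    the default policy limits blank-password accounts to console logon, so
#    runas-style logons fail for them.
$admin = "$env:COMPUTERNAME\Administrator"   # placeholder admin account
Start-Process -FilePath 'mmc.exe' -ArgumentList 'compmgmt.msc' `
    -Credential (Get-Credential -UserName $admin -Message 'Admin task')

# Same thing from cmd.exe, as comment 6 describes:
#   runas /user:%COMPUTERNAME%\Administrator "mmc compmgmt.msc"
```

On Vista and later, runas against an admin account other than the built-in Administrator yields that account's UAC-filtered token, so a tool that needs full rights must still be elevated from there.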