Who is Admin and Why is he such a Bad Guy?

There are many steps one may take to secure a brand new computer after purchase. An individual may buy into the retail store's upsell of a security software suite (anti-virus/firewall), or purchase extended service warranties to have their machine 'cleaned' when needed. They could also make sure their shiny new computer is properly configured to install updates automatically. However, the number one thing that could and SHOULD be done to protect your computer right after purchase is NEVER performed. Not even installing security patches and anti-virus is more secure than this one initial step.


And then use that account and only that account. Most everyone walks out of the store with their new computer, powers it on, and configures a username and maybe a password for the one primary account on the computer -- ADMIN (or for those Linux/Unix folks out there -- ROOT). They may configure a kids' account name and possibly a password, but 9 out of 10 times that account is also assigned the highest privileges. AND THAT IS A BIG NO-NO! The store, when 'configuring' your computer and installing all their bloatware/crapware, never configures this for you or tells you: "Hey. It is a really good idea to create an account that doesn't have administrative rights over your entire operating system." They do that by design because they know you will be coming back requiring their services.

So here is what to do and WHY. First you need to stop operating your computer with administrative rights. The only time you ever need to be working as an administrator is when you need to install/uninstall software, make operating system changes, and possibly create additional user accounts. Everything you regularly do on your computer can be done with a general user account.

Now don't jump to the steps to make the account just yet. I want to give a quick explanation of why and make sure you transition with as little headache as possible. The reason for doing this is very simple: everything you do on your computer, every program you run, every website you access runs with the highest privileges of the user currently logged in. Now think about what kind of power you are giving those popups when browsing the internet or downloading a file from a link someone sent you. That file or window has the same rights as you do and can act on your behalf, installing malicious software in the background. You will never know it is happening.

This no longer applies only to Windows!

Apple computers (Macs) are becoming increasingly vulnerable to these types of issues, and no computer is immune to watering hole attacks, phishing email scams or trojan software installations. The men and women over at AVECTO do Windows privilege management and recently did a study of Microsoft's 2013 Patch Tuesday security bulletins. They came up with some very interesting numbers on how simply operating as a user instead of an administrator can protect you better than installing the security patches released. Again, bear in mind that though this study reflects Windows patches, all operating systems function in a similar manner.

What the AVECTO Study found (study found here):

  • there were 147 vulnerabilities published during 2013 with a critical rating
  • 92% of those critical vulnerabilities would be mitigated by removing admin rights alone
  • 96% of those vulnerabilities which affected the Windows OS were mitigated by removing admin rights
  • 100% of the vulnerabilities affecting IE were mitigated by removing admin rights
  • 91% of vulnerabilities affecting Microsoft Office were mitigated by removing admin rights

And if that doesn't convince you, AVECTO published 5 Reasons to Keep Admin Rights off your PC

Now you can't actually "keep admin rights off your pc." Admin is still required for some functions. So here are the steps to get your computer safely configured as painlessly as possible.

  1. Whether you are a Windows user or a Mac user, create a new user account and make sure it has administrative rights. (click Windows or Mac links for instructions on creating new accounts)
  2. Assign a STRONG password to the account for obvious security reasons. Only give the password to individuals you want to be able to install software on the computer. This will help control what other family members install or access on your computer.
  3. Then, once you have created the new account, log out of the account you are currently on, and log in with the new admin account you created.
  4. Follow the previous steps to get where you created the account, but this time modify your old account to take away administrative rights. This will allow you to keep all your data and account information configured the way it was but still secure the account.
  5. While you are logged on as admin at this time you may want to consider creating individual user accounts for other family members.
  6. Once complete, reboot your computer to make sure all the permissions are assigned correctly. This is a requirement on Mac computers.
  7. And there you go. In the future, if you want to install software, you do not need to log on as the admin account. I recommend you never log on to the admin account if you don't have to. When you start to install software on Windows 7 or greater and Mac OS X, you will be prompted for an administrative user and password to complete the task. NEVER ENTER YOUR ADMIN USERNAME AND PASSWORD UNSOLICITED. If you are being asked to enter admin rights and you are not purposefully performing an admin task, do not give the task permission to run.
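
On Windows 10 or later, steps 1, 2 and 4 can also be done from an elevated PowerShell prompt using the built-in local account cmdlets. This is an added example, not part of the original post; the account names `pcadmin` and `dailyuser` are placeholders to replace with your own, and the script refuses to demote your everyday account unless another enabled administrator exists.

```powershell
#Requires -RunAsAdministrator
# Placeholder account names (assumptions, not from the post): change both.
$NewAdmin  = 'pcadmin'     # new account used only for admin tasks
$DailyUser = 'dailyuser'   # the existing account you use every day

# Look up the built-in groups by well-known SID, so this also works on
# Windows installs where the group names are localized.
$Admins = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators
$Users  = Get-LocalGroup -SID 'S-1-5-32-545'   # Users

function Test-Member($Group, $Account) {
    # True if $Account is a direct member of $Group (compared by SID).
    $sids = Get-LocalGroupMember -Group $Group | ForEach-Object { $_.SID.Value }
    return $sids -contains $Account.SID.Value
}

# Steps 1-2: create the admin account; the password is typed at a prompt
# so it never appears in the script or in command history.
$admin = Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue
if (-not $admin) {
    $pw = Read-Host -AsSecureString "Strong password for $NewAdmin"
    $admin = New-LocalUser -Name $NewAdmin -Password $pw -Description 'Admin tasks only'
}
if (-not (Test-Member $Admins $admin)) {
    Add-LocalGroupMember -Group $Admins -Member $admin
}

# Step 4: demote the daily account, but only if another enabled local
# administrator exists, so the PC is never left without a usable admin.
$daily = Get-LocalUser -Name $DailyUser -ErrorAction Stop
$otherAdmins = Get-LocalGroupMember -Group $Admins | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and
    $_.SID.Value -ne $daily.SID.Value -and (Get-LocalUser -SID $_.SID).Enabled
}
if (-not $otherAdmins) { throw "No other enabled administrator; $DailyUser left unchanged." }

if (-not (Test-Member $Users $daily)) {
    Add-LocalGroupMember -Group $Users -Member $daily   # keep normal sign-in rights
}
if (Test-Member $Admins $daily) {
    Remove-LocalGroupMember -Group $Admins -Member $daily
}

# Show who can still administer the machine; the demotion applies to
# $DailyUser at its next sign-in.
Get-LocalGroupMember -Group $Admins | Select-Object Name, PrincipalSource
```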

Now that you have a user account configured to not run whatever your computer wants on your behalf, you can rest a bit easier knowing that you are far less likely to become a victim of random malware being installed on your computer. You must still always be cautious of the links you click on and the webpages you visit.

If you have any questions, please do not hesitate to post a comment or contact us. Happy Computing!

Ross Wickman

Husband, Father, and owner @TactfulCloud. I help people better understand technology on the http://TechnicallyLivingPodcast.com . Not to mention a http://BusHitMyHouse.com