To Make Windows 7 Safer: Remove Admin Rights

Status
Not open for further replies.
Even XP will be safer if the user has no admin rights; the problem is most software requires admin rights to run. M$ must have done something about this a long time ago, advising software developers to create software which will run even with limited rights.
 
[citation][nom]saint19[/nom]In other words, don't disable the UAC.[/citation]
Running with UAC on and admin turned off?
No way in hell will that ever happen bud. I like to be able to use my OS.
[citation][nom]JohnnyLucky[/nom]Nothing new. Friends of mine have restricted access on the PCs where they work. It's been that way for a long time.[/citation]
I'd bring my own PC to work. If they said no, I'd run their PC and my laptop side by side, doing all work on the laptop and just transferring whatever data I need...
 
This would be effective for companies, especially with those employees that have limited knowledge of PCs. As for me, it would affect my productivity as it would be annoying and frustrating to not be able to control my PC of my own accord.
 
Wait ... stop, seriously STOP.

Securing elevated privileges is the FIRST thing any competent systems administrator does. You NEVER EVER EVER do day-to-day business / work / operations with an account that holds elevated privileges. Instead you use a "normal" user account to do everything, browse internet / check email / play games, and only log in with "administrative rights" to update drivers / install software. Heck this goes right up there with renaming the local administrator account and disabling the local guest account. Ohh and f*ck UAC, it's just Windows' method of attempting to do sudo. My view is that if your account doesn't have rights to do it, then do NOT do it with that account. Instead log in with the admin account and install / update whatever it is you were doing, then log the f*ck out.

If someone can not do this, then they deserve to be attacked by malware.

Really ... doesn't anyone read DISA STIGs anymore...
 
Admin right refers to other user accounts, but if you are the owner of the machine you will need to keep it enabled; otherwise you can't do anything other than just turn the machine on and surf the web, lol
 
[citation][nom]palladin9479[/nom]Wait ... stop, seriously STOP. Securing elevated privileges is the FIRST thing any competent systems administrator does. You NEVER EVER EVER do day-to-day business / work / operations with an account that holds elevated privileges. Instead you use a "normal" user account to do everything, browse internet / check email / play games, and only log in with "administrative rights" to update drivers / install software. Heck this goes right up there with renaming the local administrator account and disabling the local guest account. Ohh and f*ck UAC, it's just Windows' method of attempting to do sudo. My view is that if your account doesn't have rights to do it, then do NOT do it with that account. Instead log in with the admin account and install / update whatever it is you were doing, then log the f*ck out. If someone can not do this, then they deserve to be attacked by malware. Really ... doesn't anyone read DISA STIGs anymore...[/citation]
Not everyone intends to be switching accounts 20 times a day. I am constantly making changes, thus the choice for me is to use admin rights for day to day use.
Last I checked, the only way someone illicitly got to my banking info was the old fashioned way. Not involving a computer at all.
Now if you'll excuse me, I'm going to do a driver update, without logging off.
 

That's why any decent OS has this amazing new technology called elevation of privileges. Even administrators don't need to run with administrator privileges all the time, and should either use a limited access account or run with lowered privileges by default.

No user should run with higher privileges than they need. It's security 101 and MS didn't learn it until they developed Vista (recall that the default XP account is Admin). Sadly, their implementation of elevation (UAC) is poor. A password should be required so that if the computer "administrator" is logged in a random family member can't come along and elevate themselves so that they can install software. UAC is a step in the right direction, but only in concept.
 
@anamaniac: your logic baffles me.

Updating the driver requires a reboot, so you actually need to log off anyway - what does running with scissors - er, running as admin save you from?

On another note, software certified 'designed for Windows XP' entails that it must be tested to be perfectly and completely usable on a simple user account, except for software that requires admin rights for admin jobs - which must warn the user at start time.

Current games, for example, can perfectly be installed as an admin and played as a limited rights user.

Moreover, bringing your own machine to work and storing company data on it could be considered data theft. As far as I know, this is liable to have your contract terminated, you prosecuted and put in jail with a heavy fine.

And that would be perfectly normal, even outside the brain-dead US legal system.

@hollowtek: UAC is a bit more than sudo. It is more a combination of sudo (which allows a user limited rights escalation) and the POSIX user rights system, which allows a user to access a process that doesn't run in its user space (provided the user identified correctly). It is a good idea, done in the best way one can think of.

It is, however, due to its after-the-fact implementation, a heavy drain on resources (UAC actually has to control a software's influence and monitor any attempt by the process to do stuff outside a normal user's parameter range), that's why disabling UAC on Vista/7 is annoying - because the Linux way (opening a terminal, running su to become root, starting an app in the root space, doing whatever, then closing it, the whole thing without leaving your user session screen) is rather hard to emulate in Windows: you need at the very least to switch session with fast user switching, which is slow, prevents stuff such as the clipboard from working, and doesn't allow you to have, say, a user-mode web browser window open and an admin-mode app open at its side to administer your system.

So yes, UAC is useful. No, running as a normal user when you spend a lot of time doing REAL admin work is impractical.

What it comes down to.

- if you typically spend your time doing 'normal' user stuff: browsing, chatting, gaming, office work, then you can shut down UAC and set up a password-protected account and a normal user account. That will save 5-20% CPU time and 100 Mb of RAM. Just remember to sometimes log in as admin, do all your software updates and system management and you're done.

- if you typically do admin stuff on your machine (you're a software developer): keep default settings. I'd recommend increasing UAC levels to max in 7, to replicate what Vista does (which is, actually, more secure than 7 by default).
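
The settings argued over in this thread (whether the daily account is an administrator, and whether elevation asks for a password or only a click) can be read straight from a machine. The PowerShell below is an added example, not part of any post; it assumes the standard UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and only reads them.

```powershell
# Added example (not from the thread): read-only audit of elevation and UAC policy.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Is this process running with a full administrator token right now?
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# BUILTIN\Administrators (S-1-5-32-544) is listed by whoami even when UAC has
# filtered it to deny-only, so this detects an admin account that is not elevated.
$isAdminAccount = [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544')

# Meaning of ConsentPromptBehaviorAdmin (prompt shown to administrators).
$adminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop (Always notify)'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (Windows 7 default)'
}
$mode = [int]$uac.ConsentPromptBehaviorAdmin

$findings = @()
if ($isAdminAccount) {
    $findings += 'Logged-on account is in Administrators; use a standard account for daily work.'
}
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA=0): administrator accounts always hold a full token.'
} elseif ($mode -eq 0) {
    $findings += 'Administrators are elevated silently, with no prompt at all.'
} elseif (1, 3 -notcontains $mode) {
    $findings += 'Elevation needs a click, not a password; anyone at an unlocked admin session can elevate.'
}

New-Object PSObject -Property @{
    User           = $id.Name
    Elevated       = $elevated
    IsAdminAccount = $isAdminAccount
    AdminPrompt    = $adminPrompt[$mode]
    SecureDesktop  = ($uac.PromptOnSecureDesktop -eq 1)
    Findings       = $findings
} | Format-List
```

An empty `Findings` list means a standard account with UAC on; `AdminPrompt` values 1 or 3 correspond to the password-on-elevation behaviour asked for earlier in the thread.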
 
Nice to know I'm doing the right thing. I'm always browsing and downloading with a limited user account. I only use the admin account to install software or to play games, but never use it to connect to the internet.
 
I've had problems running games installed as the admin when I'm logged in as a limited user. But, then again, I don't game while connected to the internet.
 
Best practice is to use a normal user account and use the 'run as administrator' option for those applications that require it. Heck, in Vista at least you even need to use run as when logged into an administrator account half the time, so how different would it really be. Most of us here know better than to visit sketchy sites/open strange emails anyway, but for the majority of 'users' out there, they should certainly not be using an admin account for day-to-day operations. UAC's effectiveness relies on the user being prompted to understand what they're doing, but most users don't read warnings, they just click whatever they have to so it goes away, and continue on their merry way/downward spiral.
 
[citation][nom]anamaniac[/nom]I'd bring my own PC to work. If they said no, I'd run their PC and my laptop side by side, doing all work on the laptop and just transferring whatever data I need...[/citation]
Yea cause outright defiance at work is such a GREAT idea, you work with the tools they give you, the PCs they use should be enough to do your job and that is it. Those PCs are not for you to surf on or check your Facebook, they are company property and that is what they are for, company work, I am sure completely ignoring what you are told at work will be reasons for termination. Have fun looking for a job if you do that.
 
and in other news :


"Steve Jobs announces Mac safer than PC, all you have to do is not ever turn your Mac on, and it will remain free of any problems, period. Can Windows say that?"
 
UAC is the least useful thing I've ever been into! I tried to back up my HDD by connecting it to a Vista based system. Vista capped the max amount I could transfer at a time to about 60GB, UAC interrupted and denied me for every file I tried to transfer (I got no words for how annoying that is when you have to transfer several thousand files). At the end I thought I found how to kill that sh*t, but no, it didn't work even though I did it right by the manual.

I don't understand how this possibly could make the system safer?! It interrupts almost every single action taken. I tried to replace a corrupt file in the System folder, but no, it wouldn't let me do that either.
I'd rather rely on good up-to-date antivirus software.
 
I agree with PaTrond. UAC is the most annoying hindrance in both Vista and Win7. It constantly freaking asks you if you're sure you want to do something. I mean, c'mon. I can't install drivers, can't copy files, can't delete useless folders, can't modify user preferences, can't get my games to work online through the firewall. It is absurd. Basically, it's like shooting yourself in the foot every single day so that you don't get shot in the face once.

Why the heck can't web browsers make web browsing bulletproof? 99% of viruses and trojans are not transmitted online. I wouldn't mind so much having UAC limited only to web browsing and not everything else I do with my machine.
 