Administrative Rights (Windows)

Posted by

Now I have a piece of advice that is old in the tech biz.  I realize everyone wants to be in control as an administrator of their machine, and popups or notifications to allow something to continue can be a delay that is frustrating.  However you may not have realized by bypassing all the notifications, and giving yourself Godly rights to your machine, you are also opening yourself to an immediate takeover.

You should not be an administrator!

“What are you talking about?  Of course I should be an admin of my own machine!!” 

I’m not talking about locking you out of your own machine.  Actually, I am talking about limiting what your logon can do, and still have an admin logon to approve anything that wants to change your computer settings.

You can still allow anything by creating a separate Administrator logon.  That means anything that wants to modify your operating system files in any way requires you to type in credentials.  Yes that is an extra step, but here is why that is a good thing.  By taking away the admin rights on your main logon, you prevent anything from taking over by starting at your administrator level of control without you even being aware.

In a business, there is a good reason not to have users as local admins.  If you allow everyone to be an admin, they can cause a lot of unnecessary support intentionally or unintentionally installing software on the workstation.  They have the instant ability to change the design of the workstation, upgrade or install unapproved software.  This leads to the “one off” workstation or user that is needing additional support because the system is no longer functioning like the rest of the team, or functioning at all.

If you are an admin on your machine, and you go to a malicious website, you are in fact allowing that website to potentially do something as an admin because you are opening it as an admin.  Hopefully you understand the risk there, especially if something like that has hosed your operating system.

Hopefully this has opened your eyes a little.  For those that get it and would just like to know how to protect themselves from this overly easy way of access to your content, here is what you need to do.

  1. You start by creating an Administrator.  I recommend using Computer Management, create an Admin user by creating the local user account and adding to the Administrators Group.  Yes there are even more ways to create and modify users using command lines, Settings, and Control Panel.  Congrats you know it all, now why are you still an admin? (heavy sarcasm here)
  2. Finally, you remove your admin rights from your main logon.  I prefer to use Computer Management to do this, as all you need to do is remove yourself from the Administrators Group.  Now I am not giving deep instructions here, but if you would like a little video on one way to accomplish this, here is one from MICROSOFT.

Keep in mind, you are strengthening your defense here.  That is really the point to removing your admin rights.  Nothing can perform an admin function without your explicit permission as you have to type in the admin username and password to continue that action.

Hope this helps!



One comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s