My 2/17/08 Missoulian column
Last week I advised that you shouldn’t install any software on your PC unless you know exactly where it’s from, and to keep your antivirus and system updates current to prevent Web site trojans and e-mailed spyware from installing themselves. But there is a way to keep malware from getting a toehold on your PC, and it all comes down to limiting access to the inner workings of your computer system.
Chances are good that you are giving too much access to your your PC every time you use it. Access to whom? To a million or more hackers sending trojans and spyware. You wouldn’t give someone the keys to the car, your bank account number, access to your e-mail and everything else, right? Why give hackers out there potential access to your PC?
How do people and their malware get access to a PC? By you, the user, doing your day-to-day work – Web browsing, e-mail, etc. – with an administrator account. What’s that? That’s a perfectly understandable question, because computer manufacturers want to make things easy for users (doesn’t always seem like that, does it?) and when you start up a new computer and type in a new login name and password, you get an administrative account that lets you install software and do everything else you need. And then you forget about having that kind of account, and the operating system isn’t going to remind you.
User accounts on all computers – both Windows and Apple Macs – have the capability for different privileges and different levels of users. An administrative account can do anything: install software, delete files, etc. But an account that has less than administrative privileges can still use the computer; that kind of account just isn’t privileged to install software and doesn’t allow access to the real guts of the computer. That’s the key here: access and privileges.
Privileges on a computer are like keys to the front door of your house. When you install a program, you give it the key to your front door and it gets access by unlocking the door and making itself at home. An administrative account owns the house and has a master key that opens any door in the house. A user account with less privileges can only open the front door and can’t get to the fridge or the gun closet. If you run in an account with less than administrative privileges, malware that knocks on your door can’t get a key to the lock, no matter how many times it asks the computer.
That’s why many security experts stress day-to-day use of limited accounts, and many IT managers in businesses and organizations require all their PCs to run under limited rights, as trojans and viruses, given the chance can spread like fire in a business network.
So what you do is this: run an administrative account, but don’t use it for day-to-day work. Login to the admin account to install software, then logout and go to work in a lower level account with less privileges.
On Windows, checking to see what kind of accounts you have and setting up other accounts is fairly easy. The best thing to do is go to the source – Microsoft – and read the instructions. Running a limited account is different in Windows XP Home and Pro editions, so investigate before you start. Windows Vista is different still.
When you run Windows under a limited user account, you can set your anti-virus and Windows updates to run automatically in the administrative account while you use a lower-level account for day-to-day work. That way your system gets updated without you having to log back into the administrative account.
If you use Apple, good news: running a limited account on a Mac is very easy. This is because OS X is based on a multiuser system called UNIX that has been in use for many years. All versions of OS X can be set up with a new account in the Accounts Preference Pane, where you can check to see what kind of account you already have. Check the box if you want to give any account administrative privileges. Logout and then when you login, you’ll see a screen with a list of all available accounts. If you want to learn more, go to the Apple OS X Support page and select your OS X version.
The other good news for Apple owners is that there are very few active trojans circulating for Macs, so a limited account isn’t quite as important as Windows. But still be aware of anytime you are asked for your administrative password: that’s the indication you’re about to install software, so be sure you know where it’s from.
There’s another benefit to using different accounts on Windows or Apple: you can give accounts to other family members and when they login to their own account, they can change the desktop pattern, the screen saver, have their own e-mail accounts and settings, and on and on. And when they logout and you login, everything goes back to where you want it. As the holder of the administrative account, you have final control of everything on the computer, so be sure the password to the administrative account isn’t something easy like your dog’s name, or someone will guess it and go about changing things they shouldn’t.
Next week: How not to get hooked by phishing scams