Over the past year, most customers have not been fired up about one proven security measure I grew to appreciate in my Unix days: user versus root accounts.
In XP, the equivalents are “Limited” and “Computer Administrator”.
For decades Unix has had these two basic levels because, like most things in life, one person sets something up and the rest of us use it:
- contractor - homeowner
- network administrator - employee
Contractors and network admins can tear down, reboot, rebuild, install - do as they need. And just like we can mis-measure something to be cut (remember measure twice, cut once?), we can delete/uninstall something by accident and cause ourselves a headache, or at least lose time.
Thieves - viruses - that get the contractor’s keys or the network admin’s password can go in and wreck/steal/destroy our work.
Employees/limited users, on the other hand, can only do what they are given access to: use the facilities. If their keys are taken, or their level of access is compromised by a virus, the thief or virus can only do damage to what that user has access to…
It’s one reason viruses were not a problem on Unix systems - only a few users had admin privileges, so only those few could damage the computer. The other hundreds/thousands of users did just that - use the computers. This separation has worked for decades, and the lack of it is the reason Windows was not really secure for most of us until XP came along.
So, with that background, let’s look at XP Limited versus Computer Administrator account access in general:
Limited:
- Use the computer
- Run programs
- Save files
Computer Administrator - all the above plus:
- Add/remove programs
- Add/remove hardware
- Add/remove users
- Configure network, hard disk, memory, anything!
As you can see, the limited user is appropriately named. The good part is that if a limited user launches some spyware or a virus by accident, the damage is typically limited - contained to that user’s home folder. I say typically because some viruses do lots of damage in other ways, like mass spamming.
Now, suppose the same user instead had Computer Administrator rights - the damage is not contained or limited - it could harm the entire system. The criminal - the virus - has access to anything and everything. I have seen systems loaded with spyware and subsequently sluggish because nephews/nieces downloaded a tropical fish screensaver from a seemingly friendly but diabolical website.
On my home system, I run Outlook, Internet Explorer and anything -not- system related in a limited account. For admin tasks like installing a printer or removing a seldom-used program, I switch to a Computer Administrator type of account.
It’s a hassle, but the payoff is time saved. I can rest assured that when other family/friends/kids use my computer with Limited accounts, they won’t and cannot change or install anything without talking to me first. The time saved there is my pay.





