
To Make Windows 7 Safer: Remove Admin Rights

by - source: Tom's Hardware US

Windows 7 is hard to hack if the user account doesn't have administrator rights.

Windows 7 is the safest and most secure desktop operating system from Microsoft yet, but it's still not impervious to attacks. According to IT solutions firm BeyondTrust, however, 90 percent of critical Windows 7 vulnerabilities can be mitigated by removing administrator rights from Windows users.

Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

  • 90 percent of critical Windows 7 vulnerabilities reported to date
  • 100 percent of Microsoft Office vulnerabilities reported in 2009
  • 94 percent of Internet Explorer and 100 percent of Internet Explorer 8 vulnerabilities reported in 2009
  • 64 percent of all Microsoft vulnerabilities reported in 2009

The findings aren't earth-shattering by any stretch of the imagination. Even Microsoft shares this best-practice advice in the "Mitigating Factors" portion of its security bulletins: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

While most readers of Tom's Hardware may prefer to operate in their Windows 7 environment with admin rights, those in charge of computers for a group or enterprise should without a doubt configure user accounts without administrative rights.
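
One way to check a single machine against this recommendation, as an added example that is not from the article or the BeyondTrust report: it lists who holds local administrator rights and whether the current session is elevated. The `$Allowed` list is a hypothetical allow-list, and the script only reports; it changes nothing.

```powershell
# Added example: audit who holds local administrator rights on this machine.
# $Allowed is a hypothetical allow-list; replace it with your own accounts.
$Allowed = @('Administrator', 'Domain Admins')

# Resolve the built-in Administrators group by its well-known SID so the
# script also works on localized Windows installs.
$sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$group = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate members through ADSI (works with the PowerShell 2.0 shipped in Windows 7).
$adsi    = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
$members = @($adsi.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Anything not on the allow-list is a candidate for demotion to a standard user.
$unexpected = $members | Where-Object { $Allowed -notcontains $_ }

# Check whether the current session's token is itself elevated.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

"Local '$group' members  : $($members -join ', ')"
"Current session elevated: $elevated"
if ($unexpected) {
    "Review these accounts   : $($unexpected -join ', ')"
} else {
    "No unexpected administrators found."
}
```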

Read more about the report at Ars Technica.

Comments
saint19 04/02/2010 2:49 AM
-12+

In other words, don't disable the UAC.

XD_dued 04/02/2010 2:56 AM
-12+

So instead of malware disabling the abilities of my computer, I should disable them?

Rancifer7 04/02/2010 3:22 AM
-4+

As long as the affected users aren't installing things, or editing certain types of files, it's fine...

jhansonxi 04/02/2010 3:50 AM
-4+

Yet another recommendation from the blatantly obvious IT security practices department.

digiex 04/02/2010 4:10 AM
-4+

Even XP will be safer if the user has no admin rights; the problem is most software requires admin rights to run. M$ must have done something about this a long time ago, advising software developers to create software which will run even with limited rights.

Anonymous 04/02/2010 4:19 AM
-17+

wait i thought this was a no brainer...

Regulas 04/02/2010 4:33 AM
-1+

Trying to catch up with Linux, Ubuntu uses the sudo command to gain access. That's what it seems like to me.

JohnnyLucky 04/02/2010 5:09 AM
-1+

Nothing new. Friends of mine have restricted access on the PCs where they work. It's been that way for a long time.

anamaniac 04/02/2010 8:33 AM
-0+

saint19 :
In other words, don't disable the UAC.


Running with UAC on and admin turned off?
No way in hell will that ever happen bud. I like to be able to use my OS.
JohnnyLucky :
Nothing new. Friends of mine have restricted access on the PCs where they work. It's been that way for a long time.


I'd bring my own PC to work. If they said no, I'd run their PC and my laptop side by side, doing all work on the laptop and just transferring whatever data I need...

masterjaw 04/02/2010 8:45 AM
-2+

This would be effective for companies, especially with those employees that have limited knowledge of PCs. As for me, it would affect my productivity as it would be annoying and frustrating to not be able to control my PC of my own accord.

palladin9479 04/02/2010 8:58 AM
-1+

Wait ... stop, seriously STOP.

Securing elevated privileges is the FIRST thing any competent systems administrator does. You NEVER EVER EVER do day-to-day business / work / operations with an account that holds elevated privileges. Instead you use a "normal" user account to do everything, browse internet / check email / play games, and only log in with "administrative rights" to update drivers / install software. Heck, this goes right up there with renaming the local administrator account and disabling the local guest account. Ohh and f*ck UAC, it's just Windows' method of attempting to do sudo. My view is that if your account doesn't have rights to do it, then do NOT do it with that account. Instead log in with the admin account and install / update whatever it is you were doing, then log the f*ck out.

If someone can not do this, then they deserve to be attacked by malware.

Really ... doesn't anyone read DISA STIGS anymore...

nebun 04/02/2010 9:03 AM
-1+

admin right refers to other user account, but if you are the owner of the machine you will need to keep it enabled, otherwise you can't do anything other than just turn the machine on and surf the web, lol

anamaniac 04/02/2010 9:27 AM
-5+

palladin9479 :
Wait ... stop, seriously STOP. Securing elevated privileges is the FIRST thing any competent systems administrator does. You NEVER EVER EVER do day-to-day business / work / operations with an account that holds elevated privileges. Instead you use a "normal" user account to do everything, browse internet / check email / play games, and only log in with "administrative rights" to update drivers / install software. Heck, this goes right up there with renaming the local administrator account and disabling the local guest account. Ohh and f*ck UAC, it's just Windows' method of attempting to do sudo. My view is that if your account doesn't have rights to do it, then do NOT do it with that account. Instead log in with the admin account and install / update whatever it is you were doing, then log the f*ck out. If someone can not do this, then they deserve to be attacked by malware. Really ... doesn't anyone read DISA STIGS anymore...


Not everyone intends to be switching accounts 20 times a day. I am constantly making changes, thus the choice for me is to use admin rights for day to day use.
Last I checked, the only way someone illicitly got to my banking info was the old fashioned way. Not involving a computer at all.
Now if you excuse me, I'm going to do a driver update, without logging off.

randomizer 04/02/2010 9:58 AM
-0+

nebun wrote :

admin right refers to other user account, but if you are the owner of the machine you will need to keep it enabled, otherwise you can't do anything other than just turn the machine on and surf the web, lol



That's why any decent OS has this amazing new technology called elevation of privileges. Even administrators don't need to run with administrator privileges all the time, and should either use a limited access account or run with lowered privileges by default.

No user should run with higher privileges than they need. It's security 101 and MS didn't learn it until they developed Vista (recall that the default XP account is Admin). Sadly, their implementation of elevation (UAC) is poor. A password should be required so that if the computer "administrator" is logged in a random family member can't come along and elevate themselves so that they can install software. UAC is a step in the right direction, but only in concept.

mitch074 04/02/2010 11:40 AM
-0+

@anamaniac: your logic baffles me.

Updating the driver requires a reboot, so you actually need to log off anyway - what does running with scissors - er, running as admin - save you from?

On another note, software certified 'designed for Windows XP' entails that it must be tested to be perfectly and completely usable on a simple user account, except for software that requires admin rights for admin jobs - which must warn the user at start time.

Current games, for example, can perfectly be installed as an admin and played as a limited rights user.

Moreover, bringing your own machine to work and storing company data on it could be considered data theft. As far as I know, this is liable to have your contract terminated, you prosecuted and put in jail with a heavy fine.

And that would be perfectly normal, even outside the brain-dead US legal system.

@hollowtek: UAC is a bit more than sudo. It is more a combination of sudo (which allows a user limited rights escalation) and the POSIX user rights system, which allows a user to access a process that doesn't run in its user space (provided the user identified correctly). It is a good idea, done in the best way one can think of.

It is, however, due to its after-the-fact implementation, a heavy drain on resources (UAC actually has to control a software's influence and monitor any attempt by the process to do stuff outside a normal user's parameter range), that's why disabling UAC on Vista/7 is annoying - because the Linux way (opening a terminal, running su to become root, start an app in the root space, do whatever, then close it, the whole thing without leaving your user session screen) is rather hard to emulate in Windows: you need at the very least to switch session with fast user switching, which is slow, prevents stuff such as the clipboard from working, and doesn't allow you to have, say, a user-mode web browser window open and an admin-mode app open at its side to administer your system.

So yes, UAC is useful. No, running as a normal user when you spend a lot of time doing REAL admin work is impractical.

What it comes down to.

- if you typically spend your time doing 'normal' user stuff: browsing, chatting, gaming, office work, then you can shut down UAC and set up a password-protected account and a normal user account. That will save 5-20% CPU time and 100 Mb of RAM. Just remember to sometimes log in as admin, do all your software updates and system management and you're done.

- if you typically do admin stuff on your machine (you're a software developer): keep default settings. I'd recommend increasing UAC levels to max in 7, to replicate what Vista does (which is, actually, more secure than 7 by default).

spanspace 04/02/2010 2:21 PM
-0+

Remove admin and most games and apps will not work correctly. As good as Windows 7 runs they failed on application support.

bahr 04/02/2010 2:23 PM
-0+

Nice to know I'm doing the right thing. I've always been browsing and downloading with a limited user account. I only use the admin account to install software or to play games, but never use it to connect to the internet.

Hilarion 04/02/2010 2:41 PM
-0+

I've had problems running games installed as the admin when I'm logged in as a limited user. But, then again, I don't game while connected to the internet.

ceteras 04/02/2010 2:52 PM
--1+

You can't make win7 safer. You have to educate the users instead.

smashley 04/02/2010 3:25 PM
-0+

Best practice is to use a normal user account and use the 'run as administrator' option for those applications that require it. Heck, in Vista at least you even need to use run as when logged into an administrator account half the time, so how different would it really be? Most of us here know better than to visit sketchy sites/open strange emails anyway, but for the majority of 'users' out there, they should certainly not be using an admin account for day-to-day operations. UAC's effectiveness relies on the user being prompted to understand what they're doing, but most users don't read warnings, they just click whatever they have to so it goes away, and continue on their merry way/downward spiral.

Camikazi 04/02/2010 3:44 PM
--1+

anamaniac :
I'd bring my own PC to work. If they said no, I'd run their PC and my laptop side by side, doing all work on the laptop and just transferring whatever data I need...


Yea cause outright defiance at work is such a GREAT idea, you work with the tools they give you, the PCs they use should be enough to do your job and that is it. Those PCs are not for you to surf on or check your Facebook, they are company property and that is what they are for, company work, I am sure completely ignoring what you are told at work will be reasons for termination. Have fun looking for a job if you do that.

demonhorde665 04/02/2010 4:27 PM
-0+

And in other news:

"Steve Jobs announces Mac safer than PC, all you have to do is not ever turn your Mac on, and it will remain free of any problems, period. Can Windows say that?"

PaTrond 04/02/2010 4:47 PM
-0+

UAC is the least useful thing I've ever been into! I tried to back up my HDD by connecting it to a Vista based system. Vista capped the max amount I could transfer at a time to about 60GB, UAC interrupted and denied me for every file I tried to transfer (I got no words for how annoying that is when you have to transfer several thousand files). At the end I thought I found how to kill that sh*t, but no, it didn't work even though I did it right by the manual.

I don't understand how this possibly could make the system safer?! It interrupts almost every single action taken. I tried to replace a corrupt file in the System folder, but no, it wouldn't let me do that either.
I'd rather rely on a good up-to-date antivirus software.

JWL3 04/02/2010 5:55 PM
-0+

I agree with PaTrond. UAC is the most annoying hindrance in both Vista and Win7. It constantly freaking asks you if you're sure you want to do something. I mean, c'mon. I can't install drivers, can't copy files, can't delete useless folders, can't modify user preferences, can't get my games to work online through the firewall. It is absurd. Basically, it's like shooting yourself in the foot every single day so that you don't get shot in the face once.

Why the heck can't web browsers make web browsing bulletproof? 99% of viruses and trojans are not transmitted online. I wouldn't mind so much having UAC limited only to web browsing and not everything else I do with my machine.

JWL3 04/02/2010 5:56 PM
-0+

I meant to say 99% of viruses and trojans ARE transmitted online.

HalJordan 04/02/2010 6:28 PM
-0+

The best way to make any OS safer is to remove the most critical security flaw...the user.

anamaniac 04/02/2010 8:38 PM
-0+

mitch074 wrote :



Current games, for example, can perfectly be installed as an admin and played as a limited rights user.

Moreover, bringing your own machine to work and storing company data on it could be considered data theft. As far as I know, this is liable to have your contract terminated, you prosecuted and put in jail with a heavy fine.

And that would be perfectly normal, even outside the brain-dead US legal system.



I'm not American.
The company supplies computers and everyone uses them. However, my boss and my boss's boss wouldn't give a damn if I backed it all up to my personal drive.
If I was required to use a computer all day, and was forced to use it crippled without the option to use my own, I'd look for new employment.

Windows Vista and 7 are more than secure enough for most users even with admin rights and UAC off. The whole world isn't out to personally get you, so cool your damned jets. I'm perfectly fine with Microsoft Security Essentials and default firewall. I'm not some paranoid arse running Win95 anymore thinking everything will give me a virus.
If you really think the whole damned world is out to get you, just don't use a computer...

You think only software devs benefit highly from keeping admin on?

warezme 04/02/2010 10:24 PM
-0+

Software does not require admin rights to run, only to install. There are very few and mostly proprietary (often badly written) software that requires admin rights to run, in which case if you are an admin and it is a work related program you are better off using Windows XP virtual mode and sandbox it inside Windows 7.

noneedformonkeys 04/02/2010 11:27 PM
-1+

Funny thing is Windows 7 asked you to set up additional accounts when you installed the OS. I have an admin-enabled account (not named "administrator") for core maintenance. For everyday usage my machine is on a restricted "User" account. In Windows 7, I never have to log into the admin account to install updates, or programs. The UAC asks me for admin password authorization to install updates, change settings, and install programs when I am logged into the "restricted-User" account. I do not see what the problem is? Like my Unix environment(s), I have always had an Admin (sudo) account.

t53186 04/03/2010 2:26 AM
-0+

Useful advice is often ignored by those who choose not to follow the lessons learned by others, that's ok, just keep passing along your experiences for all of us to enjoy and maybe attempt. Good or Bad

climber 04/03/2010 3:01 AM
-0+

Yes, of course IT policy should promote this without choice or exception, and the consequence will be that all scientists, researchers and technologically sophisticated computer users will be completely hampered in their day to day work. Thanks to IT policies not allowing admin rights people can't even adjust their font scaling without admin rights in my organization with Win XP, I'm going to hate to see what it'll be like when Win 7 is deployed. I'll have to call a 1-800 number and beg permission to take a leak in the washroom at that point.

