Ask Leo!

Are Limited User Accounts effective?

Home » Windows

Summary: Limited User Accounts in Windows restrict the ability of malware to cause problems on your system. Unfortunately, it may also limit your ability as well.

How effective is using a limited user account to surf the net? I've read that if you get infected with a virus/trojan etc,the amount of damage caused can be dramatically reduced if you were logged on with a limited account. Also if I set up such an extra account (for surfing), do you have run anti virus updates, and do scans on both the administrator and limited account, or does an ONE anti virus/anti spyware scan cover all the accounts on the computer.

In a word, yes - Limited User Accounts are very effective at reducing the potential impact of a virus or spyware.

Unfortunately my experience has been that they're also effective at reducing your abilities in other areas as well.

I'll be honest ... every time I've attempted to set up a Limited User Account (often referred to as LUA), I've been frustrated, and eventually ended up reverting that account to full administrative privileges.

My frustration is not with LUA itself, per se, but with other software.

The concept behind LUA is simple: you don't need every privilege on your machine in order to do most day-to-day activities. Surfing the web, sending email, writing documents or balancing your checkbook do not, and should not, require anything other than the most basic of permissions on the computer.

Taking away certain types of permissions - such as the ability to write to certain system directories, install activex controls and the like - means that it's more difficult for malware to do those things if you happen to run across it as a Limited User. Since so much malware relies on exactly those types of operations, it's actually a very effective strategy.

And yes, even though I have my own frustrations with it, I do recommend it, if possible, as a very valid step towards increasing the overall security of your system. I particularly like the idea of families setting up their children's accounts on a shared computer with LUA.

To do so, by the way, in Control Panel, User Accounts, click on the account you wish to change, click on Change My Account Type, and then select Limited. Note that you will not be able to change the primary Administrator account, and that not surprisingly, you need administrative privileges to actually do this to any account.

"...I do recommend it, if possible, as a very valid step towards increasing the overall security of your system."

Now, about my frustration.

Every time I try to run as an LUA, I keep running into things that I can't do. Things that I want to do. For example installing software in general is an issue using an LUA. If that software expects to be installed for the current user, then logging in as the administrator to install it may still not set up the software for use in another Limited account on the same machine.

Now, to be fair, there are often workarounds. One could temporarily elevate the Limited account to administrator just long enough to install whatever software needs installing. But there are also frequently still complications, and it's certainly an additional, somewhat cumbersome step to what's typically already a complicated process.

Now I definitely understand that there is a fundamental conflict here - you want to prevent installation of malware, while allowing the installation of trusted applications. Unfortunately there's no easy way to distinguish, so LUAs must prohibit both - or at least those that affect protected system areas.

The more fundamental problem is that while many applications do need it, too many assume administrative privileges when they don't. As a result, they fail when installed or run from LUAa.

If there's good news in all this, it's the answer to your other question about anti-spyware and anti-virus software. Most of these applications are installed at the system level, and as such work on the entire machine, regardless of what user you happen to be logged in as, or even whether you're logged in at all.

So, yes, I'm one of those folks who apparently needs to use software that requires or assumes administrative privileges often enough that running as an LUA is simply not a practical option for me. My advice to you: try it. I know I'm an edge case - I do a lot of things that more normal people don't. You may find that all your needs are met in an LUA, and as a result, you will definitely be safer.

Related:

More articles about: Windows

Article Useful? Link to it from your own website; just copy/paste this HTML:

Article 10941 | Posted November 20, 2006

Recent Comments

Windows Vista finally has a practical LUA implementation, many many years overdue, and linux has always had it. The implementation in Ubuntu is really quite elegant. Everyone is defaulted to a power user account, and if you'd like to perform a root-level task, you're simply asked for your password.

Posted by: Mike at November 21, 2006 10:10 AM

The Mac is much like Ubuntu in this regard, and I agree, it's perhaps the most elegant compromise.

What I *don't* know is how often that requirement (administrative access) pops up in what would otherwise be "normal" work. That's what's most frustrating about XP's LUA.

Posted by: Leo Notenboom at November 21, 2006 04:05 PM

>> What I *don't* know is how often that requirement (administrative access) pops up in what would otherwise be "normal" work.

Anecdotally, I read that this was one of the biggest complaints about the early RC's for Vista..that even in trivial tasks like deleting a file from your desktop, Vista would password-prompt you (not once, not twice, but) *three* times. However, Microsoft has corrected this in later RCs, and supposedly trimmed down the number of tasks that require entering a password.

Posted by: Mike at November 21, 2006 06:39 PM

I have added a Limited account to the computer that I most use for Web Wandering and intend to use that account only for that purpose. Is this sensible?

Posted by: Gordon at December 3, 2006 03:10 AM

In early 2006, I found a reference to a small program on Microsoft's website called DropMyRights. It's used with user setup desktop shortcuts to fire-up DropMyRights which then starts ups another program (such as Internet Exporer, Firefox, Outlook Express) with LimitedUser rights (non-Administrator). I've been using it for the 3 programs above for most of 2006. When I look at the security setting of any of these DropMyRights invoked programs using ProcessExplorer (from SysInternals), ...right-click application name > Properties > Security tab > BUILTIN/Administrators setting: it shows "Deny,Owner" rather than "Owner". I think that for WinXP, this is a pretty good compromise. I can logon with Administrator rights, but then fire up some programs such as browsers and email with LimitedUser rights. I think that this protects me pretty well! I get the benefits of the need for Administrator rights with many applications as well as the protection of LimitedUser rights with my Internet facing applications. I keep my standard desktop icons for browsers, etc. for WindowsUpdate and other such work.

Posted by: Jim at December 3, 2006 05:31 PM

I have windows vista and I have asked Dell, as well as my IP. how can seperate two users in email. Right now my wife's email comes in my acct. and if she sends it goes out in my name not hers.

Posted by: Grant Phillips at September 30, 2007 07:14 AM

I believe many people are not aware that it is possible to run an application in a LUA with administrator rights (provided you have the password). The feature is called "Run as..." and is accessible through right-click in Explorer on the program you want to execute. It will only be valid for the current session and is an excellent way of quickly getting things installed or configured without the hassle of temporarily elevating permission rights. It is even possible to setup a shortcut or program to always run as a different account (although I wouldn't recommend that as a design, it's a compromise for the exceptions).

Posted by: Alex at November 26, 2007 05:18 AM

I have setup my system exactly as described and since I don't use games (which are the ones that are most fiddly about permission rights) everything works fine without hickups or hassles. Admin accounts is ONLY for installation of new programs.

I DO wonder how protected I am with this scheme. Knowing a little about how permissions work with NTFS, I can't figure how a virus could bypass this. Of course there is a way because enterprises get viruses just as anybody else (albeit not as often) and in a corporate environment LUA is exactly the norm. So how do viruses do it? If they can't get write access to the registry, how do they make themselves executable on system restarts?

Posted by: Alex at November 26, 2007 05:27 AM

Post a comment on "Are Limited User Accounts effective?":






(Email Address will not be published.)

Remember Me?

By popular demand...
my tip jar
Cuppa Joe
Buy Leo a Latte!


New!

RSS feed Subscribe to the RSS Feed specifically for comments on this article.

Before commenting, please...

Please wait. Your comment is being processed ...

Ask Your Question:


ask-leo.com
Web

Archives

By Category
By Date

Advertisers

Advertise on Ask Leo!

««   »»

Question? - Ask Leo!
Who is Leo?
Link to Leo!

Terms, Conditions & Privacy

http://ask-leo.com/are_limited_user_accounts_effective.html
Copyright © 2003-2008 Puget Sound Software, LLC and Leo A. Notenboom