There is one simple trick that will make your PC or Mac much safer from malware and hackers. It doesn't involve buying antivirus software or typing in a command line.

That precious secret? Create a limited user account for yourself. Use this limited account for all your daily computer activities, including online and office activities.

Make sure everyone else who uses the computer is also on a limited account. Save your administrator account for administrative tasks, including installing and updating applications and other software. Using this system will prevent or reduce most malware infections on both PCs and Macs.

The only thing you'll give up is the ability to install, modify, or remove software instantly, no questions asked. But with today's operating systems, all you have to do is enter an administrative username and password. The security you gain will be worth the minor inconvenience.

How limited accounts protect you

This system of segregated accounts works because, unlike administrator accounts, restricted accounts cannot install, update, or delete applications and other executables.

As a result, malware - viruses, worms, trojans, rootkits, ransomware, and so on - that tries to infect your machine through a restricted account often won't be able to install itself and won't get into your computer. If it does manage to infect a restricted account, it will usually only affect that user's files, folders, and user-specific applications. The malware will usually not be able to get into the operating system or other user accounts.

The Microsoft Vulnerabilities Report, released in February 2017 by UK-based security firm Avecto, was clear: "93 percent of vulnerabilities in Windows 10 can be mitigated by removing administrator rights ... including 100 percent of vulnerabilities affecting the latest Edge browser."

We don't have similar numbers to cite for Macs, but Mac antivirus maker Intego recommends using restricted or "standard" accounts on Macs for the same reasons.

How to create limited accounts

Microsoft and Apple set up every new user with administrator accounts by default. But in reality, you only need one administrator account on each computer - and each user should have a limited account for everyday use.

You'll need to be using an administrator account to do this, but the steps in each current version of Windows are similar.

In Windows 7, go to Start --> Control Panel --> Add or Remove User Accounts, or User Accounts --> Create New Account. Enter the desired user name, select the Standard User button, and click Create Account. Then click Create Password and enter the desired password.

In Windows 8 or 8.1, press the Windows key and I at the same time to bring up the Settings menu. Select Control Panel, and then select Add or Remove User Accounts or User Accounts, depending on your Control Panel display option. Select Create a new account. Enter the desired user name, select the Standard User button, and click Create Account. Then click Create Password and enter the desired password.

In Windows 10, go to Start --> Settings --> Accounts --> Family and other users. Click "Add someone else to this computer." Then select "I don't have this person's sign-in information" and click Next. (Ignore the request for the user's email address or phone number).

On the following screen, select "Add user without Microsoft account" and click Next. (Windows 10 Home and Professional versions may not display the previous two steps). On the next screen, enter the desired username and password, and then click Next. (We have an illustrated guide here).
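
For readers who prefer to script and verify the Windows 10 setup, here is an added example that is not part of the original article. It assumes Windows PowerShell 5.1 run from an elevated prompt; the function names and the account name 'dailyuser' are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: audit local administrators and create a standard account.
# Assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts module.

# Well-known SIDs are used instead of group names so this works on non-English Windows.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

function Get-LocalAdminReport {
    # One row per enabled local account, flagged if it belongs to Administrators.
    $adminSids = Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.SID.Value }
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            IsAdmin = $adminSids -contains $_.SID.Value
        }
    }
}

function New-StandardUser {
    param([Parameter(Mandatory)][string]$Name)
    # Prompt for the password so it never appears in the script or command history.
    $password = Read-Host -AsSecureString "Password for $Name"
    New-LocalUser -Name $Name -Password $password | Out-Null
    # New-LocalUser adds the account to no group; Users membership makes it a
    # standard (limited) account that can sign in.
    Add-LocalGroupMember -SID $UsersSid -Member $Name
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# Flag machines where more than one enabled account has administrator rights.
$admins = @($report | Where-Object IsAdmin)
if ($admins.Count -gt 1) {
    Write-Warning "$($admins.Count) enabled administrator accounts; one per computer is enough."
}

# 'dailyuser' is a placeholder name. Uncomment to create the account.
# New-StandardUser -Name 'dailyuser'
```

To demote an existing everyday account instead of creating a new one, `Remove-LocalGroupMember -SID S-1-5-32-544 -Member <name>` removes its administrator rights; confirm first that another enabled administrator account remains.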

Why this solution is not well known

So why aren't more people doing this? I think most people don't know about restricted accounts, or if they do, they only think of them as a way to control a child or guest's activity.

Another reason is that up through Windows XP, using a restricted account was terrible. Most applications assumed that the user would have full administrator rights, and many of them didn't work properly under a restricted account. If a user with limited access encountered a process that required administrator authorization, they would have to switch to an administrator account to proceed.

This changed with Windows Vista and the introduction of Microsoft User Account Control, which made the process easier. Developers were required to give maximum functionality to restricted accounts, and if administrator authorization was needed, a dialog box appeared asking the restricted user for the administrator account username and password.

I've been using this system on all my Windows PCs for several years and have never found it to be much of a hassle. When software needs to be updated, I get a pop-up and enter the administrator credentials. On both Windows 7 and Windows 10, Windows Update works without issue. I rarely have to log into my separate administrator account.

What you can't do with limited accounts

This precaution will not prevent or mitigate all malware infections. Some malware can "escalate" its system privileges and give itself privileges that a limited user does not have. But regular, run-of-the-mill malware, which is what most people face most of the time, doesn't do that.

Nor does it stop social engineering attacks that are designed to trick you into giving up sensitive information. If an email asks you to log in to a fake Facebook or Gmail page, a restricted user account won't help. If the rogue software asks for your administrative username and password so that it can install itself, providing these details erases the benefits of having a limited account in the first place.

The truth is that only you can stop social engineering attacks. But limited user accounts can stop almost anything else.
