Restricting Everyone But Especially….Yourself!


If you work in IT you would have heard of the principle of Least Privilege.

Least Privilege is only allowing the computer account that you use enough permissions to do the job it needs to do.  You’ll see this at work if you use a corporate network.  Say, for example, you work in the warehouse, then there’s no need that your network account needs access to the payroll or permission to install new programs onto the computer.  The account will need to access the warehouse management system but won’t need access to other things because your role dictates what it needs or doesn’t need. We tend to live with it in the corporate world and recognise why it’s there.

If you’re a decent Sysadmin then you’ll be applying the principle in your daily life and use at least 2 accounts, one for logging on and doing your day-to-day tasks such as reading emails and the other, an administrative account with higher permissions, to make changes to configuration, install and uninstall etc.

Home life is different and I’ll guarantee that just about everyone reading this makes this mistake. 

You’ve just bought your nice and shiny laptop, log on for the first time and create the first account which has administrative rights.  You may decide to create user accounts for the kids so that they can’t install loads of rubbish onto the laptop but you leave your account with administrative privileges so that you can install all manner of programs. Herein lies the problem.

You need to make it hard for the viruses.  Should you click on a dodgy link then, as you’re logged on as the dude with total control over the laptop, that virus is now going to exploit this and it’ll have the ability to do all sorts of things with those administrative privileges. It can rename user accounts, create new ones, delete information, change the integrity of data and worse of all, because it’s got the top privileges going, it can seek out and amend or delete those controls that you’ve put in place against viruses such as uninstalling anti-virus software or deleting your back up.

Treat your day-to-day account on your home laptop or desk the same way that you treat your kids accounts. Give yourself a user account that doesn’t have admin rights. If you need to install a program then choose to install it with the separate administrative account, either by right clicking and running as an Administrator or logging specifically as the administrative account and then logging off once done.

I won’t lie, I’ve been very very guilty of doing this at home but not anymore.  Experience has taught me it’s far better to avoid disaster than to manage  and restore from one.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s