Windows Tips I – users and security in XP

okay. I am not a Windows user. I am a Unix admin by trade (solaris/HP-UX/Linux), but whenever I go home I try to help my family out with their machines. It seems that everybody is running XP now, and I helped out with a few things.

Ryan got a new laptop. It’s a Dell running XP. Brand spankin new, and he wants to install all sorts of crap on it and, you know, connect it to the web and stuff. The internet is a dangerous place. There is a lot of malicious stuff, and one wrong move can change a computer forever. Really.

So a lot of people are running Norton this or Windows Security that, and that is great! Keep it up! The problem with these is that I believe the manufacturers or providers are being extremely irresponsible. They promote the belief that by running their software you will be absolutely safe. That is totally wrong.

How to be safer:

  • keep running Norton or Windows security or whatever. Make darn sure that you update it a lot. Some do it automatically, make sure that they are. Do it manually when you think of it anyway.
  • Be smart about your user accounts! I’m going to write more about this after this list, because this is the main point I want to get across here
  • Don’t trust websites or ads! Popups and banner ads are notorious. They pretend to be things they’re not, and the buttons usually don’t do what they say they’re going to do. By clicking on these, it is entirely possible that you are running arbitrary code on your computer or giving up information that you’d rather not give up. Click on the little ‘x’ in the top right corner of popups to close them.

Okay, more about users and permissions. One of the reasons that windows has classically been so much less secure than, say, Linux is that you do everything as the administrator or root user. With the more recent Windows releases (XP), this does not have to be the case. Unfortunately, it appears to me that out of the box systems are not configured this was. Nor is it emphasized or even explained that this might be a good idea.

How should I setup my computer to be safe? It’s not that tough. You need to create a new admin user, and you need to remove administrator rights from your everyday user. As your everyday user (who is probably an admin), go to the Control Panel, and choose user management.

  • Create a new user (admin works, or administrator, or root, or boss, or whatever you like) and give that user administrator access. Also, give that user a password. It doesn’t have to be complicated, and it doesn’t have to be different than your everyday user’s (but it should be).
  • Log out as yourself, then login as the user you created above.
  • Go back to the user administration thing in the control panel, and edit your everyday user. Remove administrator rights from that user.
  • Now, logout and log back in as your everyday user (we call this user a mortal user). Make sure your usual stuff works. If not, that sucks. There’s either a problem with my instructions, you, or your computer.

In case there’s a problem, just log back in as admin and give your mortal user administrator rights again. You’re no worse off than you were, but I’d recommend talking to somebody and figuring out wtf. Either that or create a new mortal account and only do risky things (email, browse, games, run software, chat, login, etc) as that user. Which is what I would do.

dangit, now it’s a pain to install software! Amazingly, this is by design. In fact, it’s the whole point of this exercise.

  • download the installer X as the mortal user (your admin may need to create a place on C: or D: or H: or wherever that the mortal user can write to).
  • go to Log Off and select Switch Users. Become admin.
  • Think to yourself, is this screensaver of little puppies coming from a safe place or is it going to open a hole to my computer the size of Crater Lake so that little hacker kids and store pr0n and pirated photoshop on it. Really.
  • install the software for all users to use.
  • Log off or switch users back to your mortal user, run the new software, and have fun!

Okay, I apologize for any misinformation, I am not a Windows guru. The concepts are simple: do risky things as a user who can’t modify the system significantly. If you handle really sensitive stuff, you may even want a third user who never does risky things either. Or a second computer.

Other things that are useful (look for a windows software roundup soon for more info): firewall. Most home routers have this functionality. It’s simple, easy, cheap, and it keeps the a-holes out. Get one and use it. ZoneAlarm is cool, it’s a firewall software and it tells you if things are trying to access the internet. It can be a pain, but it’s worth it. Ad-Aware rocks. It’s free, it’s easy, and it works wonders. Get it, use it, keep it updated, and keep on using it. It basically looks for worms/viruses/bad cookies/other malicious crap and removes it for you. I cannot emphasize enough…get it and use it.

  • Rick Sr.

    This is good information. I actually new this because that is the way the computers at work are configured. At work, only the tec people can enter as the administrator thus stopping people from downloading software. I had not thought to do the same thing at home to stop others from accessing my files. Thanks, I will try it.

  • rick

    My point is similar, but a bit more subtle perhaps. I’m not worried about others accessing your files by sitting down at the computer, but more about your computer accessing files on your computer, or you accessing your files without realizing it. Basically a worm (or other green meanie) executed on your computer is a lot less damaging if it is not executed as an admin user, so use the admin user as little as possible.