Thursday, February 12, 2009

Viruses cannot do what you cannot do

I've long held that one of the best methods of stopping viruses and other attacks is to refrain from using accounts with administrative privileges. What most people miss about virus attacks is that while a virus does things that you don't want to have done, but it does these unwanted actions as you. The computer operating system, in other words, believes that the requests from the virus is coming from you. Just another example of how computers don't "think" like a person. The idea of "why would anyone want to do that?" does not come into play with a computer.

If you are using a computer that cannot delete/create/modify applications, it is very unlikely that a virus would be able to do so, as well. Both OS X and Windows Vista deal with this issue by running in a standard -- limited -- mode and asking for permission. Of course, if you're one of those people who automatically clicks on permission pop-up windows, this security system does little good.

Beyondtrust has just released a report that documents that removing administrative rights on a Windows computer can protect it from over 90% of common security vulnerabilities. This is higher than even I was thinking it would be but it does confirm the notion that restricting user rights is a great security strategy.



praVeen said...

Or still you could just Go ahead and use Ubuntu Desktop where every users permission is clearly demarcated and plus You can just forget the Viruses. Perfect for Educational institutions .

Thane said...

Good point. Of course, many people don't have control over which OS they will be using or they may be forced to use an OS because of some application that can only run on it. The same argument can of course be made for the Mac -- to a slightly lesser extent.