Michael Horowitz

Defensive Computing

Warning! You have administrator rights

Running a Windows computer as a restricted/limited/standard user is much like exercising and eating green vegetables; it's the right thing to do, but not enough people do it.

In large part, I feel that Microsoft is to blame. For one thing, Windows inevitably ships (in my experience) with nothing but pre-existing administrator class users. They also fall down when it comes to educating non-techies on the subject.

For example, start at www.microsoft.com/security and you'll find nothing on the topic in the consumer section of the page. There is a link to a page with 4 steps to protect your computer, but running as a limited user is not one of the steps. Microsoft has a Security Tips and Talk blog for consumers, but, like any blog, it's not arranged by topic. Based on the tag index, I doubt the topic is addressed.

There probably is a page at microsoft.com that addresses the topic, but it should be front and center, not a needle in a haystack.

This issue should also be front and center when someone is using Windows.

Filling this void is none other than Avira, the company that makes the AntiVir antivirus program.

I recently installed the free version of AntiVir on a Windows XP machine and after re-booting was shown the warning message below.

[Image: AntiVir warning about admin rights]

They are 100% right. It is generally recommended to use a restricted user account. Unfortunately, Windows only has "restricted" users in concept, not in name. The terminology in Windows 7 is "standard" and in XP it's "limited". Yet another Microsoft failing.  

It would be nice if Avira detected the version of Windows and adjusted the message to use the appropriate term (standard or limited). It would also be nice if they could link people to some Microsoft documentation on the topic. Perhaps they couldn't find any either.

Still, I applaud them for making an effort. None of the other antivirus programs I'm regularly exposed to issues a warning like this. 

UAC PROTECTION IN WINDOWS 7

Perhaps some of you are thinking that in Windows 7, UAC offers protection to the extent that there is no need to run as a standard user. You may have heard that even when logged on as an administrator, Windows 7 lowers your rights to those of a standard user and warns you with a pop-up when administrator rights are needed.

That's not the full story.

The fact is, malware can still get administrative rights, silently, behind your back without any prompt from UAC.

To cut down on UAC nagging, Windows 7 includes an auto-elevation feature which automatically grants administrative rights to programs that are part of the operating system. But, auto-elevation can be abused, a fact that Microsoft is fully aware of.

For the details, here are some quotes from Inside Windows 7 User Account Control by Mark Russinovich of Microsoft:

"Several people have observed that it's possible for third-party software ... to take advantage of auto-elevation to gain administrative rights. For example, the software can use the WriteProcessMemory API to inject code into Explorer and the CreateRemoteThread API to execute that code, a technique called DLL injection. Since the code is executing in Explorer ... it can ... modify system registry keys or directories and give the software administrative rights. While true, these steps require deliberate intent [and] aren't trivial ... The follow-up observation is that malware could gain administrative rights using the same techniques. Again, this is true ... From the perspective of malware, Windows 7's default mode is no more or less secure than the Always Notify mode ("Vista mode") ..."

Russinovich also points out that "malware can compromise the system via prompted elevations as well". Thus, Windows users who depend on UAC prompts for malware protection are a single keystroke/click away from disaster.
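
A check in the spirit of the AntiVir warning, written for this page as an added PowerShell example (not Avira's or Microsoft's code): it uses the term the article gives for each Windows version and, on Windows 7, reports which UAC mode is set. It assumes PowerShell 2.0, a stock install where whoami is available on Vista and later, and the usual registry meanings of ConsentPromptBehaviorAdmin (2 = Always Notify, 5 = Windows 7 default).

```powershell
# Added example, not from the article. Reports whether the logged-on account
# is an administrator and, where UAC exists, how it is configured.
$adminSid = 'S-1-5-32-544'                          # well-known SID of BUILTIN\Administrators
$major    = [Environment]::OSVersion.Version.Major  # 5 = XP, 6 = Vista/7

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
# True only when the current token has the Administrators group enabled.
$tokenIsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($major -ge 6) {
    # With UAC on, an administrator's everyday token carries the group as
    # deny-only, so IsInRole is false. whoami still lists the SID.
    $accountIsAdmin = [bool](whoami /groups /fo csv /nh |
                             Select-String -SimpleMatch $adminSid)
    $term = 'standard'   # Windows 7 wording, per the article
} else {
    $accountIsAdmin = $tokenIsAdmin   # no UAC on XP: the token tells the whole story
    $term = 'limited'    # XP wording, per the article
}

if ($accountIsAdmin) {
    Write-Output "Warning: this account has administrator rights. Use a $term user account for daily work."
} else {
    Write-Output "OK: this is a $term user account."
}

if ($major -ge 6) {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key
    if ($uac.EnableLUA -eq 0) {
        $mode = 'UAC is turned off'
    } else {
        switch ($uac.ConsentPromptBehaviorAdmin) {
            0       { $mode = 'administrators elevate without any prompt' }
            2       { $mode = 'Always Notify' }
            5       { $mode = 'default (Windows components auto-elevate)' }
            default { $mode = "other setting ($($uac.ConsentPromptBehaviorAdmin))" }
        }
    }
    Write-Output "UAC mode for administrators: $mode"
    Write-Output "Current process holds full administrator rights: $tokenIsAdmin"
}
```

Run it from an ordinary, non-elevated prompt; a warning on the first line means the account is an administrator even though the process itself is running with filtered rights.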

Standard user good. Administrator bad.
