
Small Business Cybersecurity 3 of 7: When to (NOT) be an Admin

This is part three in a seven-part series regarding security concepts for small businesses. As an owner or principal of a small- to medium-sized business, you have the ability and the responsibility to understand security basics and ensure they are implemented for you.

This month we are speaking of one of the most important, and sometimes difficult, steps to take in implementing best-practice cybersecurity. It sounds simple: don’t be an Administrator on your computer unless you are intentionally doing Administrator-type things. Then, when you are done doing Administrator-type things, stop being an Administrator.

What is an Administrator? Glad you asked that. An Administrator is a type of user who can do pretty much anything on a given computer, including install programs, change the operating system settings and more. Compare this to a Standard user, who can only do standard things, like read email and surf the web.

The Problem 
Sounds easy, but on most home workstations or business workstations (which are not on a domain), things are almost never set up with a separate Administrator account alongside a Standard account for daily use. It has gotten somewhat better in recent years, but for the most part the “out of the box” computer configuration is set up as such:

  • The machine comes with one user, something like “Computer Owner.”
  • The user has no password.
  • The user is a full-time Administrator.

If I were a hacker or malware designer and I wanted to provide instructions to computer manufacturers on the ideal setup for me to hack and spread malware, my dream setup would be exactly as listed above. To be clear, we are talking about Windows workstations. Mac OS is set up differently, and now Windows 10 is better, but that does not help the 80% of Windows computers which are not yet using Windows 10.

Poorly Designed Business Software
Many business software packages are designed in such a way that they require full administrator privileges on your machine just to run on a daily basis. You should have to be an Admin to install the software; it should not be required to use it on a daily basis. Even though this is best practice, many software packages insist that you must always be in Admin mode just to run the program. The important thing in this case is not to take the vendor’s word for it. Test, ask questions and ask for help if needed, but try not to allow one program to force you into admin mode all of the time.
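One concrete way to test rather than take the vendor’s word for it: the usual mechanism that forces a program into Admin mode on a single machine is the “Run this program as an administrator” checkbox on the Compatibility tab, which Windows records as a RUNASADMIN flag in the registry. The script below is an added example, not part of the original post, and lists every program flagged that way for the current user and for all users. The registry paths are the real AppCompatFlags locations; the output object shape is my own choice.

```powershell
# Added example (not from the original post): list programs marked
# "Run this program as an administrator" on the Compatibility tab.
# Windows stores these flags as string values under AppCompatFlags\Layers;
# the value name is the program path and the value data contains RUNASADMIN.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',  # current user only
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # all users on the machine
)

foreach ($key in $layerKeys) {
    if (-not (Test-Path $key)) { continue }          # key does not exist until a flag has been set
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own PSPath/PSDrive metadata
        if ($p.Value -match 'RUNASADMIN') {
            # One row per program that is being forced to run elevated
            [pscustomobject]@{
                Scope   = $key.Split(':')[0]         # HKCU (you) or HKLM (everyone)
                Program = $p.Name                    # full path of the executable
                Flags   = $p.Value                   # e.g. "~ RUNASADMIN" plus any compatibility modes
            }
        }
    }
}
```

Any program that shows up here is one to test as a Standard user before accepting that it “needs” admin: clear the checkbox on the Compatibility tab (or remove the value with Remove-ItemProperty), run the program as your Standard account, and see whether it actually fails. In many cases it runs fine, and the flag was left over from an installer or an old troubleshooting session.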

Why Does this Matter?
Malware has the same power as you: if you are always running as an Administrator as you surf the web, read email and open attachments, you give that exact same power to any malware or virus you encounter. Being a full Administrator means the malware can take any action it wants, including turning off your anti-virus and changing your machine to suit the malware and make it undetectable.

It is easier to break the machine yourself! If you are running as a full Administrator at all times and make a mistake which damages your machine, there is little to stop you. Having to take an extra step and put in an admin password gives you a small amount of time to reconsider your actions and perhaps make a better decision.

What to Do
The following steps work on most home workstations and many small business networks. If you are on a larger business network, the steps are similar, but you may need to consult your IT professional for assistance.

1> Check if you are an Admin on your computer. You can go to Control Panel > Users, or the equivalent place in your operating system, and look at your user type. If you are logged in as the user you run as all the time, it should have you labeled as a “Standard” user or something similar to this.

2> Create an Admin user. If you are an admin user and yours is the only account on your computer, you have to make another admin user before you can demote yourself to a standard user. I suggest creating one, even if another “Administrator” account exists. You can call it anything you want. If your name is “Joe” you can call the admin user “AdminJoe” or something to that effect.

3> Turn on UAC. UAC is User Account Control. This exists in Windows 7 and newer operating systems. You might have to search for how to turn it on, as it is different in different operating systems, but in general it is not hard to find.

4> Demote your daily user account to “Standard.” This is slightly different on different operating systems, but in general go to Control Panel > Users, find your user and check “Standard.”

5> Make sure you have a decent password on both accounts. No, not the word “password” in any form, and not your own name, but perhaps your dog’s name, if the dog is not named “password.”
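The same five steps can be done from a PowerShell window instead of Control Panel. The script below is an added example, not part of the original post, and assumes Windows 10 (or Windows Server 2016) or newer, where the built-in LocalAccounts cmdlets (Get-LocalUser, New-LocalUser, Add-LocalGroupMember, Remove-LocalGroupMember) exist; on Windows 7 and 8 the older `net user` and `net localgroup` commands do the same job. The account names “Joe” and “AdminJoe” are placeholders taken from step 2, and the script is meant to be run once from an elevated window while you are still an Administrator. The registry values it sets for UAC (EnableLUA, ConsentPromptBehaviorUser, PromptOnSecureDesktop) are the standard Windows policy values.

```powershell
# Added example (not from the original post): steps 1-5 in PowerShell.
# Assumes Windows 10 / Server 2016 or newer (LocalAccounts module).
# Run ONCE from an elevated "Run as administrator" window while you are still an admin.
$DailyUser = 'Joe'        # placeholder: the account you use every day
$AdminUser = 'AdminJoe'   # placeholder: the separate admin account to create
$Admins    = 'Administrators'

# Step 1: Is an account a member of the local Administrators group?
function Test-IsLocalAdmin([string]$Name) {
    $members = Get-LocalGroupMember -Group $Admins -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -like "*\$Name" })
}
"Before: '$DailyUser' is Administrator = " + (Test-IsLocalAdmin $DailyUser)

# Step 2 (and 5): create the dedicated admin account with a real password.
# Read-Host -AsSecureString keeps the password out of the console and its history.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $AdminUser (12+ characters; not a word, a name or a pet)" -AsSecureString
    if ($pw.Length -lt 12) { throw "Password too short; refusing to create a weak admin account." }
    New-LocalUser -Name $AdminUser -Password $pw `
        -Description 'Elevation-only account; not for email or web browsing' | Out-Null
    Add-LocalGroupMember -Group $Admins -Member $AdminUser
}

# Step 3: turn on UAC and have it ask Standard users for admin credentials,
# which is the popup described later in the post. EnableLUA applies after a reboot.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacKey -Name EnableLUA                 -Value 1 -Type DWord
Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -Value 1 -Type DWord  # 1 = prompt for credentials on the secure desktop
Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop     -Value 1 -Type DWord

# Step 4: demote the daily account, but only if at least one OTHER enabled local
# admin exists, so that you cannot lock yourself out of the machine.
$otherAdmins = Get-LocalGroupMember -Group $Admins |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike "*\$DailyUser" } |
    ForEach-Object { Get-LocalUser -Name ($_.Name -split '\\')[-1] -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
if (-not $otherAdmins) { throw "No other enabled Administrator found; not demoting $DailyUser." }
if (Test-IsLocalAdmin $DailyUser) {
    Remove-LocalGroupMember -Group $Admins -Member $DailyUser
    Add-LocalGroupMember    -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue
}

# Final check: the daily account should now be Standard and the new account an Administrator.
"After: '$DailyUser' is Administrator = " + (Test-IsLocalAdmin $DailyUser)
"After: '$AdminUser' is Administrator = " + (Test-IsLocalAdmin $AdminUser)
```

The order matters: the new admin account is created and verified before the daily account is demoted, and the script refuses to demote if it cannot find another enabled administrator. After a reboot, sign in as the daily account; anything that needs admin rights should now produce the credential prompt for the admin account rather than a one-click consent box.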

Once you have done these things, when admin rights are needed you should receive a popup asking you to authenticate as the admin user you created. If the popup occurs at a time when you are intentionally trying to make legitimate changes, then authenticate. If it happens right after a pop-up shows up telling you that you have won millions of dollars from a foreign prince, then cancel it and be more careful, knowing that you have dodged a major bullet.

There can be a bit more to this than what I have depicted, but my hope is that it gives you the general idea and you can grow your knowledge from here.  

Thanks and remember, you can and should understand your own technology. 

TIM WEIDMAN


Tim Weidman is the Director of Information Technology at Frankel Zacharia Tech Services, a department of Frankel Zacharia, LLC. Tim has a technology career spanning over 25 years and holds professional certifications in Certified Ethical Hacking and Penetration Testing, Security+, A+ and Network+, as well as Microsoft, Apple, Linux and Novell technologies. For more information visit: fztechservices.com.
