Sunday, June 22, 2008

Sudo make me a sandwich.

This old cartoon from XKCD somehow came to my attention the other day (I think it was on Digg or one of the many security blogs I frequent) and it got me thinking: aside from being very funny, this cartoon's subject is one of the easiest ways to prevent problems on any given machine. In short, don't run as Root / Administrator unless you absolutely have to! To do any real damage, malicious code requires that you run it in the context of a powerful user (preferably the system itself, but a high-level user will do in a pinch). If you're not running as Root / Administrator all the time, and you accidentally or unknowingly invoke malicious code, it's like a lit stick of dynamite that just fizzles out: maybe a bit of sound and color, but little or no damage done.

Does this mean that, when you run as a non-Root / Administrator user, you have to log in again every time you need to perform a Root / Administrator task? Nope. The Unix command sudo allows you to run any command as a Root-equivalent or other account (assuming, of course, that you know this other account's password). For Windows, the RunAs command serves the same purpose; conversely, the DropMyRights program from Microsoft allows people running as Administrator to run the riskiest programs (web browser, email, chat) as a plain-vanilla user.
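As an added illustration (not from the original post), here is the difference between a blanket sudoers grant and a scoped one. The user, group and command paths are placeholders; edit the real file only through visudo, which refuses to save a file with syntax errors.

```sudoers
# Weak: the whole wheel group gets unrestricted root, no password asked.
# Anything a member runs (a browser's child process included) is one
# "sudo" away from full control of the machine.
%wheel ALL=(ALL) NOPASSWD: ALL

# Scoped: name the handful of privileged commands the job actually needs.
# Full paths matter; a bare "apt-get" would let a user run any file of
# that name in their own PATH. (Placeholder paths.)
Cmnd_Alias PKG_MGMT = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias SVC_CTL  = /usr/sbin/service apache2 restart

# alice (placeholder user) may run only those commands, only as root,
# and must type her own password first.
alice ALL=(root) PKG_MGMT, SVC_CTL

# Record every sudo invocation and keep the cached credential short-lived,
# so an unattended terminal does not stay privileged for long.
Defaults logfile="/var/log/sudo.log"
Defaults timestamp_timeout=5
```

After saving, `sudo -l -U alice` (run as root) lists exactly what alice can run, which is the quickest way to confirm the grant is as narrow as intended.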

There is definitely a challenge in finding a balance between keeping yourself safe and being able to do your work (a challenge that Vista's User Account Control fails, rather hilariously, in this Apple ad), but for important systems, running as (mostly) a standard user is a great supplement to the anti-virus, firewall and host intrusion detection systems you should already have in place.
