Do you hold really sharp scissors in your hand all day so that they're always convenient to use? Of course not. The risk of injury to yourself and others outweighs the convenience. Similarly, when using your computer you usually don't need to be a user with full privileges. For example, Student Technology Center users are able to check e-mail, surf the web, write documents and edit spreadsheets, all while logged in with limited rights. The University Information Security Office suggests following the Principle of Least Privilege. This principle teaches that you should normally operate without administrative privileges, logging in as a restricted user instead of administrator (Windows), or root (UNIX) access.
Giving yourself too much power can be dangerous – allowing viruses and other attacks to more easily compromise your computer. The University Information Policy Office drafted policy IT-12, Policy on Security of IT Resources in 2002. It states that you should "perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities." Logging into a computer with limited rights also limits the ability of any attempted computer attack that might happen. An attack on a fully patched computer can only gain the attacker the rights of the currently logged on user. If you log onto a computer as an Administrator and get tricked into clicked a malicious link, you are giving the attacker administrative control of your computer.
The UISO suggests that you use a tool such as Run As in Windows, sudo in Unix/Linux, or Fast User Switching when you need to perform tasks that require administrator privileges. These tools allow you to perform tasks that require elevated privileges as needed while still logged in as a user with limited privileges.
In Windows, Run As..., or Run As Administrator is usually an option when you right-click on a shortcut or program. In some cases (in the Control Panel), you will have to hold down Shift while you right-click to see the Run As... option. You can instruct a shortcut to always run with different credentials by right-clicking on it, choosing Properties, clicking Advanced, and checking Run with different credentials. Also, in Windows Vista or Windows 7, you can run a program as the local administrator by entering ".\Administrator" in the username fied and the local Administrator password in the password field. The ".\" is a shortcut that saves you from typing the name of the computer everytime. A convenient way to open an Explorer window with administrator privileges is to create a shortcut to Internet Explorer, and setting it to run with different credentials. Then after it is open, you can type c:\ or Control Panel in the address bar.
Most of your day-to-day activities - checking email, surfing the web, listening to music, and typing papers – can (and should) be performed by accounts that are restricted. Yes, this is more work for you to do, but so is always having to go find and retrieve your scissors every time you need to make a cut. In both cases, the need for safety outweighs the need for convenience. It is just too dangerous to log onto a computer as Administrator all the time. So, remember not to hold your scissors all the time. You'll hurt yourself.
Additional Resources:
