Leo, I’ve heard that browsing with an admin account puts you at more risk and I’m wondering what are some ways to stay protected without switching to a less privileged user account. Also, what is sandboxing?
What you’ve heard is correct. Running with what’s called a limited user account (LUA) is indeed safer.
It’s also something that unfortunately, many people don’t do… including myself.
Become a Patron of Ask Leo! and go ad-free!
The weakest link is … you
The single best thing you can do if you need to run as administrator is to use common sense. Basically, learn to understand where you should and should not browse, what you should and should not download, and just generally what steps you need to take to stay safe online.
Honestly, all of that can really go a long way towards keeping you safe regardless of whether you’re using an admin account, a limited user account, or a guest account. Understanding how to be safe is the single most important tool you can develop.
Unfortunately, of course, it’s not 100% reliable.
UAC is almost LUA
So the second most important thing you can do if you need to run as administrator is to run Windows 7 or better and have User Account Control (UAC) enabled. UAC is that annoying pop-up that says, “I’m about to change your system. Is that ok?” It’s enabled by default.
With UAC enabled, you’re running as administrator, but not really. You’re running as an account that’s allowed to be administrator, might be a better way to put it. Then pay attention to those pop-ups. Those are the things that are requesting true, full administrative access to your machine.
Often, they are things you want, like a program that you’re installing. Sometimes they’re things you don’t want, like malware. Being able to understand the difference is key to keeping yourself safe.
And naturally, the traditional litany of using anti-malware software, firewalls and common sense is worth reiterating.
Playing in a sandbox
A sandbox is an interesting additional solution. You can think of sandboxing software as kind of a protective wrapper around some other program. When you run that program within a sandbox, it looks to that program like all of the changes that it’s making to your system are actually being made.
In reality, they’re being held by the sandboxing software. When you exit the program, all those changes can be discarded, which is particularly nice if those changes happen to be a malware installation. You shut down your browser, the sandbox cleans up, and all of that malware is gone.
Of course, using a sandbox quickly gets complicated because there are still some changes that you want! Things like your browser settings, or certain cookies, or the bookmarks that you saved, or downloads that you really want to keep and so on.
So it’s not a simple “just do this” kind of a solution without some ramifications, but it can be a very good approach to safety. I know a number of people who swear by it.
Sandboxie is the most common example (originally, a “Sandbox for IE”, hence it’s name). It can now be used to sandbox just about any program you might want to run.