5

Separating privileges, i.e. using a non-admin account and escalating only when needed, seems to be something everyone agrees on. I can roughly understand why it's important on every system: prevent an attacker from modifying the system and taking complete control of the machine, and on shared systems, prevent a user's mistake from propagating to the others.

However, on a personal computer, all the data I care about is in my user folder, which is accessible without admin rights by every program running on the computer. Basically, if a malware runs, I've lost, be it with admin rights or not. All the damage can be done without admin rights, and reinstalling the system to nuke the malware is easy.

In this context, why is using a non-admin account so important?

Please keep in mind that I already know some of the reasons and am not advocating going back to XP's default policy. I just want to know if there are some reasons I missed.

Relevant xkcd.

Hey
  • So use several accounts/VMs for different purposes, so if your gaming or browsing compartment gets compromised the banking or work compartments remain safe. – CodesInChaos Oct 09 '16 at 13:44
  • I tried, but it doesn't seem worth the trouble (and personal VM software like VirtualBox wasn't really written for security: sophisticated malware could use a flaw in the virtualization software to escape it). Also, I *do not* want to use an unprivileged account for everyday use, as I said in the post: I just want to confirm that privilege separation is less important in the case of a personal, single-user PC. I'm confident enough in my OS and browser's security to keep using my computer like that, it's just a theoretical question. – Hey Oct 09 '16 at 13:58
  • While I **do** recommend this for ordinary users such as my children, I'd point out that I too find it too much trouble for everyday use. I live & work on my PC :) Standard security practices and adblocking are generally enough when combined with a good, multi-version, offsite backup schedule. – Julian Knight Oct 09 '16 at 16:39

2 Answers

5

What Julian says is not correct.

The odds of malware getting a foothold are unchanged. If you can encrypt all your data, so can malware. If you can send packets, so can malware.

What's different between running as an admin and a less privileged user is the effort that malware must expend to persist or survive when you run antivirus software to clean up. If you're running as admin, then it has far more places, and more powerful places, into which to hook, making the job of the AV software much harder.

Adam Shostack
  • As I thought more about it, I realised that the ransomware example was probably the wrong one anyway for the reason you mention. I did however talk about the effort involved as this is the nub of it. – Julian Knight Oct 09 '16 at 18:19
  • "greatly reduces the risk of allowing malware to get a foothold" - not too sure what is wrong about that! There are many types of malware that will not take hold if you run as a standard user. – Julian Knight Oct 11 '16 at 11:51
  • I believe "get a foothold" means "can execute instructions of its choice on the CPU." Malware can't know if it's admin before that point. – Adam Shostack Oct 11 '16 at 15:07
1

You've already answered your own question

if malware runs, I've lost

Running as a standard user greatly reduces the risk of allowing malware to get a foothold.

It isn't about drivers necessarily, it is about malware that is able to entirely encrypt your data or, even worse potentially, start leaking data without you knowing, or maybe using your computer as part of a botnet (since not everything is about your data). It may be about giving you some obvious malware but also installing a sleeper that will trigger in 6 months' time - a popular trend amongst ransomware.

All of that is so much harder when you are running as a standard user.

Julian Knight
  • It doesn't stop malware messing up your data, it helps prevent malware getting started in the first place. No malware, no messed up data. It is called "risk mitigation". – Julian Knight Oct 09 '16 at 13:44
  • Oh, I just read the edited version of your post. Still not really convinced, as I don't see how encrypting data, leaking data, working in a botnet or installing a sleeper would be "so much harder" on a normal account. – Hey Oct 09 '16 at 14:01
  • I'm not saying that it should be the *only* security! Merely one way of mitigating risk. It is harder because attackers are not always interested in a simple attack. Many attacks are complex and that requires installed software or replacing system files to make the malware very hard to get rid of permanently. This is what is made so much harder. Getting something to run permanently when running as a standard user is very hard indeed. – Julian Knight Oct 09 '16 at 14:04
  • Thank you, I understand your point now. Kinda like the "SSH mitigation by changing the port" example. – Hey Oct 09 '16 at 15:05
  • Yes, another of my favourite tricks ;) Because attacks are changing so fast, it is sensible to take a range of mitigation measures to help protect against the "unknown unknowns". – Julian Knight Oct 09 '16 at 15:12