Managing and understanding privileged use
Naturally, most parents worry what their children do while on the computer. Most are particularly diligent about monitoring their time online. But many parents don't realize there's potential for an even larger problem that often goes unnoticed - privileged use.
Privileged use refers to administrative access to a computer. Non-privileged users don't have any administrative access. Many parents don't even realize there is such a thing, and unknowingly let them login to the computer with far more access than is really needed.
Why is restricting administrative access so important?
For starters, most children are naturally curious and may want to know what makes the computer tick. Some kids are just down-right mischievous and want to mess with the computer. In many cases children end up toying with things like the Windows Control Panel or editing or deleting special system files which can create major problems with the computer.
In some cases the problems can be so severe it can prevent the computer from starting at all, which can be costly to fix and often difficult to undo, particularly if personal documents are permanently lost. If children login to the computer with a non-privileged account, the computer won't let them carry out harmful tasks.
Secondly, if children have administrative access, they may have the technical ability to lock the parents out of their own computer. Not all children know how to do this, but with an ever-growing number of computer savvy kids, chances are it won't take long for them to figure it out.
And lastly, if a child with administrative access to the computer unknowingly opens a questionable email or visits a malicious website, they can inadvertently infect the entire system with a nasty virus, spyware or another kind of malicious program. Generally, once such a program runs, it runs with the same privileges that the logged on (active) user has. So if the user has limited access to the computer, the malicious program's damage will also be limited.
This is an especially important issue because many rogue viruses that get installed this way sit quietly and collect personal information about the user, which is transmitted electronically to identity thieves. In other words, parents' personal information may be at risk because of an inadvertent action of their child.
There are cases, however, where viruses can inflict system wide damage regardless of the type of access the user has. These scenarios come into play when a malicious program utilizes an un-patched or yet undocumented vulnerability, bug or other kind of weakness in the operating system that allows the program to bypass the lack of administrative access the user may have and infect the computer anyway. That is one reason why frequently applying computer updates is very important.
So due to the potential problems privileged use can bring, parents should consider making children login to the computer using one or more non-privileged (non-administrator) user accounts. For further protections, some parents may also choose to use a non-privileged account for their own daily use, and create an administrative account for special situations that require administrative access, like making system configuration changes, running Windows Update, and so on.
Unfortunately, Windows 95, 98, 98 SE and ME do not provide any sort of security whatsoever, so no such protections are possible. Windows 2000 and XP do, however. Other operating systems, like Apple's OS-X and Linux have supported user security from the very beginning.
To limit user accounts in Windows XP, login using an account that has administrative access. Go to the Windows Control Panel (via the start menu) and double-click the User Accounts icon. Click on the user that you want to configure or change. Click on the "Change the Account Type" link and then select the "Limited" option. Then click the "Change Account Type" button at the bottom of the window. Click "OK" on all the remaining open boxes.
To limit user accounts in Windows Vista, login using an account that has administrative access. Go to the Windows Control Panel (via the start menu) and double-click the User Accounts icon. Click the "Manage another user account" link. Click on the forthcoming "Continue" button (User Access Control ("UAC") box). Then, once the account list appears, click on the user that you want to configure or change. Select the "Standard user" option and click "Change Account Type." At this point the procedure is done and you may close the open window.
Those with Windows XP Professional or Vista Business or higher can further restrict user accounts. Unfortunately, this is outside the scope of this article. Computer owners should check their PC documentation for more information.
Computer owners may also choose to enable the built-in Windows guest account if guests frequent the computer. The guest account is already restricted and typically requires no configuration except that the account must be enabled before it can be used.
Be warned, however, that there are some caveats to using non-administrative user accounts. Many older Windows programs were not designed to run in a security controlled environment. As a result, many do not run (or don't run right) on Windows 2000, XP or Vista - especially programs designed to run on Windows 95, 98/98 SE and ME. Many parents will have to decide between security and backwards compatibility - a decision that isn't always the easiest to make.
Have comments about this article, or suggestions for an additional Tech Tips article? Send an e-mail to email@example.com.