There's a single simple trick that will make your PC or Mac much more secure from malware and malicious hackers. It doesn't involve buying antivirus software or dropping into the command line.
This treasured secret? Create a limited user account for yourself. Use that limited account for all your daily computer activities, including internet and office tasks.
Make sure everyone else who uses that machine is on limited accounts as well. Save your administrator account for administrative tasks, including installing and updating applications and other software. Using this system will prevent or limit most malware infections, both on PCs and Macs.
The only thing you'll be giving up is the ability to immediately install, modify or delete software, no questions asked. But on today's operating systems, all you'll need to do so is type in an administrative user's username and password. The security you'll gain will be well worth the minor inconvenience.
How limited accounts protect you
This account-segregation system works because, unlike administrator accounts, limited accounts can't install, update or remove applications and other executable software.
As a result, malware — viruses, worms, Trojans, rootkits, ransomware and so on — that tries to infect the machine through a limited account often won't be able to install itself and won't get a toehold. If it does manage to infect the limited account, it will normally affect only that user's files, folders and user-specific applications. The malware usually won't be able to get to the operating system or to other user accounts.
A Microsoft Vulnerabilities Report from British security firm Avecto, released in February 2017, was clear: "93 percent of Windows 10 vulnerabilities could be mitigated by removing admin rights ... including 100 percent of the vulnerabilities affecting the latest browser, Edge."
We don't have similar numbers to cite for Macs, but Mac antivirus maker Intego recommends using limited or "standard" accounts on Macs for the same reasons.
How to create limited accounts
Microsoft and Apple used to set up each new user with administrator accounts by default. But in fact, you need only one admin account per machine — and every user should have a limited account for daily use.
You'll need to be using an administrator account to do this, but the steps in each current version of Windows are similar.
In Windows 7, go to Start --> Control Panel --> Add or Remove User Accounts, or User Accounts --> Create a New Account. Type in the desired username, select the Standard User button and click Create Account. Then click Create Password and enter the desired password.
In Windows 8 or 8.1, tap the Windows key and I key at the same time to bring up the Settings menu. Select Control Panel, then either Add or Remove User Accounts or User Accounts depending on your Control Panel viewing options. Select Create a New Account. Type in the desired username, select the Standard User button and click Create Account. Then click Create Password and enter the desired password.
In Windows 10, go to Start --> Settings --> Accounts --> Family & Other Users. Click "Add someone else to this PC." Then select "I don't have this person's sign-in information" and click Next. (Ignore the prompt to enter the user's email address or phone number.)
On the following screen, select "Add a user without a Microsoft account" and click Next. (Windows 10 Home and Professional editions may not display the previous two steps.) On the next screen, type in the desired username and password and click Next. (We've got an illustrated guide here.)
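For readers who would rather script the steps above, here is a PowerShell equivalent for Windows 10, run from an elevated prompt. It is an added example, not part of the original article. It creates a standard account and then lists who currently holds administrator rights. The account name `dailyuser` is a placeholder, and the script only reports on existing admin accounts without changing them.

```powershell
#Requires -RunAsAdministrator
# Added example. 'dailyuser' is a placeholder name chosen for illustration.
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group
$UsersSid  = 'S-1-5-32-545'   # well-known SID of the built-in Users group
$NewName   = 'dailyuser'

# 1. Create the limited account only if it does not exist yet.
if (-not (Get-LocalUser -Name $NewName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $NewName"
    New-LocalUser -Name $NewName -Password $pw `
        -Description 'Standard account for daily use' | Out-Null
    # New-LocalUser adds the account to no group; Users makes it a standard user.
    Add-LocalGroupMember -SID $UsersSid -Member $NewName
}

# 2. Report every member of Administrators and whether it can sign in.
$report = foreach ($m in Get-LocalGroupMember -SID $AdminsSid) {
    # Only local accounts resolve here; domain members leave Enabled empty.
    $u = if ($m.ObjectClass -eq 'User') {
        Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Name    = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Enabled = $u.Enabled
    }
}
$report | Format-Table -AutoSize

# 3. Flag the two situations the article advises against.
$enabledAdmins = @($report | Where-Object { $_.Enabled })
if ($enabledAdmins.Count -gt 1) {
    Write-Warning ("{0} enabled local accounts have admin rights: {1}" -f
        $enabledAdmins.Count, ($enabledAdmins.Name -join ', '))
}
if ($report.Name -match "\\$([regex]::Escape($NewName))$") {
    Write-Warning "$NewName is in Administrators and is not a limited account."
}
```

If the report shows more than one enabled admin account, the extra ones can be switched to Standard from the same Family & Other Users screen.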
Why this solution isn't well known
So why don't more people do this? I think most people don't know about limited accounts, or, if they do, they only think about them as a way to control the activities of a child or guest user.
Another reason is that, up through Windows XP, using a limited account was terrible. Most applications assumed that a user would have full admin rights, and many didn't work properly under a limited account. If a limited user encountered a process that required authorization by an administrator, he or she would have to switch to an administrator account to move forward.
That changed with Windows Vista and the introduction of Microsoft's User Account Control, which smoothed out the process. Software developers were required to give maximum functionality to limited accounts, and if administrator authorization was needed, a dialogue box popped up asking the limited user for an administrator account's username and password.
I've been using this system on all my Windows PCs for several years, and I've never found it to be much of a handicap. When software needs to update, I get the pop-up box and enter the admin credentials. On both Windows 7 and Windows 10, Windows Update runs without a hitch. I rarely need to log into my separate administrator account for anything.
What using limited accounts can't do
This precaution won't prevent or mitigate all malware infections. Some malware can "escalate" its system privileges and give itself powers that a limited user doesn't have. But regular, run-of-the-mill malware, which is what most people face most of the time, doesn't do that.
Nor will this stop social-engineering attacks meant to fool you into giving up sensitive information. If a phishing email asks you to log into a phony Facebook or Gmail web page, a limited user account won't help. If rogue software asks for your administrative username and password so that it can install itself, providing those credentials will erase the benefits of having a limited account in the first place.
The truth is that only you can stop social-engineering attacks. But limited user accounts can stop almost everything else.