I see your point, Mike, and it makes sense. It's foolish not to have the UAC
security safety net. However, is there a way to configure UAC and those
other protections so that they run while logged into, or using priveleges of,
that "big Administrator" account. Would this be secure? If it's a BIG
production to do this, then I'll just forget about it.
The reason why I'm asking is that security people say there should be a
minimum of administrator accounts floating around.
One last question on a slightly different topic. Since the discovery of
this account, I did some exploring around. I discovered the existence of a
SYSTEM user group and the existence of an INTERACTIVE user group. What are
these groups ? These are in the security properties of many files.
Regards,
Paul
▬▬▬▬▬▬▬▬▬▬
"Mike Brannigan" wrote:
> "Paul" <Paul@discussions.microsoft.com> wrote in message
> news:A55143B9-78FE-4D68-B4A9-F8785D53FCEA@microsoft.com...
> > This is interesting, Mike. Perhaps I should delete "root" and make this
> > "administrator" account my new "root" account. You say it shouldn't be
> > used
> > unless there are 'extreeme circustances'. What are these extreeme
> > circmstances ?
> >
>
>
> Interesting question - the "Administrator" account could be enabled or day
> to day use - but is extremely highly privileged in that it will ignore
> pretty much all the other security protections that are even in place around
> your root account. While some people object to the User Account Control
> popping up and checking if you really want to do something it is there for
> your protection so using the Administrator account may pose a risk to you
> and your system - imagine accidently opening a file with a day zero exploit
> root kit or virus in it and this is now going to execute with absolutely
> nothing to stop it doing anything to hide itself and damage your system,
> etc.
>
> I would advise keep your root account and use that as you day to day admin -
> you are unlikely to even need the big A admin account.
>
> > I rarely log into my "root" account. I log into my "root" account when I
> > have to do a series of administrative tasks that would, otherwise, require
> > me
> > to right-click and "run as administrator" many times in succession.
> >
> > Funny, I thought that my "root" gave me complete and unhindered access to
> > all files and folders. I didn't realize there was something "higher up".
> >
>
> Indeed an account that is made an administrator (small "a") is indeed an
> admin account but it is still subject to UAC and potentially requiring you
> to confirm some actions etc and some applications may require addiotnal
> confirming permission elevation etc. The Administrator account bypasses all
> of this but obviously there is an inherent risk too, to your systems
> security by running asks under extremely highly privileged accounts.
>