SLAC Computer Security
Search SLAC
Running With Least Privilege on Windows XP

Often an exploit discovered will describe how the attacker can obtain the privileges of the logged on user. If we can do our jobs and be using the lowest privileges possible then we are giving less opportunities to any criminal that makes it through the exploit and into our computer.

If you have a Desktop Administrator they would be the best person to advise you as to which method would work for you.

Warning: Making the wrong changes to these accounts could cause you to lose access to your computer. Depending on the level of the error it could mean you would have to get your operating system re-installed!

If you are not sure if you are an Administrator on your computer do the following: Start; Settings; Control Panel; Double-click on User Accounts.

If you are not a Windows expert then please have a discussion with your Desktop Admin and develop a plan to remove your userid from the Administrators group. We have the following suggestions:

NOTE: If you use Remote Desktop to access to your computer from remote locations you will need to add your regular account into the Remote Desktop Users Group on your computer. Instructions. You should do this BEFORE removing yourself from Administrators Group. You have to add your account individually because by default all members of Administrators Group automatically have this right. Once you remove yourself from Administrators group you've lost the right unless your userid is individually entered. Only an account with Administrator privileges can edit the Remote Desktop Users Group.

Various Ways to Temporarily Raise Privileges

When you are working on your computer using a regular account and you find you need to run a program with elevated privileges you could use one of the following methods. With the options below the program will be able to run under the privileged account but you are still using your unprivileged account for all your other work. You could certainly use the "Good for Laptops" method above too. These are just other options.

Warning: Please see your Desktop Administrator for assistance if you are not confident your actions won't cause irreparable harm to your computer.

Owner: SLAC Computer Security
Last Updated: 05/17/2011
Feedback: Please send to
Computer Security Feedback