Prevx Blog

Jul 10th

Take care of your PC with a limited account

Posted by: Marco Giuliani


I often read on international boards people comparing their security products, people who install tons of different security products on their PC and praise the security of their computers. That's an interesting topic, until I discover they are running their user accounts with administrator privileges. Then the whole topic becomes kind of funny to my eyes.

Running your account with administrative privileges doesn't help you at all. Using an administrator account, as the standard Windows XP account is by default, means that every piece of software you run holds the key to heaven, to the heart of your system.

When you need to install a security product, you need administrative privileges because the product needs to interact with the system kernel, e.g. by installing a file system driver able to scan your drives, or a self-protection driver.

If you use a limited account, the operating system will ask you for authorization to gain administrator privileges. This is not the case if you are already running as administrator, because you already have those privileges.

If you are running your PC with an administrator account, every program you execute inherits administrative privileges by default: every program can access the Windows kernel and potentially bypass all the filters previously added by security software.

No matter how many security protection layers you have added to the kernel, both malware and security products are running at the same level. Both are having fun in the kernel, the highest privilege level available in the system. It effectively becomes a race condition, a game between security products and malicious software.

A nice example is the latest TDL3 rootkit, which we discussed in a couple of blog posts some months ago. This is a really nasty infection, able to bypass almost all security products and stay invisible in the system.

This happens because the malware dropper has administrative privileges; otherwise it couldn't get access to the system kernel. The MBR rootkit is another example of an infection that could have been prevented by using a limited user account.

Both Microsoft Windows Vista and Windows 7 have taken a great step ahead by adding User Account Control for all members of the local Administrators group. Every local administrator runs by default in Admin Approval Mode, which means they are running with standard limited user account privileges. Then, if a program needs higher privileges, Windows shows an alert and the user is asked to choose whether to grant those privileges or not. By doing so, a malware wouldn't have by default any privilege to interact with the system at a low level.
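To see which of the three situations described above (full administrator, administrator in Admin Approval Mode with a filtered token, or limited user) your own session is in, here is an added check script; it is not part of the original post or of any Prevx product. It assumes Windows PowerShell 5.1 or later on Vista or newer, where whoami.exe reports token attributes and the UAC policy values live under the registry key used below.

```powershell
# Added example: classify the current session the way the post describes.
# Well-known SID of the local Administrators group.
$adminSid = 'S-1-5-32-544'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity

# IsInRole only sees groups that are enabled in the token. Under Admin Approval
# Mode the Administrators group is present but marked "deny only", so this is
# $true only for a fully elevated token (or an XP-style administrator logon).
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami exposes the raw token groups including their attributes.
$groups     = whoami /groups /fo csv | ConvertFrom-Csv
$adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }
$filteredAdmin = ($null -ne $adminEntry) -and ($adminEntry.Attributes -match 'deny only')

# The integrity label (S-1-16-*) is the level every child process inherits:
# High for an elevated token, Medium for a standard or UAC-filtered one.
$integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

# UAC policy: EnableLUA=0 disables UAC entirely; ConsentPromptBehaviorAdmin=0
# means administrators are elevated silently, which removes the alert the post relies on.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

if ($elevated) {
    $verdict = 'Full administrator: every program you start gets kernel-level reach (the XP default).'
} elseif ($filteredAdmin) {
    $verdict = 'Admin Approval Mode: member of Administrators, but running with a filtered standard-user token.'
} else {
    $verdict = 'Limited user account: programs you start have no administrative privileges.'
}

[pscustomobject]@{
    User                       = $identity.Name
    Verdict                    = $verdict
    IntegrityLevel             = $integrity
    UacEnabled                 = ($policy.EnableLUA -eq 1)
    AdminPromptBehavior        = $policy.ConsentPromptBehaviorAdmin
    SilentElevationForAdmins   = ($policy.ConsentPromptBehaviorAdmin -eq 0)
}
```

Run it from a normal (non-elevated) console and again from an elevated one to see the verdict and integrity level change; SilentElevationForAdmins being $true means a program can elevate without any prompt being shown.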

Is the limited user account enough by itself? Actually, not at all. The fact that a malware doesn't have administrative privileges by default doesn't mean it couldn't do any damage. Actually, it could do almost everything from user mode too.

Two well-known trojans are an example: both ZeuS and SpyEye can run from an unprivileged account, and they are still fully able to steal important data from your browser and your keyboard (hint: unless you have Prevx SafeOnline installed :) ). They can still use user-mode rootkit techniques to hide themselves in the system.

The primary vector of infection today is the browser. By using any of a number of flaws in web browsers or browser plugins, or flaws in the PDF reader, a malicious web page could drop a malware onto your system and run it with the privileges of the browser.

What would happen if you are running Windows XP with an administrator account? Your browser has administrative privileges, so the malicious code has administrative privileges by default too. It would have full access to the Windows kernel.

What would happen instead if you are running Windows XP with a limited user account? Your browser doesn't have administrative privileges, so the malware inherits standard user account privileges. It can still be dangerous, but the security product has an advantage: it is working at a higher privilege level.

A security product needs to be installed on your PC; it is more than necessary to prevent malware infections, but you need to take care of your system too. If you are running your system with a limited user account, or with an account that has UAC active, you are helping yourself, your security products and your system's safety.

If you are not, you are leaving your security product and every new malware fighting at the same level, with the same privileges. And that potentially won't help your security, even if you have installed dozens of security products.

1 comment so far

STV on Jul 30 3:46, 2010

What if you use an admin account but strictly run your browser and potentially dangerous applications in a Sandboxie sandbox with dropped rights? :D
