So I have a challenge.
The Myth: You can get Crypto-locker or other crypto-viruses from just visiting a web site.
The Other Myth: You can get these viruses even if you are running without Administrative Privileges.
Now I admit that LOTS of people believe these things. Sometimes people even swear by it. So here's
The challenge: Prove it.
So prove it.
Post a link here that I can click on. Post a web site I can browse to and magically infect my machine.
I'm backed up. I have images. I'm willing to rebuild.
So bring it on.
- - - - -
I've had several conversations with people that lead me to believe that they believe these myths and they operate their computers with admin rights. I know this because they say things that make it clear they don't know the line between what you need these rights for and what you don't need these rights for.
Here's the deal with security: It can be a pain in the neck. It doesn't have to be.
UAC - User Account Control - should be enabled at all times for all users. I can see an exception for the actual administrator on the server. But I also assume you're going to be careful and thoughtful.
All users - including the network administrator - should operate without administrative rights at all times. When asked to elevate your privileges, slow down and think about it. Why did this pop up and do I really need it?
Users can be given access to a text file in a secure area on the server with an administrative logon and password so they can elevate privileges when absolutely necessary.
How do you know if you have administrative rights? That's easy: Click on an installation program of any kind. You won't be able to install a program if you do not have admin rights. Period. That includes programs we call "viruses."
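A scripted version of the same check, as an added example that is not part of the original post: it reports whether the current session is running with administrative rights, whether UAC is enabled, and who is in the local Administrators group. The function name Get-AdminRightsAudit is made up for this example; the registry value and cmdlets are standard Windows ones.

```powershell
# Added example: audit one Windows machine for the settings discussed above.
# Get-AdminRightsAudit is a hypothetical name chosen for this illustration.
function Get-AdminRightsAudit {
    # Is the current process token elevated (actually running with admin rights)?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # UAC is enabled when EnableLUA is 1 under the system policy key.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA `
                    -ErrorAction SilentlyContinue).EnableLUA

    # Local Administrators by well-known SID, so it works on non-English Windows.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        User                = $identity.Name
        ProcessElevated     = $elevated
        UacEnabled          = ($enableLua -eq 1)
        # Direct membership only; nested domain groups are not expanded here.
        UserIsLocalAdmin    = ($admins -contains $identity.Name)
        LocalAdministrators = $admins -join '; '
    }
}

$audit = Get-AdminRightsAudit
$audit | Format-List

# Flag the conditions the policy above says should never be true for a user.
if (-not $audit.UacEnabled)  { Write-Warning 'UAC is disabled on this machine.' }
if ($audit.ProcessElevated)  { Write-Warning 'This session is running elevated.' }
if ($audit.UserIsLocalAdmin) { Write-Warning "$($audit.User) is a local administrator." }
```

With UAC enabled, a member of the Administrators group who has not elevated shows ProcessElevated as False and UserIsLocalAdmin as True, which is why the script reports both.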
I highly recommend that you craft an actual policy for assigning rights for your own company and for your clients. A great place to start your education is here: https://technet.microsoft.com/en-us/library/mt620094.aspx.
(As a general rule, the Knowledgebase, Library, and Technet Magazine sections of Technet are very good and reliable. The "Forums" are stupid and useless. They're filled with a lot of people saying, "Yeah, I have the same problem. Has anyone found an answer yet?")
Why Do People Think They Need Admin Privileges?
Again, we get back to spreading myths. Many people think you need admin rights to install printers. Not true. If you (the administrator) installed the correct drivers when a machine was set up, then any user without admin rights can set up a printer ("install" a printer). No additional code is being installed because the drivers are already there.
Some people say they need to make basic changes like setting the time zone. I'm sorry. Why do you need to change the time zone? If a client needs that for whatever reason, they can enter a service request.
Some programs won't run without Admin Rights. This is rarely true. One of the oldest myths in the I.T. business is based on false logic:
- Running as the administrator solves my problem.
- Therefore I have to run as the administrator to solve my problem.
These programs are trying to do a specific thing, such as write to a secure area. In most cases, this is going to be the registry or an administrative area of the hard drive. You can solve your problem by adjusting that user's rights without giving them the ability to install executable code.
But to do that you have to do some research and you have to test. And you have to not be lazy.
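One way to make that adjustment, shown as an added example that is not from the original post: grant a single standard user write access to the one folder and the one registry key the application needs, and nothing else. The user name, folder, and registry key below are hypothetical placeholders, and the function names are made up for this example.

```powershell
# Added example. Run once from an elevated administrator session.
# Hypothetical names: replace with the user and locations you identified in testing.
$User   = 'CONTOSO\jsmith'
$AppDir = 'C:\Program Files (x86)\LegacyLOB\Data'   # data folder only
$AppKey = 'HKLM:\SOFTWARE\WOW6432Node\LegacyLOB'

# Do NOT grant write access to the folder that holds the application's
# .exe and .dll files; that would let the user replace executable code.

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Modify on this folder, inherited by its subfolders and files.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Read and write on this key and its subkeys, not Full Control.
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderModify  -Path $AppDir -Identity $User
Grant-RegistryWrite -Path $AppKey -Identity $User

# Verify what the user now holds on each object.
foreach ($target in $AppDir, $AppKey) {
    (Get-Acl -Path $target).Access |
        Where-Object { $_.IdentityReference.Value -eq $User } |
        Select-Object @{ n = 'Target'; e = { $target } },
                      IdentityReference, AccessControlType, IsInherited,
                      @{ n = 'Rights'; e = {
                          if ($_.FileSystemRights) { $_.FileSystemRights }
                          else { $_.RegistryRights } } }
}
```

After this, test the application as the standard user with UAC on; if it still fails, find the next specific location it needs rather than falling back to administrative rights.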
The bane of our existence is old Line of Business applications that run as administrator on the server because sloppy, lazy programmers were not willing to define exactly which rights were needed and limit their code to those specific functions. So we "solve" the problem with administrative rights.
The old friendly days of the Internet (and Windows) are gone.
You can't be lazy any more. You need to educate yourself and define safe procedures that are in your client's best interest. This might cost them a little money. But they won't have the expense from downtime because of encrypted files.
- - - - -
Alright, all you people who visit magical web sites where your computer is suddenly stricken with viruses: Prove it. Post the URL of the web site, blog, link, etc.
For those who argue that there are new, evil viruses that can install themselves without administrative privileges: Prove it. Post a link to such a virus.
And if I'm wrong - I'll report exactly what happened. Then I'll rebuild that machine and do it again to verify exactly how the bad guys were successful.
Disclaimer: I am going to browse and click on everything entered in the comments here. I am responsible for the damage done to my own machine. I am not responsible for the damage you do to your machine!
If you do not have an absolutely secure computer, do not click or browse anything posted here. If you do not master an understanding of your computer's security, do not click or browse anything posted here.
- - - - -
Update July 8th: Please watch the sample presentation I give to clients regarding safe computing, viruses, and why they can't have administrative rights. Like it and share it if you like it. It includes a link to download the presentation so you can give it to your clients.