This page has been imported from our previous wiki and is still in the process of being reviewed. It may be out of date or inaccurate.

Introduction

By virtue of your Windows 7 system being part of the Windows Campus domain the administration of your system is split between 3 entities:

  1. NUIT
  2. The Computing Science support team
  3. Yourself, termed here the "owner" of the PC.

Owner without Local Admin Rights

When you first get a machine you will not normally have local administration rights. If you do not have local administrator rights i.e. you do not have the password to a local administrator account, then you need do little to administer your machine apart from:

  • ensuring it is regularly rebooted to get all updates
  • act on any warning from MS Forefront, the anti-virus program

Owner with Local Administration Rights

Once you have been given local administration rights (raise a ticket if you think you need this capability) then you have considerable control over your machine and must take more responsibility for its maintenance. It is advisable to only run with local admin rights when you need them (e.g. to install some software, format a disk, change a disk drive letter etc.): this enforced in Windows 7/Vista via User Account Control (UAC - see below). Those systems, unlike XP, will usually help you by asking for an administrator account password whenever admin rights are needed whatever account you are logged in with. This reduces the chance of the system being accidentally misconfigured by you, by one of the programs you have installed, or by a viruses/worms (which typically run with the privilege of the logged on user, for example the MyDoom worm needed local admin privilege to update the relevant parts of the file system and registry). See Why you shouldn't run as admin... and Applying the Principle of Least Privilege to User Accounts on Windows XP for reasons why it is good to run as a "limited" user for as much time as possible.

/!\ Unlike a home PC, your machine is on a fast local area network along with thousands of other machine - an infection may quickly spread to your colleagues' systems.

You should:

  • reboot the system regularly and check the anti-virus program is running correctly as for a non-administrator above.
  • ensure any local administrator password is not easily crackable: although passwords for local accounts must adhere to the domain policy (see How do I change my password?) something stronger is advisable.
  • not create any other accounts with local admin rights unless absolutely necessary.
  • not install any software which might compromise your system, and hence perhaps others (in particular that you do not inadvertently install a virus/worm). When you install some software with administration rights you are trusting that software not to behave maliciously, and it is fairly common practice for "trojans" to be deliberately added to software installers, particularly when acquired from "dubious" sources.
  • check that any software you install has been done so legally, i.e. that you had the right to do so. Just because you have access to some software on the campus network does NOT mean you have the right to install it yourself.
  • keep the Windows Firewall enabled with as few exceptions as possible. This is particularly the case if you have a machine with a public IP address, see NetworkSecurity. If disable the firewall temporarily to figure out why some application isn't working remember to re-enable it as soon as possible. In case you forget it will be re-enabled by Computing Science group policy on reboot.
  • keep important data in backed up network space, such as your H: drive.

Local Administrator Rights

User Account Control (UAC) means that all accounts runs with normal privilege until admin rights are required: at this point the screen blinks and a login dialog appears: you should enter a password for one of the admin accounts shown (an admin user account is one which is in the local Administrators group). The procedure is termed elevation and the new activity is sometiems refrred to as running with "elevated" rights.. The local Administrator account itself is disabled and should not be enabled; you should use the local account CMDadmin instead (CMD stands for Campus Managed Desktop). Despite UAC, the safest way of performing occasional tasks which need local admin rights is, as in XP, to log in with a separate administrator account. Here is a technical explanation which includes: "If you value security over any convenience you can, of course, leverage the security boundary of separate user accounts by running as standard user all the time and switching to dedicated accounts for unsafe browsing and administrative activities".

You can run an individual application with administrator rights by right clicking on its icon and selecting Run as Administrator; you will then get the chance to enter a password for the CMDAdmin account.

(!) Running a command prompt as administrator is particularly useful as you can run further programs already elevated. The easiest way to do achieve this is to enter cmd.exe into the Start Menu search box, then right click and select Pin to Start Menu. Once cmd.exe is in the Start Menu you can launch by right clicking and select Run as Administrator. Note, an elevated command window has the prefix Administrator: in its window title.

(!) Xplorer2 (see CS Portable Apps) has the useful ability to create an elevated window (from Window->Administrator).