Windows 7/8 user accounts: security questions

mynetdude

I've heard over and over that when setting up Windows that I should always create a standard account and an admin account and use my PC normally from a standard account that way if an app needs to update or I want to install an app (which I happen to do a lot especially on my gaming rig).

I've even been told EVERYBODY's computer should be set up this way, even after reformatting a customer's PC and at first I thought to myself ok this is no big deal; but I'm starting to see some problems and implications that could be troublesome for the end users UNLESS there is something I am missing?

A) every time a Windows app (especially for Windows 8 because Metro Apps don't require the same admin permissions) wants to install or update you have to enter the admin password for the admin account since you are not logged in as admin. Well ok, this theory is OK except that this is going to happen for EVERY update, EVERY install and we're not even talking about UAC which is totally different.

B) I'm told that UAC is important, yes I can see that and I agree; you are prompted with a yellow/white window with a yes/no option to allow it, shouldn't that be enough? Now Windows 8 has SmartScreen and it will challenge applications that aren't recognized (not just Metro apps, but they are almost always recognized because Microsoft wouldn't allow it to be in the app market if it had questionable credibility).

I'm a little confused here; why would I want people to have to go through the burden of entering their admin password for every single update/install since UAC is going to challenge it even on an admin account (unless UAC is set really low or turned off).

The other thing is I've been told that Windows doesn't create an admin account on first install; if that's the case then why is the very first account an admin account anyway? If Windows does indeed create an admin account perhaps I don't see it? (Or is that a safe mode feature? Even in safe mode the extra "super" admin account doesn't always appear.)

Right now I have a customer whom I think is having issues with the admin+standard account password challenge for updates/installs and she has to ask me what her password is :p I think it's overly complex, don't you?
 
> I've heard over and over that when setting up Windows that I should always create a standard account and an admin account and use my PC normally from a standard account that way if an app needs to update or I want to install an app (which I happen to do a lot especially on my gaming rig).
>
> I've even been told EVERYBODY's computer should be set up this way, even after reformatting a customer's PC and at first I thought to myself ok this is no big deal; but I'm starting to see some problems and implications that could be troublesome for the end users UNLESS there is something I am missing?

Usually a good practice to do.

> A) every time a Windows app (especially for Windows 8 because Metro Apps don't require the same admin permissions) wants to install or update you have to enter the admin password for the admin account since you are not logged in as admin. Well ok, this theory is OK except that this is going to happen for EVERY update, EVERY install and we're not even talking about UAC which is totally different.
>
> B) I'm told that UAC is important, yes I can see that and I agree; you are prompted with a yellow/white window with a yes/no option to allow it, shouldn't that be enough? Now Windows 8 has SmartScreen and it will challenge applications that aren't recognized (not just Metro apps, but they are almost always recognized because Microsoft wouldn't allow it to be in the app market if it had questionable credibility).
>
> I'm a little confused here; why would I want people to have to go through the burden of entering their admin password for every single update/install since UAC is going to challenge it even on an admin account (unless UAC is set really low or turned off).

Because you're setting it up as a non-admin account, which will require admin privileges to install applications that modify the system.

The difference between the SYSTEM admin account and a user-made admin account, is that the user-made admin account is more like a power user account, rather than an actual "Admin" account.

Can just make the account 'Admin' and then let UAC take over (this is how standard computers are set up). If you're trying to set restrictions on certain accounts however, then you'll want to create a primary Admin account, and secondary 'Standard Users' accounts, so that if they try to modify the system in any way from the standard user account, the admin account verification box will pop up (password box you're seeing) to approve the change.

> The other thing is I've been told that Windows doesn't create an admin account on first install; if that's the case then why is the very first account an admin account anyway? If Windows does indeed create an admin account perhaps I don't see it? (Or is that a safe mode feature? Even in safe mode the extra "super" admin account doesn't always appear.)

Yes it does. It's just hidden by default since Vista came out, unlike in XP where it was readily accessible by just rebooting into Safe Mode.

Open command prompt, and type:
net user Administrator /active:yes

Log off and you'll see the Administrator account available on the login screen.

To deactivate, type:
net user Administrator /active:no
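
A read-only check of the setup this reply describes (how UAC prompts admin and standard accounts, and whether the built-in Administrator is enabled), as an added example that is not part of the original post. The report property names are made up for illustration; the registry values and the well-known SIDs are standard Windows ones.

```powershell
# Added example: read-only audit of the account and UAC setup discussed in this thread.
# Uses only WMI, ADSI and the registry so it also runs on Windows PowerShell 2.0 (Windows 7).

$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Elevation prompt behaviour for members of Administrators (ConsentPromptBehaviorAdmin)
$adminPrompt = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries'
}
# Elevation prompt behaviour for standard users (ConsentPromptBehaviorUser)
$userPrompt = @{
    0 = 'automatically deny elevation requests'
    1 = 'prompt for credentials on the secure desktop'
    3 = 'prompt for credentials'
}

# Built-in Administrator: the local account whose SID ends in -500, whatever it is named
$builtin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# Local Administrators group, resolved from its well-known SID so localized names work
$sid   = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$name  = $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# With UAC on, an admin's normal session holds a filtered token, so this is False until elevated
$me = New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())
$elevated = $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

New-Object PSObject -Property @{
    UacEnabled            = ($uac.EnableLUA -eq 1)
    AdminAccountPrompt    = $adminPrompt[[int]$uac.ConsentPromptBehaviorAdmin]
    StandardAccountPrompt = $userPrompt[[int]$uac.ConsentPromptBehaviorUser]
    SecureDesktop         = ($uac.PromptOnSecureDesktop -eq 1)
    BuiltinAdminName      = $builtin.Name
    BuiltinAdminEnabled   = (-not $builtin.Disabled)
    AdministratorsMembers = ($members -join ', ')
    SessionElevated       = $elevated
} | Format-List
```

A machine where BuiltinAdminEnabled is True after troubleshooting, or where AdministratorsMembers lists every day-to-day account, is the configuration worth revisiting.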
 
I'm just trying to get a consensus because many people seem to just run around with admin accounts without adding standard accounts unless they are wanting to impose restrictions which I wouldn't dare do on my own customer's PCs unless they ask me to.

I was trying this concept in hopes security would be improved, but I'm realizing it's just more of a hassle and I think UAC is beneficial yet everybody seems to scream bloody murder if you only let UAC do the job which kind of doesn't make sense for the average "mom & pop" computer user.
 
Under most circumstances, the industry standard is for each user account to reflect an individual. Permissions for that user account can then be configured to properly reflect that individual's rights within the organization and over the system. There are exceptions to this rule, but in the scenario you have described, proper UAC (User Account Control) is able to provide the same level of security.

There are some circumstances where the configuration you have described would be applicable, such as in an organization or a family where some individuals may not have rights to modify the system or the software. In such scenarios, the administrators would be required to authenticate major changes, such as installing applications. There is some detailed information on user accounts and how they can be regulated available here from TechNet.

If you are configuring Windows for clients and you are looking for ways to improve the services you provide to them and the configurations you set up for them, you definitely might want to spend some time checking out the Springboard Series on TechNet. The resources provided by the Springboard Series on TechNet are designed for IT Professionals. There is quite a bit on there, so let me point you to some of the best resources. There is a great rundown of the latest technologies in the 6 part Windows 8 Jump Start Training and access to the Windows 8 Enterprise Evaluation so that you can try out Windows 8 yourself. The Springboard Series Insider newsletter and the Springboard Series Blog provide regular updates of the best content for professionals working with Windows clients.

Brandon
Windows Outreach Team- IT Pro
The Springboard Series on TechNet
 
> I'm just trying to get a consensus because many people seem to just run around with admin accounts without adding standard accounts unless they are wanting to impose restrictions which I wouldn't dare do on my own customer's PCs unless they ask me to.
>
> I was trying this concept in hopes security would be improved, but I'm realizing it's just more of a hassle and I think UAC is beneficial yet everybody seems to scream bloody murder if you only let UAC do the job which kind of doesn't make sense for the average "mom & pop" computer user.

I believe that the idea of using a standard account is to limit the damage in the event that the session gets hijacked; the attacker would be unable to run malicious code because the user account being used does not have admin rights. It's sound in theory but it's such a pain, especially if you have a complex password. Honestly, having your session hijacked is pretty rare compared to all the other threats that are out there.

It is a good security practice, but it's probably more than the typical home user needs. Most of the time they'll be okay as long as they keep everything updated, they stay away from questionable sites and they don't click on things that they aren't supposed to. Of course, a lot of people don't do that. I'd say that user education would help a lot more than anything else.

Unfortunately, it's a zero sum game when it comes to security and usability; having more of one means having less of the other, and people sure do love convenience. The funny thing is that the people who need security measures the most are also the ones who are most inconvenienced by it. Ah, well. In the end all you can do is give the end users what they want and warn them about the dangers that they are likely to face even if they think that it won't happen to them.
 
WinOutreach2:

I understand that TechNet requires a subscription, I'll do that later this spring; it's $200 and I've got a long list of software and tools I want to buy :D

Distraughtsysop:

How true! :) I find it an inconvenience myself, but I don't need that much security because I don't wander to random websites, and I love the ability to go to a questionable website on Android because they aren't nearly as affected as Windows (same as Macs I suppose?); no it's not foolproof and Windows is sure more vulnerable.

I also use a silly tool called "WOT" (Web of Trust) it tells me what sites are safe/not safe; unfortunately some are safe just very untrustworthy (spam). But it does help as a "thin" layer of protection as a guide to which websites are good/bad.
 
For me, the main user of the computer always has admin, and anybody else under them gets a standard account. Personally each of my machines I have ever owned only has one account. Having different account names on permissions for files that get swapped during format can be messy later on. Swapping back and forth would be a total ***** only for security which should be common sense.
 
> I believe that the idea of using a standard account is to limit the damage in the event that the session gets hijacked; the attacker would be unable to run malicious code because the user account being used does not have admin rights. It's sound in theory but it's such a pain, especially if you have a complex password. Honestly, having your session hijacked is pretty rare compared to all the other threats that are out there.
>
> It is a good security practice, but it's probably more than the typical home user needs. Most of the time they'll be okay as long as they keep everything updated, they stay away from questionable sites and they don't click on things that they aren't supposed to. Of course, a lot of people don't do that. I'd say that user education would help a lot more than anything else.
>
> Unfortunately, it's a zero sum game when it comes to security and usability; having more of one means having less of the other, and people sure do love convenience. The funny thing is that the people who need security measures the most are also the ones who are most inconvenienced by it. Ah, well. In the end all you can do is give the end users what they want and warn them about the dangers that they are likely to face even if they think that it won't happen to them.

What you have just described is exactly the sort of scenario where User Account Control (UAC) comes into play. In Windows Vista, 7, and 8 with UAC enabled (which it is by default) software is unable to simply “install itself” without any user input. The separation of standard and administrative users is often between those who have the knowledge to comprehend what software should be installed on the system and what is malicious software trying to reach in, and those who do not and would just click OK whenever prompted. Unfortunately, if it is the same user, the account separation does nothing but give either type of user an extra step to pass through.

> WinOutreach2:
>
> I understand that TechNet requires a subscription, I'll do that later this spring; it's $200 and I've got a long list of software and tools I want to buy

There is a subscription to TechNet which provides evaluation licensing for Microsoft software, information on that can be found here, but all of the links I included above are entirely free and open for use. Not only is the information free and the evaluation software free, but there are dozens of tools provided by Microsoft to ease the life of an IT pro which are linked, explained, and detailed in the Springboard Series on TechNet.

Utilities like the Microsoft Deployment Toolkit (MDT), which is an immensely powerful deployment tool for creating images of Windows so that they can be deployed to systems. You can even import applications and drivers into the MDT store so that when you deploy you can deploy to various hardware configurations and select from a list of applications to install.

Another utility would be the Application Compatibility Toolkit (ACT) which allows you to assess an application which is having compatibility issues with a modern version of Windows, determine what the issue is, and install a fix, or shim, which allows the incompatible application to run.

These are immensely powerful tools available from Microsoft entirely for free just to make life easier on the IT pros who run and support the Windows operating system in the wild. Details on these tools and more are available in step-by-step guides, great videos, and detailed articles, so that you can introduce yourself to them in whatever way works best for you. Some videos I can recommend are this one on ACT and this one on MDT, which might help get you started without inundating you with an overload of information. If you have a bit more time, the video Alphabet Soup Deployment: Understanding MDT, WDS, MAP, ACT, SCCM, and USMT dives deeper into the technologies and provides a good overview of several different technologies and how they fit into the scheme of things.

Brandon
Windows Outreach Team- IT Pro
The Springboard Series on TechNet
 
> For me, the main user of the computer always has admin, and anybody else under them gets a standard account. Personally each of my machines I have ever owned only has one account. Having different account names on permissions for files that get swapped during format can be messy later on. Swapping back and forth would be a total ***** only for security which should be common sense.

Yeah same here, I'm the only user of all my PCs; file ownership(s) can be a hassle, that's the number one reason why I prefer to use external HDDs or flash drives, etc. And I preach that mantra to everyone I know, and yes they do have to spend a little money but it's worth it IMO.

WinOutreach2:

You're probably the best person I've met here on these forums (in my eyes anyway ;)).

I didn't mean to assume, a pro should never assume; but based on what I knew about TechNet until now was why I made that comment. And I thank you for that information/knowledge; I'll be looking into all of this :).
 