Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Why Use a Standard Account Instead of Administrator?

09 Apr 2014   #11
UsernameIssues

W7 Pro SP1 64bit
 
 

I'm back :-)

MozyHome does not like my demotion to a standard user, but I'm going to stay a standard user (for now) and I'll figure MozyHome out later.


My System SpecsSystem Spec
.
09 Apr 2014   #12
andrew129260

Windows 10 Pro
 
 

Quote   Quote: Originally Posted by UsernameIssues View Post
You cannot say or know that you have not been infected.

You can only say that you have never found an infection.

There is a big difference.

That tis true. Although I usually scan with almost every AV known to man, so if an infection is on my machine, its quiet and runs completely silent, does not show in task manager- and is not known by any AV company.---yet
My System SpecsSystem Spec
09 Apr 2014   #13
Alejandro85

Windows 7 Ultimate x64
 
 

Let me ask the opposite question instead: Why use an administrator account 24/7 when a standard one will suffice?

The answer to all this is security. The idea of that recommendation is to reduce the attack surface of an hypothetical infection/virus/attacker/whatever that might strike your computer, as well as badly-behaving programs that might take more concessions than they should.
Standard user accounts only have permissions to modify things that affect that user account only, like all documents, desktop settings, user-specific program settings and so, but nothing beyond that.
Administrator accounts on the other hand have full, unrestricted access to everything in the system. They can modify system-wide settings, install, remove, modify programs, change drivers and global configurations and all files and registry settings on disk.

This recommendation follows the Principle of least privilege, which also recommends that any process should run with the bare minimum set of permissions to accomplish its task, and nothing else, so that programs cannot perform anything that they're not supposed to do (which helps preventing trojans, and limits the damage by viruses and possible vulnerabilities).


Quote   Quote: Originally Posted by King Arthur View Post
I personally use an administrator account as plenty of software (especially older software!) expect to be running under administrator privileges
Often UAC can help with that while remaining as standard, with file/registry virtualization, that relocates writes to system protected areas to user-specific folders. Of course, some programs do legitimately need full admin access.



My personal preference which adopted a few years ago. I use a standard account for everything, and created a second, administrative account for use though UAC elevations for thing that do need more access. For a few internet-facing programs, I use additional dedicated accounts for each one. While this is, in fact, somewhat harder to use it also it's a nice way to get a little more security. I remember once to have detected a virus trying to sneak in because it triggered a sudden UAC elevation request, which possibly would have done its things if I were using the Windows default settings.
My System SpecsSystem Spec
.

10 Apr 2014   #14
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote   Quote: Originally Posted by Alejandro85 View Post
Let me ask the opposite question instead: Why use an administrator account 24/7 when a standard one will suffice?
~~~
1) Things that use environmental variables can break.

rd "%userprofile%\AppData\Local\.......

...might require elevated privileges.

Once elevated, %userprofile% operates in the context of whatever admin account was selected.

2) MozyHome does not handle backing up a standard user well.

3) Utilities might need to be setup twice:
e.g. Task Manager runs as the standard user, but once elevated, it operates in the context of whatever admin account was selected during the elevation process. All of the customizations that the standard user setup, must now be repeated for that admin account. If the standard user opts to add a column to one of the tabs, that user must add the column twice: once as a standard user and once as an admin user. The same "set up twice" is true for Process Explorer, Autoruns and a host of other utilities.

4) Running CPUID CPU-Z as admin, going to the tab named About and clicking on a web link, starts the default browser in the context of whatever admin account was selected during the elevation process. In my case, IE was started. IE (of course) did not have the favorites on the favorites bar that I was used to seeing because IE is not using my user profile. If I had done much surfing while in that mode, I would have been at a greater risk than if I had been an admin user:

4a) IE is running at the high integrity level. Drive by infections can have more of a field day than if I were an admin user that launched IE at the medium/low integrity levels. Do you really expect the average user to understand the impact of integrity levels?
4b) IE does not have 64bit tabs - despite EPM being turned on. This lowers security since ASLR cannot make full use of my 8GB of RAM.
4c) not all aspects of Internet Options launches in the correct context - e.g. while IE is running as admin, asking Internet Options to show you the location of Temporary Internet Files folder will take you to the standard user's Temporary Internet Files folder. Not the correct admin folder where temp files are being placed.

Why Use a Standard Account Instead of Administrator?-ie11-high-32bit.png

5) CCleaner and a few other apps need to be re-installed due to the account demotion.

6) Unlocker and a few other apps cause Window's consent app to create the secure desktop (e.g. darkened desktop) where I would normally be asked to select an admin account and enter admin credentials, but no dialog box is ever presented. This might also be the result of the demotion.

I'm sure that there are other things that my brief time as a standard user did not ferret out.


My System SpecsSystem Spec
10 Apr 2014   #15
gregrocker

 

I have never installed any other than the Admin-level account issued during OS install since the installed is assumed to be the owner.

I can't remember this ever being a problem except for both my Dad and one friend, because they were being chronically infected, I downgraded them to a Standard account. I considered this more or less silly because they then had to ask themselves if they wanted to give permission to something they were doing and most times just merrily clicked along as far as I could tell. They swore they never got the prompt for something they weren't doing, but who knows?

What finally did work and has kept either from being infected since is adding Malwarebytes Real Time Protection for $29.95 for life in addition to MSE. Neither has been infected again in several years. My friend did call me a year or two ago to ask if he could turn off MBAM to install a player from a sketchy site and I said No. MBAM should change their disable prompt to "I want to infect my computer."
My System SpecsSystem Spec
10 Apr 2014   #16
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Quote   Quote: Originally Posted by gregrocker View Post
My friend did call me a year or two ago to ask if he could turn off MBAM to install a player from a sketchy site and I said No. MBAM should change their disable prompt to "I want to infect my computer."


I was under the impression Microsoft is referring to the default windows account to stop all prompts for admin permissions,
Either way feel free to use user accounts as you see fit,
I'll do the same,
Best advice is to read carefully install terms
Cheers.
My System SpecsSystem Spec
10 Apr 2014   #17
Britton30
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

Quote   Quote: Originally Posted by gregrocker View Post
What finally did work and has kept either from being infected since is adding Malwarebytes Real Time Protection for $29.95 for life in addition to MSE. Neither has been infected again in several years. My friend did call me a year or two ago to ask if he could turn off MBAM to install a player from a sketchy site and I said No. MBAM should change their disable prompt to "I want to infect my computer."
LOL, that should be standard issue on all security software.
My System SpecsSystem Spec
10 Apr 2014   #18
Computer0304

Windows 7 Professional 32-bit/Windows 8 64-bit/Win7 Pro64-bit
 
 

Quote   Quote: Originally Posted by ThrashZone View Post
Quote   Quote: Originally Posted by gregrocker View Post
My friend did call me a year or two ago to ask if he could turn off MBAM to install a player from a sketchy site and I said No. MBAM should change their disable prompt to "I want to infect my computer."


I was under the impression Microsoft is referring to the default windows account to stop all prompts for admin permissions,
Either way feel free to use user accounts as you see fit,
I'll do the same,
Best advice is to read carefully install terms
Cheers.
My System SpecsSystem Spec
Reply

 Why Use a Standard Account Instead of Administrator?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
How can a standard user gain access to an administrator account?
My Son And I Share A Laptop Running Windows 7 Home Edition , Am The Administrator And He Is The Standard User But He Keeps Going In And Changing My Account To Standard User And His To Administrator , Can Someone Tell Me How He Is Doing It And How Can I Put A Stop To It
General Discussion
Windows 7 admin account is locked, on;y stuck with a standard account.
Hi, I basically had 3 accounts on my computer, one being "Administrator" (w Admin rights), one "test" (Standard User rights) and one more "User" that is the one I use most frequently (with Admin rights). When I last used it last Friday the User account was still present and all my programs were...
General Discussion
I can't change a standard account to an Administrator Account!!!
I recently logged onto my account about 2 days ago to finish a project. The music file I used for the account was could not be found and when I went to locate it I was told I didn't have administrator rights. I went to Control Panel because I was sure I was an Administrator, but sure enough, I was...
General Discussion
Default User Account (Administrator) acts like Standard Account
I am using Windows 7 Pro 64x and apparently the default user account (Owner) that I use is not working correctly. Unless I have UAC set to Never Notify, I cannot open Control Panel or UAC again. When I try, I get the error message listed below. I have created a second user account as Administrator...
General Discussion
Using default admin account vs standard user account
I have always been running admin and even until now I run as admin. But, I have been doing a little bit of research and realize that using a standard account is a safer practice. I have never even used a standard account. Is using a standard account a better practice? Also, how does doing average...
General Discussion
Keeping Standard Account Users out of the Administrators Account
I am about to start using Windows 7 Home Premium. As I understand it, a Standard user can install software if that user can provide a valid Administrator User name and password during the install process, when prompted by Windows 7. My question is, if you providide a Standard user with...
General Discussion


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 19:54.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App