Why Use a Standard Account Instead of Administrator?

TomBrooklyn · 07 Apr 2014

Why ought somebody who has a PC and put's Windows on it, create a standard account and use it for their everyday computing, instead of just using the Administrator's account they created when they installed Windows?

The following page from microsoft.com,
Change a user's account type - Microsoft Windows Help
entitled "Change a user's account type, says:

When you set up Windows, you were required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you'd like to use. Once you finish setting up your computer, we recommend that you create a standard account and use it for your everyday computing.

Britton30 · 07 Apr 2014

An admin account runs with higher permission levels than a Standard one. If the account in use is Admin level it's easier for malware to infect the PC.

Having said that, I use only one, Admin, account on my machines.

LMiller7 · 07 Apr 2014

By default programs run with the same privileges and rights as the active user account. This is very convenient for malware if the user is using an admin account as it can do pretty much anything it wants to. If the user is using a limited account that is bad news for malware as it will be under the constraints of the limited account. Much malware will give up. There are always easier targets elsewhere.

UAC provides many of the advantages of using a limited account with less inconvenience. With UAC enabled an admin account has only limited rights unless more is requested. It is a reasonable compromise between convenience and security. Using a limited account for general use is still better for security but depending on how you use the computer this may be quite inconvenient. Most people opt for the default behavior of using UAC.

gregrocker · 07 Apr 2014

I would use the Admin account set up when Win7 is installed, with UAC fully enabled. As stated that should be sufficient.

King Arthur · 08 Apr 2014

I personally use an administrator account as plenty of software (especially older software!) expect to be running under administrator privileges, however this does come with heightened personal responsibility for maintaining your computer's and other computers' safety.

andrew129260 · 08 Apr 2014

For the average customer: I do what Microsoft recommends. I set up their pc with a separate admin account called admin. I create a password for it and give them that password. I then disable the built in admin account. I then create a standard user account for them with uac at the highest setting to always notify. It sounds like a lot of work, but its actually done very quickly. I have them use the standard account and when they need to do something that requires elevation, the uac box pops up asking for the admin password. Since they have to type a password in instead of clicking yes or no, I find it helps them stop and think about what they are about to approve.

Results? I get way less support calls (about malware) and now make it my default strategy.

For myself: admin with UAC always notify.

Computer0304 · 08 Apr 2014

andrew129260 said:

For the average customer: I do what Microsoft recommends. I set up their pc with a separate admin account called admin. I create a password for it and give them that password. I then disable the built in admin account. I then create a standard user account for them with uac at the highest setting to always notify. It sounds like a lot of work, but its actually done very quickly. I have them use the standard account and when they need to do something that requires elevation, the uac box pops up asking for the admin password. Since they have to type a password in instead of clicking yes or no, I find it helps them stop and think about what they are about to approve.

Results? I get way less support calls (about malware) and now make it my default strategy.

For myself: admin with UAC always notify.

That's exactly how I have it too.

UsernameIssues · 08 Apr 2014

andrew129260 said:

~~~
For myself: admin with UAC always notify.

So... if you ever visit a reputable website that is infecting visitors in a way that bypasses the UAC, then that infection will have admin rights on your computer.

If you had visited that same website as a standard user, the infection might still bypass UAC, but it would still need to ask for the admin's credentials.

andrew129260 · 08 Apr 2014

UsernameIssues said:

andrew129260 said:

~~~
For myself: admin with UAC always notify.

So... if you ever visit a reputable website that is infecting visitors in a way that bypasses the UAC, then that infection will have admin rights on your computer.

If you had visited that same website as a standard user, the infection might still bypass UAC, but it would still need to ask for the admin's credentials.

True, But I have not been infected since I have been a computer user, so ether I have been very lucky or very smart.

I don't know which lol. Anyways, I do most critical things in a Linux VM anyway, so it does not matter much. No such thing as 100% security :)

And do you run as a standard user? I doubt it

UsernameIssues · 09 Apr 2014

You cannot say or know that you have not been infected.

You can only say that you have never found an infection.

There is a big difference. Sophisticated Spy Tool ?The Mask? Rages Undetected for 7 Years | Threat Level | WIRED

I run this employer supplied laptop via an admin account because that is what my employer wants. That is the only configuration the help desk supports. Like you, I do important stuff via a VM. But hey, how hard could it be to operate as a standard user? I can always promote my account back to admin if I need the company help desk.

I'll be right back - as a standard user