Windows 7 Forums


Windows 7: Creating a standard user account for security purposes?


26 Oct 2013   #31

Windows 7 Home Premium 32 bit
 
 

I don't think that Microsoft has ever changed their recommendation that running under a limited account is still the "best" security policy. But Microsoft also recognizes reality. They know from past experience that most home users do not use a limited account for general use and this is unlikely to change. Rightly or wrongly, most users perceived this as being too inconvenient.

When Vista was in the planning stages, security was a growing problem. Microsoft knew that their best practice of using a limited account would improve security, but had been rejected by most users. So they devised a compromise. By default an admin account (which most people were using) had only the limited privileges of a standard account. But when needed the user could grant himself the full rights of an admin account. This provides most of the benefits of using a standard account but with less inconvenience. This feature is known as UAC and is the default configuration in Vista and later. It is not an ideal solution but that is the nature of a compromise.

For those individuals who do not find using a standard account as being too inconvenient, great.

But for the rest of us there is UAC, which is almost as good. This is what Microsoft actively recommends, as opposed to the "best" policy of using a standard account.



26 Oct 2013   #32

Windows 7 Ultimate X64 SP1
 
 

Quote: Originally Posted by gregrocker
So why does the Windows 7 installer install an Admin account for the assumed PC owner, without any choice or warning that this is not the Best Practice (if it is)?
Not really a valid argument... Why did XP let you run as an admin without ever warning you that you shouldn't do this other than a small note in the help file?

On the other hand, I am quite amazed that UAC isn't attacked more often. As turning off UAC doesn't trigger a UAC prompt it seems to me this would be a good attack vector for malware, as the user would have no idea they were no longer being protected and it could gain full admin rights? Or is this only when the user does it?
26 Oct 2013   #33

Windows 7 Ultimate x64 x2 + x86 + Windows 8.1 x64 x2
 
 

The Windows Vista/7/8 Dual Token system is a Microsoft compromise to increase security over the totally open and compromised system used with XP. XP was essentially a single desktop operating system, in an era when few home systems were attached to a network permanently. Network systems even in the XP era had standard user security but this was set up and controlled by the server or a network admin.

Due to the virtualisation and permissions levels set up in a fresh install of Windows 7, running as a standard user is inherently safer for the system than running as an XP-style Admin account. A standard user account cannot action changes to system files or applications - therefore if and when a piece of malware takes control of a standard account it is only capable of limited damage.

As a system admin I always ran two accounts and would need to log out of one account and back in as another to perform any critical system tasks; this of course then required logging out of the admin account and back in as a standard user after the changes.

Using the dual token system gives the best of both worlds - you run as a standard user and when a call for an admin token is received the system isolates the critical systems, and prompts for a password in a separate process. On completion of the task the token is automatically reset to a secure level.


26 Oct 2013   #34

Windows 7 Home Premium 32 bit
 
 

Quote:
On the other hand, I am quite amazed that UAC isn't attacked more often. As turning off UAC doesn't trigger a UAC prompt it seems to me this would be a good attack vector for malware, as the user would have no idea they were no longer being protected and it could gain full admin rights? Or is this only when the user does it?
The registry values controlling UAC are in HKEY_LOCAL_MACHINE and require full admin rights to change. Any software having access to this key can already do anything it wants without further user permission. If that software is malicious you are already infected. Most malware likes to keep a low profile (at least initially) and doesn't wish to do anything to tip off the user that anything has changed.

Turning off UAC might have been useful for early types of malware. But modern varieties have no need for anything that crude.
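
A read-only PowerShell check for the situation discussed in posts #32 to #34, added here as an example and not written by any thread participant: it reads the UAC policy values from HKEY_LOCAL_MACHINE and reports whether the current session holds an elevated token. The key path and value names are the standard Windows ones and are not given in the thread; the function names are made up for this example.

```powershell
# Added example: audit the UAC policy values and the current token (read-only).
# Runs from a standard or an elevated prompt; nothing is written to the registry.
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'

function Get-UacPolicy {            # hypothetical helper name
    param([string]$Path = $UacKey)
    $props  = Get-ItemProperty -Path $Path -ErrorAction Stop
    $result = @{}
    foreach ($name in $UacNames) {
        $value = $null              # stays $null when the value is not present
        $prop  = $props.PSObject.Properties[$name]
        if ($prop) { $value = [int]$prop.Value }
        $result[$name] = $value
    }
    $result
}

function Test-UacPolicy {           # hypothetical helper name
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off, administrators always run with a full token.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt.'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop.'
    }
    foreach ($name in $UacNames) {
        if ($null -eq $Policy[$name]) { $findings += "${name}: not present, check manually." }
    }
    $findings
}

# IsInRole(Administrator) is true only when the token in use is the elevated one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$policy = Get-UacPolicy
'User: {0}  Elevated token: {1}' -f $identity.Name, $elevated
foreach ($name in $UacNames) { '  {0} = {1}' -f $name, $policy[$name] }

$findings = @(Test-UacPolicy -Policy $policy)
if ($findings.Count -eq 0) { 'UAC policy values are at protective settings.' } else { $findings }
```

Run on a schedule or at logon, a finding here means something with full admin rights has already changed the policy, which is the condition post #34 describes.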