
Windows 7: Creating a standard user account for security purposes?

26 Oct 2013   #31

Windows 7 Pro 64 bit

I don't think that Microsoft has ever changed their recommendation that running under a limited account is still the "best" security policy. But Microsoft also recognizes reality. They know from past experience that most home users do not use a limited account for general use and this is unlikely to change. Rightly or wrongly, most users perceived this as being too inconvenient.

When Vista was in the planning stages, security was a growing problem. Microsoft knew that their best practice of using a limited account would improve security, but had been rejected by most users. So they devised a compromise. By default an admin account (which most people were using) had only the limited privileges of a standard account. But when needed the user could grant himself the full rights of an admin account. This provides most of the benefits of using a standard account but with less inconvenience. This feature is known as UAC and is the default configuration in Vista and later. It is not an ideal solution but that is the nature of a compromise.

For those individuals who do not find using a standard account as being too inconvenient, great.

But for the rest of us there is UAC which is almost as good. This is what Microsoft actively recommends, as opposed to the "best" policy of using a standard account.

26 Oct 2013   #32

Windows 10 Pro x64

Quote: Originally Posted by gregrocker
So why does the Win7 installer install an Admin account for the assumed PC owner, without any choice or warning that this is not the Best Practice (if it is)?
Not really a valid argument... Why did XP let you run as an admin without ever warning you that you shouldn't do this other than a small note in the help file?

On the other hand, I am quite amazed that UAC isn't attacked more often. As turning off UAC doesn't trigger a UAC prompt it seems to me this would be a good attack vector for malware, as the user would have no idea they were no longer being protected and it could gain full admin rights? Or is this only when the user does it?
26 Oct 2013   #33

Windows 10 Pro x64 x3, Ubuntu

The Windows Vista/7/8 Dual Token system is a Microsoft compromise to increase security over the totally open and compromised system used with XP. XP was essentially a single desktop operating system, in an era when few home systems were attached to a network permanently. Network systems even in the XP era had standard user security but this was set up and controlled by the server or a network admin.

Due to the virtualisation and permissions levels set up in a fresh install of Windows 7, running as a standard user is inherently safer for the system than running as an XP-style Admin account. A standard user account cannot action changes to system files or applications - therefore if and when a piece of malware takes control of a standard account it is only capable of limited damage.

As a system admin I always ran two accounts and would need to log out of one account and back in as another to perform any critical system tasks. This of course then required logging out of the admin account and back in as a standard user after the changes.

Using the dual token system gives the best of both worlds - you run as a standard user and when a call for an admin token is received the system isolates the critical systems, and prompts for a password in a separate process. On completion of the task the token is automatically reset to a secure level.

26 Oct 2013   #34

Windows 7 Pro 64 bit

Quote:
On the other hand, I am quite amazed that UAC isn't attacked more often. As turning off UAC doesn't trigger a UAC prompt it seems to me this would be a good attack vector for malware, as the user would have no idea they were no longer being protected and it could gain full admin rights? Or is this only when the user does it?
The registry values controlling UAC are in HKEY_LOCAL_MACHINE and require full admin rights to change. Any software having access to this key can already do anything it wants without further user permission. If that software is malicious you are already infected. Most malware likes to keep a low profile (at least initially) and doesn't wish to do anything to tip off the user that anything has changed.

Turning off UAC might have been useful for early types of malware. But modern varieties have no need for anything that crude.
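An added example, not part of any post in this thread: a PowerShell audit that reads the UAC policy values under HKEY_LOCAL_MACHINE and reports whether the current process holds the filtered or the elevated token, so a silently weakened UAC configuration is noticed. The function names are hypothetical; the value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard Windows policy values and do not appear in the thread.

```powershell
# Added example (not from the thread). Function names are hypothetical.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # Evaluate a set of UAC policy values; emits one finding per weakened setting.
    param([Parameter(Mandatory)] [hashtable] $Values)
    $findings = @()
    if ($Values['EnableLUA'] -ne 1) {
        $findings += 'EnableLUA is not set to 1: Admin Approval Mode is not enforced'
    }
    if ($Values['ConsentPromptBehaviorAdmin'] -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: admins elevate without a prompt'
    }
    if ($Values['PromptOnSecureDesktop'] -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: prompts are shown on the normal desktop'
    }
    $findings
}

function Get-UacPolicy {
    # Read the live values. Standard users can read this key; writing needs admin rights.
    $p = Get-ItemProperty -Path $UacKey
    @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Test-IsElevated {
    # False for an admin account running with its filtered (standard-user) token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed sample: values representing a machine where UAC has been switched off.
$sample = @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0 }
Test-UacPolicy -Values $sample | ForEach-Object { "sample: $_" }

# Live check on the local machine (Windows only).
"elevated token: $(Test-IsElevated)"
$live = @(Test-UacPolicy -Values (Get-UacPolicy))
if ($live.Count -eq 0) { 'live: no weakened UAC settings found' }
else { $live | ForEach-Object { "live: $_" } }
```

Running it on a schedule from a standard account and alerting on any finding covers the case raised in the thread, where the user would otherwise not notice that the protection had changed.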