Reverting an admin to a limited user?

[Carbonyl]

Sorry if this is the wrong place to ask this question. I'm not sure where else it should go, and since it's related to security I thought I might get the best answer here.

I've been running on a default account for Win 7 Professional (x64) since the RTM was released. I thought, at the time of installation, that the default user was not the administrator - But I've found that I was wrong on that point. I have the UAC set to maximum, by the way.

Anyhow, I'm interested in setting my user as a LUA now, and I've found fairly thorough instructions on how to do so online here. Before I take this plunge, though, I'm concerned about the impact this might have on my system stability and security. I have a number of applications that require administrator access during automated procedures - ESET NOD32 autoupdates itself, and obviously needs Admin access to do the automated scans that I have scheduled - not to mention the realtime access it requires. EVGA precision tool and RealTemp require Admin access to run. Beyond that, some programs autoupdate themselves, or record log files - Steam and my IM Client both engage in this behavior.

If I were to change my existing account to a LUA, would that break a lot of these programs? Would I still be able to run the programs I usually do, or patch the programs I need to? Would all of my programs fail to save logs, or fail to patch themselves, because they no longer have appropriate access levels?

In effect, would taking an administrator down to a standard user effectively break all of the applications installed under the Admin user?

Running as a standard user seems like a good security measure, but if it compromises stability and functionality, I'd like to avoid that before I fiddle with things I shouldn't.

 

[Blender]

From what I can understand, you want to have one account on the computer. That account shouldn't be an admin, right?

I don't think that there is a way to do this, but maybe (if this helps) run this (Win-key + R):

control userpasswords2

You can change a lot of settings through this...

 

[Barman58]

If you are running with UAC on full then in effect you are already running as a standard user

The default (first) user in win7 is using a dual token security system.
The normal state is that the user has the rights of a member of the users group and UAC will prompt you when it needs to gain membership of the Administrators group.

If you create a standard user and keep UAC at the same level then it will act the same except that it will prompt for the User name and password of a member of the administrators group.

You have to have at least one member of the Administrators group so if you wish to demote your current user you will need to create an second user as an admin.

I personally find the UAC a convenience as my former practice was to run as a standard user and manually "run as Administrator" UAC provides me with the same security without the hassle

It is possible through Group Policy to require the user to supply a password even when running the "admin" account under UAC if you require that extra step to prevent the automatic "click without thinking" response to the prompt

 

[Carbonyl]

Thanks to you both for the information! Very useful stuff. I did not know that the default user with maximum UAC was actually a standard account. That gives me a little more peace of mind.

I should clarify - I intend to keep an administrator account around if I follow through with this plan. I would first make an admin-level account, one I don't plan to use for daily purposes. Afterward, I would then demote the current (default/first) account, so as to keep all my settings and files and whatnot. I realize that there's a possibility that I might lock myself out of the system by removing the admin if I don't do this first.

My main reasoning behind lowering the privileges of my current account is to set up SRP. I have professional, not ultimate, so Applocker is not accessible to me. However, manual SRP looks like something I can implement with a little research. So far, what I've been able to tell is that SRP will only work for an LUA, and can't be instated for an Admin user.

 

[Victek]

Thanks to you both for the information! Very useful stuff. I did not know that the default user with maximum UAC was actually a standard account. That gives me a little more peace of mind.

I should clarify - I intend to keep an administrator account around if I follow through with this plan. I would first make an admin-level account, one I don't plan to use for daily purposes. Afterward, I would then demote the current (default/first) account, so as to keep all my settings and files and whatnot. I realize that there's a possibility that I might lock myself out of the system by removing the admin if I don't do this first.

My main reasoning behind lowering the privileges of my current account is to set up SRP. I have professional, not ultimate, so Applocker is not accessible to me. However, manual SRP looks like something I can implement with a little research. So far, what I've been able to tell is that SRP will only work for an LUA, and can't be instated for an Admin user.

.

Here is a quote from an article by Mark Russinovich:

"Even processes elevated from standard user accounts can conceivably be compromised because of shared state. All the processes running in a logon session share the internal namespace where Windows stores objects such as events, mutexes, semaphores, and shared memory. If malware knows that an elevated process will try to open and read a specific shared memory object when the process starts, it could create the object with contents that trigger a buffer overflow to inject code into the elevated process. That type of attack is relatively sophisticated, but its possibility prevents OTS elevations from being a security boundary.

The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer."

http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

As I understand the above using an Admin account with UAC set to max does not provide the same security as using a LUA. If you want the best security and you're willing to put up with UAC prompts and entering passwords, then using a LUA is the way to go. Why not try it and see how it effects your applications? If it breaks something it's easy enough to change the limited user account back into an Admin account. As you've already noted make sure you create another Admin account before reducing privileges on your current account. By the way, "fast user switching" is a clever way to move between the accounts with minimal hassle - never occurred to me.