Administrator account - Built-in vs. new one

[Guest]

It is generally recommended to use a standard account for day-to-day
operations, and to reserve the administrator account for any actions that
affect all user(s) on a system. Even when there is only one user, say on a
home PC, if I understand things correctly, it is best to have both an
administrator and a standard account.

But what is the better alternative, if any: enable the built-in
administrator account and convert the administrator account that is created
automatically when installing Vista to a standard one; or create a second,
standard account alongside the administrator that is created when installing
Vista, and leave the built-in administrator account disabled.

Any thoughts or recommendations?

 

[Bruce Chambers]

It is generally recommended to use a standard account for day-to-day
operations, and to reserve the administrator account for any actions that
affect all user(s) on a system. Even when there is only one user, say on a
home PC, if I understand things correctly, it is best to have both an
administrator and a standard account.

Correct. Routinely using a computer with administrative privileges
is not without some risk. You will be more susceptible to some types of
malware, particularly adware and spyware. While using a computer with
limited privileges isn't the cure-all, silver bullet that some claim it
to be, any experienced IT professional will verify that doing so
definitely reduces that amount of damage and depth of penetration by the
malware. If you get infected/infested while running as an
administrator, the odds are much greater that any malware will be
extremely difficult, if not impossible, to remove with formating the
hard drive and starting anew. The intruding malware will have the same
privileges to all of the files on your hard drive that you do.

Vista's UAC adds an additional layer of protection, even if you
don't enter a password each time it warns you; the important thing is
that you're being warned, and can then make your own decision. A
technically competent user who is aware of the risks and knows how to
take proper precautions can usually safely operate with administrative
privileges; I do so myself. But I certainly don't recommend it for the
average computer user.

But what is the better alternative, if any: enable the built-in
administrator account and convert the administrator account that is created
automatically when installing Vista to a standard one; or create a second,
standard account alongside the administrator that is created when installing
Vista, and leave the built-in administrator account disabled.

Any thoughts or recommendations?

The built-in Administrator account really was never intended to be
used for day-to-day normal use. The standard security practice is to
rename the account, set a strong password on it, and use it only to
create another account for regular use, reserving the Administrator
account as a "back door" in case something corrupts your regular
account(s).

I create both an administrative account and a regular account for my
use, reserving the built-in Administrator account (after renaming it and
placing a strong password on it) for emergency use should my "normal"
administrator account become damaged or otherwise unavailable.



--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

 

[Guest]

Hi Bruce,

Thank you for your detailed explanation. To be on the safe (safest) side
then, I had better create a second, standard account for myself (I'm the only
user, by the way) to be protected best against malware, use the administrator
account that was created when installing Vista only for those actions that do
require administrator-privileges, and leave the built-in but unabled
administrator account untouched (the built-in one doesn't seem to be subject
to UAC, if I understand correctly, so doesn't provide quite the same
protection that any other administrator account does).

 

[Bruce Chambers]

Hi Bruce,

Thank you for your detailed explanation. To be on the safe (safest) side
then, I had better create a second, standard account for myself (I'm the only
user, by the way) to be protected best against malware, use the administrator
account that was created when installing Vista only for those actions that do
require administrator-privileges, and leave the built-in but unabled
administrator account untouched (the built-in one doesn't seem to be subject
to UAC, if I understand correctly, so doesn't provide quite the same
protection that any other administrator account does).

You're welcome. However, I don't recommend leaving the built-in
account disabled. If you do that, you'll be unable to use it when you
need it. I'd recommend enabling it, renaming it, and setting a strong
password on it.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell