Standard user or administrator account

Vince

I've been researching the benefits of standard user accounts vs administrator
accounts, I still do not see any reason for the average user to use a
standard account.

I CAN understand using it with youngsters and others who you do not want to
be able to install programs or access administrative functions.

But for a person who is the only user of a computer, what is the advantage
of a standard user account as far as security?

People often say it will afford a higher level of security against malware
installations. But a regular administrator account (not the hidden full
administrator account, that is a different story) will prevent the
installation of driveby malware because it requires the elevation prompt
before any installs. This will prevent malware installing itself without
your knowledge.

In the standard account compared to a regular administrator account, the
only difference I can see is that the standard account requires you to enter
the admin password when elevation is required. So that will block
unauthorized users, but it does not afford any additional protection (over an
admin account) from malware installations that happen without the user's
knowledge.

So it seems like if you are not worried about unauthorized users at the
keyboard, then why use a standard account? It seems the level of protection
from malware installation is the same with both.

Am I missing something here?

Thanks
 
Vince

Thanks for the reply.

I am not looking to set up accounts with the most power. I am wanting to
know if, when I am setting up computers for "regular users", is there any
reason to use the standard account when there is only one user? I am
referring to computers with no unauthorized users, no children. The only
security concern is protecting from malware installations. I do not see any
additional protection with the standard account compared to the regular admin
account. It seems like both types of accounts require elevation for the same
tasks, the only difference is the standard account also asks for an admin
password.

Thanks
 
oscar

Good question.

Damage to files in one account does not necessarily mean damage to the other
account. The advantage of using a standard account vs. straight
administrator account is that if a user damages files in the standard account
the user can always go back to the administrator account and set up a new
standard account. If the user damages files in the administrator account it’s
harder to fix the problem. Computers are imperfect and so are the users.
Users will eventually damage system files. It’s easier to overcome file
damage if it’s done in a standard account.
 
Mr. Arnold

Vince said:
Thanks for the reply.

I am not looking to set up accounts with the most power. I am wanting to
know if, when I am setting up computers for "regular users", is there any
reason to use the standard account when there is only one user? I am
referring to computers with no unauthorized users, no children. The only
security concern is protecting from malware installations. I do not see any
additional protection with the standard account compared to the regular admin
account. It seems like both types of accounts require elevation for the same
tasks, the only difference is the standard account also asks for an admin
password.

Admin is locked down to Standard user, when not using the Full Admin token
and UAC prompt for Admin is *allow* or *disallow* when elevations to the
Admin Full rights token is required.

<http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml>
<http://technet.microsoft.com/en-us/library/cc709691.aspx>

There is no more Power User on Vista, as stated in the article.

<http://technet.microsoft.com/en-us/magazine/cc160882.aspx>
 
Vince

Thanks Oscar,

Interesting point, but I'm not sure that it makes a difference since there
is always the default Admin account to fall back on. Also I always use
imaging software to be sure I can restore a damaged OS.
My main concern with this question is security, protection against malware
installation.

Mr Arnold, not sure what your bottom line is here. Do you think standard
user has more protection than an admin user against malware installs?

Thanks
 
Gordon

Vince said:
Thanks Oscar,

Interesting point, but I'm not sure that it makes a difference since there
is always the default Admin account to fall back on.

But only if you enable it first - it's disabled by default in Vista....
 
Mr. Arnold

Vince said:
Thanks Oscar,

Interesting point, but I'm not sure that it makes a difference since there
is always the default Admin account to fall back on. Also I always use
imaging software to be sure I can restore a damaged OS.
My main concern with this question is security, protection against malware
installation.

Mr Arnold, not sure what your bottom line is here. Do you think standard
user has more protection than an admin user against malware installs?

You're not Admin. You are Standard user, until you get that prompt to
escalate privileges to the Admin full rights token if you are Admin on the
machine, which will be the Allow or Disallow prompt from UAC for Admin.

You're reverted back to Standard user again as an Admin once the escalated
right to Admin Full rights has completed for the task, and then you are not
Admin on Vista with Full Admin rights anymore.

You're reverted back to Standard user on Vista with an account named Admin
internally for a lack of better words.

If you are a Standard user on Vista with only the Standard user token, then
UAC prompts you for an Admin user-id and psw to escalate rights, instead of
the UAC prompt of Allow or Disallow, if you were Admin.

Either way you go with Admin or Standard user, you have to approve the
action. To me, that's the key is if you recognize the allow or disallow or
give the Admin user-id and psw, and the situation you're in at the time of
the prompt.

Standard rights are more restrictive in their permissions to do things
overall than Admin, which is it really comes down to what rights a Standard user
would have concerning NTFS permissions, because any user with Admin has all
rights with NTFS.

However, you should read the information in the link and decide for yourself
as to what type of an account you're going to use, just remember Admin on
Vista is a Standard user most of the time.

There is a hidden Admin account called Super User that has Full Admin Rights
all the time and never gets prompted by UAC.
 
kapibarra

Mr. Arnold said:
You're not Admin. You are Standard user, until you get that prompt to
escalate privileges to the Admin full rights token if you are Admin on
the machine, which will be the Allow or Disallow prompt from UAC for Admin.

You're reverted back to Standard user again as an Admin once the
escalated right to Admin Full rights has completed for the task, and
then you are not Admin on Vista with Full Admin rights anymore.

You're reverted back to Standard user on Vista with an account named
Admin internally for a lack of better words.

If you are a Standard user on Vista with only the Standard user token,
then UAC prompts you for an Admin user-id and psw to escalate rights,
instead of the UAC prompt of Allow or Disallow, if you were Admin.

Either way you go with Admin or Standard user, you have to approve the
action. To me, that's the key is if you recognize the allow or disallow
or give the Admin user-id and psw, and the situation you're in at the
time of the prompt.

But why does a power user/user account behave as an admin once you mess
with UAC? I had a power user/user account with UAC turned off. I could
not execute administrative tasks (it would tell me access denied). So
then I went in as admin and enabled UAC. Logged back in as power
user/user account (with UAC turned on) it would prompt me for admin
credentials which I provided one time for one action. Then I logged off
as user, logged back in as admin, disabled UAC, logged back in as power
user/user account and it lets me do any admin action I want (without the
UAC provide credentials prompt)!! I created a new user account with
only user permissions, and I can do any admin action I want (without the
UAC provide credentials prompt) under this account too! Is my standard
user token barched now?! I also tried going into secpol.msc and setting
'UAC:Behavior of the elevation prompt for standard users' to
'Automatically deny elevation requests' and there has been no change.
Can anyone explain this please?
 
Vince

I don't seem to be communicating my question correctly, since it is not
getting answered.
So I will re-phrase.
It seems to me that the only difference between a standard user and a
(regular) administrator is that when the need to elevate to admin privileges
comes, the administrator account only needs to click "Continue" while the
standard user has to enter an administrator username and password. Other
than that difference, it seems the two account types are the same, both
before the elevation of rights, and after the elevation of rights.
Can anyone confirm or deny this?
Thanks
 
Mr. Arnold

Vince said:
I don't seem to be communicating my question correctly, since it is not
getting answered.
So I will re-phrase.
It seems to me that the only difference between a standard user and a
(regular) administrator is that when the need to elevate to admin privileges
comes, the administrator account only needs to click "Continue" while the
standard user has to enter an administrator username and password. Other
than that difference, it seems the two account types are the same, both
before the elevation of rights, and after the elevation of rights.
Can anyone confirm or deny this?


One more time, Admin on Vista is *locked down* to be a Standard user. When
the Admin needs Full Admin rights on UAC, then the Admin is escalated to
Full Admin rights, and the user is an Admin for the task at hand. Once the
task has completed that required Full Admin rights as Admin, the Admin is
locked down to *Standard* user again.

So, yes what you're talking about with both accounts are *Standard* users is
correct.

That's what I have been telling you, and that is what those links I gave you
are telling you.
 
Mr. Arnold

kapibarra said:
But why does a power user/user account behave as an admin once you mess
with UAC? I had a power user/user account with UAC turned off. I could
not execute administrative tasks (it would tell me access denied). So
then I went in as admin and enabled UAC. Logged back in as power
user/user account (with UAC turned on) it would prompt me for admin
credentials which I provided one time for one action. Then I logged off
as user, logged back in as admin, disabled UAC, logged back in as power
user/user account and it lets me do any admin action I want (without the
UAC provide credentials prompt)!!

You disabled UAC. How is UAC looking at anything if you disabled it?

I created a new user account with only user permissions, and I can do any
admin action I want (without the UAC provide credentials prompt) under
this account too!

You disabled UAC. How is UAC looking at anything if you have disabled it?

Is my standard user token barched now?! I also tried going into
secpol.msc and setting 'UAC:Behavior of the elevation prompt for standard
users' to 'Automatically deny elevation requests' and there has been no
change. Can anyone explain this please?

If UAC is disabled, then it doesn't apply.

https://windowshelp.microsoft.com/Windows/en-US/Help/34cdee3d-cfe2-4481-80b2-45efb7c09a521033.mspx

Power User is there for backwards compatibility. If you have UAC disabled,
then things are as they were on XP.

With UAC enabled and me taking a Standard user account and making it a Power
User, it seems that Power User has a little more power than Standard user.
But UAC is prompting for an Admin user-id and psw, if I try to do
administrative things, like go to Computer Management, but once I give the
admin user-id and psw, I can do anything I want.

I removed Power-User off the account and put it back to Users Group, and
went back to Computer Management gave it the Admin user-id and psw on the
UAC prompt, and I have the same power as Power User. So, UAC is no longer
looking at that account as being a Standard user. On the other hand, if I
use the account as Power User or User and try to change a short-cut's
properties to Run As Administrator using the Advanced button, it wants an
Admin user-id and psw.

So, your guess is as good as mine as to what UAC is looking at in this
situation.
 
Vince

Since there seems to be so much misinformation about these account types, I
decided to run a few limited tests of my own. I've found that an unelevated
standard user account is definitely NOT the same as an unelevated (regular)
administrator account.

This can be seen if you open either regedit or services.msc. The admin is
presented with the UAC elevation prompt, and can then make changes. On the
other hand, the standard user is NOT presented with a UAC prompt, and the
standard user is only able to view the settings, and is unable to change
them. If the standard user instead right clicks and selects Run As
Administrator, then he is able to make changes.

So since it is clear that this difference exists, I am (still) wondering
what other differences there are between an unelevated standard user and an
unelevated administrator. Of particular interest is whether malware that
gets installed on a standard account (whether when elevated or not) is
limited in the harm it can do.
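
Added example, not part of the thread or written by any poster: one way to see which kind of token a process holds, which is the distinction the posts above argue about. It assumes input in the format of `whoami /groups /fo csv /nh`; the function name `Get-TokenKind` and the sample rows are constructed for illustration.

```powershell
# Added example, not from the thread. Classifies a token from the output of
#   whoami /groups /fo csv /nh
# by well-known SIDs only, so it does not depend on the display language.
function Get-TokenKind {
    param([Parameter(Mandatory = $true)][string[]]$CsvLines)

    # /nh drops the header row, so the column names are supplied here.
    $rows = $CsvLines | ConvertFrom-Csv -Header 'Name', 'Type', 'SID', 'Attributes'
    $sids = @($rows | ForEach-Object { $_.SID })

    $inAdmins = $sids -contains 'S-1-5-32-544'   # BUILTIN\Administrators
    $high     = $sids -contains 'S-1-16-12288'   # Mandatory Label\High
    $medium   = $sids -contains 'S-1-16-8192'    # Mandatory Label\Medium

    if ($inAdmins -and $high)   { return 'administrator, full token (elevated)' }
    if ($inAdmins -and $medium) { return 'administrator, filtered token (consent prompt)' }
    if ($medium)                { return 'standard user (credential prompt)' }
    return 'other (service, low-integrity or unrecognised token)'
}

# Constructed sample rows, trimmed to the entries that matter.
$everyone = '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
$users    = '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
$admDeny  = '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
$admFull  = '"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"'
$mediumIL = '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
$highIL   = '"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'

# Unelevated administrator: the Administrators SID is present but deny-only,
# so it can match deny entries in an ACL and never grants access.
$adminFiltered = $everyone, $admDeny, $users, $mediumIL
# Elevated administrator: the same group is enabled and the label is High.
$adminElevated = $everyone, $admFull, $users, $highIL
# Standard user: no Administrators SID in the token at all.
$standardUser  = $everyone, $users, $mediumIL

Get-TokenKind $adminFiltered
Get-TokenKind $adminElevated
Get-TokenKind $standardUser
```

On a live system, pass the command output directly: `Get-TokenKind (whoami /groups /fo csv /nh)`. A process started through the credential prompt runs under the administrator account whose credentials were entered, so inside that process the result describes that account's full token.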
 
Paul Montgomery

Of particular interest is whether malware that
gets installed on a standard account (whether when elevated or not) is
limited in the harm it can do

That is precisely the reason that users are urged to use a standard
account in their day to day operations.
 
Paul Montgomery

Yes I know that seems to be implied but I have done quite a bit of research
on Microsoft sites and elsewhere, and I cannot find reliable documentation
that this is the case.

Then you are either lying about the "research", or you are a moron and
don't know how to use Google.

Googling "vista standard account is more secure", I got a bazillion
hits. Scanning the previews led me to open this one - the 15th in the
list - first:

https://windowshelp.microsoft.com/Windows/en-US/Help/bf6372bb-c95c-4b39-aa50-de7e5bf034681033.mspx

"reliable" enough for you?
 
Dick

As I am the original poster, my concern was not about the pros & cons but of
the fact that the different ways of 'elevating' the privileges were not
equivalent. Therefore, how do I know when to use 'runas admin' vs provide
credentials when the screen pops up?

Dick
 
Paul Montgomery

As I am the original poster, my concern was not about the pros & cons but of
the fact that the different ways of 'elevating' the privileges were not
equivalent. Therefore, how do I know when to use 'runas admin' vs provide
credentials when the screen pops up?

You may not know in advance without amassing some experience with all
the programs giving you the pop-ups.

If you learn that running as admin will preempt the popups, then
that's what you should do.

Sorry I can't provide anything more. I've turned UAC completely off
here so I only get a pop-up when I'm installing something new.
 
Vince

Paul Montgomery, nothing on that link you referred to really addresses the
issue I started this thread with. The only reference to more security seems
to assume the standard user does not have an admin password, and is therefore
blocked from installing software when the elevation prompt appears. But
please don't bother to respond. I'd rather hear from people who have more
consideration and courtesy.
Statements like "Then you are either lying about the "research", or you are
a moron" are unproductive.

Again, I'd like links to pages with details of exactly how a standard
account (in the instance where the user is the only one using the computer,
and therefore has the admin password and inputs it when prompted for it),
will limit the damage that can be done by the standard user. Just a vague
and unsubstantiated statement by MS of "we recommend all users employ a
standard account" is not what I am looking for.

Thanks
 
Mr. Arnold

Dick said:
As I am the original poster, my concern was not about the pros & cons but
of the fact that the different ways of 'elevating' the privileges were
not equivalent. Therefore, how do I know when to use 'runas admin' vs
provide credentials when the screen pops up?

http://technet.microsoft.com/en-us/magazine/cc138019.aspx

<copied>

Granting a process administrative rights is called elevation. When it's
performed by a standard user account, it's referred to as an Over the
Shoulder (OTS) elevation because it requires the entry of credentials for an
account that's a member of the administrator's group, something that's
usually completed by another user typing over the shoulder of the standard
user. An elevation performed by an AAM user is called a Consent elevation
because the user simply has to approve the assignment of his administrative
rights.


Conveniently Accessing Administrative Rights
There are a number of ways the system and applications identify a need for
administrative rights. One that shows up in the Explorer UI is the "Run as
administrator" context menu entry and shortcut option. These items include a
colored shield icon that should be placed on any button or menu item that
will result in an elevation of rights when it is selected. Choosing the "Run
as administrator" entry causes Explorer to call the ShellExecute API with
the "runas" verb.


If you read the information in the link that has been provided to you, you
can figure who, what and why.
 
Paul Montgomery

Statements like "Then you are either lying about the "research", or you are
a moron" are unproductive.

But apparently they are true.

You want - or probably NEED - someone else to do your Googling for
you.
 
