Windows 7 - Can I add a new Administrator account, then change my main to standard?

In Windows 7 Home Premium x64, I have only one account on my computer and it is an Administrator account.

Here is what I am trying to do:

1) Change my main account to a standard user for security;
2) With that standard user account be able to give Administrator UAC permission if something needs it (installing application need to do something like run CMD at Administrator level etc.) on the fly by using the Administrator name and password.

To do 1) I think I will need to set-up a new Administrator account with password. Then after it is created, change my main account to standard.

Is that correct?

And will my goal of 2) work? Will I be able to do Administrator stuff in my main Standard account by using the Administrator account name and password at the time it is needed while in the Standard account - or do you have to actually log into that administrator account?

And if so, will this add to my security versus running in an Administrator account?

 

It is possible, but probably highly inadvisable on any version of Windows. By default, Windows makes whoever creates a file or directory the owner of that object, with full control over it. So your admin user owns everything you installed as that user; and that ownership is kept when you turn the user into a limited one. So the "limited" account still has full access to protected areas.

I'm not sure what impact UAC has on this. I'm guessing the answer is "not a sufficient impact."

 

Thanks. Question please: so even if I made a new administrator and change my main account to standard, it would still really be administrator as far as stuff installing etc.?

 

No, it would behave like a Standard User account and would require elevation (giving the Admin account's credentials) to install stuff, at least to the normal locations like Program Files. Whether your formerly-an-Admin account is technically the Owner of a given directory or not, it will still require elevation to do Admin stuff once it becomes a Standard User. You can test this for yourself. Begin by maxing out UAC from your Admin account, in any case.

If you'd still prefer to have a completely new Standard User account that's never been an Admin, use the Windows Easy Transfer feature to transplant your user settings/preferences, cookies, bookmarks, files and stuff. Export them from your established account, then create your new Standard User account and use Easy Transfer to import them. Once you're satisfied you got everything, you can create a fresh Admin account and nuke your old one completely if you wish.

I guess I should add that Ownership and access control are separate issues. If your goal is to loophole-proof your Windows installation so a Standard User (or something exploiting it) cannot install stuff, you should audit your protected locations for exceptions. Real-world example: last I checked, when Steam is installed, it'll make its folder within the Program Files directory and give Full Control permissions to your Users group. Yikes. Towards the end of my SRP page I have the NSA's recommended auditing routine listed in Step 6: http://www.mechbgon.com/srp/index.html Whether you use SRP or not, the audit will find the loopholes in your access-control list.

 

Horrible. Unforgivable. I never thought an installer would /could do that. Never crossed my mind. Thanks for the info.

 

Sure thing. Yeah, I was Not Amused when I tried the NSA's auditing routine and it flagged Steam's directory as wide-open. I promptly reduced the Users group to the normal permission level, which naturally broke my Steam games unless I elevated Steam itself to get my games launched. GENIUSES

I also got a horrific wake-up call when I used the auditing routine on a Gateway PC we have at work. Gateway, in their infinite wisdom, had imaged the system so that the entire Windows directory was at Full Control permissions for the Users group . I took a shot at resetting the permissions structure, but it wasn't working. I resorted to a clean install from a normal Windows CD.

So props to the NSA for their whitelisting guide

 

The programmers at Steam, Gateway etc, for no reason, obviously came up with unnecessary and very ugly solutions and this clearly shows we can't blindly trust "trustable" producers.

I looked through my system thoroughly with Accesschk and found some folders that I've missed adding in my SRP settings but saw on your excellent page that a SRP setting on a main folder will cover its subfolders too. The "main" folders were already covered by my SRP settings, so I'm glad.

Nevertheless, seems to me it's a very good idea to run Accesschk after new software installations!

 

Regarding Steam, I've been trying out the setup of denying elevation prompts under a SUA and only doing administrative tasks when I am logged into that account. I was wondering what to do about Steam, as I really don't want to have to log in as an admin just to play games, and hash rules would be a pain since it frequently updates.

I was considering just leaving the whole thing open, but I wonder if some protection is better than none at all, and I could set a publisher rule for Valve. For games that I'm pretty sure aren't being updated anymore, I could use hash rules, but would they conflict with the publisher rule? I'm thinking that SRP could allow both whatever is signed by Valve and whatever has a hash rule, and block anything else. Is that correct?

Some games' folders would still need to be unrestricted due to mods. Many mod utilities/scripts just copy the files over without regard to working with permissions (maybe this is why Valve grants full control to Users). Some modded games even have to be removed from Steam's jurisdiction itself, else they run into problems. If I set an "unrestricted" rule for those folders, would they allow mods to install, even though the parent folder has a publisher rule? I'm guessing that a more specific rule would override a general rule, but I'm not sure.