I just want to know other people opinion about it. Why do you prefer using SUA (Standard User Account) or PA (Protected Admin account) over the other. i guess the comparison criteria are usability, compatibility, security ; but feel free to add others.
I guess its all down to privacy concerns. I prefer to use a standard account as i have no need to backup my settings and Apps to my Onedrive.
Perhaps because Win 10 users are forced to deal with more serious issues on their machines, as seen in other threads related to Win 10. Anyway, as for me, I have more accounts on my machine but all with the admin rights. In fact I use the workgroup account.
I always create and use Standard user accounts on every PC I am involved with, including work, friends and family. Keeps them (and me) from doing something without really thinking about it. At work, no one is allowed to have Admin credentials at all for any reason. For friends and family (where it's not my PC), they get the Admin password for their own use, but are instructed to always ask questions before using it. For Win 7 (and maybe Vista but I have limited exposure to it) and higher, running as Standard seems to cause almost no negative issues and the benefits of limiting Admin related issues are pretty much gone. I'm no Linux person at all but this has been the model there forever and it seems to work well there too...
In Windows 10, of course. I use limited accounts in all OSes that support them and any version of Windows should be run from a limited account unless you are using software that absolutely needs administrative privilege. Most apps these days work fine under a standard account and such things as using .ini or .xml files in the program files directory for app configuration are not as common as they once were. My Windows 10 installations are mostly upgrades and the upgrade preserved the ACL settings which are tighter than the default MS ACLs.
As far your opinion goes, do you think a Standard User Account is enough, without the need of other protection(s) - Examples: Antivirus, Sandboxing, etc.?
@MisterB, Care to eleborate on the tight ACL settings. Guess you might have combined standard user with a deny execute and or remove write access for standard user to enforce SRP like protection, so would be interested your ACL tweak
If you add the registry tweak to prevent execution of unsigned processes and safe computing habits, it could be safe enough. Now if you test (unknown/suspicious) stuff , it may not be enough without at least some kind of virtualization apps.
If you don't mind, if you have a link to complete the registry tweak, I would love to check it out. By the way, thank you for the reply.
Just create a reg file via a text editor and load it in registry base by clicking on it. Code: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "ValidateAdminCodeSignatures"=dword:00000001 i remember @Windows_Security made a thread about it with screenshots.
No, I use all of the above and more in a layered security approach. The standard user account and limiting privilege are fundamental but that foundation is supplemented by other protections. The basic principle is that read/write and execute permissions are mutually exclusive for non administrators and only the local administrator may install new software or execute anything that is not already in the Windows or Program files directories which requires a full logon to the administrator account. I set up SRP and Applocker with the same restrictions in addition to the ACLs in a layered redundant approach. Applocker is great in the editions that support it because it can create signatures for all of the installed software and verify it on execution in addition to the folder allow/deny rules.
okay, thanks my mother of 82 stil uses an XP pro. She does not want to learn new OS. I have set up a standard user account with write access holes closed in Windows by ACL and SRP. Have done the same with the user folders SRP deny execute and ACL deny execute for Everyone. On top of that I have Spyshelter free with HIPS only (in silent mode) as only third party security. Works well, when I look at Spyshelter logs, nothing has ever passes the combo of SUA + ACL +SRP
Yes, SUA+ACL+SRP can be set really tight. I just cant get myself to set up SUA profile, so I try to secure my Admin account as much as possible using SRP and ACL.
I use SUA when doing standard daily tasks that does not require admin rights. I switch to PA when I need to do admin tasks.
I always use a Standard User Account for all daily chores and only log in on my PA account when I know I need to do admin duties. I don't want the split token present in my daily account. Additionally I have UAC on max and block unsigned executables from elevating. Oh, I care a lot about restricting user privileges on every PC I set up. It has saved me from so many worries over the years.