Standard User vs Protected Admin (W7): Installing

Discussion in 'other security issues & news' started by CGuard, Feb 24, 2013.

Thread Status:
Not open for further replies.
  1. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Hi all,

    I have been wondering (still to find a definite answer...) is there any difference* between installing something, that requires elevation, from a SU account and installing the same something from a PA account?

    *security-wise, i mean/permissions, ownership etc
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    The only difference I can come up with is how the UAC prompt is addressed. Under an SU account, the password is required. Under a PA account, only clicking on the "Yes" button is required, although with Pro and higher versions I believe one can set it up in Group policy to require a password for the administrator.

    This is an important consideration if you allow others to use the computer. Giving them only SU access means you are in control of what can be installed - just keep the password to yourself, whereas giving them PA access with only Yes/No UAC answers allows them to install programs.
     
  3. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    First of all, thank you for your input, wat0114.

    I guess i should have been more clear.

    I am planning to set up a SUA, as my web-surfing account, on a freshly installed W7 system. What would be the most (security-) wise thing to do regarding installing 3rd-party software:

    Installing as a SU (and elevating whenever required) or as a PA (full UAC)?

    Is there any difference in the permissions granted to created objects, between the 2 approaches?

    Does the owner of the created objects differ, in these approaches? ("taking away ownership of things" is still vague to me/as my signature suggest, i am still learning...)
     
  4. Yakuman

    Yakuman Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    75
    I think it's best to keep your SUA and right-click "run as" Admin whenever installing or updating software, even when there is no elevated UAC prompt. The reason is because some old applications and games may not ask for privileges, resulting in an incomplete install and/or have reduced functionality and it may not be apparent. It's better to develop this habit to not forget and be safe than sorry. Besides, it may be more time consuming or annoying to have to log out and into an Protected Administrator account just to end up with the same results.

    I once had similar questions, just not phrased as well as you did. I suggest reading the Windows 7 guide from http://www.tweakguides.com/TGTC.html, starting from page 149-151 (user account types and scenarios) and 163-172 (UAC and ownership / permissions). That PDF contains almost every single facet of Windows 7 and then some. I found it very invaluable.

    Some relevant quotes from the TGTC guide:
    "In practice a normal Protected Administrator and Standard account both run with the same type of privileges, the only difference is that the Protected Administrator does not need to enter a password to confirm UAC prompt, whereas the Standard user does."

    "Importantly, because of File System and Registry Virtualization, if you install an application under a Standard User Account and/or don't accept an elevation prompt from UAC, your settings for particular applications may be stored under your local profile. If you then switch to another User Account, or run that same application with full Administrator privileges later on, your settings may be appear to have been lost or reset to the defaults as the program switches to using another set of folders or another area of the Registry for its saved settings."
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    No difference.

    No difference again; whether you elevate from a SUA or from the PA account, you are still running as administrator. Administrator will have same rights in either case
     
Loading...
Thread Status:
Not open for further replies.