[Win10] Standard User Account or not?

Discussion in 'other software & services' started by Umbra, Apr 26, 2016.

  1. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    I just want to know other people's opinion about it. Why do you prefer using SUA (Standard User Account) or PA (Protected Admin account) over the other?

    I guess the comparison criteria are usability, compatibility, security; but feel free to add others.
     
  2. Andytay70

    Andytay70 Registered Member

    Joined:
    Sep 20, 2015
    Posts:
    12
    I guess it's all down to privacy concerns.
    I prefer to use a standard account as I have no need to backup my settings and Apps to my OneDrive.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    Seems nobody cares about this topic ^^
     
  4. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Perhaps because Win 10 users are forced to deal with more serious issues on their machines, as seen in other threads related to Win 10. :)

    Anyway, as for me, I have more accounts on my machine but all with the admin rights. In fact I use the workgroup account.
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I always create and use Standard user accounts on every PC I am involved with, including work, friends and family. Keeps them (and me) from doing something without really thinking about it. At work, no one is allowed to have Admin credentials at all for any reason. For friends and family (where it's not my PC), they get the Admin password for their own use, but are instructed to always ask questions before using it.

    For Win 7 (and maybe Vista but I have limited exposure to it) and higher, running as Standard seems to cause almost no negative issues and the benefits of limiting Admin related issues are pretty much gone. I'm no Linux person at all but this has been the model there forever and it seems to work well there too...
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    In Windows 10, of course. I use limited accounts in all OSes that support them and any version of Windows should be run from a limited account unless you are using software that absolutely needs administrative privilege. Most apps these days work fine under a standard account and such things as using .ini or .xml files in the program files directory for app configuration are not as common as they once were.

    My Windows 10 installations are mostly upgrades and the upgrade preserved the ACL settings which are tighter than the default MS ACLs.
     
  7. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    As far as your opinion goes, do you think a Standard User Account is enough, without the need of other protection(s) - Examples: Antivirus, Sandboxing, etc.?
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    @MisterB,
    Care to elaborate on the tight ACL settings? Guess you might have combined standard user with a deny execute and/or remove write access for standard user to enforce SRP-like protection, so I would be interested in your ACL tweak.
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    If you add the registry tweak to prevent execution of unsigned processes and safe computing habits, it could be safe enough. Now if you test (unknown/suspicious) stuff, it may not be enough without at least some kind of virtualization apps.
     
  10. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    If you don't mind, if you have a link to complete the registry tweak, I would love to check it out.

    By the way, thank you for the reply.
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    Just create a reg file via a text editor and load it in registry base by clicking on it.

    Code:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001
    I remember @Windows_Security made a thread about it with screenshots.
     
  12. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    Thank you very much, I greatly appreciate your help.

    Have a good day!
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    You are welcome.

    You can test it by trying to execute any unsigned portable app.
     
  14. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    I assume it's working, because I got this error while trying to execute...

    Error.png
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    Yes, this message is the expected one ;)
     
  16. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,806
    Thank you very much for helping me out, I appreciate it :thumb:
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    No, I use all of the above and more in a layered security approach. The standard user account and limiting privilege are fundamental but that foundation is supplemented by other protections.

    The basic principle is that read/write and execute permissions are mutually exclusive for non administrators and only the local administrator may install new software or execute anything that is not already in the Windows or Program files directories which requires a full logon to the administrator account. I set up SRP and Applocker with the same restrictions in addition to the ACLs in a layered redundant approach. Applocker is great in the editions that support it because it can create signatures for all of the installed software and verify it on execution in addition to the folder allow/deny rules.
     
  18. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Okay, thanks. My mother of 82 still uses an XP Pro. She does not want to learn a new OS. I have set up a standard user account with write access holes closed in Windows by ACL and SRP. Have done the same with the user folders: SRP deny execute and ACL deny execute for Everyone. On top of that I have Spyshelter free with HIPS only (in silent mode) as the only third party security. Works well, when I look at Spyshelter logs, nothing has ever passed the combo of SUA + ACL + SRP.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    Yes, SUA+ACL+SRP can be set really tight. I just can't get myself to set up an SUA profile, so I try to secure my Admin account as much as possible using SRP and ACL.
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    I use SUA when doing standard daily tasks that do not require admin rights. I switch to PA when I need to do admin tasks.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    I don't get it, why did you specify Win 10, are other Windows versions not interesting?
     
  22. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    I put Win10 because I use it, but other versions are not forbidden ^^
     
  23. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,646
    Location:
    NSW, Australia
    Admin account. I prefer not having to type a password frequently.
     
  24. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    220
    I always use a Standard User Account for all daily chores and only log in on my PA account when I know I need to do admin duties.

    I don't want the split token present in my daily account.

    Additionally I have UAC on max and block unsigned executables from elevating.

    Oh, I care a lot about restricting user privileges on every PC I set up.
    It has saved me from so many worries over the years.
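
Added example, not part of any poster's message: a read-only PowerShell check of the account type and the UAC policy values discussed in this thread (split token, UAC on max, `ValidateAdminCodeSignatures`). The target values chosen for "UAC on max" and the direct-membership test for the Administrators group are this example's assumptions.

```powershell
# Added example (not from the thread): read-only audit of the account type and
# the UAC policy values discussed above. Reading them needs no elevation.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Targets are this example's assumption of "UAC on max" plus the signature check.
$wanted = [ordered]@{
    EnableLUA                   = 1   # UAC on
    ConsentPromptBehaviorAdmin  = 2   # always prompt for consent on the secure desktop
    PromptOnSecureDesktop       = 1   # prompts are shown on the secure desktop
    ValidateAdminCodeSignatures = 1   # only signed and validated executables elevate
}

$props  = Get-ItemProperty -Path $key -ErrorAction Stop
$report = foreach ($name in $wanted.Keys) {
    # An absent value means the OS default applies; it is reported as not set.
    $actual = $props.PSObject.Properties[$name].Value
    [pscustomobject]@{
        Setting = $name
        Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
        Wanted  = $wanted[$name]
        OK      = ($actual -eq $wanted[$name])
    }
}
$report | Format-Table -AutoSize

# IsInRole(Administrator) is true only when the current token is elevated.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$id
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Direct membership of BUILTIN\Administrators (well-known SID S-1-5-32-544).
# Nested domain groups are not resolved here.
$member = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                 Where-Object { $_.SID.Value -eq $id.User.Value })

if ($elevated) {
    $kind = 'administrator, elevated (full token)'
} elseif ($member) {
    $kind = 'Protected Admin, running with the filtered (split) token'
} else {
    $kind = 'Standard User Account'
}
'{0}: {1}' -f $id.Name, $kind
```

Run it once from the daily account and once from the admin account to compare the two token states.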
     