Friday, February 6, 2015

Windows Computer Security -- Using a standard user account

By default Windows sets up the initial user account with full admin privileges. This makes it very easy for the user and for malware / spyware / adware publishers to install new programs on your computer. A study reported that of all the security patches issued by Microsoft in 2013, 92% of the vulnerability exploits would have been blocked by use a of standard user account.

Here is the process I have used successfully on 11 Windows 7 computers to convert an existing admin user account to a standard account:

Create a new admin account:
  • Log in to your existing user account that has admin privileges
  • Go to Control Panel, User Accounts
  • Click Manage another account
  • Click Create a new account
  • Enter a name for the new account (e.g. Admin)
  • Click the Administrator button
  • Click Create Account
  • Click on the new account icon
  • Click Create a password
  • Enter password (different from normal user password) in the two boxes
  • Click the button Create password
  • Return to desktop and log out of your normal user account
Downgrade normal user account to standard:
  • Log in to your newly created admin account
  • Go to Control Panel, User Accounts
  • Click Manage another account
  • Click on the normal user icon
  • Click Change the account type
  • Click Standard user
  • Click the button Change Account type
  • Return to desktop and log out of your admin account
Log in to your normal account and resume use

If you attempt to install a new program or an upgrade (other than Microsoft updates), you will be prompted to enter the password for an admin account. Pay close attention! If this appears for a program you don't recognize or did not choose to install, it may be malware attempting to install.

On rare occasions (in my experience) a program may need to be installed or updated when logged into an admin account. In most, but not all cases, you may be able to simply right-click on the program file and select "Run as administrator". 

Updates 3/27/15: 
  • One example of a program that must be run from a logged-in admin account is Evernote. When I am using the program from my standard account and it announces an update available, it tells me to ask my administrator to install the update. It does not make the update available to install by my standard account.
  • Many programs allow me to install updates by simply entering my admin password when the UAC pop-up box appears. In some cases the update downloads go to my admin user's download folder rather than to my standard user download folder.

I believe that the same or very similar steps would apply to Windows 8 computers.

Also see these three rules for online security published by Brian Krebs.