Is a Separate Administrator Account Necessary in Windows 7?
I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?
windows-7 uac
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
add a comment |
I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?
windows-7 uac
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
add a comment |
I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?
windows-7 uac
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?
windows-7 uac
windows-7 uac
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
asked Jul 16 '12 at 20:32
Shivam Sarodia
13316
13316
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.
The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).
With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.
Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.
Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
add a comment |
Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.
In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
add a comment |
For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f449718%2fis-a-separate-administrator-account-necessary-in-windows-7%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.
The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).
With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.
Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.
Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
add a comment |
Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.
The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).
With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.
Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.
Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
add a comment |
Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.
The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).
With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.
Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.
Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.
The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).
With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.
Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.
Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
answered Jul 16 '12 at 20:47
allquixotic
30.5k694126
30.5k694126
add a comment |
add a comment |
Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.
In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
add a comment |
Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.
In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
add a comment |
Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.
In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.
Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.
In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.
answered Jul 16 '12 at 20:38
user3463
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
add a comment |
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
– sourcejedi
Nov 1 '16 at 12:04
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
– Michael Scott
Dec 14 at 21:17
add a comment |
For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
add a comment |
For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
add a comment |
For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
answered Jul 16 '12 at 20:40
Darth Android
34.1k47599
34.1k47599
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f449718%2fis-a-separate-administrator-account-necessary-in-windows-7%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
