Monday, February 17, 2020

Windows 10 Administrative Accounts

How To:  Build a Windows 10 Administrative Account - demote your normal account to a "loser account."

Steps to convert your normal, daily Windows 10 User Account to a "Standard Account"  (a non-administrative account, a non-elevated account).  This helps prevent Malware from installing and protects the machine from inadvertent changes from other family members.

Use the administrative credentials for system-wide changes.  Use your "loser" account for day-to-day work.  This follows best practice at Microsoft, at most corporations, and at schools.  I use this technique on all of my computers, even for my own account!  I would especially do this on children's computers.

When malware installs, Windows prompts for permission using a UAC prompt (commonly called the Nag), asking for permission to install the software.  Viruses present themselves by enticing the victim with a game or some other program of interest.  Most people see the UAC nag screen and click "Allow," without thinking.   You've probably done this yourself.  In other words, you have given the virus permission to install, not realizing the payload.

This article replaces an older Windows 7 article:  Secure PCs from Offspring.

Administrator vs Standard Users

With a non-administrative account, attempts to install software, or to change internal Windows settings are challenged with a user-id and password ("credentials").  This slows-down the automatic "ok."  If they does not know the administrative password, they cannot make the change without assistance (my children, my parents).  This essentially locks the PC from most changes.

The Setup

Follow these steps to enable an Administrative account.

Important:  Before doing these steps, a new Administrator account must be built before converting your existing account to a "loser" account.  (More than one administrator's account can be created, but this is not needed.)

1. Build an Administrator Account:

Using your current (presumably) Administrator Account (your normal login-credentials)

a.   In the Start Menu's Search box, search for "Control Panel"
      Open "User Accounts"
      Select "Manage another Account"

Click for larger view
b.  Click "Add a user account"

c.  at "How will this person sign-in"

    ! Do not enter an email address

    Instead, click "Sign in without a Microsoft account (not recommended)"
       - But this is recommended. 
         The local account will never be used outside this machine.

d.  At the second prompt, again select "Local Account"

e.  Set the User-Name to "Administrator"  (recommended, not required)
     Set the password and password hint.

If this is your personal machine, consider setting the password to the same password used for your normal login - one less thing to remember.  It goes without saying, don't forget this password

f.   Click the new Administrator account.
     Click "Change the account type"

      Change the Account Type from "Standard" user to an "Administrator User"

2.  Logout / Login to the new Administrator account:

a. Click Start, (Shutdown: submenu); "Log off"

b. Login as Administrator (note a new choice is available)
    This builds the Administrator's profile.

3.  Change the original (child's) account:

While logged in as the Administrator,

a.  Start, Search, "Control Panel",
     Open User Accounts,
     "Manage another account"

b.  Select the (future) non-admin account (your account, the child's account)

c. "Change the account type";
Set to Standard User.
Close and save changes.

In other words, demote yourself to a "loser" account.

d.  Logout as Admin. 
Re-login as your normal account.

You will be running as a "Standard" (non-administrative, non-elevated account).  All programs will run normally, but updates and system changes require credentials.

Administrative credentials are now required before installing software or viruses and will always prompt for UAC permission.  If you have a UAC prompt (and it will now always ask for an account-name and password), hesitate -- decide if the install is safe or not.  Wise people will not tell the children or non-computer-literate parents the administrative password. 

Windows system updates will run as-before (and will install on their normal schedule with their normal system account).  Application installers will prompt for permission before updating.  This is a good thing. 

The Administrator account is also accessible here: 
From the Start Menu, click the People-icon.

On a closing note: Having a backdoor administrative account -- even if it is different than your own personal administrative account, is useful for cleaning simpler viruses which may have only infected the current user.  A backdoor account can help clean-up the mess.  This account is useful if the current user's account becomes corrupted.


Related Articles:
Raspberry Pi-Hole - A DNS SinkHole for security