Do you use a Standard User Account (SUA)?

Do you use Standard User Account?

  • Yes: 33 votes (37.5%)
  • No: 55 votes (62.5%)
  • Total voters: 88

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I have not voted. A year ago, I mostly used 'no elevation' SUA, because my daily work required a little admin work. Now, I spend much time on programming, testing installers, changing Windows settings, and working with the Windows Registry. So, I have to use an Admin account.
Anyway, I still like and strongly recommend SUA to everyone who does not perform many admin tasks. :)

Edit.
It is hard to replace the security of 'no elevation SUA' with security on an Admin account. So, I adopted SPS (Simple Paranoid Security) = Hardened Windows 10 built-in Security + Shadow Defender (on boot).
 
Last edited:

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Are you seriously saying that?


That was the point of SUA ....:rolleyes:
@Umbra, please link us to the article that was posted on MT about a month ago about this very subject, and explain what point I misunderstood, or what point in the article you disagree with.

Also, and this might be a little harder for you to do, but I really think you should respond to MT posters with a little common respect. If you are a moderator and a staff member, please behave accordingly.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
That is why it is not possible to have SUA without Admin.:)
Here's an example. I have two input languages: English and Hebrew. If I switch to SUA, Windows automatically gives me two versions of Hebrew keyboard, making it very frustrating to switch between languages, because I have three input methods to juggle. I can only stop this stupid Windows behavior if I am working in an admin account. As soon as I switch to SUA, the unwanted Hebrew input method comes right back.
 

509322

Average Joe generally doesn't use SUA because:

1. Most don't even know such a thing exists; and
2. If they do use it for any length of time, then they more often than not consider its restrictions an inconvenience

Anyone who does not need to use an Admin account in daily computing should use a SUA instead
 

Deleted member 178

@Umbra, please link us to the article that was posted on MT about a month ago about this very subject, and explain what point I misunderstood, or what point in the article you disagree with.
I don't have time to search for it.

1- Usual malware doesn't "read" your admin account password! It doesn't have small eyes over your shoulder and then suddenly say "got its password! I can elevate myself" .... (Malware that can grab logon passwords is another topic.)
2- You are concerned by an issue you clearly don't fully comprehend. You were saying that on SUA you are concerned about malware "reading" the admin password to elevate itself.
For that, they use Privilege Escalation to get higher privileges via various methods, mostly code injection (i.e. the malware injects itself into the un-elevated Explorer process, hooks "SHELL32!AicLaunchAdminProcess" and waits for a program to be elevated by the user).
3- Finally, why would you be concerned about SUA? Because a malware is escalating from it? No reason to be, because if you are on an admin account there is not even a need for escalation: the malware already has the proper privileges to do its job, without the need of privilege escalation.

So SUA is safer than admin. Why? Because using an admin account as your daily account is helping the malware to infect you.
Also, on SUA, to be a victim of privilege escalation, the malware or a remote attacker must have got in already. Which is your fault.

Also, and this might be a little harder for you to do, but I really think you should respond to MT posters with a little common respect. If you are a moderator and a staff member, please behave accordingly.
Sorry to hurt your ego, but since you aren't a total noob and you like to give technical advice to beginner members, I will be harder on you than on any other "classic" member, especially when your statements are (wanted or not) unclear, undocumented and misleading; nothing to do with respect or not. You did this several times before: you stated things believing they were factual instead of researching beforehand. Each time I (or someone) had to correct you.

So when you state something technical, be clear, research it, give links if possible, and most of all understand the subject you are stating.
 
Last edited by a moderator:

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I use SUA. But I honestly think that if you have Windows 10 Pro and you tweak your Group policy settings to limit the power of your admin account and you have UAC to max you are like halfway there.

I actually found that using SUA is better. Using my admin account, some things are being elevated that honestly don't need elevation and because the child process inherits the permissions of the parent, you get a chain of programs that run as admin for no good reason. I can restrict the power of my SUA further than an admin. Honestly when I'm admin I can override whatever I like whenever I like and that had me worried that it could be used to exploit. That gave me trust issues so I finally decided to split the powers and it's surprisingly easy, just like Linux. It actually feels like nothing changed except that when I open a program as admin, it will use the configuration in the AppData folder of the admin account which is strange. Microsoft should have created the option to run a program with admin privileges instead of running a program as the Administrator account with all the bells and whistles.
 

Duotone

Level 10
Verified
Well-known
Mar 17, 2016
457
Yes and No...

Got SUA on my desktop to monitor my child's computer usage, yet I still let them use the admin account because I set too many time restrictions. However, on my laptop I'm a bit lazy to create one; maybe I will when I have extra time or when I reinstall Win 10 CU.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I don't have time for that.

1- Usual malware doesn't "read" your admin account! It doesn't have small eyes over your shoulder and then suddenly say "got its password! I can elevate myself" .... (Malware that can grab logon passwords is another topic.)
2- You are concerned by an issue you clearly don't fully comprehend. You were saying that on SUA you are concerned about malware "reading" the admin password to elevate itself.
For that, they use Privilege Escalation to get higher privileges via various methods, mostly code injection (the malware injects itself into the un-elevated Explorer process, hooks "SHELL32!AicLaunchAdminProcess" and waits for a program to be elevated by the user).
3- Finally, why would you be concerned about SUA? Because a malware is escalating from it? No reason to be, because if you are on an admin account there is not even a need for escalation: the malware already has the proper privileges to do its job, without the need of privilege escalation.

So SUA is safer than admin. Why? Because using an admin account as your daily account is helping the malware to infect you.
Also, on SUA, to be a victim of privilege escalation, the malware or a remote attacker must have got in already.


Sorry to hurt your ego, but since you aren't a total noob and you like to give technical advice to beginner members, I will be harder on you than on any other "classic" member, especially when your statements are (wanted or not) unclear, undocumented and misleading; nothing to do with respect or not. You did this several times before: you stated things believing they were factual instead of researching beforehand. Each time I (or someone) had to correct you.
As for the factual point, I think you got me wrong. I meant like this:
1. I am in SUA.
2. I unknowingly execute a malware file.
3. It is loaded in memory, but cannot perform the attack, because it lacks permissions.
4. While still in SUA, I enter my admin password, in order to run my Macrium Reflect backup job.
5. Bang! The malware gets elevated permissions and pwns my computer.

Is this right?

As for the respect issue: I usually read articles and posts carefully before responding, and if I don't understand a point, I often engage in long discussions with other forum members who know more, until I get it. Once I get the point, I do share it with others.
So if I post something you disagree with, go right ahead and disagree, but with a little common decency, please.

EDIT: My request is that you show common decency to all MT posters, not just me. It is a general issue.
 
Last edited:

509322

As for the factual point, I think you got me wrong. I meant like this:
1. I am in SUA.
2. I unknowingly execute a malware file.
3. It is loaded in memory, but cannot perform the attack, because it lacks permissions.
4. While still in SUA, I enter my admin password, in order to run my Macrium Reflect backup job.
5. Bang! The malware gets elevated permissions and pwns my computer.

Is this right?

As for the respect issue: I usually read articles and posts carefully before responding, and if I don't understand a point, I often engage in long discussions with other forum members who know more, until I get it. Once I get the point, I do share it with others.
So if I post something you disagree with, go right ahead and disagree, but with a little common decency, please.

EDIT: My request is that you show common decency to all MT posters, not just me. It is a general issue.

Who said that ?

No. It doesn't work like that. You can test it easily for yourself. Install Process Explorer or Process Hacker in a SUA and make sure you show the permissions and integrity columns. Execute something that requires elevated privileges and enter the Admin password. Pay attention to the permissions column in Process Explorer/Hacker. Upon entering the Admin password and elevating the process requesting it, Admin privileges are not granted to all other processes.

The person you need to ask is fixer because he knows those Windows internals inside-and-out because of the way ReHIPS works.
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Who said that ?

No. It doesn't work like that. You can test it easily for yourself. Install Process Explorer or Process Hacker in a SUA and make sure you show the permissions and integrity columns. Execute something that requires elevated privileges and enter the Admin password. Pay attention to the permissions column in Process Explorer/Hacker. Upon entering the Admin password and elevating the process requesting it, Admin privileges are not granted to all other processes.

The person you need to ask is fixer because he knows those Windows internals inside-and-out because of the way ReHIPS works.
Okay, I finally found it.
There is a thread that discusses the split-token issue with SUA. Please explain the issue in plain terms, so that all (even me) can understand.
Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities
 

509322

Okay, I finally found it.
There is a thread that discusses the split-token issue with SUA. Please explain the issue in plain terms, so that all (even me) can understand.
Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

In a nutshell, it is a Proof-of-Concept (PoC) UAC exploit.

The author states it is possible, but does not give any concrete, practical test scenarios that can be easily replicated.

A split-token Administrator account is an Admin account and not a SUA.
 
Last edited by a moderator:
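As an added illustration of the two points 509322 makes above (that elevating one program through UAC in a SUA does not hand Admin rights to the other processes, and that a split-token Administrator account is not a SUA), here is a PowerShell snippet that is not from the thread or from any tool mentioned in it. It queries the Windows token API for TokenElevationType; the function name Get-TokenElevationType and the TokenProbe namespace are my own choices, and processes the current user cannot open are reported as 'Inaccessible'.

```powershell
# Added example (not from the thread): classify tokens by TokenElevationType.
#   Default = no split token (a SUA, or an admin with UAC disabled)
#   Limited = the filtered, medium-integrity half of a split-token admin
#   Full    = the elevated half (what a UAC-approved process runs with)
Add-Type -Namespace TokenProbe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, out int info, int len, out int ret);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$TOKEN_QUERY = 0x0008
$TokenElevationType = 18   # TOKEN_INFORMATION_CLASS value for TokenElevationType

function Get-TokenElevationType {
    # Elevation type of the process with the given PID (the current process when omitted).
    param([int]$ProcessId = 0)
    $proc = [IntPtr]::Zero; $token = [IntPtr]::Zero
    try {
        $proc = if ($ProcessId -eq 0) { [TokenProbe.Native]::GetCurrentProcess() } else { [TokenProbe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId) }
        if ($proc -eq [IntPtr]::Zero) { return 'Inaccessible' }
        if (-not [TokenProbe.Native]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) { return 'Inaccessible' }
        $type = 0; $ret = 0
        if (-not [TokenProbe.Native]::GetTokenInformation($token, $TokenElevationType, [ref]$type, 4, [ref]$ret)) { return 'Inaccessible' }
        switch ($type) { 1 { 'Default' } 2 { 'Full' } 3 { 'Limited' } default { "Unknown($type)" } }
    } finally {
        if ($token -ne [IntPtr]::Zero) { [void][TokenProbe.Native]::CloseHandle($token) }
        # GetCurrentProcess() returns a pseudo-handle that must not be closed.
        if ($ProcessId -ne 0 -and $proc -ne [IntPtr]::Zero) { [void][TokenProbe.Native]::CloseHandle($proc) }
    }
}

# 1. Which kind of account is this shell running under? SUA -> Default,
#    unelevated split-token admin -> Limited, elevated -> Full.
"This PowerShell session: $(Get-TokenElevationType)"

# 2. The experiment from the thread: elevate one program through UAC, then
#    re-run this listing and confirm that only that process reports 'Full'.
Get-Process | Sort-Object Id | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Elevation = (Get-TokenElevationType -ProcessId $_.Id) }
} | Where-Object { $_.Elevation -ne 'Inaccessible' } | Format-Table -AutoSize
```

Run it once from a SUA and once from a split-token Admin account, unelevated and then elevated, to see the three values the thread is arguing about.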

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
In a nutshell, it is a Proof-of-Concept (PoC) UAC exploit.

A split-token Administrator account is an Admin account and not a SUA.
Okay, so what is the risk with entering the admin password, when you are in SUA?
 

509322

Okay, so what is the risk with entering the admin password, when you are in SUA?

I'd say you have a better chance of hitting the worldwide lotto for $1 billion U.S. than your system being miserably infected.


The author's own words in Part 3:

"Admittedly just having the token isn't necessarily exploitable, but attacks only get better, would you be willing to take the bet that it's not exploitable?"
 

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I'd say you have a better chance of hitting the worldwide lotto for $1 billion U.S. than your system being miserably infected.
I wouldn't mind hitting the lotto, but basically, all that discussion about the risk, on the thread I linked to, was extreme paranoia?
 

509322

I wouldn't mind hitting the lotto, but basically, all that discussion about the risk, on the thread I linked to, was extreme paranoia?

Here's more of the author's words in Part 3:

"Or just don't get malware on your machine in the first place ;-) About the safest way of using Windows is to run as a normal user and use Fast User Switching to login to a new session with a separate administrator account. The price of Fast User Switching is the friction of hitting CTRL+ALT-DEL, then selecting Switch User, then typing in a password. Perhaps though that friction has additional benefits."

In other words, don't use UAC to elevate in SUA. Now, how likely is it that a security soft geek's SUA is going to have malware on it in the first place? What, less than 1/10th of 1% probability?

On W10 the PoC is even more difficult, the author explains, and requires a real rigmarole to exploit.

Extreme paranoia (about such things as nuclear war and make-believe malware) on the security forums - whoever heard of such a thing ?
 