Status
Not open for further replies.
viel

Hello!

Is it safe if I use the Admin account? I only have one account on my PC and that is the Admin one.
I also have UAC at max if that makes a difference :p

If I make a new account that isn't admin and use that, will I need to enter the password every time I need to download something? Will the second account that isn't admin also be linked to my Microsoft account?

Thanks! :D

PS: Is it safe if I link my Microsoft account to my PC account?
Thanks again :p
 

brod56

Level 15
Verified
It is safe if you know what you're doing, but SUA is far better for regular usage.
In a standard user account, software that demands admin privileges is not allowed to do so, unless there is a vulnerability.
Please head to this video to see how the ransomware was stopped in the first case, and delayed in the second one when using a standard user account.
You can find some more detailed info here and all over the web.
 
And when using a *nix-based system (Linux, Unix... including Mac OS X), you should never ever work as an admin user, aka root. The main reason why there are fewer viruses on Linux than on Windows is not because fewer people use it (in fact, it is way more valuable to target Linux, as its main users are $$$ companies and 99% of servers run Linux, so it is way more profitable to get into a server than into random Joe's computer), but more because of how the user / admin (aka root account) separation works. When a normal user account tries to execute a program, the program is very limited in what it can do to the computer. Unless there is a major security flaw that allows privilege escalation, the app can do absolutely nothing harmful (like a total sandbox, the app is limited to the user directory. Normally, each service runs as its own user to enforce security even more). And on Linux, 99.9999% of apps should be run as a normal user. Mac OS X is the same concept, except that the root / normal user separation is less clear. It is easier for apps to get privilege escalation.

On Windows, even if you are a regular (or admin) user and execute the app, the app still gets way too much privilege (and privilege escalation is pretty easy to do on Windows). But still, if you use a normal user (no admin privilege), don't run apps as admin, and keep UAC on, even if the program gets more privilege than a Linux user (like me) would like, it is still more secure. The virus may still do some key logging, or encrypt YOUR PERSONAL FILES (c:/user/YOUR_USER_FOLDER), or to some extent the program files directory, but at least other users on the same machine should be safe, again to some extent, depending on whether there are shared files / config between apps and users. At least the /system32 folder and /windows folder should be kept safe, but again, to some extent, considering that on Windows privilege escalation can be done easily. But normally, most privilege escalation attack types should be spotted by almost any BB or maybe even some HIPS (not sure about HIPS though), even free Avast and Comodo. As for your personal files that may be at risk, using some sandbox and making only one folder available to the app should make them safe. For example, if you are using some cracked software like Photoshop, then you sandbox it and allow access only to a project folder. Then you may scan the project folder each time you want to retrieve a project, and copy the project elsewhere. Same for the browser Download folder, for example. The Linux privilege layout is like a Windows + Sandbox feature by default when running as a normal user, except without using virtualization technology as a sandbox environment would do.

This is why in schools and big enterprises Windows is more secure; as it runs a directory service (Active Directory), aka a domain in Windows jargon, they have way more fine-grained control over user privileges. Not as secure as Linux + ACL, but way safer than Windows with a normal user. So in a Windows domain, a user account is "almost" as restricted as on "Linux", but ONLY if the directory service is correctly configured to enforce security policy. But then there is still the problem of privilege escalation, thus they still need some antivirus WITH proactive protection.

So, if we exclude the abnormal number of ways to escalate privilege on Windows (thus the need for proactive protection), the problem with Windows is the user / app privilege policy. On Linux, everything is heavily restricted; on Windows, it's the other way. One reason is by design: since Windows is run by random Joe, they want it to be friendly, and not require random Joe to play with privileges and policy every time he wants to do something; it just needs to work. Thus, instead of restricting everything, they are more open, so most apps run without much trouble, with UAC kicking in from time to time, and an app or two giving a pop-up for admin privilege. But the policy is not so strict, so random Joe with no technical skill can use the computer easily without having to mess with policy.

This is how some security apps work. For example, Appguard and ReHIPS, unless I am wrong (but from what I read on their webpages), are security solutions that simply enforce app policy at run-time, and through some Windows API check whether the app respects its policy or not. Since policies are set, the app is limited. And if it tries to do anything outside what the policy allows it to do, 2 things happen: since policies are set, it fails to do what it wants. And through the Windows API, Appguard and ReHIPS detect it and then kill the process. This is the reason they require no updates and take almost no CPU, but they are still secure against any kind of threat. The threat is just totally contained by policy, and then monitored against those policies. No need for scans, no need for artificial intelligence or machine learning algorithms, just an old-school rulebook the apps must follow, with a police officer that checks whether the apps respect the rulebook. Simple, yet VERY efficient; secure and lightweight. But still, I am not 100% sure of what I said here. Someone with more knowledge about Appguard and ReHIPS may need to confirm this.
 

509322

Hello!

Is it safe if I use the Admin account? I only have one account on my PC and that is the Admin one.
I also have UAC at max if that makes a difference :p

If I make a new account that isn't admin and use that, will I need to enter the password every time I need to download something? Will the second account that isn't admin also be linked to my Microsoft account?

Thanks! :D

PS: Is it safe if I link my Microsoft account to my PC account?
Thanks again :p

1. From only a security perspective, using the Admin account full-time is widely not recommended.

2. You can download stuff without entering a password. When you need to do something with elevated (Admin) privileges you will be prompted to enter the Admin password.

3. You can connect any Windows account to your Microsoft account.

4. From a security perspective there is not much direct risk when using your Microsoft account to log in and use Windows. From a privacy perspective there are arguments against it.

If you do a bit of searching online about Guest versus Admin account and risks of using a Microsoft account you will find a lot of info.

On the whole security-wise, you are better served by using the Guest account.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Someone here posted an article a couple months ago, saying that if you are in Standard User Account, and you enter the admin password to perform an action, you are actually giving privileges to everything that is running in the background, including malware that is sitting there and waiting for elevated privileges.
So if you want to use Standard User Account properly, then every time you need to perform an action requiring password, you need to switch to your admin account.
 
viel

Thanks for the help guys!

I don't install much anymore, I only play games, etc. I go on my emails, etc. on my Macintosh.
So I will stick with Admin.
Thanks again :D
 

shmu26

Level 85
Verified
Trusted
Content Creator
Thanks for the help guys!

I don't install much anymore, I only play games, etc. I go on my emails, etc. on my Macintosh.
So I will stick with Admin.
Thanks again :D
On the contrary, if you don't install much, then you can successfully switch to standard user account. It protects you from the unexpected, not from installations that you knowingly initiated.
People who install all the time will not gain very much from standard user account, and will quickly become frustrated, too.
 
viel

On the contrary, if you don't install much, then you can successfully switch to standard user account. It protects you from the unexpected, not from installations that you knowingly initiated.
People who install all the time will not gain very much from standard user account, and will quickly become frustrated, too.
But I do a lot of scans and change settings a lot so it will be a PAIN right?
 
viel

Right. You can make it less painful by using the 4 digit pin, instead of the full password, but yes, it's a pain.
But if I have a Standard account and try to change something they ask for the password, right? Or do I have to switch to Admin to change something.. :/
 

shmu26

Level 85
Verified
Trusted
Content Creator
But if I have a Standard account and try to change something they ask for the password, right? Or do I have to switch to Admin to change something.. :/
If you want to change something, they ask for either the admin password or the admin pin. You are not forced to switch accounts, you just answer the prompt and get on with your business.
 
viel

If you want to change something, they ask for either the admin password or the admin pin. You are not forced to switch accounts, you just answer the prompt and get on with your business.
What are some good security settings if I have a Standard account?
 
viel

Someone here posted an article a couple months ago, saying that if you are in Standard User Account, and you enter the admin password to perform an action, you are actually giving privileges to everything that is running in the background, including malware that is sitting there and waiting for elevated privileges.
So if you want to use Standard User Account properly, then every time you need to perform an action requiring password, you need to switch to your admin account.
Going back to what you said here.. this means I should not use the SUA?
 
viel

If you want to change something, they ask for either the admin password or the admin pin. You are not forced to switch accounts, you just answer the prompt and get on with your business.
Do you use an admin account?
 

shmu26

Level 85
Verified
Trusted
Content Creator
Going back to what you said here.. this means I should not use the SUA?
Well, I would say like this: if you ran something unknown or suspicious, and you didn't reboot yet, then don't enter the admin password, even if you are in SUA.

Regarding good security settings for SUA, better ask @Umbra or @Andy Ful about that.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Do you use an admin account?
Yes, I use an admin account. I usually run a default deny security setup, so that is enough for me. I am not a true paranoid. Productivity is more important to me than paranoia.
 
viel

Yes, I use an admin account. I usually run a default deny security setup, so that is enough for me. I am not a true paranoid. Productivity is more important to me than paranoia.
What is Default deny?
 

shmu26

Level 85
Verified
Trusted
Content Creator
What is Default deny?
It is the opposite of a traditional AV, which blocks only the known baddies, thus it is default/allow. Default/deny means any executable that is not whitelisted, you will get a prompt for it, or it will be blocked, depending on your settings.
VoodooShield is default deny, for example. So is Comodo, when properly configured.
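
The two models described in the post above, as an added example that is not part of the original thread: the same files are judged once by a blocklist (default/allow) and once by an allowlist (default/deny). File names, contents and both hash lists are constructed for the illustration and do not reflect how any product named in the thread stores its rules.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables (name -> content); not real files.
SAMPLES = {
    "editor.exe": b"trusted editor build 1",
    "editor_update.exe": b"trusted editor build 2",   # legitimate, but new
    "old_trojan.exe": b"malware with a known signature",
    "new_dropper.exe": b"never-seen-before malware",
}

# Default/allow (traditional AV): only hashes already known to be bad.
BLOCKLIST = {sha256(SAMPLES["old_trojan.exe"])}
# Default/deny: only hashes explicitly approved; everything else is refused.
ALLOWLIST = {sha256(SAMPLES["editor.exe"])}

def default_allow(data: bytes) -> str:
    """Run anything that is not on the known-bad list."""
    return "block" if sha256(data) in BLOCKLIST else "run"

def default_deny(data: bytes, prompt_user: bool = False) -> str:
    """Run only what is on the approved list; otherwise block or ask."""
    if sha256(data) in ALLOWLIST:
        return "run"
    return "prompt" if prompt_user else "block"

def compare() -> dict:
    """Verdict pair (default/allow, default/deny) for every sample."""
    return {name: (default_allow(d), default_deny(d))
            for name, d in SAMPLES.items()}

if __name__ == "__main__":
    for name, (allow, deny) in compare().items():
        print(f"{name:18} default/allow={allow:5} default/deny={deny}")
```

The unknown dropper runs under default/allow and is stopped under default/deny, while the legitimate update is stopped too until someone approves it, which is the cost for people who install software often.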
 
Deleted member 178

Admin Account safe? No way! Gimme a break...
Those saying it is have no clue about basic security principles... they just toy with and stockpile security softs, expecting what they could achieve just by knowing the basics....
And when they get pwned, they miserably come here crying and say "this security soft suxx, I got infected"
Then I will just reply "told you so"...
 