Q&A Is using Windows as admin a security risk?!

empleat

Level 1
Mar 23, 2020
22
Hello,

I wonder if using Windows on an administrator account long-term is a security risk. You can add a local account to the administrator group and then launch programs as admin. However, the password is saved on a disk! Otherwise you have to enter the password each time you want to launch a program, or at startup, which is annoying as hell! Bitdefender says this is only a small security risk. I wanted to ask, is it a big deal to use an administrator account long-term, or to use a local account with a program which adds it to an administrator group and allows you to launch specified programs without entering the password each time?!

Thanks!
 

geminis3

Level 18
Verified
Sep 10, 2015
856
Indeed, most UAC bypasses only work when the user is logged in as admin, so running a standard account will protect against those kinds of attacks. When using a standard account you must enter your administrator user password each time you run something as admin.

I prefer to use a standard account on my personal device for extra security.
 

empleat

Level 1
Mar 23, 2020
22
Indeed, most UAC bypasses only work when the user is logged in as admin, so running a standard account will protect against those kinds of attacks. When using a standard account you must enter your administrator user password each time you run something as admin.

I prefer to use a standard account on my personal device for extra security.
Hahaha, that's annoying as hell if you have a lot of programs at startup, or you need to restart the PC for something and do something and then have popups. Even like 3 programs is a lot! How long should my password be min, so I can enter it fast? Ty!
 

plat1098

Level 24
Verified
Sep 13, 2018
1,383
I agree: if you're the sole user of your device and your threat model is low to minimal, having to constantly approve everything and/or enter passwords can get mighty tedious.

I have a script blocker (that supposedly blocks "tricks" frequently used in UAC bypasses) and hopefully that reduces the risk a bit further. (NVTOSArmor--still is in testing stage)

So I use an Administrator acct for the convenience. But the security advantages of a Standard account are understood.
 

silversurfer

Level 73
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,231
Bitdefender says this is only a small security risk. I wanted to ask, is it a big deal to use an administrator account long-term, or to use a local account with a program which adds it to an administrator group and allows you to launch specified programs without entering the password each time?!
Why is Bitdefender saying that? Because first of all they want you to purchase Anti-Virus by Bitdefender ;)

From my point of view, it all depends on the user: NO risk for advanced users who know what is dangerous, to avoid ending up infected, but standard users are a different story, as those people are sometimes just "happy clickers" and don't know anything about safe habits on their own devices or while browsing the web...
 

geminis3

Level 18
Verified
Sep 10, 2015
856
Hahaha, that's annoying as hell if you have a lot of programs at startup, or you need to restart the PC for something and do something and then have popups. Even like 3 programs is a lot! How long should my password be min, so I can enter it fast? Ty!
There's something wrong with your Windows install if you have autostart programs that require administrator permissions.
 

MacDefender

Level 14
Verified
Oct 13, 2019
688
It's not as bad as running as root on Linux/FreeBSD, and not as bad as running as Admin on Windows 2000 and below, but it's still more risk. In addition to UAC bypass techniques, we have seen time after time that malware will use interesting techniques to either evade or steal files and those "just work" on an Admin account but are not allowed as a standard user.
 

ForgottenSeer 89360

It's not as bad as running as root on Linux/FreeBSD, and not as bad as running as Admin on Windows 2000 and below, but it's still more risk. In addition to UAC bypass techniques, we have seen time after time that malware will use interesting techniques to either evade or steal files and those "just work" on an Admin account but are not allowed as a standard user.
Many threats I’ve tested, mostly stealers and RATs, have privilege escalation techniques and also bypass permission settings. On my malware testing PC I have 2 accounts, SUA and admin. I was able to bypass UAC and read, as well as write, files from my admin account as well.
I have revoked all sorts of access permissions of %userprofile% folder.

Regardless of that, SUA is still a lot more secure way to operate and is highly recommended.
 

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955
If Bitdefender really says this, I wouldn't trust them.

Anyway, using an admin account (with UAC at maximum) is good for most users. Also, e.g. ransomware doesn't need admin rights, so that doesn't matter.
Hardening the system is more important. Take a look at Andy's tool(s) and compare that with a secure browser like Edge.
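
The three situations compared in the replies above (standard account, admin account behind a UAC prompt, elevated process) and the UAC level can be read off a live system. The following is an added example, not something posted in the thread; the function name `Get-UacPosture` and its output labels are made up for illustration, while the registry value names are the standard UAC policy values.

```powershell
# Added example: report account type, token elevation and UAC prompt policy.
function Get-UacPosture {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    # BUILTIN\Administrators (S-1-5-32-544) is a normal group claim in an elevated
    # token and a deny-only claim in the filtered token UAC gives an admin account.
    # A standard user account carries neither.
    $adminClaim = $identity.Claims | Where-Object { $_.Value -eq 'S-1-5-32-544' }
    $elevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $account = if (-not $adminClaim) { 'Standard user account' }
               elseif ($elevated)    { 'Admin account, elevated token' }
               else                  { 'Admin account, filtered (non-elevated) token' }

    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol    = Get-ItemProperty -Path $key
    $admin  = $pol.ConsentPromptBehaviorAdmin
    $secure = $pol.PromptOnSecureDesktop

    # Map the two policy values back to the four positions of the UAC slider.
    $level = if ($pol.EnableLUA -eq 0)                { 'UAC disabled' }
             elseif ($admin -eq 2 -and $secure -eq 1) { 'Always notify (highest)' }
             elseif ($admin -eq 5 -and $secure -eq 1) { 'Default (one below highest)' }
             elseif ($admin -eq 5 -and $secure -eq 0) { 'Notify without dimming the desktop' }
             elseif ($admin -eq 0)                    { 'Never notify' }
             else { "Custom policy (ConsentPromptBehaviorAdmin=$admin)" }

    [pscustomobject]@{
        User     = $identity.Name
        Account  = $account
        UacLevel = $level
        # 0 = deny elevation, 1 = credentials on secure desktop, 3 = credentials
        StandardUserPrompt = $pol.ConsentPromptBehaviorUser
    }
}

Get-UacPosture | Format-List
```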
 

geminis3

Level 18
Verified
Sep 10, 2015
856
If Bitdefender really says this, I wouldn't trust them.

Anyway, using an admin account (with UAC at maximum) is good for most users. Also, e.g. ransomware doesn't need admin rights, so that doesn't matter.
Hardening the system is more important. Take a look at Andy's tool(s) and compare that with a secure browser like Edge.
Consumer Bitdefender products are slowly becoming scareware; they create random files and flag them as malware to scare the user and probably convince them to buy their most expensive subscription / "expert malware removal" service.
 

MacDefender

Level 14
Verified
Oct 13, 2019
688
Now that is something I have not tested, as I always keep UAC on the default level (one below highest). I will test that.
Maybe UAC will help there, but I recall looking at mapping DOS devices as a way that some ransomware escapes CFA, and a lot of the key operations (like mapping a DOS device over an existing drive letter) only work if you're an administrator: DefineDosDeviceW function (fileapi.h) - Win32 apps | Microsoft Docs

The latter is super evil because a lot of AVs didn't realize that drive letter based paths can mean different things on a per-process basis, and it's super easy to use the wrong Windows API that works most of the time except in this corner case where you put a DOS drive letter on top of an existing drive.
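
A read-only check for the situation described in the post above, where a drive letter is defined on top of another path, is to ask Windows what each letter resolves to instead of trusting the letter. This is an added example, not code from the thread; `Get-DriveLetterTarget` and the `OverlaysPath` heuristic are illustrative assumptions, and `QueryDosDevice` is the documented kernel32 counterpart of `DefineDosDeviceW`.

```powershell
# Added example: list what each drive letter resolves to in the calling process's
# DOS device namespace, so a letter layered over another path stands out.
Add-Type -Namespace Win32 -Name DosDevice -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(
    string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Get-DriveLetterTarget {
    foreach ($code in 65..90) {                       # 'A'..'Z'
        $drive = '{0}:' -f [char]$code
        $buf   = [System.Text.StringBuilder]::new(1024)

        # QueryDosDevice returns 0 when the letter is not defined in this namespace.
        $len = [Win32.DosDevice]::QueryDosDevice($drive, $buf, [uint32]$buf.Capacity)
        if ($len -eq 0) { continue }

        # The first string returned is the mapping currently in effect.
        $target = $buf.ToString()

        # Heuristic (assumption of this example): a letter backed directly by a
        # volume resolves to \Device\HarddiskVolumeN with nothing after it. A letter
        # defined over a path resolves to \??\<path>, or to a volume plus a sub-path.
        $overlay = ($target -match '^\\\?\?\\') -or
                   ($target -match '^\\Device\\HarddiskVolume\d+\\.')

        [pscustomobject]@{
            Drive        = $drive
            Target       = $target
            OverlaysPath = $overlay
        }
    }
}

Get-DriveLetterTarget | Format-Table -AutoSize
```

Run it from both an elevated and a non-elevated prompt: the two tokens belong to different logon sessions and can see different mappings for the same letter.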
 

ForgottenSeer 89360

Where does it show it? I have never seen this in Bitdefender. Is it one of those vulnerability scans that many AVs offer, like Bitdefender, Kaspersky and some others?
Bitdefender vulnerability scan doesn’t check for admin account at all, it only checks the password. You must have a “strong password” and it checks some common settings malware affects. It also checks 5-6 programs for updates, mainly browsers and PDF readers.
Most probably this is coming from Bitdefender staff.
 

SeriousHoax

Level 36
Verified
Mar 16, 2019
2,581
The vulnerability scan doesn’t check for admin account at all, it only checks the password. You must have a “strong password” and it checks some common settings malware affects. It also checks 5-6 programs for updates, mainly browsers and PDF readers.
Ow ok, that's alright.
Most probably this is coming from Bitdefender staff.
Hmm, maybe. That's not the product's fault then.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,868
Hahaha, that's annoying as hell if you have a lot of programs at startup, or you need to restart the PC for something and do something and then have popups. Even like 3 programs is a lot! How long should my password be min, so I can enter it fast? Ty!
@McMcbrad is correct: "Regardless of that, SUA is still a lot more secure way to operate and is highly recommended."

You should only need to enter a password if you're installing something or need to run it as administrator, not for starting programs.

I use SUA and it's not annoying. Of course, all of this depends on the number and kind of apps on your system.
 