Advice Request Is using Windows as admin security risk?!


empleat

Level 1
Thread author
Mar 23, 2020
27
Hello,

I wonder if using Windows on an administrator account long-term is a security risk. You can add a local account to the administrator group and then launch programs as admin. However, the password is saved on disk! Otherwise you have to enter the password each time you want to launch a program, or at startup, which is annoying as hell! Bitdefender says this is only a small security risk. I wanted to ask, is it a big deal to use an administrator account long-term, or to use a local account with a program that adds it to the administrator group and allows you to launch specified programs without entering the password each time?!

Thanks!
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
Indeed, most UAC bypasses only work when the user is logged in as admin, so running a standard account will protect against those kinds of attacks. When using a standard account you must enter your administrator user password each time you run something as admin.

I prefer to use a standard account on my personal device for extra security.
 

empleat

Level 1
Thread author
Mar 23, 2020
27
> Indeed, most UAC bypasses only work when the user is logged in as admin, so running a standard account will protect against those kinds of attacks. When using a standard account you must enter your administrator user password each time you run something as admin.
>
> I prefer to use a standard account on my personal device for extra security.

Hahaha, that's annoying as hell if you have a lot of programs at startup, or you need to restart the PC for something and do something and then have popups. Even like 3 programs is a lot! How long should my password be at minimum, so I can enter it fast? Ty!
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
I agree: if you're the sole user of your device and your threat model is low to minimal, having to constantly approve everything and/or enter passwords can get mighty tedious.

I have a script blocker (that supposedly blocks "tricks" frequently used in UAC bypasses) and hopefully that reduces the risk a bit further. (NVTOSArmor--still is in testing stage)

So I use an Administrator acct for the convenience. But the security advantages of a Standard account are understood.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
> Bitdefender says this is only a small security risk. I wanted to ask, is it a big deal to use an administrator account long-term, or to use a local account with a program that adds it to the administrator group and allows you to launch specified programs without entering the password each time?!

Why is Bitdefender saying that? First of all, they want you to purchase Anti-Virus by Bitdefender ;)

From my point of view, it all depends on the user: NO risk for advanced users who know what is dangerous and how to avoid ending up infected, but standard users are a different story, as those people are sometimes just "happy clickers" and don't know anything about safe habits on their own devices or while browsing the web...
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
> Hahaha, that's annoying as hell if you have a lot of programs at startup, or you need to restart the PC for something and do something and then have popups. Even like 3 programs is a lot! How long should my password be at minimum, so I can enter it fast? Ty!

There's something wrong with your Windows install if you have autostart programs that require administrator permissions.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
It's not as bad as running as root on Linux/FreeBSD, and not as bad as running as Admin on Windows 2000 and below, but it's still more risk. In addition to UAC bypass techniques, we have seen time after time that malware will use interesting techniques to either evade or steal files and those "just work" on an Admin account but are not allowed as a standard user.
 
ForgottenSeer 89360

> It's not as bad as running as root on Linux/FreeBSD, and not as bad as running as Admin on Windows 2000 and below, but it's still more risk. In addition to UAC bypass techniques, we have seen time after time that malware will use interesting techniques to either evade or steal files and those "just work" on an Admin account but are not allowed as a standard user.

Many threats I’ve tested, mostly stealers and RATs, have privilege escalation techniques and also bypass permission settings. On my malware testing PC I have 2 accounts, SUA and admin. I was able to bypass UAC and read, as well as write files from my admin account as well.
I have revoked all sorts of access permissions of the %userprofile% folder.

Regardless of that, SUA is still a lot more secure way to operate and is highly recommended.
 
ForgottenSeer 85179

If Bitdefender really says this, I wouldn't trust them.

Anyway, using an admin account (with UAC maximum) is good for most users. Also, e.g., ransomware doesn't need admin rights, so that doesn't matter.
Hardening the system is more important. Take a look at Andy's tool(s) and compare that with a secure browser like Edge.
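
To see where a given machine falls in this discussion (admin account or SUA, elevated or not, which UAC level is set), the following read-only PowerShell is an added example and is not part of any post in this thread. The output property names are chosen for this example; the registry values and the Administrators SID are the standard Windows ones.

```powershell
# Added example: report account type, elevation state and UAC prompt settings
# for the current logon. Read-only; it changes nothing.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# An unelevated admin still carries the Administrators SID in its token
# (as a deny-only group); a standard user account (SUA) does not carry it.
# /nh drops the localized header row, so the columns are named here.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes
$isAdminAccount = [bool]($groups | Where-Object { $_.SID -eq $adminSid })

# IsInRole is true only when the Administrators group is enabled in the
# token, i.e. the current process is actually elevated.
$isElevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key
$cpa = $uac.ConsentPromptBehaviorAdmin
$sd  = $uac.PromptOnSecureDesktop

# Map the registry values to the four positions of the UAC slider.
$level = if ($uac.EnableLUA -eq 0)          { 'UAC disabled' }
    elseif ($cpa -eq 2)                     { 'Always notify (maximum)' }
    elseif ($cpa -eq 5 -and $sd -eq 1)      { 'Default (one below maximum)' }
    elseif ($cpa -eq 5 -and $sd -eq 0)      { 'Notify, no secure desktop' }
    elseif ($cpa -eq 0)                     { 'Never notify' }
    else   { "Custom (ConsentPromptBehaviorAdmin=$cpa)" }

# What a standard user sees when something requests elevation.
$suaPrompt = switch ($uac.ConsentPromptBehaviorUser) {
    0       { 'Elevation requests denied automatically' }
    1       { 'Credential prompt on secure desktop' }
    3       { 'Credential prompt' }
    default { 'Unknown or not set' }
}

[pscustomobject]@{
    User            = $identity.Name
    AdminAccount    = $isAdminAccount
    ProcessElevated = $isElevated
    UacLevel        = $level
    StandardUserUac = $suaPrompt
}
```

Run it from a normal, non-elevated prompt: `AdminAccount = True` with `ProcessElevated = False` is the "admin account behind UAC" setup discussed above, while `AdminAccount = False` is an SUA.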
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
> If Bitdefender really says this, I wouldn't trust them.
>
> Anyway, using an admin account (with UAC maximum) is good for most users. Also, e.g., ransomware doesn't need admin rights, so that doesn't matter.
> Hardening the system is more important. Take a look at Andy's tool(s) and compare that with a secure browser like Edge.

Consumer Bitdefender products are slowly becoming scareware; they create random files and flag them as malware to scare the user and probably convince them to buy their most expensive subscription / "expert malware removal" service.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
> Now that is something I have not tested, as I always keep UAC on the default level (one below highest). I will test that.

Maybe UAC will help there, but I recall looking at mapping DOS devices as a way that some ransomware escapes CFA, and a lot of the key operations (like mapping a DOS device over an existing drive letter) only work if you're an administrator: DefineDosDeviceW function (fileapi.h) - Win32 apps | Microsoft Docs

The latter is super evil because a lot of AVs didn't realize that drive letter based paths can mean different things on a per-process basis, and it's super easy to use the wrong Windows API that works most of the time except in this corner case where you put a DOS drive letter on top of an existing drive.
 
ForgottenSeer 89360

> Where does it show it? I have never seen this in Bitdefender. Is it one of those vulnerability scan that many AV offers like the Bitdefender, Kaspersky and some others?

Bitdefender vulnerability scan doesn’t check for admin account at all, it only checks the password. You must have a “strong password” and it checks some common settings malware affect. It also checks 5-6 programs for updates, mainly browsers and PDF readers.
Most probably this is coming from Bitdefender staff.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
> The vulnerability scan doesn’t check for admin account at all, it only checks the password. You must have a “strong password” and it checks some common settings malware affect. It also checks 5-6 programs for updates, mainly browsers and PDF readers.

Ow ok, that's alright.

> Most probably this is coming from Bitdefender staff.

Hmm, maybe. That's not the product's fault then.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
> Hahaha, that's annoying as hell if you have a lot of programs at startup, or you need to restart the PC for something and do something and then have popups. Even like 3 programs is a lot! How long should my password be at minimum, so I can enter it fast? Ty!

@McMcbrad is correct: "Regardless of that, SUA is still a lot more secure way to operate and is highly recommended."

You should only need to enter the password if you're installing something or need to run it as administrator, not for starting programs.

I use SUA and it's not annoying. Of course, all of this depends on the number and kind of apps on your system.
 
