Guide | How To User Access Control: Standard User vs Protected Administrator

The associated guide may contain user-generated or external content.

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Topic: User Account Control: Standard User versus Protected Administrator Accounts - PETRI.COM

Introduced in Windows Vista, User Account Control (UAC) is an umbrella term for a collection of technologies — including registry and file virtualization, integrity levels, and elevation prompts — making it easier to use Windows with less privileges. In this article, I’ll explain why using a standard user account is more secure than a UAC Protected Administrator.
  • UAC is not a security boundary
  • Bypass UAC using DLL hijacking techniques
  • IT staff and privileged credentials
  • Exposing domain administrator credentials
CONTINUE READING
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Its a simple reason here where you don't need to rely so much on Windows built in features; as third party programs designed to maximize everything so UAC is easily defeated when a user interaction decide to allow it.

Still the first step for the configuration setup is user awareness + knowledge that applicable for the risk level either Standard Account or protected administrator.
 

Martin_C

Level 1
Verified
Mar 10, 2015
36
This topic sadly always causes so much confusion.

It's sad because this is a topic that everybody needs to understand.
Everything they do on their PC and all further security measures build on top of this.

Get the basics wrong, and people will be trying to build a tower on sand - it will not last when the storm hits.

There are two main things to understand :

UAC are NOT a security boundary.

Standard User Account (a limited user account) on the other hand ARE a security boundary.


End users only read the first line and do not understand the second.

It has over the years been extremely difficult to get users to understand this.

To break everything down :

A limited rights user account has always been the primary security that guards the system from the user.
This has been the case on ALL OSs since the dawn of computing.

Unfortunately Microsoft made a very bad decision many years ago and gave their default user account administrative rights.

This unfortunate decision backfired and produced a flood of sloppy programmers who was never taught discipline and they thought it was ok to mess around in the kernel and to write code that accessed system areas at will.
Nobody cared that programming at the time was done wrong, since all users where all set up with admin rights.

When Microsoft realized their mistake, they had a tough choice to make.

They could do it the safe, but hard way - make the default user account a limited user in their upcoming OS and thereby making everyday computing A LOT safer but at the same time they would break every program written by those sloppy programmers.

Realizing the support nightmare this would be, they came up with UAC instead.

UAC are a middle road. It virtualizes those system areas that the sloppy programmers accessed but should have stayed clear of and it gives end-users a easy way of shifting between users without having to log out of limited account and into admin account and vice versa.

This is as said a middle road.
It's safer then the old full-admin account, but not as safe as a limited account (now called Standard Account in Windows)

UAC was meant to hold hands on all those sloppy programmers until they learned proper programming and it was a way of making sure that the end-user would not be driven mad with logging in and out of accounts constantly during these years.

The end goal is and has always been, to get Windows end-users moved over to the safe limited account.

But it is a slow process.

Now, completely unrelated to all this, then in the same years as all this took place then we began to see HIPS solutions entering end-users PCs in certain segments.

HIPS produced prompts.
UAC produced prompts.
Both happened when users started a program.

This is where things began to go wrong, regarding the understanding of the underlying mechanisms.

We began to see a lot a posts and blogs from people that didn't understand the difference.

They thought HIPS and UAC where related and came up with all kind of ridiculous claims due to this misunderstanding.

Some of these misunderstandings are still being posted to this very day.

The difference are :

UAC are the best possible middle ground in protecting system areas from user space, while still preserving compatibility with programs done by sloppy programmers.
And UAC has become a lot tougher over the years, especially if set on max on WIN10.

The ultimate protection of system areas are when using your PC from a limited account in your daily work (now called Standard Account in Windows), while keeping the admin account password protected.

This is IT security 101 - protect system areas and keep the strongest boundary between system area and user space.

This is what any user should do.

HIPS has nothing to do with the above. HIPS will never be able to perform the safeguarding mentioned above.
HIPS are just a supplement to the above, where you can monitor and regulate what execute and interact from user space.

A limited account (Standard Account) are the fundament in system security.

HIPS are a added supplement. Something you can add if micromanaging user space is your cup of tea.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
I do understand and agree about using a standard account as much as possible instead of the administrator account as with knowledge it's always been extremely easy to elevate any higher needed access but what about the guest account? I'm curious and from one point of view I wouldn't be surprised if the guest account is something that's really not much considered or even at all in general from the malicious code creators part because people simply almost never activate/use guest accounts or perhaps I'm wrong?
 
  • Like
Reactions: shukla44
D

Deleted member 178

If you have enough knowledge of what you are doing , standard or admin accounts are same.

Standard is more beneficial to average users.
 
Last edited by a moderator:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top