Serious Discussion What Are the Advantages of Standard Account Over Administrator Account?

[lokamoka820]

As the sole user of my device, what are the advantages of using a standard account instead of an administrator account? I mean, when I receive a notification requiring administrator privileges, I can enter the administrator password on the standard account just like accepting the UAC prompt with an administrator account. Are there any other differences?

 

[oldschool]

SUA is more secure. Restricts modification of critical systems that require admin rights (principle of least privilege), preventing or limiting damage from malware. Roughly 80% malware fails on SUA. You can search MT for additional details as to why. There are many threads and posts about this.
Why you should be on a Standard user account
Why you should be on a Standard user account

 

[DDE_Server]

As a best practice, use the least privilege required for each task and only elevate to higher privileges (Run as Administrator or privilege escalation) when absolutely necessary—for example, when installing or uninstalling software.


I maintain two accounts whose usernames differ only by an underscore: one is a standard user and the other is an administrator. I’ve applied the Microsoft baseline so that running as administrator is blocked for standard sessions. When I need administrative rights for specific tasks, I switch to the admin account, complete the task, then sign out.


Most applications provide full or nearly full functionality under a standard user account; only certain operations (such as upgrading the software) require admin privileges. Restricting privilege escalation this way reduces the attack surface: if malware runs under the standard account it’s less likely to perform privileged actions, which helps contain incidents and limit potential damage.

 

[DDE_Server]

Micorost Baseline is good as a start without breaking the system (you can consider it as a minimum hardening baseline). You can get the Microsoft toolkit and apply it using local group policies.

You can get it from Microsoft's official website here: Security baselines guide

Note: Take a backup before trying, as you may need to revert the changes if you do not like them

 

[SeriousHoax]

Against malware it can be useful in certain cases where malware can silently bypass UAC to gain admin privilege. A standard account should help in such cases as even if can bypass UAC it still won't have the required privileges to do the malicious action.
With that said, I never used a standard account. It would make me feel like someone has tied me to a chair to prevent me from using my own PC.

 

[oldschool]

With that said, I never used a standard account. It would make me feel like someone has tied me to a chair to prevent me from using my own PC.

Your case is understandable, but It simply depends on how one uses their machine. I rarely install new programs, especially since I've quit sampling AVs after horrible withdrawal symptoms due to MT Security Syndrome. @DDE_Server emphasizes the benefits of using SUA, but most MT members could use an AA securely. As @Andy Ful has said, one may continue to drink alcohol to excess, smoke cigarettes, etc., but it is best to refrain from such behavior for health reasons.

 

[lokamoka820]

How can malware silently bypass UAC to gain administrator privileges?

 

[Victor M]

UAC bypass can happen. It is shown here using the attack tool Metasploit : Bypassing UAC on Windows Using Metasploit - A Complete Guide for Cybersecurity Professionals . Know that Metasploit comes with the Linux distro Kali. All you have to do is install Kali and it gives you a whole bunch of hacking tools. MS sometimes fix bypasses. But they have also said the UAC is Not a security barrier - only separate accounts is a security barrier.

Therefore I use a standard acc as daily driver. And I explicitly disable the Secondary Logon service - so that attackers cannot leap from the standard acc to the admin acc. I have also disabled the password credential mech using MS approved method, so only PINs are accepted credentials. PINs cannot be used by a off box attack - to use a PIN they have to be at the machine. Also I have set in group policy / local policy that UAC are simply not shown for standard accounts. So no bypass is possible.

 

[Khushal]

How can malware silently bypass UAC to gain administrator privileges?

There are multiple exploits to bypass UAC. The most common one which i find in the wild is using CMSTP.
The most common UAC bypass exploit involving CMSTP leverages the Microsoft Connection Manager Profile Installer (CMSTP.exe), a legitimate Windows binary used to install connection profiles, typically VPNs. Attackers use specially crafted malicious INF files containing arbitrary commands that CMSTP installs silently without prompting the user. Since CMSTP.exe is Microsoft-signed and a trusted system file, this method effectively bypasses UAC prompts and often also bypasses antivirus detection. The exploit abuses COM objects linked to CMSTP, which allows the execution of elevated code under the context of this trusted binary.

CMSTP accepts INF files as inputs, and adversaries craft these INF files to perform privilege escalation by silently running malicious code. This method has been used by ransomware groups like LockBit 3.0 and BlackCat, among others. The technique is classified under the MITRE ATT&CK framework as System Binary Proxy Execution (T1218.003) and is considered a popular privilege escalation and defense evasion mechanism.

 

[Victor M]

Yes cmstp is a known LoLBin.

 

[rashmi]

As @Andy Ful has said, one may continue to drink alcohol to excess, smoke cigarettes, etc., but it is best to refrain from such behavior for health reasons.

Criticizing alcohol … it's the one flawless invention humans have ever crafted!

 

[rashmi]

I never used a standard account.

I've never been a fan of the standard account—switching, and overall usage is too much of a hassle for me!

 

[Miravi]

I recently switched over to a SUA for the first time in a good while. We'll see if I continue to find it worthwhile, but every manageable security layer counts. It's just like a more secure UAC where I'm hassled by entering a password.

 

[Sorrento]

I don't use a standard account & haven't for years despite all the disadvantages I read about it- Really is too much trouble, unlikely to change that stance now.

 

[ForgottenSeer 94738]

I don't use a standard account either. It's too complicated for me.

 

[Parkinsond]

The most common UAC bypass exploit involving CMSTP leverages the Microsoft Connection Manager Profile Installer (CMSTP.exe)

Can run by itself or the user must run it to later bypass UAC?

 

[Khushal]

How can malware silently bypass UAC to gain administrator privileges?

Can run by itself or the user must run it to later bypass UAC?

no the user has to execute the exe first, then it bypasses uac and does its thing.

 

[Sorrento]

I don't trust UAC either: We used a similar system in an extremely heavy industry system where a user just had to press a button to OK XYZ (possibility of death) - it was found eventually after several near misses that a habit formed where the user did it without thinking therefore it quickly became useless, in the end two users had to converse as to whether XYZ was OK, this still was not perfect - UAC is the similar, users happily press OK when repetitively done regardless of the question, I've seen it done so many times, it is human nature esp. when the user has no idea what the prompt actually means, although experianced users still do it. It becomes a habit, a bad habit, from my point of view UAC doesn't do much if it did there would be no infections.

 

[Parkinsond]

no the user has to execute the exe first, then it bypasses uac and does its thing.

So UAC does not matter; if you are executing a file manually, it is logic to select ok if prompted by UAC.

 

[Lintianyun Luo]

if you want to convenient, you can use admin account, i dont kown what about other countries like US or europe, but in china all users will use admin account, includ me