1

I am setting up a relatives computer using Windows 10. I am going to create them a 'standard user' account which I will encourage them to use as their every day account.

Standard User Account

In addition to that I will create a password protected 'administrator account' that they can use when and should they need to make changes to the computer requiring admin privileges (for example installing software). My hope is that this setup will increase their safety while browsing the internet, and provides a little more safety buffer when it comes to them doing stupid stuff (like clicking on links in emails). I realize privilege escalation exploits exist, but at least if an adversary/attack tries to run malicious scripts under the current users privileges, that attack vector will be limited.

Is my reasoning sound? I realize they still wont be 'safe' but the goal is to simply make their computer experience 'safer'. Will this do it? Is there a better (yet simple) approach?

n00b
  • 445
  • 2
  • 13

4 Answers4

2

Just the simple answer: they are a "safer" user

However this is still vulnerable to exploits, so while they are safer, they are not fool proof safe. After all viruses exists even for Linux and Mac and those are much more restrictive on their users.

Scope of exploits on normal users

With a normal user, most exploits will only affect that user. This means their data and data of any service that reveals information to them is at risk. However there are certain malware that can happen that will escalate the issue to administrative levels of privilege, at which point the entire system is compromised anyways.

You should still create them as a normal user for this reason

More types of viruses only really work if the person installs them somehow. A regular user doesn't have permission to install them so as long as that is the case, you are considered safer.

No matter what, super bugs will exist!

Really the best way to keep your system safe however is to use good habits:

  • Don't visit fishy sites or sites with a bunch of download ads
  • Don't download files from sources you don't trust
  • Don't go to websites that you don't trust
  • Don't install programs from untrusted sources
  • Make sure you are running up to date anti virus and anti malware software

A safe computer is a happy computer

Community
  • 1
Robert Mennell
  • 6,968
  • 1
  • 13
  • 38
1

Simple answer, yes he is safer but not "safe". If an attacker who has delivered a payload to the machine whether from an iframe or a redirect, the machine is owned and there is little to nothing you can do about it. The problem is not that it would help with some attacks, but it would make little difference in a vast majority of them.

I would say on an at-home computer that I don't use for work purposes at all, that having a separate admin account is over the line of usability vs security in my mind. I reinstall from an image of what I consider "needed" software at home a few times a year and I keep no personal information on it. I do however, have a "work" laptop that has a separate admin user/pass that does have information I want to keep out of the hands of miscreants and I do take much greater care of security measures on that machine.

The questions, as always, is security vs usability. Is banking done on the PC? Social Security #'s? Company info? etc... Once those questions are answered you can arrive at the best answer for the situation.

GingerBeard
  • 627
  • 1
  • 5
  • 13
0

Using a regular user account instead of an Administrator user account is certainly a good idea from a security perspective. It adds one more layer limiting what something can do on your system but I'm not sure it will work in your situation.

I'm assuming your relative isn't the most technically savvy because you are setting up the computer for them and because you are worried about protecting them from stuff. The problem is if you give them the admin password you have no assurances they won't just type it in any time anything causes the prompt to appear. If they do, then you haven't bought yourself anything. If on the other hand you don't give them the password then you or someone else would need to intervene every time something needed admin permissions.

I've got my wife setup as a regular user on Windows 10 and it hasn't been a problem but I can easily take care of anything that needs admin permissions for her. Are you willing and able to do that for your relative? I assume you aren't because you were planning to give them the password.

Evan Steinbrenner
  • 393
  • 1
  • 7
0

Yes, its more secure as it removes several vectors of attack that would be available if the compromised account was running with admin privileges.

Its probably the single most important step in securing windows after keeping windows updated with security patching.

So yes, convert to a standard account, create a separate admin account and then continue to address security risks as they pertain to your needs.

John Smith
  • 1
  • 1