Since I switched to Windows 7 about 3 years ago, and now using Windows 8.1, I have become familiar with the concept of User Account Control and used my PC the following way: a standard account which I use for every day work and the built-in Administrator account activated and used only to elevate processes when they request so, or to ”Run as administrator” applications when I need to.
However, recently after reading more about User Account Control, I started wondering if my way of working is good? Or should I use an administrator account for every day work, since an administrator account is not elevated until requested by apps, or until I request so via the ”Run as administrator” option? I am asking this because I read somewhere that the built-in Administrator account is a true administrator, by which I mean UAC doesn’t pop up when logged in within it, and I am scared of not having problems when potential malicious software come into scene. I have to mention that I do not use it on a daily basis, just when I need to elevate some apps. I barely log in into it 10 times a year…
So, how’s better? Thanks for your answers! And Happy New Year, of course!
P.S. I asked this a year ago (:P) and I think I should reiterate it: is an administrator account as safe these days as a standard account coupled with the built-in Administrator account when needed?
is an administrator account as safe these days as a standard account
coupled with the built-in Administrator account when needed?
In short: Still no.
The longer answer…
UAC is not a security feature
Back in the days of Windows XP and previous versions of Windows, it was quite difficult to practice the Principle of Least Privilege, not least in a corporate environment. The principle implied that you would do all your day-to-day tasks using a standard user account. Any tasks requiring admin privileges would be executed using a separate account with admin rights (given that the user had a legitimate need for it).
But Windows XP wasn’t designed with this in mind, and there were many quirks and limitations, when running as a standard user – even if you also had access to an admin account. As a standard user, you were not able to click on the systray clock to show the neat month calendar, you couldn’t change network settings and the “run as” function didn’t work for everything (especially Windows Explorer, and thus also Scheduled Tasks, Printers and other shell folders, if memory serves me right).
Of course there were workarounds for a lot of these deficiencies, but it took a lot of time to discover, document and, well, work around them.
Security is a balance between, well, security and convenience. UAC was introduced with Windows Vista, primarily to detect when admin rights were needed, and to automatically prompt you to authenticate with an(other) account, with admin rights. This made practicing the Principle of Least Privilege a lot easier.
As a side-effect, performing tasks requiring admin rights, while logged in with an admin account, gives you a chance to actually confirm that you want to exercise these rights. UAC prompts when installing software seem reasonable, whereas when opening a normal webpage doesn’t.
However, it turns out most users don’t use separate accounts and quite a few day-to-day tasks require admin rights (adjusting settings for clock, network, power plan etc.), and would thus trigger an UAC prompt in Vista. This slew of prompts causes most users to
a) Blindly accept any UAC prompts, with no attention to what was actually requiring elevation, or
b) Disable UAC confirmation entirely
With Windows 7, Microsoft made several Windows executables auto-elevate permissions, so if you you’re using an admin account, some actions are automatically executed with elevated (admin) rights. This made UAC seem a lot less obtrusive.
UAC auto-elevation can be exploited
So, in Windows 7 there’s a built-in mechanism for auto-elevating rights. If this mechanism can be exploited, by an application running with standard user rights, then UAC (which was not designed to be a security mechanism), can be circumvented and you can end up running applications with admin rights, though you haven’t been prompted to confirm it.
Turns out UAC auto-elevation can in fact be exploited by injecting code, as proven by Leo Davidson (Windows 7 UAC whitelist: Code-injection Issue (and more)) and discussed and demonstrated by Long Zheng (UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability).
Seen from a security perspective, it still makes sense to use separate accounts for day-to-day work and anything requiring admin rights. This is the only way to be (reasonably) sure, that no applications run with admin rights, without your explicit authorization.
That said, it’s a balance between convenience and security. As pointed out by @GeminiDomino, you could also fill all ports with epoxy, as used by the military. You could also run your computer “air gapped”, like Bruce Schneier, so that it never directly connects to any network.
In the end it comes down to if you’re OK with having to explicitly authenticate when performing admin tasks or not.
The most secure? Disconnect the network and monitor, fill all the ports with epoxy, and disassemble the hard drive, scattering the parts through the dungeons of Hyrule.
Seriously, though, your concerns are well-founded, in my experience. Not just because of malware and other naughty software, but because you are, in the end, human. In the context of a limited user, you can make mistakes that do a great deal of damage, of course. As an administrator, you can do all of that damage, and much more.
Running day-to-day as admin can be very tempting, especially when dealing with certain software packages that don’t seem to like to cooperate with “Run as Administrator” in their updates (I’m looking at you, VirtualBox…), but since your title says “secure”, I’m going to say that it’s better to deal with those as they occasionally come up, like you do now. Good instincts.
Happy new year!