How To Eliminate 94% of Windows Vulnerabilities Easily - Comments Page 2

Category: Security



All Comments on: "How To Eliminate 94% of Windows Vulnerabilities Easily"


Posted by:

Ken Dwight
28 Feb 2017

This is useful advice, but not for the main reason you stated. Malware creators figured out a long time ago how to elevate privileges, so that even a restricted user account is just as vulnerable to malware as an administrator. It's still a good idea for most users to have limited privileges, but don't be misled into thinking this is 93 or 94 percent protection against infection by malware.

Posted by:

Bob Greene
28 Feb 2017

@Joseph Hayes-- Many must run Windows XP for legacy software and other reasons. Yet, they do so with only marginal loss of security, compared to later Windows versions, because the latest ransomware and other issues are pointed at poor user security measures, not Microsoft's attempt to fortify and armor-plate later versions of Windows.

In fact, except for lower-tier exploits which continue to ding XP installations easily, XP users are now such a minority of individual users, they no longer interest professionals going after big game like corporate websites.

You will be safer than you fear if you adopt the sound practices suggested for user accounts in this Bob Rankin article. Meanwhile, find a good, general purpose security layer like Avast, or another reputable provider-- there are many worthy applications which still address XP, bless 'em all. And above all, keep your financial and personal information away from internet-facing XP machines, if you can--- a "best practice" that probably should apply to every other Windows machine, as well.

Posted by:

CT
28 Feb 2017

The easiest and safest way to change all this in Windows 10 is to create another account that is an administrator account as described above.
Then change your old account to a standard account. You can do this through the control panel (also "Settings", but more difficult). Do a Windows-R and enter "Control Panel". Go to "User Accounts". It will bring up the link "Manage another account".
That should list both accounts. Make sure the new one is admin, and change your old one to standard.
This way you don't have to move your profile over. You just have to put whatever you want to in your new admin account (that you only use when necessary).
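
The procedure in the comment above, scripted with the built-in LocalAccounts cmdlets, as an added example that is not part of the original comment. It assumes both accounts are local (not Microsoft-linked); the account names `alice` and `alice-admin` are placeholders. It refuses to demote the everyday account until the new administrator account is confirmed to exist, be enabled, and belong to Administrators.

```powershell
#Requires -RunAsAdministrator
# Added example: account names are placeholders, not values from the page.
param(
    [string]$DailyUser = 'alice',        # hypothetical: existing everyday account
    [string]$NewAdmin  = 'alice-admin'   # hypothetical: new admin-only account
)

# Group display names are localized; the well-known SIDs are not.
$AdminsSid = 'S-1-5-32-544'   # built-in Administrators
$UsersSid  = 'S-1-5-32-545'   # built-in Users

function Test-Member([string]$GroupSid, [string]$Name) {
    # Local accounts are listed as COMPUTERNAME\name (assumes a local account).
    $full = "$env:COMPUTERNAME\$Name"
    [bool](Get-LocalGroupMember -SID $GroupSid | Where-Object { $_.Name -eq $full })
}

# 1. Create the separate administrator account if it does not exist yet.
if (-not (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $NewAdmin"
    New-LocalUser -Name $NewAdmin -Password $pw -Description 'Admin tasks only' | Out-Null
}
if (-not (Test-Member $AdminsSid $NewAdmin)) {
    Add-LocalGroupMember -SID $AdminsSid -Member $NewAdmin
}

# 2. Guard: never demote the old account unless a working admin remains.
if (-not (Get-LocalUser -Name $NewAdmin).Enabled) {
    throw "$NewAdmin is disabled; not demoting $DailyUser."
}
if (-not (Test-Member $AdminsSid $NewAdmin)) {
    throw "$NewAdmin is not in Administrators; not demoting $DailyUser."
}

# 3. Change the everyday account to standard: keep it in Users, drop Administrators.
if (-not (Test-Member $UsersSid $DailyUser)) {
    Add-LocalGroupMember -SID $UsersSid -Member $DailyUser
}
if (Test-Member $AdminsSid $DailyUser) {
    Remove-LocalGroupMember -SID $AdminsSid -Member $DailyUser
}

# 4. Show who still holds administrator rights on this machine.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, PrincipalSource
```

Run it from an elevated PowerShell session; the demotion applies at the everyday account's next sign-in.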

Posted by:

Joe Dorin
28 Feb 2017

In Let’s Create your account

If you select “I don’t have this person’s sign-in information”
then you have to Get a new email address and inform your family, friends, Doctors, Banking, Social Security (I'm 83), Subscriptions and other important people in your life > then you also have to create a new password
Can’t you just change the administrator account to a STANDARD account without all this extra stuff?

the other choices are
a- “If you already use a Microsoft Service, go back to sign in with that account”
Won’t that get me back to square one?

b- “Add a user without a Microsoft account”

Posted by:

Alan Miller
01 Mar 2017

I tried adding someone else and I got this error message in red "We Cannot connect to Microsoft family right now, so your family on this device might not be up to date". What the heck does that mean? Actually I am the only one on MY computer, so what does my family have to do with anything. But I do love your articles. Thanks

Posted by:

bobdeloyd
01 Mar 2017

I used to do this, but I've just gotten lazy. I will start a new user id with standard settings and get doing it again :)

Posted by:

kevin
01 Mar 2017

On my new windows 10 laptop, I set up just my own user account, which naturally had to be administrator since there is no other admin enabled on the system (yet).

I have three questions about this:

1. Anytime I launch a program that requires admin permissions (or access certain system settings), I get a pop-up that reminds me that an admin is required. (I just have to click OK and then it proceeds.) My question is this: Does the roadblock that this popup presents for me effectively also prevent malware from executing (provided I don't click OK myself to approve something that I shouldn't)? Obviously, it stops even me (an administrator) and waits for an approving click, so I would hope that malware will encounter the same checkpoint but fail to get past it.

2. If I were a standard level user but clicked "run as administrator" to install something when needed, how do I ensure that the program will later be accessible by a user other than the admin? It seems that installations very rarely present the option to select whether the program is for "everyone" using the computer or just the current user.

3. Does the built-in administrator account (the one you can enable in the BIOS or perhaps through command line) operate any differently with respect to all the above compared to a mere user account that has been set to admin level? For example, can the built-in admin be switched to by password without having to completely log in (and then log out to drop back to the other level user)?

Posted by:

Clairvaux
01 Mar 2017

All these questions and comments show that Microsoft has done a very poor job in that respect. Security is in simplicity. If working under non-admin is so important (and I tend to believe it is), then it should be obvious and easy to do so.

Microsoft first made all user accounts admin by default, then berated its users for working under admin.

Suppose you give in, recognise you've been a bad boy all along, and try to reverse your allegedly lousy habits. You then encounter a whole range of problems due a) to the way Microsoft has implemented user rights in Windows, b) to the way it explains that already imperfect technology, c) to the way software publishers often don't take into account the case of one user having two accounts and normally working under non-admin.

One typical consequence of the latter is : you are a good boy and always work under non-admin ; you install a piece of software from non-admin, elevating your rights as needed by typing your password ; you agree for a shortcut to be installed on the desktop ; you try to launch the software, but the shortcut is nowhere to be seen on the desktop. Why ? because the installer put it on the admin account's desktop.

Posted by:

Ahmad
01 Mar 2017

A relevant report for Windows 7 users (security setup is different for Windows 10, unsure how much for this case) is available here: https://answers.microsoft.com/en-us/windows/forum/windows_7-security/is-it-true-that-i-should-not-use-an-administrator/67c4da2a-f9d3-42ea-b669-92b7316320dc?msgId=7a9dfb67-4640-4017-b952-34d691e3d1ed

The important points are:

1. The privileges of Standard users, Guest users & non-elevated Admin users [Protected administrators] are the same.
2. The extra privileges of elevated Admin users [Elevated administrators], the Built-In Admin user [in its default condition] & the elevated Built-In Admin user are the same.

"Protected administrators" are the default admin accounts most users use before the "administrator permission" required to perform an action dialog box is accepted. After the acceptance, it becomes an "Elevated administrator". A basic user also becomes an "Elevated administrator" when the security dialog box is accepted (although now a password has to be entered).

It would be interesting to see why Avecto reaches the alternate conclusion.

Posted by:

Jim
01 Mar 2017

Makes me want to install Linux. Used it on my old desktop and liked it very much. Once I got it set up the way I liked I never had to worry about all this Windows crap. :-)

Posted by:

Citellus
01 Mar 2017

I have been using a separate administrator account since Windows Vista. It is very simple. I do not use that account for almost anything - it has minimal programs on the desktop. I rarely even go to this account. When I want to install a program in my standard account, I am told I need administrator privileges, and a box is provided to put in the administrator password. I know what I am trying to do, so I give it permission. My spouse does not have a separate account, so when she wants to install a program, it simply says it needs administrator privileges, and do I want to proceed - no password. She only has pictures, email, and word processing, so security is not a big issue - she also has continuous backups to protect against ransomware.

Most settings are not relevant for my administrator account because I seldom use it. I just turned everything off at the outset and do not fiddle with them.

I am glad to know that Bob has done the work to show the value of this approach. I thought it was a good idea, but had no evidence. Thanks Bob.

Posted by:

Kerry
02 Mar 2017

When I create this new account, what is the easiest way to get access to my other email accounts and browser favorites etc. that I always used under the admin account?
Thanks

Posted by:

A.R.Duncan-Jones
02 Mar 2017

Thanks for this - I had not realized it was quite that bad, and have finally set up a non-admin account for myself. But: can you tell me how to reproduce my desktop for the new account without having to click on every program, &c., and set up an icon ? That would be very kind - if it is possible. (I think I can just about cope with adding things to the taskbar)

Posted by:

A.R.Duncan-Jones
02 Mar 2017

Sorry about above post - my browser only showed the first two comments for some reason, and I see that my query has already been raised, along with a lot of other more pertinent ones. The suggestion of changing one's existing Admin account to Standard (and setting up a new ~Admin account for when necessary) would answer my initial query.

It would be a good idea, perhaps, to start a new post to clarify what, if any, differences there are between Microsoft Admin and standard (user-created) Admin. But the point made about malware being able to elevate itself sounds a serious one, which would make the whole thing a waste of time. As so often, Micros**t really don't seem to have thought this through.

Posted by:

C Cochran
03 Mar 2017

I know when I first set up Win 10 I didn't have this info and I went through all kinds of *?!!* to get a normal account without making it into a MS account. Didn't really want a new hotmail account since I already have 2. Also didn't want to change my service provider email over. Man, they make it hard. I wish I had this article then as it makes it sound very easy. It was a pain just checking to see what type of account I have. Just had to make sure though.

Posted by:

Clairvaux
03 Mar 2017

@ A.R.Duncan-Jones

"Differences between Microsoft Admin and standard (user-created) Admin"

User-created admin is like non-admin: under normal operation, you don't have admin rights. The difference occurs when the UAC warning opens, and asks for the permission to elevate rights (in order to install a program, for instance).

In order to clear the UAC warning, you just need to click OK. Whereas under your non-admin account, you would have to type your password.

Microsoft embedded Admin account is totally UAC free, so there's no protection whatsoever.

Posted by:

Peter O
04 Mar 2017

Very apparent that Bob's post, intended to be helpful of course, when implemented, simply creates a host of unintended consequences.
Frankly I have no stomach to face this added complexity so for me things will remain just as they are.
Bob, please, it's plain you did not really explore this fully & your suggestions will not suit the ordinary everyday PC user.
It's 2017, we all expect to get our work done without having to make up for MS omissions, which become disgracefully more apparent year by year.

Posted by:

Anne K
11 Mar 2017

When one, the only user of a home computer, has long been using the admin account as the working account, switching to a newly created standard account is not so simple. All setup, customization, and files created by admin are not available to the new user.
The effort to restore everything in the new standard account would be huge. Not worth it, I hope.
