Close

Page 1 of 2 12 LastLast
Results 1 to 10 of 17
  1. #1

    Default OT: Keep Windows 10 Admin account separate?

    When I set up my new Windows 10 system, I heeded all the security warnings across the interwebs about how important it is that your day-to-day working user account not have admin privileges. As a result, I spend a lot more time than I would like entering either the admin password or PIN to accomplish stuff. It's a PITA.

    Could use some input on how you smart folks are dealing with this dilemma, so I can be smart like you.
    Dave "it aint the heat, it's the humidity" Labrecque
    Becket, Massachusetts

  2. #2
    Join Date
    Jul 2006
    Location
    SF Bay Area
    Posts
    1,509

    Default Re: OT: Keep Windows 10 Admin account separate?

    Quote Originally Posted by Dave Labrecque View Post
    When I set up my new Windows 10 system, I heeded all the security warnings across the interwebs about how important it is that your day-to-day working user account not have admin privileges. As a result, I spend a lot more time than I would like entering either the admin password or PIN to accomplish stuff. It's a PITA.

    Could use some input on how you smart folks are dealing with this dilemma, so I can be smart like you.
    We spend a lot of time entering passwords to accomplish stuff, or login to the admin account when you need to admin type stuff.

    Once a system is setup there really shouldn't be a lot of reasons to need to run as administrator. When do you need to do software updates or installations or other admin type stuff you do that by logging into the administrator account.

    If the system is isolated and fundamentally doesn't touch the internet you can probably use an administrator account for your working account but don't surf the Internet or open random emails, etc.
    Last edited by cgrafx; 02-25-2021 at 01:09 PM.
    ---------------------------------------
    Philip G.

  3. #3
    Join Date
    Oct 2009
    Location
    Maple Ridge, BC Canada
    Posts
    3,517
    Blog Entries
    1

    Default Re: OT: Keep Windows 10 Admin account separate?

    Good day,

    This IS interesting!

    Every system that is sold at a consumer level - is sold with the default user - "User", with admin rights.

    Every system that I have worked on since 1992 has been using admin rights for every user and for the most part - I have never, ever had any real issues whatsoever.
    • Also, as the father of seven, I have never had any issues with their systems as well.

    And though I would agree with Philip's reasoning in principle, I sincerely do not believe that assigning users to "Standard" rights is at all practical.

    So, Dave, I would suggest that you simply leave the main account with admin rights.

    Just my $2.00 worth!

  4. #4
    Join Date
    Jul 2006
    Location
    SF Bay Area
    Posts
    1,509

    Default Re: OT: Keep Windows 10 Admin account separate?

    Quote Originally Posted by mr_es335 View Post
    Good day,

    This IS interesting!
    Every system that is sold at a consumer level - is sold with the default user - "User", with admin rights.
    Do you have any idea how many millions of systems are compromised with malware for exactly this reason. The first thing anybody that does any IT does on a new machine is properly setup user and admin accounts.

    Every WiFi router is also sold with the same default password to, but you don't leave those unsecured do you?

    Administrator privileges exist for a reason.

    What exactly is impractical with using standard user rights.

    you configure a system, grant access to those things that need it and then lock down the system as much as is practical. Which means not running your day to day operations as Admin.

    That way when you click on a drive by website or email or other payload, it at least can't install itself automatically without you giving it permission to do so.

    It also prevents inexperienced users from installing **** that they don't understand the risks of.

    Running everything as Admin is asking for trouble.

    Please note that in a lot of cases you would not know that your system has been compromised as a lot of time and effort has gone into make malware undetectable.
    Last edited by cgrafx; 02-25-2021 at 07:14 PM.
    ---------------------------------------
    Philip G.

  5. #5
    Join Date
    Oct 2009
    Location
    Maple Ridge, BC Canada
    Posts
    3,517
    Blog Entries
    1

    Default Re: OT: Keep Windows 10 Admin account separate?

    Philip,

    I do understand what you are saying..but you and I have had our differences before...and though I do have a high regard for you...there are just "things" that I simply disagree with you on...and this is one of them. Can we not "agree to disagree"?

    I have gone the "more secure route" and in every situation, I have regretted that decision.

    However, and this is an important however, in a very recent conversation with one of the largest ISP's in our area, he attributes over 95% of computer related issues to the fault of the "end user" - one of them being exceeding the allowable hosted email storage. They give 10GB - the client ends up using 100GB. The ISP contacts the client, and the client, because of a lack of an understanding of "e-things" - ends up getting very angry with their current ISP. I know - 'caude I was there! This is NOT a user-rights issue - this is simply an user-ignorance issue - and one that local rights would not in resolve.

    Tell me Philip, would less rights protect someone from getting the "Emotet Botnet?

    Philip, as you, I take my work very, very seriously, and I would never jeopardize my clients in any manner whatsoever!

    Dave, I still say that you should just go back to being an Admin.

  6. #6
    Join Date
    Jul 2006
    Location
    SF Bay Area
    Posts
    1,509

    Default Re: OT: Keep Windows 10 Admin account separate?

    Quote Originally Posted by mr_es335 View Post
    Philip,

    I do understand what you are saying..but you and I have had our differences before...and though I do have a high regard for you...there are just "things" that I simply disagree with you on...and this is one of them. Can we not "agree to disagree"?

    I have gone the "more secure route" and in every situation, I have regretted that decision.

    However, and this is an important however, in a very recent conversation with one of the largest ISP's in our area, he attributes over 95% of computer related issues to the fault of the "end user" - one of them being exceeding the allowable hosted email storage. They give 10GB - the client ends up using 100GB. The ISP contacts the client, and the client, because of a lack of an understanding of "e-things" - ends up getting very angry with their current ISP. I know - 'caude I was there! This is NOT a user-rights issue - this is simply an user-ignorance issue - and one that local rights would not in resolve.

    Tell me Philip, would less rights protect someone from getting the "Emotet Botnet?

    Philip, as you, I take my work very, very seriously, and I would never jeopardize my clients in any manner whatsoever!

    Dave, I still say that you should just go back to being an Admin.
    This isn't one of these questions of a disagreement about something that fundamentally is a question of personal taste.

    Your recommending a general security policy that is fundamentally dangerous and your basing that decision on a flawed logic that because a computer is shipped with no security settings in place it justifies leaving that security setting wide open.

    There are legitimate reasons to run a computer as admin, but you would be hard pressed to find any IT admin or security expert that would make that recommendation carte blanche.

    Just because this policy won't protect you from all malware, doesn't make it ill-advised. Thats the equivalent of saying don't wear a mask because it won't 100% protect you and others around from spreading Covid.

    Your anecdote about email storage capacity doesn't have anything to do with this discussion or malware infected computers.

    As for the original question, if the computer in question is kept fairly isolated and your careful about how the system is used then by all means run the system as Admin.
    ---------------------------------------
    Philip G.

  7. #7

    Default Re: OT: Keep Windows 10 Admin account separate?

    My recommendation is not to use the studio machine on the internet. This causes a bit of extra work with flash drives and scans... and I get it that it is not a practical solution for many people. But as far as reliability and predictability is concerned, the benefits outweigh the liabilities. Get it tuned up and forget it. Also not having patches and updates adjusting all the optimization we like for audio is huge - go ahead and be admin, it's fine...

    I use an old machine with linux for interacting with the mad world, or as at the moment, my wife's 10 year old mac air. Both of these platforms are inherently more secure - but probably not nearly as much as the machine that is never plugged into the net.

  8. #8
    Join Date
    Oct 2009
    Location
    Maple Ridge, BC Canada
    Posts
    3,517
    Blog Entries
    1

    Default Re: OT: Keep Windows 10 Admin account separate?

    Philip,

    In all honesty, you and I will have to "agree to disagree" on this point.

    Though I might agree with you - in principle, that such is fundamentally a question of personal taste - there is more involved that just personal taste...practicality being one of them.

    Dave asked a simple question, and it is our responsibility to respond to that question - thus giving Dave various "pros and cons" with which he can then use for his own particular needs and requirements.

    "As for the original question, if the computer in question is kept fairly isolated and your careful about how the system is used then by all means run the system as Admin"...agreed!

  9. #9

    Default Re: OT: Keep Windows 10 Admin account separate?

    Quote Originally Posted by mr_es335 View Post
    Philip,

    In all honesty, you and I will have to "agree to disagree" on this point.

    Though I might agree with you - in principle, that such is fundamentally a question of personal taste - there is more involved that just personal taste...practicality being one of them.

    Dave asked a simple question, and it is our responsibility to respond to that question - thus giving Dave various "pros and cons" with which he can then use for his own particular needs and requirements.

    "As for the original question, if the computer in question is kept fairly isolated and your careful about how the system is used then by all means run the system as Admin"...agreed!
    What have I wrought?

    Dell--I think you misread Philip's last post. He was saying that the question is not one of personal taste.

    I appreciate both of your viewpoints. It's interesting that two such deeply knowledgeable guys could disagree so fundamentally on this.

    If I were to continue playing it safe (aka "overkill" in Dell's estimation), I wonder if there are any ways to enhance my user experience. I.e., reduce the number of passwords and PINs that I'm asked for.

    Philip--an earlier reply from you seemed to imply that it shouldn't be that often that I'm asked for that stuff. I can only say that I have a few programs set to run as admin in order to function at the full potential. Among them are SAWStudio, Everything (the search utility), Macrium Reflect. I do a lot of restarting of SAW, so the admin credentials thing is more frequent for me than you may be thinking. But there are also file management tasks that require it. Or system stuff like Device Manager, the registry, or Services that need admin access in order to actually make changes. Anyway, the bottom line for me is that it is indeed often enough to be a pain.

    JMH--It's my one main computer, so keeping it offline isn't an option. FWIW, I'm on LTSC, so updates/patches aren't a thing.

    It's interesting, though that no one's commiserating with me on this. Again, I have to wonder if I'm doing something "wrong" that's making it more of a pain than it needs to be. Or if I'm overlooking some tweak that will assuage my irritation.

    One more thought: with anti-virus and anti-malware, fire wall, etc., why is this even a concern?
    Last edited by Dave Labrecque; 02-26-2021 at 08:52 AM.
    Dave "it aint the heat, it's the humidity" Labrecque
    Becket, Massachusetts

  10. #10
    Join Date
    Jul 2006
    Location
    SF Bay Area
    Posts
    1,509

    Default Re: OT: Keep Windows 10 Admin account separate?

    Quote Originally Posted by Dave Labrecque View Post
    What have I wrought?

    Dell--I think you misread Philip's last post. He was saying that the question is not one of personal taste.

    I appreciate both of your viewpoints. It's interesting that two such deeply knowledgeable guys could disagree so fundamentally on this.

    If I were to continue playing it safe (aka "overkill" in Dell's estimation), I wonder if there are any ways to enhance my user experience. I.e., reduce the number of passwords and PINs that I'm asked for.

    Philip--an earlier reply from you seemed to imply that it shouldn't be that often that I'm asked for that stuff. I can only say that I have a few programs set to run as admin in order to function at the full potential. Among them are SAWStudio, Everything (the search utility), Macrium Reflect. I do a lot of restarting of SAW, so the admin credentials thing is more frequent for me than you may be thinking. But there are also file management tasks that require it. Or system stuff like Device Manager, the registry, or Services that need admin access in order to actually make changes. Anyway, the bottom line for me is that it is indeed often enough to be a pain.

    JMH--It's my one main computer, so keeping it offline isn't an option. FWIW, I'm on LTSC, so updates/patches aren't a thing.

    It's interesting, though that no one's commiserating with me on this. Again, I have to wonder if I'm doing something "wrong" that's making it more of a pain than it needs to be. Or if I'm overlooking some tweak that will assuage my irritation.

    One more thought: with anti-virus and anti-malware, fire wall, etc., why is this even a concern?
    With a utility like Process Lasoo, you don't have the run SAWStudio directly as admin and it will elevate the privileges automatically so you don't see it.

    Macrium Reflect gets setup and configured from your admin account. If its set to run scheduled backups those should run even when your not logged in.

    Search works fine without admin privileges (unless you trying to find something system level, but that should be done when your logged into the admin account)

    What are you doing that requires so many restarts of SAW or changes to the device manager? Generally you'd configure the system and then for the most part leave it alone until you need to do updates.

    As for why this matters even with firewalls and anti-malware...

    simple example... if your running as adminstrator, all applications now have administrator privileges. So you navigate to compromised website. Your web browser without you doing anything downloads a rouge payload and now has the ability to install itself with admin privileges without you taking any action. It all happens in the background with no notices or warnings.

    This can also happen with email. You click what appears to be a legitimate link inside your email and it downloads the malware payload. Since your running as admin, the payload is also running as admin.

    These are not hypothetical scenarios, this is the current state of the internet.

    Firewalls and Antimalware help, but they are not perfect and are under constant attack and always playing catchup. You don't want to needlessly make it easier to have your system compromised.
    ---------------------------------------
    Philip G.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •