Is a Separate Administrator Account Necessary in Windows 7?












5














I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?










share|improve this question



























    5














    I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?










    share|improve this question

























      5












      5








      5


      2





      I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?










      share|improve this question













      I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?







      windows-7 uac






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jul 16 '12 at 20:32









      Shivam Sarodia

      13316




      13316






















          3 Answers
          3






          active

          oldest

          votes


















          5














          Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.



          The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).



          With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.



          Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.



          Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.






          share|improve this answer





























            1














            Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.



            In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.






            share|improve this answer





















            • Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
              – sourcejedi
              Nov 1 '16 at 12:04












            • The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
              – Michael Scott
              Dec 14 '18 at 21:17



















            0














            For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.






            share|improve this answer





















              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f449718%2fis-a-separate-administrator-account-necessary-in-windows-7%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              5














              Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.



              The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).



              With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.



              Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.



              Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.






              share|improve this answer


























                5














                Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.



                The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).



                With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.



                Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.



                Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.






                share|improve this answer
























                  5












                  5








                  5






                  Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.



                  The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).



                  With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.



                  Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.



                  Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.






                  share|improve this answer












                  Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.



                  The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).



                  With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.



                  Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:UsersYouDocuments, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege you user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.



                  Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jul 16 '12 at 20:47









                  allquixotic

                  30.5k694126




                  30.5k694126

























                      1














                      Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.



                      In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.






                      share|improve this answer





















                      • Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
                        – sourcejedi
                        Nov 1 '16 at 12:04












                      • The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
                        – Michael Scott
                        Dec 14 '18 at 21:17
















                      1














                      Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.



                      In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.






                      share|improve this answer





















                      • Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
                        – sourcejedi
                        Nov 1 '16 at 12:04












                      • The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
                        – Michael Scott
                        Dec 14 '18 at 21:17














                      1












                      1








                      1






                      Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.



                      In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.






                      share|improve this answer












                      Yes it is safe to use your normal user, that's what UAC was invented for. All elevated commands will prompt you.



                      In some cases, which you should be aware of (domain admins, the Administrator user, or if UAC has been disabled in some way) may not prompt for UAC.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Jul 16 '12 at 20:38







                      user3463



















                      • Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
                        – sourcejedi
                        Nov 1 '16 at 12:04












                      • The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
                        – Michael Scott
                        Dec 14 '18 at 21:17


















                      • Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
                        – sourcejedi
                        Nov 1 '16 at 12:04












                      • The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
                        – Michael Scott
                        Dec 14 '18 at 21:17
















                      Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
                      – sourcejedi
                      Nov 1 '16 at 12:04






                      Some commands will not prompt you by design and malware can trivially bypass UAC using this. The default UAC setting is considered "not a security layer" blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 instead it's a "security feature" to force software authors to avoid requiring Admin privs all the time.
                      – sourcejedi
                      Nov 1 '16 at 12:04














                      The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
                      – Michael Scott
                      Dec 14 '18 at 21:17




                      The question wasn't "Is it safe to use my normal user account".......it was "Is it safe to use my Administrator account".
                      – Michael Scott
                      Dec 14 '18 at 21:17











                      0














                      For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.






                      share|improve this answer


























                        0














                        For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.






                        share|improve this answer
























                          0












                          0








                          0






                          For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.






                          share|improve this answer












                          For your average user, yes. The dual-privileges setup is exactly what UAC is designed to replicate, just with a single account instead of two. Just make sure the UAC alert level is set appropriately for when you want privilege separation to come into effect.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Jul 16 '12 at 20:40









                          Darth Android

                          34.1k47599




                          34.1k47599






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Super User!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.





                              Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                              Please pay close attention to the following guidance:


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f449718%2fis-a-separate-administrator-account-necessary-in-windows-7%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Plaza Victoria

                              Puebla de Zaragoza

                              Musa