|
There are isolated problems with current patches, but they are well-known and documented on this site. |
ISSUE 20.17 • 2023-04-24 Look for our BONUS issue on Monday, May 1, 2023! ON SECURITY By Susan Bradley Microsoft doesn’t want you to use a local admin
[See the full post at: The problem with local administrator accounts]
Susan Bradley Patch Lady/Prudent patcher
Recently, Microsoft launched a new offensive in its attempt to thwart our love of absolute control over our own machines — by bullying us into making a choice it prefers but that we might not.
But we all know where this is going – one day you simply need to use a Microsoft account. And just as with smartphones, there will be things to ‘jail-break’ your Windows.
As for setting up Windows on business machines – I create a new (local) user account, install Windows, add the machine to the domain and then delete that account. As the admin-account is disabled by default, you don’t need things like LAPS. Now this WILL get you in trouble if for some reason the pc gets disconnected from AD. Then you have to hack the local admin account or reinstall Windows.
Having a visual clue of the administrator status would have prevented unknowingly running with admin privileges.
This is very easily done using something like an AutoHotkey script run from logon (e.g. a registry ‘Run’ key or a startup folder).
For example:
; Icons by Axialis (https://www.axialis.com/) #SingleInstance On If !A_IsAdmin = 1 Menu, Tray, Icon, C:\_MY\Resources\User-Warn.ico ; use a valid icon file name else Menu, Tray, Icon, C:\_MY\Resources\User-OK.ico ; use a valid icon file name Return Esc::ExitApp
This will show an icon in the Notification Area:
Which of the two icons it shows will depend on the status of the signed-in account. If you sign out then sign in with a differently-privileged account then the icon will change accordingly.
The 2 icons I used are from the free Axialis-Web-Mini-1-Ico pack but you can use any images you want (provided they are valid icons, e.g. ICO, CUR, ANI, EXE, DLL, CPL, SCR and other filetypes that contain icon resources… just ensure you provide a valid filepath to the icon resource.)
Hope this helps…
Another more obvious way to signal yourself is to have a desktop background image you only use for the administrator account. https://support.microsoft.com/en-us/windows/change-your-desktop-background-image-175618be-4cf1-c159-2785-ec2238b433a8
I just have the default Windows E logo installed when I set up the admin acct. My user account has rotating photos loaded by John’s Background Switcher.
Hey Y’all,
FWIW: I’m GUILTY! Yes I run with an ADMIN account. But…
The way I use my machines I would be constantly logging in and out as I use a lot of programs which require Administrative access. I just can’t see changing the way I’ve been operating for decades, w/o a Virus I might add.
That said, if I was running a business NOBODY would be using a Admin account except the Administrators and then only when doing Administrator things!
If your build process includes deploying legacy laps, don’t do it from now on. Anything with the new 10/11 code as the new LAPS code built in.
If you have laps already installed, it won’t stop functioning as a result of the April updates.
Susan Bradley Patch Lady/Prudent patcher
I first learned about separating the administrator account and the user account about 15 years ago from the book Microsoft Windows XP Inside Out. That subject was also covered in the subsequent similar book for Windows 7. It’s a lot more work because each account requires some customization, but having the administrator account and user account separated provides peace of mind that I find well worth the effort. See attached screenshot.
I don’t consider it suffering at all.
Susan Bradley Patch Lady/Prudent patcher
You don’t change it in the shortcut but rather in the properties of the Task Scheduler task.
Even though @Rush2112 says it’s way over his head, I’m gonna try to paddle my way through.
I have some questions about what happens on my Win10/Pro 22H2 laptop after following Susan’s instructions. The questions are about accounts/account names, passwords, and a local, standard account that already exists.
BACKGROUND:
1)
Right now, in the Navigation Pane, in the section for Desktop, there is a folder that has my first name and my last name on it. See the blue arrow in the attached Navigation-Pane.jpg
–This Firstname Lastname (i.e., Name #1) shows up above the log-in field, when I power up and and use Password #1 to sign in. It was first created when I started using the laptop.
–It was was set up as a Microsoft Account. The password to log-in to the laptop is the same password that I use to log-in to my Microsoft Account.
–When I right-click on it in the Navigation Pane, there is no Properties option.
–This blue-arrowed folder shows up under Settings|Accounts|Your info, and it says ‘Administrator’. See Settings-Accounts-Your info.jpg
2)
Further down in the Navigation Pane, under OS (C:)\Users, there is a folder with my first name only (Name #2). See the red arrow in Navigation-Pane.jpg
–This name does NOT ever show up in the log-in field on the laptop, but,it too, seems to have been created when I first started using the laptop.
–When I right-click on it in the Navigation Pane, there IS a Properties option. See Properties.jpg for the Properties of the firstname folder (Name #2).
–This red-arrowed folder does not show up anywhere in Settings|Accounts.
–Is the red-arrowed folder Administrative, too (since it seems to be the same as the blue-arrowed folder since the contents of the two folders are the same)?
3)
Recently, I set up another account as a local, standard account. This is the one marked by the green arrow in Navigation-Pane.jpg. I sign into that one with Password #2. It has Name #3 (firstname2), associated with it.
— When I right-click on it in the Navigation Pane, there IS a Properties option. See Properties.jpg for the Properties of the firstname2 folder (Name #3).
–It shows up in Settings|Accounts|Family & other users with Name #3 (firstname2).
–When I check it there, it says that it’s a local account. See Settings-Accounts-Family-Other users.jpg
It doesn’t say anything about “administration”, so I presume that it is a standard account (i.e., not-administrative=no administrative rights).
MY QUESTIONS:
4)
The curious thing for me is that the subfolders listed under the blue-arrowed folder and subfolders under the red-arrowed folder are exactly the same.
a) Why do the same folder contents show up in two different places?
b) Is the red-arrowed folder Administrative, too? I ask because the contents of the two folders are the same and the blue-arrowed folder is “Administrator”, so I am thinking that the red-arrowed folder is also “Administrator”.
5)
So, let’s say that I follow Susan’s instructions, first adding a new account under Family and Other users | Other users as a user without a Microsoft Account and give this new account administrator rights. Will it have its own name (i.e., Name #4)? Will it have its own password (i.e., Password #3)? Will it be the account that I sign into when the laptop boots up? The old folder was connected to a Microsoft Account. The new one is being created without a Microsoft Account. What happens with the old administrative account, which was a Microsoft Account?
6) Then, let’s say I go to the next step in Susan’s instructions, logging out and logging back in to this new Administrative account that I just created. If I understand the directions, it is allowed to find the old administrative account and change the old account type to ‘Standard User’. And even though the type has been changed, can I log into this old administrative account (which is now standard)? Will it still have the Firstname Lastname designation (Name #1) it had before? Will I still use the password #1 that it had before? Will it still be a Microsoft Account? (I don’t think it will be since it was newly set up without a Microsoft account, but maybe it’s possible that when the account type was changed, it changed to standard account, but remained a Microsoft account??) So, do I still have an account that is connected to a Microsoft Account?
7) So what about the local account that I recently set up (the one marked by a green arrow)? Will the new administrative account display it as a local account under Settings | Family and Other Users | Others, even though it was originally set up under the old, administrative account?
I think this approach by MS is silly…but then that is coming from someone who is likely the worst of the bunch. I run as the built-in Super-Administrator(-500 SID) account with Group Policy set to UAC: Admin Approval mode for the built-in admin as DISABLED.
I started down this path because, like some of the other older people here, I hated UAC when it first arrived.
I have taken many steps to mitigate possible issues including using AppLocker to control where even that Super-Administraor account can launch things from (to help keep me in line while drunk or just being stupid)
In addition ALL internet facing apps, and some non-internet facing apps are run as a ‘standard user’. I try to avoid allowing services/drivers from said apps where possible.
Group Policy is set to Auto-Deny ‘standard users’ requesting elevated rights.
AppLocker only lets each of these standard users launch ‘specific path\apps.exe’ or ‘hashes’ or ‘from specific locations\*’ depending on the amount of control I want over each…this means no LoL bins outside of said programs path can be used by default at most. (One major exception being dllhost.exe)
I create shortcuts which in turn use bat files, in a particular location that Standard Users cannot read, much less write to alongside a neutered version of psecex to avoid having to manually answer a password prompt via runas each time I launch one while also ensuring it can’t be used remotely
Setting things up this way has allowed me to alter NTFS file permissions in a greatly expanded way. I can restrict them from reading things I don’t think they need to be able to access by default even if windows would normally allow it by removing user read permissions. (Not saying I have covered all the bases here, particularlly with .dlls) I have also battened down the hatches via registry permissions and service permissions removing many User read rights.
Much of the above is handled by lgpo infs which I have set to auto-run when an update is detected upon login (via Group Policy) because sometimes those permissions are ‘reverted to default’ during an update. I only use offline updates from the windows catalog alongside UWF while not enabling servicing mode so any update requires me to disable UWF then reboot then install the update which is normally followed by another reboot then i re-enable UWF and reboot again…blah blah blah
I’ve also enabled ‘LaunchProtected’ for many svchost instances (though I’ve had to un-protect a few over the years as MS changes/updates things)
Even after all the above I found a few potential security/privacy issues left between even that software which can only run under a standard user account.
Said ‘standard users’ can still read/write/terminate processes not under their control (run as another standard user[Medium Integrity], eg those NOT ‘Run as Admin'[High Integrity or SYSTEM] including those started by your administrator accounts logged in as Medium Integrity). This may sound like a strange nitpick as High or System Integrities can still interact with each others of the same or lesser integrities but I’m of the mind that my browser doesn’t need access to my doucment apps unless I deign it!
So I now use a kernel level driver to control which processes an app can access and have it set to block anything not covered in a rule by default. It took a while to collect enough rules [and lots of testing in VMs] to make this viable for MY daily usage patterns as it also blocks windows processes including svchost by default.
In addition, if one app running under medium integrity was to be exploited, it could in turn be used to monitor the keystrokes of another standard user. The same still applies for High Integrity to High Integrity or below and again with System to anything below its integrity level as mentioned above for the memory access….but why is this allowed for Medium Integrity?
So now I also use HitmanPro.Alert (On top of the Windows Anti-Exploit rules) with profiles that enable Anti-Keylogging where possible.
I’m not one for security through obscurity but that’s all I’ll mention here as it’s really all that I think is applicable for this topic.
Of course this means that if something slips through my current setup I am well and truly fudged but I suspect that if I had to contend with the UAC prompts to ‘Run as Admin’ multiple times each day I’d start to auto-click stuff without actually reading it so this just works better for me.
All that being said I think my daily usage of the Super-Administrator account has allowed me to both avoid UAC prompts and even enabled me to improve security/privacy in some cases. My rules are still the weak link, much like those that are fine with the UAC prompts are the weak link on their end. In that aspect nothing has changed even with my more convoluted setup ~ it simply lets me do it my way instead of Microsofts and I’m much happier for it.
I’ll test it out again this weekend and report back. We’re supposed to be 90+ this weekend so I’ll be inside in the A/C
Susan Bradley Patch Lady/Prudent patcher
I think some people commenting here are missing the point: even if you haven’t had any problems to date without requiring an administrator login, that doesn’t mean this extra layer of protection to make it more difficult for ransomware or other malware to be installed on your system without your consent isn’t a really good idea.
I just followed Susan’s advice and switched two Win 10 PCs I use at home to a local user account (previously my administrator account) that I’ll use all the time and a new administrator account that is password protected.
The big difference, if you do this, is that you will need to login as the administrator every time you install new software (and for many apps, any time you update previously-installed software) on your local user account. So it’s a good idea to use a new unique password you can easily remember, can type quickly, but still would be hard to guess. On some occasion when booting up (I already encountered this), you may need to log in as administrator and enter your administrator password when you do not have ready access on that PC to any password manager you use or stored password database you could copy and paste from; if so having to type in a password manager’s randomly-generated 20-cbaracter secure password would be a nuisance.
The only app/program I have that needs an administrator login to open is Macrium Reflect, which makes good sense anyway. But Macrium automatically runs scheduled backups without reentering the administrator password, which is what users would want.
Another more obvious way to signal yourself is to have a desktop background image you only use for the administrator account.
You misunderstand my issue. I already have a different backgrounds for Admin user and Me user. What I wish for is to have a visual clue when I am running Me with the account elevated to administrator instead of the normal standard.
The tip about adding an icon in the Notification area is intriguing although I prefer to keep it shrunk as small as possible.
Now that’s interesting. There may be more going on with this local admin thing than we think. I think Chinese OS only?
Susan Bradley Patch Lady/Prudent patcher
Very interesting. I checked out your link but I haven’t seen that notice yet. I also did the March and April updates, and yes I have a local account.
Edition Windows 11 Pro
Version 22H2
Installed on 10/19/2022
OS build 22621.2283
Very interesting. I checked out your link but I haven’t seen that notice yet. I also did the March and April updates, and yes I have a local account.
I checked out the link,too. It says that it applies to certain editions of Windows 10 and 11 (and not Pro/Home editions), i.e.
We are aware that the notice is shown to users who log on to a device that is running Enterprise or Education versions of Windows 10 or Windows 11 by using a local user account.
It also says that it applies to Microsoft products that are specifically available in China, which seems to be saying, for example, that Windows 10 or Office purchased in China is not the same as Windows 10 or Office purchased in the U.S.
Another more obvious way to signal yourself is to have a desktop background image you only use for the administrator account.
Another excellent idea which I had forgotten about, despite it staring me in the face.
I’ve been using BgInfo for years on all my devices to provide a bitmap with useful information to my desktop:
Hope this helps…
I had forgotten about BgInfo which surprises me considering it was on all of the office PCs and I’ve only been retired for 2.5 years. Thank you for the reminder.
Edit: I am happy with my customized BgInfo result. I think this is the answer for me.
But we all know where this is going – one day you simply need to use a Microsoft account.
And that’s what Microsoft telemetry will confirm… the number of Windows users who ‘sign in’ to Windows using a local account or not.
I assume Microsoft will ‘up its ante’ to force users to sign in with an MSA, step by step. I guess it’s up to us all to push back against that encroaching enforcement and all that it entails.
How much do you want to completely lose the desktop market, Satya?
References? Supporting data?
I only have info I’ve personally gathered from dealing with clients. It’s older geeks that want the non Microsoft account. Businesses typically are on a domain, or using some sort of Microsoft account. Which is why this annoys me, given how hard it is to have a local account on a Windows 11 home, this is overreach.
I get it that admin is a big thing for businesses, but I think they should knock it off for home users.
Susan Bradley Patch Lady/Prudent patcher
You have to have at least ONE Admin account in the OS. Usually it’s the account created at first install of the OS. In my opinion, it’s best to leave that one alone because it the the owner of the initial installs. Just don’t use it.
If you need another Standard account, create one using the Admin account. If you want a Standard account to look like the Admin account, go through the Settings App while in the Admin account and make a listing of all the settings. Then use the list to make the Standard account look the same. It’s a PITA of a job! 🙂
Most Windows home users already sign in with a Microsoft account.
Because they know no different or are not allowed at OOBE.
It’s not a genuine choice, just a vile strong-arm tactic.
In a presentation given some days ago by Microsoft’s David Weston
He said that Microsoft is to migrate away from users with admin rights in favor of users with standard rights (4:40)
I haven’t done a clean install since Windows 7 Ultimate (with the singular exception of when I setup my NAS). I have four Retail Windows 10/11 Pro licenses. In setting up a clean install I did the following:
Once the installation routine gets to the account name, I use the name “Admin”, knowing that this first account will be a member of the administrators group. I setup a password for this account and finish the setup routine. I DO NOT install anything during this setup phase. I go no farther than choosing an avatar for the Admin account, and in 10/11, create a PIN.
Once Windows has fully loaded and ready for use, I open User Accounts and create a Standard user account. This is my “bbearren” account. From this account, I do my personalizations, install my programs/apps acknowledging UAC when necessary, and get this account setup to my liking.
In my experience, very few programs/apps actually require that one be signed in as a member of the administrators group in order to be installed. By far, acknowledging the UAC is the only invocation of Admin privileges necessary to do everything one wants to do on the Windows platform.
My Admin account is a bare bones desktop, no email access, sparse of icons. I choose a unique background for this account. With that unique background and a sparse desktop, it’s easy to tell when I’m signed into my Admin account, which I do from time to time for some maintenance that requires being signed into an account in the administrators group.
I never have to make settings transfers or anything of the sort in order to get full use of my Standard user account, since I don’t create any settings in the Admin account during the installation of Windows.
Some folks just make things harder than they need to be, it would appear.
Here is some information that might be important:
The difference between Copy/Paste (make a Copy) and Cut/Paste (Move):
In NTFS file permissions are contained in each file – Files you created under your ID (documents, downloads, pictures, etc) belong to you. Same for files with other IDs.
If you Copy/Paste a file from one place to another, it makes a copy where it’s pasted and it takes on the permissions of the destination. If you Cut/Paste a file from one place to another, it moves the file to where it’s pasted but the permissions from the source location are not changed. So depending on sharing options, you may (or may not) be able to view/change/save the moved file.
Copy/Paste makes a duplicate.
Cut/Paste moves something.
Drag/Drop (on the same drive) moves something.
Drag/Drop (to a different drive) makes a copy.
The only benefit I know of is that login requires entering a 4 digit number rather than typing in a password. If you have a keyboard with a number pad, getting numlock to be enabled at that point can be a challenge.
To do it (Win 10), select “Settings” from a Windows orb right-click, select Accounts, click “Sign-in Options” in left pane, then click “Windows Hello PIN”. I don’t know what “Windows Hello” refers to but I use a local account so have stayed away from this. I have a finger scanner on my HP laptop so that is my preferred login method.
What is the reason for creating a PIN
It’s to simplify acknowledging UAC when selecting Run as administrator. It can be more than four numbers; four is the minimum.
Hey Y’all,
Alex posted a video link which is well worth listening to, even though very technical, and very germane to this thread.
From Susan’s article:
“Most of you probably use a Microsoft account to log in to your PC, but I know quite a few of you still prefer the ultimate control a local administrator account brings. You prefer it because it does not demand logging in via the cloud and may not even require a password.
For someone who doesn’t travel, always has their PC at hand, and doesn’t save passwords in browsers, I don’t think this is a horrible thing to do. Risk is not absolute. Sometimes there are other factors important to you that make the absence of a password an acceptable risk.”
This is me. Have always used a local account since I learned how to do it at Ask Woody when I set up my first Windows7 OS.
I also never sign in. Used this work around:
https://www.youtube.com/watch?v=jXQ7Aj5uBe4
I also use an Administrator account. I have always done that too. I didn’t know that was bad. I am afraid I will just make a mess and possibly sign myself out and not get back in if I mess with what I have.
I am not getting badges. But I am getting Notifications to sign in to my Microsoft Account. I just flick them away. I don’t know how to turn them off without turning off all Notifications.
I use Microsoft Office Home and Business 2019. I am not signed in to my Microsoft Account for that either and all the aps work just fine without signing in.
I have one desktop computer. It lives in my house. All my files live there inside it. (I have backups on an external hard drive and some flash drives backing up the backups) I don’t want my stuff in the cloud. I have no other devices to share info with.
I do not understand most of this thread. My life is simple and I am going to keep it that way as long as I can.
HP Pavilion Desktop TP01-0050 – 64 bit
Windows 10 Home Version 22H2
OS build 19045.3324
Windows Defender and Windows Firewall
Microsoft Office Home and Business 2019
-Version 2308(Build 16731.20170 C2R)
We have always used a local account and an Administrator account all the way back to Windows 98? I forget the number but its been a long time. We do not get notifications to sign in though, maybe its because we don’t use MS office or anything else.
We use Firefox, OpenOffice, AVG Free, Malware bytes Free plus a few more free programs from File-hippo.
No passwords are saved, they are all in my head. lol The cloud scares the wits out of me especially when it also could get hacked.
Edition Windows 11 Pro
Version 22H2
Installed on 10/19/2022
OS build 22621.2283
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
