In this issue
ON SECURITY: The problem with local administrator accounts
Additional articles in the PLUS issue
PUBLIC DEFENDER: Windows 11 screws up Print Screen — here’s how to fix it
ONENOTE: My favorite OneNote tricks
FREEWARE SPOTLIGHT: RoboMirror — robocopy’s fancy cousin

ON SECURITY
The problem with local administrator accounts
By Susan Bradley

Microsoft doesn’t want you to use a local administrator account, whether in a consumer or a business edition of Windows. But depending upon which sort of user you are, the company is taking two different approaches to “encourage” you to stop using local accounts.

Be aware that if the account you use with your computer on a day-to-day basis is configured with administrator rights, you are putting your machine and your data at risk. It doesn’t matter whether you are a home user, a work-at-home user logging into a more secure environment, or a work user: an administrator has access to everything on your computer, from the operating system to the data. User Account Control softens this only a little. Programs started by an administrator get a filtered token, but one click on a UAC prompt, or one of the well-known UAC bypasses, hands malware the full token, and Microsoft itself does not treat UAC as a security boundary. With that token, malware can disable security software, install services and drivers, and reach every user’s files on the machine, not just yours. Attackers love to piggyback on that right and install anything or encrypt everything, as is the case with ransomware.

The goal in keeping yourself safe is making your machine a bit more hardened than the machine down the block. Make it so that an attacker gives up on you — and goes elsewhere.

In business, this is even more true. Attackers are trying their hardest to target you with phishing attacks. Upon my most recent cyber-insurance renewal, the underwriter explicitly required us to have:

Multi-factor authentication protection on all network administrator accounts and any other user accounts with elevated permissions within your network.

At the end of this article, I’ll go into more detail about what I’ve done to meet this requirement.

Recently, Microsoft launched a new offensive in its attempt to thwart our love of absolute control over our own machines — by bullying us into making a choice it prefers but that we might not. I’m talking about, of course, the local administrator account. Most of you probably use a Microsoft account to log in to your PC, but I know quite a few of you still prefer the ultimate control a local administrator account brings. You prefer it because it does not demand logging in via the cloud and may not even require a password. Keep in mind that these are two separate questions: whether an account is local or backed by a Microsoft account, and whether it has administrator rights. A local account can be a standard user, and a Microsoft account can be an administrator. Microsoft’s badging, described next, is aimed at the first question; the security problem is the second one.
For someone who doesn’t travel, always has their PC at hand, and doesn’t save passwords in browsers, I don’t think this is a horrible thing to do. Risk is not absolute. Sometimes there are other factors important to you that make the absence of a password an acceptable risk. One fact helps in weighing it: by default, Windows limits local accounts with a blank password to console logon (the security option “Accounts: Limit local account use of blank passwords to console logon only” is enabled out of the box), so such an account cannot be used over the network or for Remote Desktop. The exposure is whoever can sit down at the keyboard or walk off with the machine, which is why drive encryption such as BitLocker matters more, not less, when the logon itself has no password.

Urging you to use a Microsoft account
In a recent blog post, Microsoft described (in the Insiders Preview for Windows 11 build 23435) a new “badging” mechanism on the Start menu. I’d call it a “badgering” scheme. Microsoft characterizes it thusly:

We are continuing the exploration of badging on the Start menu with several new treatments for users logging in with local user accounts to highlight the benefits of signing in with a Microsoft account.

In Figure 1, you can see how this might work.
The messages in these Insiders tests, which might be hard to see in this smaller image, read “Sign in to your Microsoft account,” “Use Microsoft 365 for free,” “Keep your account safer,” and “Access your files from anywhere.” A Get started button is provided.

Looks like an ad to me. I call it bullying. And misguided. That’s especially true due to the hoops you must jump through to get a local account in the first place. I’ve described it several times in recent months — using the bogus email account no@thankyou.com to bypass Microsoft’s efforts to force you to use a Microsoft account. If you’re someone who has done this, I assume you’ve done it for a good reason. It’s not Microsoft’s place to interfere with the way you’ve chosen to run your own PC, including your decision to operate offline. I may live on the Internet 18 hours per day, but you’re not me.

I can describe at least one very good reason for avoiding a Microsoft account — security research. It’s a situation in which a pristine testing environment is necessary and for which it should be possible to create virtual machines without using a Microsoft account and getting the cloud involved.

Needless to say, I’m hoping that Microsoft will do one or the other — back down from this badgering and bullying, or provide the option “Don’t show this to me again” so the pop-up goes away. “Don’t show” is not a new thing; it’s been used elsewhere in the Microsoft environment, so why not use it here, too?

Administrator recommendations for consumer and home users
Rather than urging you to use a Microsoft account, Microsoft should be urging anyone still using an account with administrator rights as their daily, primary account to instead use one with fewer rights. If administrator rights are needed for some purpose, it’s a simple matter to log out and back in. Often you don’t even need to do that: when a standard user starts a program that requires elevation, User Account Control asks for an administrator’s name and password, and only that one program runs elevated while everything else on the desktop stays at user level. Therefore, I continue to recommend that every home computer have two accounts — one with administrator rights, and the other with ordinary user rights.

If I already have a user account set up on a computer, and it’s been there for a while — meaning that there are files in the documents and downloads folders and applications already installed — I will then set up a second account that will be my administrator account. Head to Windows 10 Settings | Accounts | Family and other users | Other Users (in Windows 11, Settings | Accounts | Other users) and click Add someone else to this PC. If the person doesn’t have an email (for an administrator account, they typically will not), click I don’t have this person’s sign-in information, then Add a user without a Microsoft Account. Enter the information required, after which you will return to the Other users panel. Give this account a strong password; it is now the key to the whole machine and the only password that should ever be typed into a UAC prompt. Click on the added user and click the button Change account type. Give the new account administrator rights. (See Figure 2.)
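The same two-account setup in scripted form, added here as an example; it is not the article’s own procedure, which uses the Settings app. It creates the administrator account, refuses to demote the daily account unless another enabled administrator exists, demotes it, and then lists the installed programs whose manifest will demand elevation afterwards (the “fun part” of checking applications). It assumes a standalone Windows 10 or 11 PC, an elevated PowerShell session running as the daily account you intend to demote, and the hypothetical name PCAdmin for the new administrator account.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own procedure. Assumptions: run elevated as the
# daily account you intend to demote; "PCAdmin" is a hypothetical account name.
$NewAdminName = 'PCAdmin'        # assumed name for the elevation-only account
$DailyUser    = $env:USERNAME    # the account that will lose administrator rights

# 1. Create the administrator account. The password is read as a SecureString so
#    it never appears in the script file or the command history.
$adminPassword = Read-Host -AsSecureString -Prompt "Password for $NewAdminName"
New-LocalUser -Name $NewAdminName -Password $adminPassword -PasswordNeverExpires `
    -Description 'Used only to elevate' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName

# 2. Safety check: refuse to demote unless another *enabled* administrator exists,
#    otherwise nobody can elevate on this PC again. The built-in Administrator is
#    disabled by default, so it does not count.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike "*\$DailyUser" } |
    Where-Object {
        $acct = Get-LocalUser -Name $_.Name.Split('\')[-1] -ErrorAction SilentlyContinue
        $acct -and $acct.Enabled
    }
if (-not $otherAdmins) { throw "No other enabled administrator; not demoting $DailyUser." }

# 3. Demote: leaving Administrators is the whole change. Make sure the account is
#    still in Users (accounts created by Settings already are; the error for an
#    existing membership is ignored).
Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

# 4. Show the result. The running session keeps its administrator token until the
#    user signs out, because group membership is read into the token at logon.
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource
Write-Host "Sign out and back in as $DailyUser; that account is now a standard user."

# 5. Find programs that will now trigger a UAC prompt: their embedded manifest asks
#    for requireAdministrator or highestAvailable. Searching the .exe bytes for the
#    manifest text is crude but needs no extra tools.
function Find-AdminOnlyExe {
    param([string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    Get-ChildItem -Path ($Root | Where-Object { $_ }) -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = Select-String -Path $_.FullName -List -ErrorAction SilentlyContinue `
                -Pattern 'level="(requireAdministrator|highestAvailable)"'
            if ($hit) { [pscustomobject]@{ Level = $hit.Matches[0].Groups[1].Value; Path = $_.FullName } }
        }
}
Find-AdminOnlyExe | Sort-Object Level, Path | Format-Table -AutoSize
```

Programs listed as requireAdministrator will always prompt; highestAvailable ones prompt only for administrators and run silently, at user level, for the demoted account. Programs that elevate for other reasons (the AppCompat RUNASADMIN layer, or writes to protected folders handled by a launcher) are not found by this scan, which is where LUA Buglight, mentioned below, comes in.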
Log out and then log back in with your newly created administrator account. Go back into Settings, navigate to the Other users panel, click your original account, click Change account type, and convert the account from administrator to user. Log out and back in with your original account. The sign-out is not optional: group membership is stamped into the access token at logon, so a session that is already open keeps its administrator rights until you sign out.

Now for the fun part. Check every application you use to see whether any of them has trouble running without administrator rights. You may be surprised — most will probably run. That doesn’t mean you won’t have outliers. For example, Intuit QuickBooks was notorious for demanding administrator rights. The workaround was to grant the user write permission on just the folders and registry keys that the software wanted to use, but this was just lazy programming on the part of the company, which could have handled the matter itself. Most software does the right thing today, but there still may be some older software that balks. For you über-geeks, a tool called LUA Buglight can isolate and identify the folders and registry keys that need greater permissions for older software to run.

You can also press WinKey, type the name (or portion of the name) of the app you want to run, and click Run as administrator to launch it. From a standard account, that brings up the UAC credential prompt, where you enter the administrator account’s password; only that program gets the elevated token. I’ll admit that this might not always be sufficient. If you have too many apps that are locked in to administrator rights, continuing to use an administrator account to run them may be the only practical option available — as long as you understand and accept the risks involved.

Administrator recommendations for business users
For many years, those of us in businesses who set up laptops or desktops would set up the PC’s first account with the same username and password. The first account would default to administrator rights. Subsequently, we could walk up to any PC in the company and instantly access an account with full administrator rights. Today, of course, we recognize how vulnerable a solution this is: the same password, and therefore the same NTLM hash, sits on every machine, so an attacker who compromises one PC and dumps that hash can replay it (pass-the-hash) to log on as administrator to every other PC in the company without ever cracking the password. But it sure was convenient, and a big timesaver.

Enter the Local Administrator Password Solution (LAPS) toolkit (download). This solution set a different random local-administrator password on each computer, rotated it on a schedule, and stored it in Active Directory, in the ms-Mcs-AdmPwd attribute of the computer object, where the access control list decides which accounts are allowed to read it. You would then use a command to expose the password to the administrator should you need that password for servicing the computer. There were even tools, such as OVERLAPS from Int64 Software, to add a Web interface to expose the passwords to the administrator in a GUI. The price was installing the software, a Group Policy client-side extension, on every PC in your business.

Microsoft’s major change
The April updates include this LAPS ability. The good news is that you no longer need to install LAPS. The bad news is that the newly included LAPS cannot coexist with the old version. Here’s what Microsoft had to say in its recent blog post By popular demand: Windows LAPS available now!:

Note: We have verified a reported legacy LAPS interop bug in the above April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break. Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue. You can work around this issue by either: a) uninstalling legacy LAPS, or b) deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.

In short:
If you still need the legacy LAPS admin UI, you can install by using the following command:
This installs only the LAPS UI, which is used to obtain the legacy LAPS passwords from Active Directory. It will not install the CSE (client-side extension, the part you no longer need). If you still want to use the legacy LAPS app, ensure that you uncheck AdmPwd GPO extension, PowerShell module, and GPO Editor templates. Check only the Fat client UI option (Figure 3).
In new deployments where the April 2023 update is installed with Windows LAPS built in, Windows LAPS is happy to read your legacy GPO and act in a legacy “emulation mode” (it does this only when the legacy CSE is not installed, which is exactly why the two must not be combined). This is why you have lots of time to plan migration to a new policy. The most important thing right now is to stop installing the legacy LAPS CSE on new builds that have the April 2023 Cumulative Update installed. Existing machines with LAPS already installed are fine — no action needed. You will need to plan a later migration with a new policy if you want. Coming in the future will be integration with Azure Active Directory, as well as integration into Intune.

If you noticed, the one Server SKU that is still supported — but not included in that list of operating systems with native support for LAPS — is Windows Server 2016. For that platform, you will still need to use the legacy installation. If you have only older servers, you will have different features available to you. If you want to have password encryption, you must have a 2016 domain-functional level; then, in order to use the DSRM password backup feature, you will need Server 2019.

Note you can see only the most recent password via the new LAPS tab in the Active Directory Users and Computers module. If you want to see any of the older passwords, use the following command in PowerShell:
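As an added example, not the article’s own command, the following PowerShell uses the Windows LAPS module that ships with the April 2023 updates to do the two things this section calls for: pull the password history for a computer (ADUC shows only the latest), and check a machine for the symptoms Microsoft lists for the legacy/new interop bug, with the registry workaround from Microsoft’s note. It assumes the LAPS module and RSAT on an administrative workstation, an account granted read rights on the LAPS attributes, the legacy installer’s default path for AdmPwd.dll, and the hypothetical computer name PC-FRONTDESK.

```powershell
#Requires -Modules LAPS
# Added example, not the article's own command. Assumptions: Windows LAPS module
# (name: LAPS) from the April 2023 update, RSAT, read rights on the LAPS attributes,
# and the legacy LAPS default install path for AdmPwd.dll.

function Get-LapsPasswordHistory {
    # ADUC shows only the latest password; -IncludeHistory also returns the older
    # ones still kept in AD, each with its update time and expiration.
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-LapsADPassword -Identity $ComputerName -AsPlainText -IncludeHistory
}

function Test-LapsInterop {
    # Looks on this machine for the symptoms in Microsoft's note: legacy CSE present
    # beside Windows LAPS, Windows LAPS events 10031/10032, legacy LAPS event 6.
    $legacyCse = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"   # default install path
    $newErrors = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032
        } -MaxEvents 50 -ErrorAction SilentlyContinue)
    $oldErrors = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6    # legacy LAPS event source
        } -MaxEvents 50 -ErrorAction SilentlyContinue)
    $stateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State'
    [pscustomobject]@{
        LegacyCseInstalled     = $legacyCse
        WindowsLapsErrorEvents = $newErrors.Count
        LegacyLapsErrorEvents  = $oldErrors.Count
        StateKeyPresent        = (Test-Path $stateKey)
        Affected               = $legacyCse -and ($newErrors.Count -gt 0 -or $oldErrors.Count -gt 0)
    }
}

function Clear-LapsState {
    # Workaround (b) from Microsoft's note: delete every value under the State key so
    # Windows LAPS re-evaluates. Use it only when Test-LapsInterop reports Affected
    # and you are not taking option (a), uninstalling legacy LAPS, instead.
    $stateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State'
    if (Test-Path $stateKey) {
        (Get-Item $stateKey).Property | ForEach-Object { Remove-ItemProperty -Path $stateKey -Name $_ }
    }
}

# Usage: history for one computer (hypothetical name), then the local interop check.
Get-LapsPasswordHistory -ComputerName 'PC-FRONTDESK' |
    Format-Table ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Password -AutoSize
Test-LapsInterop
```

Treat the output of Get-LapsPasswordHistory as you would any other credential dump: read it on a hardened admin workstation, do not pipe it into a file, and remember that every read of the attribute is itself an auditable event on the domain controller.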
Microsoft didn’t feel that reviewing older passwords was an action that many administrators would do, so it didn’t build that experience into ADUC.

Microsoft anticipates that the fix for the legacy/new interoperability will be in the forthcoming April preview for Windows 11 and then in the May releases for all other versions. As long as you plan for this slight hiccup, I honestly don’t see this side effect as a blocking issue for deploying the April updates (once I give the go-ahead, of course). Just be aware to pick one method or the other for deployment at this time. I see this as a sign that testing with older operating systems wasn’t done well at all. Overall, Microsoft’s changes in this respect are a good thing, because security is strengthened and the risk of ransomware attacks is reduced.

Dealing with mandates
Many businesses are starting to be regulated by our cyber-insurance requirements for more secure settings. As mentioned earlier, my underwriter indicated that multifactor authentication was not optional. Fortunately, I already deployed appropriate authentication methods. For example, my users need administrator rights on occasion to install updates to certain business software, but not to run that software. (Note that Windows updates do not require administrator access to install; typically, this is only for line-of-business applications.) I found that the best and easiest solution was deploying Cisco’s product, Duo. I use it to force an authentication prompt when installing updates for certain software and for authenticating remote access to our network. My state requires that we reimburse our users for the cost of using such solutions on their personal phones, unless we provide them with a business phone.

I was prepared when the underwriter sent us the “prequalification” checklist: I was able to say “Yes, we do that.” I anticipate that in the coming years, many of us will be pushed into tighter security for our networks (and, no doubt, our entire computing environments) by our insurance companies.

Resources
Susan Bradley is the publisher of the AskWoody newsletters.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners. Copyright ©2023 AskWoody Tech LLC. All rights reserved. |