Using A Standard Windows User Account For Better Security

A standard user account can help protect kids (and adults!) from a number of common computer threats and problems. It prevents the global installation of unwanted or malicious software and blocks changes to important system settings that could otherwise mess up the whole computer – for all users.

A standard user account is also a necessary step if using the free OpenDNS Family Shield to block pornography (or else kids can easily bypass the Shield).

Standard User Account – XP, Vista and Windows 7 have two types of user account – a standard (limited) account and an administrator account. A standard user account can use most of the capabilities of the computer, but permission from an administrator is required to make changes (intentional or not) that affect other users or the security of the computer.

When a user is logged into Windows with a standard account, they can run existing programs, browse the net, use email and do most of the other things that an administrator can do.

However, they can’t install or uninstall software and hardware, delete files that are required for the computer to work, or change settings on the computer that affect other users (e.g. change security/network settings). If they try to make such changes, Windows will ask them for the password of an administrator account as shown below:

[Image: User Account Control prompt]

At this point kids can ask you to type in the password and you can vet the change and make sure it is appropriate.

Security Reasons To Use a Standard Account

Blocking changes to system-wide settings and programs which affect other users helps protect against malware – a virus that can only infect one user account is much easier to remove than one which infects all users and runs riot through core Windows system files.

Research from BeyondTrust last year reviewed the 256 security vulnerabilities in Windows that were fixed by Microsoft in 2010. The report found that using a standard account would provide better protection from the exploitation of:

  • 75 percent of Critical Windows 7 vulnerabilities reported by Microsoft to date
  • 100 percent of Microsoft Office vulnerabilities reported in 2010
  • 100 percent of Internet Explorer and IE 8 vulnerabilities in 2010
  • 64 percent of all Microsoft vulnerabilities reported in 2010

The results prove that using a standard account is still an excellent way to reduce the risks of malware and exploitation by hackers.

How To Change An Account To A Standard (Limited) User

To change an administrator account to a standard (limited) user account, see the following guides from Microsoft:

  • W7 (same for Vista) – guide. Note that most home computers will be in a workgroup.
  • XP – guide.

How To Create A New Standard (Limited) User Account

Alternatively, create a new standard user account by following these guides:

  • W7 (same for Vista) – guide. It will be a standard user by default.
  • XP – click Start > Control Panel > User Accounts > Create A New Account, type a name for the new account and press Next, then select ‘Limited’ and press ‘Create Account’.

What About User Account Control?

Vista and Windows 7 have an extra security feature called User Account Control (UAC) – even administrator users are prompted for permission when a task requires administrative rights (e.g. installing software).

Unfortunately many people found UAC intrusive and disabled it whilst others became so used to seeing it that they would just accept the prompt every time…

Even when UAC is used properly, an administrator account with UAC enabled is not as secure as a standard user account – malware has long been able to bypass UAC completely.
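
To check which accounts on a PC still have administrator rights and whether UAC is switched on, a short PowerShell script can help. This is an added example, not part of the original article or Microsoft's guides; it assumes Vista or Windows 7 with PowerShell available and an English-language system where the group is called Administrators, and the function names are made up for illustration.

```powershell
# Added example: list local administrator accounts and report the UAC setting.
# Assumption: the local group is named "Administrators" (English-language Windows).

function Get-LocalAdminNames {
    # The ADSI WinNT provider works in PowerShell 2.0 (Windows 7) and later.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its Name property via reflection.
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

function Test-UacEnabled {
    # EnableLUA = 1 means User Account Control is on (Vista and later).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

$admins = @(Get-LocalAdminNames)
$me = $env:USERNAME

Write-Output 'Accounts listed in the local Administrators group:'
$admins | ForEach-Object { Write-Output "  $_" }

# -contains is case-insensitive, which matches how Windows treats account names.
if ($admins -contains $me) {
    Write-Output "'$me' is an administrator. Consider a standard account for daily use."
} else {
    Write-Output "'$me' is not listed directly in the Administrators group."
}

if (Test-UacEnabled) {
    Write-Output 'UAC is enabled.'
} else {
    Write-Output 'UAC is disabled (or the setting is absent, as on XP).'
}

# Keep at least one administrator account with a password that only you know
# before changing any other account to a standard user.
```

The script only reads information, so it can be run from a standard account without an administrator password.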

Conclusion

A standard Windows user account offers many security benefits compared to a full administrator account – this makes it perfect for browsing the web, using email and downloading files.

It’s also ideal for making a computer more ‘kid-proof’ – protecting them (and other users from them) – just don’t let them know your administrator password…