I have been doing research over the last days to find the best way to set up secure user accounts in Windows 7. I learned some new things about UAC (user account control) and AAM (admin approval mode), but there are still some questions left. In the following, I will present what I know about this matter (or at least what I think I know), followed by my remaining questions.
First, the system in question is a single-user PC where the user will have access to admin rights. Most often it is advised to create an admin account and a separate user. But reading up on how UAC and AAM work, there seem to be few to no security benefits to this approach - at least for the intended setting.
When logging into an admin account, two access tokens are created - one with restricted rights and one with admin rights. In general, the admin will always use the same restricted rights as a standard user. Only when he wants to perform an action for which these rights are not sufficient does the system ask him to confirm his actions. Only then will his rights be elevated to admin rights, and only for this task alone. This behaviour is similar to what a standard user would experience, with three particular differences that lead people to state that working with an admin account is less secure:
- The admin user will only see a confirmation dialog that he has to click on, while the standard user will have to enter a password to elevate his rights. But this can be changed for the admin user to be required to enter a password as well [in registry or policy editor].
- Several actions (e.g. starting some trusted Microsoft applications) do not provoke the confirmation dialog when logged in as admin user. Again, this can be changed for the admin user as well [in normal user settings].
- Finally, and most importantly, separate admin and user accounts have separate areas for their files, registry entries, etc. Thus, if something malicious is introduced while working with restricted rights (e.g. an executable in a temp directory, changed file associations, etc.), it will be located in a different context when the standard user requests and receives elevated rights, and not in the same context as when an admin user requests elevated rights.
The first two issues are actually non-issues as they can be set up to work exactly the same for a standard user and for an admin user. It is the third issue that got me thinking. Does this really make a setup with separate admin and user account more secure than a single admin account? As soon as elevated rights are granted, everything stored in any userspace is accessible and executable. Thus, even when a standard user requests elevated rights and receives them and is now working in the context of the admin account, malicious code from his original context can be accessed and executed without further warnings.
So, to bring me back to my questions: In the presented setting is using a single admin account as secure as using a separate admin and user account, provided you change the notification level to maximum and require a password to get elevated rights? The only difference between both setups would be the separated file areas/registry entries. But as far as I can tell, this would not bring any more security. Or am I wrong in my assumption?
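As an added illustration (PowerShell, not part of the original question or any answer to it), the script below reads the UAC policy values that sit behind the "notification level" and "password instead of a click" settings mentioned in the question, and reports which of an admin account's two tokens the current shell is running with. The registry path and value names are the standard Windows UAC policy values; the "target posture" it checks against (credential prompt on the secure desktop, UAC enabled) is an assumption taken from the question's own wording, not an official recommendation.

```powershell
# Added example, not from the original question. Audits the UAC policy values
# discussed above and shows whether this shell holds the filtered (restricted)
# token or the elevated token of an admin-approval-mode account.
# Assumption: the "desired" posture is the one the question describes
# (UAC on, admin prompted for a password on the secure desktop).

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # A missing value means "Windows default"; the caller passes the Windows 7 default.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$Name) { return [int]$props.$Name }
    return $Default
}

# Documented meanings of the prompt-behaviour values.
$AdminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only (Windows 7 default)'
}
$UserBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacPosture {
    $enableLua = Get-UacValue 'EnableLUA' 1
    $admin     = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $user      = Get-UacValue 'ConsentPromptBehaviorUser' 3
    $secure    = Get-UacValue 'PromptOnSecureDesktop' 1

    $findings = @()
    if ($enableLua -ne 1) { $findings += 'EnableLUA=0: UAC is off, admin accounts always run fully elevated' }
    if ($admin -ne 1)     { $findings += "ConsentPromptBehaviorAdmin=$admin ($($AdminBehaviour[$admin])): admin is not asked for a password" }
    if ($secure -ne 1)    { $findings += 'PromptOnSecureDesktop=0: prompt is shown on the normal desktop, where other windows can overlay it' }
    if ($user -eq 0)      { $findings += 'ConsentPromptBehaviorUser=0: standard users cannot elevate at all' }

    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = "$admin - $($AdminBehaviour[$admin])"
        ConsentPromptBehaviorUser  = "$user - $($UserBehaviour[$user])"
        PromptOnSecureDesktop      = $secure
        MatchesQuestionPosture     = ($enableLua -eq 1 -and $admin -eq 1 -and $secure -eq 1)
        Findings                   = $findings
    }
}

function Get-TokenState {
    # An AAM admin's filtered token still lists the Administrators group
    # (SID S-1-5-32-544) but flags it deny-only, so IsInRole() reports $false
    # for it; only the elevated token passes that check.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $groupSids = $identity.Groups | ForEach-Object { $_.Value }
    $inAdmins  = $groupSids -contains 'S-1-5-32-544'
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $state = if ($elevated) { 'elevated admin token' }
             elseif ($inAdmins) { 'filtered (restricted) token of an admin account' }
             else { 'standard user token' }
    New-Object PSObject -Property @{
        User = $identity.Name; InAdministrators = $inAdmins; Elevated = $elevated; Token = $state
    }
}

Get-UacPosture | Format-List
Get-TokenState | Format-List

# To switch the admin prompt from "click to consent" to "enter password" as the
# question describes (run from an elevated shell; a policy object may override it):
# Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
```

Run it once from a normal shell and once from an elevated one on the same admin account: the first run reports the filtered token (Administrators present, `Elevated` false), the second the elevated token. The posture check only flags deviations from the configuration the question proposes; it does not judge whether that configuration is sufficient, which is the actual question being asked.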