
I have been doing research over the last few days to find the best way to set up secure user accounts in Windows 7. I learned some new things about UAC (user account control) and AAM (admin approval mode), but there are still some questions left. Following, I will present what I know about this matter (or at least what I think I know), followed by my remaining questions.

First, the system in question is a single-user PC where the user will have access to admin rights. Most often it is advised to create an admin account and a separate user. But reading up on how UAC and AAM work, there seem to be few to no security benefits to this approach - at least for the intended setting.

When logging into an admin account, two access tokens are created - one with restricted rights and one with admin rights. In general, the admin will always use the same restricted rights as a standard user. Only when he wants to perform an action for which these rights are not sufficient does the system ask him to confirm his action. Only then will his rights be elevated to admin rights, and only for this task alone. This behaviour is similar to what a standard user would experience, with three particular differences that lead people to state that working with an admin account is less secure:

  • The admin user will only see a confirmation dialog that he has to click on, while the standard user will have to enter a password to elevate his rights. But this can be changed so that the admin user is required to enter a password as well [in the registry or policy editor].
  • Several actions (e.g. starting some trusted Microsoft applications) do not provoke the confirmation dialog when logged in as an admin user. Again, this can be changed for the admin user as well [in normal user settings].
  • Finally, and most importantly, separate admin and user accounts have separate areas for their files, registry entries, etc. Thus, if something malicious is introduced while working with restricted rights (e.g. an executable in a temp directory, changed file associations, etc.), it will be located in a different context when the standard user requests and receives elevated rights, and not in the same context as when an admin user requests elevated rights.

The first two issues are actually non-issues, as they can be set up to work exactly the same for a standard user and for an admin user. It is the third issue that got me thinking. Does this really make a setup with separate admin and user accounts more secure than a single admin account? As soon as elevated rights are granted, everything stored in any userspace is accessible and executable. Thus, even when a standard user requests elevated rights and receives them and is now working in the context of the admin account, malicious code from his original context can be accessed and executed without further warnings.

So, to come back to my questions: in the presented setting, is using a single admin account as secure as using separate admin and user accounts, provided you change the notification level to maximum and require a password to get elevated rights? The only difference between both setups would be the separated file areas/registry entries. But as far as I can tell, this would not bring any more security. Or am I wrong in my assumption?

2 Answers

Let me provide a simple explanation of administrative rights in Windows. By default, when you set up your first user account, it will be assigned to the Administrators group. For the subsequent creation of user accounts, Windows will recommend that you make them Standard Users, which means non-administrative rights.

For the first user account, it is definitely running under the Administrators group, but the difference is that all the apps are running like Standard Users, which means if you don't need any administrative privileges for any app, either for executing, reading or writing, Windows won't provide administrative privileges for that action. This model works like Standard Users; it is how Microsoft changed their mind to control the usage of administrative privileges in Administrators group accounts. In short, when an app needs administrative permission, it has to ask first before it will get it. Users have the right to decide themselves whether to allow or deny it.

For the second user account, it is definitely running under the Standard Users group, which means the same: all the apps are running with non-administrative privileges. The main difference is that you are running as a Standard User. When you need administrative privileges, you need to have a user who is in the Administrators group approve the action for the Standard User. This acts like "I borrow your administrative credentials to help me get the tasks done". Besides that, let's assume that User Account Control (UAC) is turned off. When you are running as a Standard User, you won't have the chance to borrow credentials from other administrative accounts to approve any administrative actions, as all the actions will be straight denied administrative privileges. That's the difference.

For the malware part, let's make it simple. If you let the bad guys get into your computer, you're gone. If you allowed the malware to have administrative privileges, it will behave as if there is no difference between whether I am running with administrative privileges or as a standard user, because I already have the administrative rights. Even the strongest malware that tries to bypass User Account Control (UAC) also requires administrative rights, so do you know why malware can be successfully installed on a computer? The answer will only be: accidentally allowed, blindly allowed, or a vulnerability in Windows.

Please don't treat Standard Users as always secure for computing security. This is just another layer of preventative measures that prevents apps or malicious software from executing on your computer when they need administrative rights. We have to know what apps are running on our computers first before we give them administrative rights. Using antimalware apps to detect and remove threats is also essential to keep the computer safe from malware threats.


In my setup, UAC is set to always deny elevation for standard accounts; it doesn't ask for passwords, it just always denies. The difference between standard accounts and admin accounts with this setting is that there is no chance to make a mistake. And it is more work to make that piece of malware run: you have to copy it to public downloads, log in as an admin, and then execute it.

That said, malware is smarter nowadays, and some does not require admin rights. A remote access trojan/tool (RAT) can see your screen, retrieve your documents, look at your photos, and schedule a task to send all your new files to the attacker. All this works just fine within a standard account. Their aim is not to get admin rights over your PC. This line of attack is not addressed by the standard vs admin account separation, and you need extra protection.
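The question's first two bullet points (make the admin user type a password, and prompt for every elevation including Windows binaries) and the second answer's setup (standard accounts are auto-denied) are all UAC policy values under one registry key. The script below is an added example, not code from the question or either answer: it audits the current values against that posture, can apply them, and reports whether the running PowerShell holds the filtered token or the full administrator token described in the question. The registry key and value names are the real UAC policy locations; the "desired" values are an assumption chosen to match the thread, not a Microsoft recommendation.

```powershell
# Added example: audit/apply the UAC policy values discussed in the thread and
# show which of the two admin access tokens the current process is using.
# Registry path and value names are the genuine UAC policy locations.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of the ConsentPromptBehaviorAdmin values (Windows 7 semantics)
$AdminBehaviorNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Meaning of the ConsentPromptBehaviorUser values
$UserBehaviorNames = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

# Desired posture (assumption mirroring the thread, not a vendor baseline):
$Desired = [ordered]@{
    EnableLUA                  = 1   # UAC on; without it there is no split token at all
    ConsentPromptBehaviorAdmin = 1   # admin users must type a password, not just click
    ConsentPromptBehaviorUser  = 0   # standard users cannot elevate from their own session
    PromptOnSecureDesktop      = 1   # prompt is isolated from other user-mode windows
}

function Get-UacPosture {
    # Returns one row per setting: current value, desired value, compliance and meaning.
    $props = Get-ItemProperty -Path $UacKey
    foreach ($name in $Desired.Keys) {
        $current = $props.$name
        if ($null -eq $current) {
            $meaning = 'Not set (built-in default applies)'
        } elseif ($name -eq 'ConsentPromptBehaviorAdmin') {
            $meaning = $AdminBehaviorNames[[int]$current]
        } elseif ($name -eq 'ConsentPromptBehaviorUser') {
            $meaning = $UserBehaviorNames[[int]$current]
        } elseif ($current -eq 1) {
            $meaning = 'Enabled'
        } else {
            $meaning = 'Disabled'
        }
        [pscustomobject]@{
            Setting   = $name
            Current   = $current
            Desired   = $Desired[$name]
            Compliant = ($current -eq $Desired[$name])
            Meaning   = $meaning
        }
    }
}

function Set-UacPosture {
    # Writing under HKLM needs the full (unfiltered) admin token, i.e. an elevated shell.
    # A change to EnableLUA takes effect after a reboot; the prompt-behaviour values
    # apply at the next elevation request.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$UacKey\$name", "Set to $($Desired[$name])")) {
            Set-ItemProperty -Path $UacKey -Name $name -Value $Desired[$name] -Type DWord
        }
    }
}

function Test-FullAdminToken {
    # True only when the process runs with the unfiltered administrator token.
    # Under the filtered token an admin user gets at logon, the Administrators group
    # is still in the token but flagged "used for deny only", so IsInRole returns False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Get-UacPosture | Format-Table -AutoSize
"Running with the full administrator token: $(Test-FullAdminToken)"
# Review the table, then preview the changes with -WhatIf before applying them:
# Set-UacPosture -WhatIf
```

Run `Get-UacPosture` first from any shell; the `Compliant` column shows which of the thread's settings are already in place. `Set-UacPosture` must be run from an elevated shell, and `-WhatIf` lists the writes without making them. The token check is the practical way to see the question's "two access tokens": the same admin user gets `False` from a normal PowerShell window and `True` from one started with "Run as administrator", because only the elevated window holds the unfiltered token. `whoami /groups` shows the same thing, listing the Administrators group as "Group used for deny only" in the unelevated window.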
