Operating system security

Admin vs non-admin accounts in Windows 10

Kurt Ellzey
February 26, 2020 by
Kurt Ellzey

Coke versus Pepsi. Mac versus PC. Red versus Blue. There are some arguments that have been around for so long that the idea of one side or the other being 100% correct are slim to none. Each side has its strengths and weaknesses, along with particular use cases. If we try to use one particular option all the time, we may be all right most of the time. But there will always be situations where we come across one element that the other side excels at, and we either have to ask for assistance or find a workaround.

Admin versus non-admin accounts have been known to create bitter arguments in organizations: users want total control of their individual workstation while other people don't want the responsibility that an admin level account brings. Which one is correct? As we mentioned before, both sides have their strengths and uses, and we'll briefly go over some of those in the following article.

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

Standard users

For the sake of keeping things simplified, we're going to refer to non-admin accounts as standard users. These arguments apply in situations for both local and domain users. 

When a user sits down at their workstation for the day, there are a few things that regularly happen: they check their email, start up regularly used programs, browse the web for a while and then get down to business. After a while, they're done for the day, close everything down and lock up.

For a large number of people, this is what they need of a daily driver account — the user that you're logged in with primarily throughout the day. Even in advanced cases, unless it's a part of the user's job they don't install applications, drivers and other system-level functions on a daily basis. This is especially true if the workstation is shared between users and they don't necessarily want someone else to mess with their locally saved data — standard users have access to most local data, but not necessarily system-critical areas or other user's profiles.

So why would we consider having active restrictions to be a good thing? Let's take a look at this from another point of view: the Death Star from the original “Star Wars.”

There is a classic scene in this movie where two Imperials are operating a console inside of a firing chamber for the Death Star. They have a very small walkway on which to stand, and that's about it: no protections at all from a drop-off or from the enormous amount of energy traveling down the chamber. 

These users have what they need to perform their daily functions, yes, but without restrictions such as shielding, safety rails or even just additional flooring, they could be placed in massive danger without ever doing anything but their routine operations.

The same concept can be applied to users running as admins all day every day. If a site the user goes to all of the time becomes compromised — and this happens frequently — an administrative-level user's account could be abused by malware to cause harm to the user's data and possibly much more. Of course this doesn't have to be just a website, but any vector can be used: emails, USB sticks and so on.

Running as a standard user can help prevent a good number of these issues from ever happening, and helps protect user, system and organization from potential threats.

Admin users

However there are always situations where you need the additional permissions that an administrator account has, as it is impossible to perform certain tasks in Windows without one. Administrators have near-total control of any given environment, whether they be local admins, domain admins or beyond. I say near-total, because there are certain system-level accounts that still can give Admins hassles when it comes to particular functions. 

However, even people that have administrator-level accounts don't necessarily use their maximum permission level accounts all the time — they switch to them as needed. At first, that sounds like it could be quite an annoyance, logging out of a standard user to only log in with an administrator and back again. Although that certainly would work, there are considerably faster ways to access elevated permissions but still retain safety on a regular basis. 

Let's say, for example, that a user is starting to receive information that requires a newer version of Microsoft Office than is currently installed on the local workstation. The user may be able to get around this for a while by using a standalone viewer for these files that does not need to be installed. As time goes on, however, they need to start editing these files and sending them back, thus requiring a new version of Office to be installed.

When this happens, they can either contact someone with administrative-level access and have them log on as an administrator-level user, or they can simply use a “Run As” command to temporarily run the installer as an administrator without having to have the current user logoff.

There are a couple of different ways to access this functionality. First, we'll take a look at an installer for Office.

The tiny Shield icon on the installer shows us that this program will trigger UAC — User Account Control — and ask for elevated permissions to run properly. We'll want to be careful with this, since certain installers act very differently when run as a user or an admin. They may not necessarily show anything different during the installation, but then the program doesn't actually function when complete. 

When we right-click on this installer, it shows us the function “Run as administrator” with the shield icon. While sometimes this will be enough, there is another function that may be better for us.

When you hold down shift and right-click on the installer, you'll see another function available: “Run as different user.”

“Run as different user” will grant us some additional permissions when using accounts like Domain Admins, especially if this involves accessing network shares.

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

Conclusion

As we mentioned before, both sides of the coin have their uses along with strengths and weaknesses respectively. Administrative accounts must be used, but they don't have to be used all the time. 

Microsoft has gotten tremendously better about what permission levels are required for daily operations over the years and will likely continue to improve in the future. It is up to all of us to help keep ourselves and or organizations more protected without needless risks.

Sources

Kurt Ellzey
Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.