When to use Admin vs User Accounts

Question

I have asked these questions elsewhere and did not get straight answers.

Is it best to be logged into a User account for normal activity?  Web browsing, using office software, playing games, watching videos etc?  This used to be the recommendation from Windows pros in the distant past.  Running under Admin is supposed to make you more vulnerable to malware.  But Windows security has improved over time, and the built-in Windows Defender has also become more effective.  So, in 2020, still best to stay on a User account most of the time?

Another question, is it best to do app installs, driver updates, and Windows OS updates while logged into an Admin account?  This is not something I have seen advised.  But over the past several years I had experiences of installing items on a User account and then the programs did not work properly.  For instance, just today I did a driver update while logged into a User account.  Later, when I checked device manager on an Admin account, the driver had NOT been updated and there were error messages.  Windows certainly allows you to install these items while logged into a User account, it simply requires the Admin password to complete.

Answer 1

Since the beginning of PCs, one of the important design principles for operating systems has been the principle of least privileges. (You can Google that phrase for more information.) It means that user accounts (among other things) should have no more than the minimum permissions needed to accomplish their role. This is done to limit the damage from a successful attack.

Computers and their users need to be protected against attack because they routinely deal with other computers and other users whom they cannot see or trust. Even if you are the only person who will ever use your computer, even if you live in a cave in an undisclosed location where nobody can find you, as soon as you connect to the internet, your computer becomes connected to thousands of computers that are in turn connected to thousands of computers, any of which can be operated by attackers who are actively gunning for your computer. Only the naive deny this unfortunate fact of computer-dom.

The principle of least privileges is why we do not do our day-to-day computing from an Administrators account. If you are a Standard user, and your account gets hacked, the most an attacker can do is to rifle through your personal files, which is not a worthwhile use of an attacker's time. If attackers are looking for bank account numbers, credit card information, Social Security Numbers, and the like, they can easily and cheaply find thousands of people's records on the dark web. They are unlikely to waste their time on your user account.

But if you're using an Administrators account that gets hacked ... that's the grand prize. Now the attacker has an entire computer to work with, and with that computer they can do tremendous damage, not only to your computer - for example, by using it to mine bitcoin, or torrent stolen content - but to other computers too, by using your computer to attack other computers.

If you're using a Users account, and you need to elevate your privileges temporarily, to install software, let's say, you can easily 'Run as' the installer, which means to run the installer as if you were an Administrators account. That gives you elevated permissions for that transaction only after which you revert to a Users permissions. And that's the safe way to use a computer.

Answer 2

Yes, it makes a huge difference, which I will explain below. But first, some fundamentals:

A Windows PC actually has more than a dozen user accounts, but most people are only familiar with two: Administrators and Users.

Those names are in the plural because they are shorthand for 'member of the Administrators group; and 'member of the Users group.' To a computer, you are not an individual; you are a member of a group. All the rules of the group apply to you. I mention this because many who post here unfortunately confuse Administrators with Administrator - without the 's.' Administrators - with the 's' - is a user group, while Administrator is a special purpose system account. Very different!

One more fundamental, and then done: Members of the Users group have been called by many names over time, because Microsoft has never been good with naming things. Members of the Users group have been called Standard users, Limited users, just plain 'users,' and whatever Microsoft decides to call them next month.

The essential difference between the various user groups is how much permissions they have on the computer. Permissions are also called privileges. (Nothing in a computer has only one name.) Administrators have more permissions than users. Another way to say this is that Administrators have elevated privileges compared to Users.

Administrators have permission to make configuration changes that affect the entire computer. Installing software is a well-known example of a privilege only available to Administrators. Users only have permission to make changes that affect their own user account.

Administrators have extensive access to the computer's capabilities that Users lack - which makes an Administrators account a hacker's cherished goal. And that's why we all need to have Users accounts, as I will elaborate upon in the next post.

Answer 3

Hi ProTech72s,

Thank you for letting us know about this inquiry.

I am glad to work with you and help you find an answer for these questions.

I understand that there are questions arising lately about what the best User to be use on Windows 10.

While it is true that Admin accounts are more vulnerable to Malware and other applications use by hackers, this is only true if the computer is already infected with malware and other viruses, because once the computer is infected they can have unlimited access to the computer compared to a standard user account.

However, lately hackers are really having a hard time to access a computer thanks to advance features of Anti-virus application today even Windows Security has already an advance features that would make it almost impossible for a hacker to get in on your computer.

So the question is when there is already a Windows Security and other third party anti virus application out there, then when would the computer become vulnerable to malware and other Spying applications use by hacker.

Well the answer to that question is when we allow them to access our computer.

This happens when we are not careful opening an email from unknown sources or even emails that are a replica of know companies and providing information on the link that they have send to us.

Another is when we provide any code that we receive on our computer to a caller even if they are claiming that they are a Microsoft employee, because I've been an Microsoft employee before and even we are not allowed to ask for any code the we send on the customers computer to have access to their computer.

Third is when we frequently visit unofficial websites and download anything on that website.

However if the application that you are downloading is from verified trusted site specially from Microsoft store there is no need to worry because on Microsoft Store all application has already been filtered for any possibility of containing data that would harm the security of our computer.

Thank you again for letting us know about this concern.

I know I have type many words there above, just read them on your most convenient time ProTech72s.

Please let me know on how I can provide further assistance to you.

Continue to have a safe and good day

Best Regards,

Anthony De Jesus

Independent Advisor

Answer 4

Please answer the following question:

Should apps, driver installs, and OS updates be done while logged into an Admin account?  Based on my experience, installing these items while logged in as a User account has led to many problems.

I believe that a clear and definite answer to this question would be beneficial to the Windows community.

Answer 5

I have a single account since I am the only user and have had no problems doing so.

It is the main administration account.