win7 seems to recommend using a user acct for everyday use versus admin acct. Is this really an issue on a properly protected computer?

use admin acct imo , especially if your going to be installing programs and changing system settings etc , although you can have a user acct with admin priveleges

yes lot better
also if good anti malware
some day 0 virus not found by antivirus - you cooked if malware has admin rights

admin right you need few - example install/uninstall - use admin account with password for that

people spend hours decide which antivirus they use
then they use admin account for browsing ....
these users are idiots

or set your admin account up properly

There is almost zero reason to work as Administrator or use an account defined as an administrator - with 7+. The idea of Right Click Run As used to be a "secret" but not so much anymore. The system will prompt you for credentials if it needs it.

"set your admin account up properly" please explain what you mean by this. A user account defined as an administrator does behave differently then working as Administrator if thats what you mean.

of course

i read back my original reply to this

i didnt mean use in the built admin account.

With UAC enabled it will still request your permission to do anything which requires elevated privileges

terribad advice imo

try reading my other posts ITT thanks

So the consensus is to do a user account that has admin right? Can this UAC thing just be turned off? I never upgraded my computer to Vista, but whenever i used one those dumb popups seemed incredibly annoying

UAC is one of the very few useful security features for windows. Turning it off is pretty much the worst you can do.

A security feature that annoys the user to the point that they ignore the pop ups or turn it off is not useful. Designing a security feature that begs to be turned off is pretty much the worst a designer could do.

This was true for Vista, but not for WIN7. UAC in WIN7 works pretty well and with it and with the rightclick-Run as Admin option, admin user accounts should never be used.

I can imagine people dislike limited user accounts in WinXP, because of the lack of the run as admin option, or in Vista where UAC is utterly annoying, but in WIN7 a normal user account is plain sailing and using admin accounts for daily use is idiotic.

A security feature that prevents me from close to 100% of all malware (user account without admin rights) and creates the effort of one extra click when I want to install new software and an right click after installing a new program.

the majority of users IMO do not know anything about UAC and will click "Yes" to any UAC prompt that pops up without reading it

^^^ this. I would go as far as calling the implementation of UAC in Vista buggy. In Win 7, pop-ups don't occur more frequently than requests for the root password do on Linux or OS X.

If the user is dumb and has the right to run as admin (or as root in Linux/OS X), every security solution will be flawed. I don't see your point here. You can also only do so much to protect dumb users from phishing scams or from "helping out" that Nigerian prince. The only way to achieve close to 100% security is a *completely* closed system (which, for example, doesn't feature writable storage).

Not sure about the percentages but the essence of this is so true: UAC provides tremendous security gains for the average user (which used to run as admin in XP).

Btw, if you're running Win 7, it is advisable that you go to the UAC settings and increase the scale to its max ("always notify"). Note the default is the second-highest setting.

How do you know if you are running as a user or admin in Win7?

I made it a little dramatic to make clear that disabling UAC is probably the worst you can do in win7. On the other side, I can't imagine any malware with usability for the creator that doesn't rely on kernel access and therefore admin rights.

-run

type "secpol.msc" / Local Policies / Security Options

You'll see the status of every Account.
Right clicking any entry will allow to change it's value and also gives an explanation what exactly this list entry is about.

//edit:

I guess a little more convenient:

Right click any folder / Properties / Security / edit on your user

You'll see all groups your account is in.

//edit2:

Probably easiest option:

Control Panel / User Accounts

In case someone reads this and wants to change the fact that the user he created with installing windows is probably an admin account, here are some tips how to do it.

1. create Non-Admin User via Control Panel / User Accounts

Go to: Manage another account / create new user

and create your new, safe account.

(2.) Activate the administrator account on your pc in case you know you want to operate as administrator for some reason. (If you don't know why you would do that, you probably don't need to do it)

Open the command prompt with elevated privileges by clicking:

Start orb / All Programs / Accessories / right-click Command Prompt and then select Run as administrator

Type "net user administrator /active:yes" and then press Enter.

3. To keep all your settings on the new account, including Email and Desktop:

Start / type "easy transfer" / and go trough the assistant from "Windows Easy Transfer"

You can customize exactly what files you want to keep for your new account.

Being pretty much safe to any kind of malware never has been that easy, seriously.

Having an Non-Admin windows account, using TrueCrypt and KeePass prevents you from every security risks, except a very very small group of people on this planet, seriously.

That's awesome, thanks Wellju.

Question: When you talk about using truecrypt, are you talking about just using that to protect the entire hard drive, or are there specific files that you would recommend putting in an encrypted file?

That's a good question and there's no general answer to it.
It's a fight between performance and security. When you got a last gen computer, Intels Core or AMDs Phenom, you wont notice any real performance loss.

Generally speaking, I don't see much sense in having your itunes library encrypted but I would like to have the system drive as hidden partition.

There are major advantages to it, although even if there are no known issues with it, I wouldn't suggest that solution to everyone, as you at least should know the very basics of a computer. Like how to change bios settings, install windows, create bootable disks and such.

If you're too lazy to set that up (will take you an hour, no work ever after that), you're better off if you at least encrypt your programs (so many security leaks in some of them), your personal folders (outlook saves it's data there-) and anything else that might contain sensitive data.

I would suggest to encrypt your windows and program partitions, but leave your storage as it is.

When I try to use easy transfer it prompts me for
-cable
-usb
or
-network
and doesn't seem to be obvious to just transfer user settings

Some of the programs that I've loaded on as admin aren't showing up in the non-admin users. How do I get them to show up?

Thanks!

In easy transfer, you just click on "An external drive or usb drive" and instead of giving him an external drive, you just specify a location on a different partition or wherever on your harddisk.


Not all programs are installed for all users, often you're asked if you want to install the software for all users, but not every installer is that sophisticated.

Usually you can run this program from any user tho, by just going to "Program Files" and start the application from there. It's most convenient when you right-click on the .exe -> send to -> desktop. Then you got a shortcut for it on your desktop.

Thanks for all the input wellju. I really do appreciate it.

But after screwing around with this for a while, I just figured out an easier way. Create another admin account, then switch the level on the current account to standard user. All settings seem to stay then.