How To Limit User Access In Windows 7

Does this site await plainly?

This site uses advanced css techniques

Windows 7 is now in Release Candidate condition (build 7100, May 2009), and many are trying this new operating system. Those who skipped past Vista from XP are finding a new experience and an entirely new security paradigm: User Account Control.

UAC was introduced with Vista and was widely maligned due to its in-your-faceness, and though information technology's calmed down some as Vista has been updated, it seems to accept really hit its stride in Windows 7. I like UAC a lot.

But even in its imperfect form, information technology was a good idea, attempting to brighten the terribly blurry line between administrative tasks and user tasks that has plagued Windows since the early days.

Much of this is due to the early consumer operating systems Win95, Win98, and WinME, which maintained no technical distinction between these roles: everybody was ever an ambassador, and software developers had no way of fifty-fifty thinking about a separation of roles.

But fifty-fifty with the more modern NT-based systems Windows 2000 and Windows XP, it was and so painful to really go your work done as a non-administrative user that near people just gave up and ran with an admin business relationship. This was about entirely due to poor habits past software developers: they themselves ran as admins, and simply wrote sloppy code that causeless everybody was i too.

Microsoft has been trying very hard to counter this everybody-is-an-admin mentality, and UAC was their attempt at compromise: if you're going to run as admin, at least we can make you enlightened of the office differences. This is what UAC is attempting to do.

User Account Control explained

User Account Command works by guarding access to administrative rights, and this involves elevations of privilege: when attempting to perform admin tasks, the operating system either auto-elevates to admin rights, or requests some kind of consent or credentials to exercise and then.

Windows vii recognizes three wide classes of users:

The built-in "Administrator" business relationship

This business relationship is special for a number of reasons, and is disabled by default in Vista and Windows 7. Because this account explicitly turns off some of import security features — such as IE Protected Manner, besides as UAC — it's a really bad idea to use Administrator for anything.

I strongly urge leaving the Administrator account disabled!

Keeping this account disabled (which means you won't be tempted to actually use it) will help go along you safer!

An business relationship with administrative rights

Though the user has the ability to drag to admin rights due to its membership in the local Administrators group, UAC interposes itself at fundamental times with prompts that confirm your intentions:

This is Prompt-for-Consent Fashion, and upon clicking [Yeah], it will elevate the job and run information technology as an administrator.

For performing administrative tasks, always utilise this kind of custom admin account instead of the built-in Ambassador.

Windows seven introduces a slider to the UAC settings that allows for changing the level of UAC prompts, including a setting to disable it entirely (admin-approval mode).

A standard/limited user

These accounts simply exercise not accept the power to perform administrative tasks directly, nor do they accept the ability to elevate with a mere confirmation: they instead crave credentials such as a countersign or a smartcard. This is requested via a prompt to the user:

This is informally known as Over-the-Shoulder Way (where somebody can lean over the user's shoulder to type a password and elevate an approved task).

I strongly believe in limited user accounts!

I've been doing so since XP Service Pack 2, including my laptop and main software-development workstation. It's been painful at times, but it's dramatically lowered the attack surface of my system and has contributed to my Windows machines never suffering a compromise.

Stepping into Windows vii, I of course wanted to run every bit a limited user, just because I didn't know how it worked (in Win7 or in Vista), I essentially locked myself out of my own machine (see below).

So after figuring information technology out (and reinstalling a couple of times), I created this Tech Tip to assistance a security-minded user to do the safe matter.

This newspaper presents two procedures: 1 for a offset-time install of the operating organisation, and i for retrofitting an already-installed arrangement where the main user is a custom admin.

Method one: New Os installation

A new install is the easiest to get right because there'southward no prior setup to work around, and the illustration uses two Windows accounts:

• SteveAdmin — the first business relationship created during installation, should be used solely for administrative tasks.
• Steve — the 2d account created as a standard user; this express account is used for day-to-day work.

The built-in Administrator will non exist used in any style, and will remain disabled.

Have these steps to ready Windows vii:

Install Windows 7, creating a initial user "SteveAdmin"

This should be the usual install-from-DVD process, and the initial parts take some time (and at least 1 reboot) before asking whatsoever questions related to setting upwardly of users.

When prompted, name the offset user SteveAdmin; it's automatically created as an administrative account.

If you choose to give the account a countersign, be sure to remember information technology: it will be required for all administrative duties on your machine.

Complete the Windows 7 installation

This includes configuring Automatic Updates, addition of required drivers, configuring the network, and the like.

This is all washed every bit the administrative user SteveAdmin.

Create a new account "Steve" equally a standard user

While logged in every bit SteveAdmin, navigate to the Control Panel:

• Click the Kickoff icon
• Click Control Console
• Click Add or remove user accounts under "User Accounts and Family Prophylactic"
• Click Create a new account underneath the list of electric current accounts
• Populate the dialog box with the new user proper name — Steve — and click the Standard User radio button.
• Click the [Create Business relationship] button to arrive and then

Assign a password to the new user "Steve" (if desired)

Once the account has been created, a listing of current users appears with the caption: "Choose the account you would like to modify". Click the icon for newly created Steve account, which should be listed as a Standard User.

Click Create a password, and enter a password (twice!), along with a password hint if yous like. Annotation that since you're changing the countersign for a dissimilar user than yourself (Steve versus SteveAdmin), it will present an ominous message:

Ominous message that can be disregarded:

If you lot do this, Steve will lose all EFS-encrypted files, personal certificates and stored password for Web sites or network resources.

Since this user was just freshly created, there is no private data to lose, so we tin ignore this message and go on.

Dismiss the Command Panel dialogs, log out, and log in as Steve

At this indicate, Steve is a standard user.

At present that we're a standard user, attempts to perform admin tasks are greeted with a UAC prompt for SteveAdmin'south password.

Method 2: Convert an already-installed admin user

This method is used if Windows 7 has been already set up, where the installer user (here: Steve) was automatically created with administrative rights. Though one could technically rename the business relationship to SteveAdmin and make a new Steve as a express user, this would play havoc with the user profiles, the desktop, and other personal configurations. It's possible to re-create profiles around, simply it's easier to just create a new admin account and demote this one.

These are the steps:

Create a new SteveAdmin user

Login equally Steve, who is still an administrative user, and navigate to the Control Panel to create a new user.

• Click Commencement icon, nav to Command Console
• Click Add or remove user accounts under "User Accounts and Family unit Safe"
• Click Create a new account underneath the list of current accounts
• Populate the dialog box with the new user proper noun — SteveAdmin — and click the Administrator radio button.
• Click the [Create Business relationship] button to make information technology and so

Now nosotros have a new SteveAdmin account — without a password all the same! — and this system now has two admin users.

Assign a password to the new user SteveAdmin (if desired)

Once the account has been created, a list of electric current users appears with the explanation: "Cull the account yous would like to change". Click the icon for the new SteveAdmin user, which should exist listed as an Administrator.

Click Create a countersign, and enter a countersign (twice!), along with a password hint if desired. Note that since you're irresolute the password for a different user than yourself (SteveAdmin versus your logged-in Steve account), it will present an ominous message:

Ominous message that can be overlooked:

If you practice this, SteveAdmin will lose all EFS-encrypted files, personal certificates and stored password for Spider web sites or network resource.

Since this user was only freshly created, there is no private data to lose, so we can ignore this message and go along.

This completes creation of the SteveAdmin account, leaving leaving two accounts on the machine with admin rights.

Practice non dismiss the dialog still! We'll be getting right into the next pace from here.

Demote the user "Steve"

With the SteveAdmin account in good shape, it's time to demote the original installation user Steve from an administrator to a standard user. Since nosotros're withal in the Control Panel, we can hands choice up where we left off:

• Click Manage another account
• Click the icon on the Steve account
• Click Change the business relationship type
• Click the Standard User radio button
• Click the Change Business relationship Type push
• Dismiss the control-panel dialogs

The side by side time user Steve logs in, he'll have strictly standard user powers.

Log out as "Steve", and so correct back in

Logging out destroys the session token that still has admin rights, and then the next login gets the new set of limited rights.

In one case logged in equally a limited user, attempts to perform admin tasks are greeted with a UAC prompt asking for credentials for the SteveAdmin user.

Disabling the Ambassador business relationship

At this point, one of the ii procedures has set upwards a limited user Steve and a proper authoritative account SteveAdmin, merely some users might have previously enabled the born Ambassador business relationship as well.

I believe this is a bad thought, and recommend that the account be disabled. This won't be required if yous've just installed Windows seven freshly, or if Ambassador does not announced on the login folio every bit an icon for a user who tin can login.

If you're not sure, the steps to check and disable are almost the same:

Open the "Manage Users" applet

Enabling and disabling accounts is non done in the same identify where you created a new user, so it requires navigating to a new place.

• Click the Start Icon
• Right-click on Estimator and select Manage
• Navigate as shown to Users
• Double-click on the Administrator icon.
• Insure that Account is disabled is checked (if it was already checked, you're done)
• Dismiss the dialog boxes

At this signal, the Administrator account is disabled and cannot be used to login or to approve UAC elevations. It's non necessary to change the account's password, as disabling the account overrides any countersign (even a bare one).

Picking a password

Curiously plenty, it's not always necessary to accept a password on an account. Since an account with a blank countersign cannot be accessed over the network, you can substantially reduce the attack surface of a auto this mode.

Only this requires that you have good control of concrete security over the machine: if there are users on the machine (or in the environment) who are not allowed to perform administrative duties, it would be a poor thought to accept a blank password because information technology would allow anybody to walk upward to the calculator and go to boondocks.

In addition, a laptop that leaves the business firm is probably not a good candidate for a bare countersign because physical security is seriously problematic.

For nigh abode users, information technology probably doesn't really matter that much how yous choose your password schemes, but if you accept whatsoever questions about this, please present your scenario to a trusted security adviser for guidance.

Exist Conscientious! Securing yourself out of your own machine

As noted before, I'd not set up Vista earlier, so were unaware that the Ambassador account was disabled past default. This atomic number 82 to an uncomfortable surprise after demoting the installation account Steve.

After configuring our machine, I'd gone into the Control Panel to downgrade the Steve account to a Standard User. I had unknowingly removed the just remaining admin account, so after logging out and back in (to allow the account alter to take effect in our session), the next UAC operation provided this prompt:

The careful reader will note there is no place to enter a password! , and to say that was maddening would be an understatement. Depending on your calculator's configuration, there may be an invitation to use a Smart Carte du jour, but that won't likely do much proficient on a computer that'due south not had smartcards configured.

It seems like a poor user experience even though technically information technology was my ain fault.

---

Special thanks to fellow MVP Susan Bradley and Microsoft smart guy Crispin Cowan, PhD for their invaluable assist with this newspaper.

First published: 2009/05/27 (blogged)

Source: http://unixwiz.net/techtips/win7-limited-user.html

Posted by: ramseythipper82.blogspot.com

Share this post