Posted by: Tony Bradley
“Do not log in as an Administrator.”
How long has that security best practice mantra been recited? How many times have you been reminded that malware attacks generally execute with the context and permissions of the currently logged-in user, so you should log in as a standard user to minimize the potential damage from exploits?
But Microsoft should put its money where its proverbial mouth is and just make that the default. Why? Well, I will explain why. Those who have the understanding and skill to safely function logged in as an Administrator also have the necessary understanding and skill to do what it takes to create a user account with administrative privileges and log in using it. However, the reverse is not true: your average user does not have the understanding and skill to realize they are logged in as an Administrator, nor do they have the understanding or skill to create a separate login that is just a standard user and log in using it.
Microsoft went halfway by implementing the split token for Administrator privileges and requiring consent to elevate privileges with UAC when necessary. That helps protect even user accounts with Administrator privileges from being exploited, or from accidentally modifying crucial aspects of the Windows OS. But the vast majority are not Windows gurus or security experts, and lack the fundamental knowledge required to determine whether a UAC prompt for privilege escalation is legitimate or not, so they just click “Allow” and go about their business.
The problem is that when you install Windows as a home user, it just asks you for a name to assign to the user account, and by default it makes that user account an Administrator. If Microsoft doesn’t want average users to log in as Administrator, then it shouldn’t automatically make every user an Administrator.
Microsoft should modify the installation procedure for Windows 7, and for any future implementations of Windows. The installation process must create an Administrator account so that at least one account is available with unrestricted access to the system, but the installation process should clearly state that the Admin account is for special circumstances only, and should be used through the “Run As” process when necessary. The installation process should then require that the user create a username and password for a standard user account as well, and, most importantly, the standard user account should be the default account for logging in to Windows, and the Admin account should be hidden.
Any user that doesn’t have the understanding and skill to access the Admin account has no business accessing the Admin account anyway.