Vista - Standard user or administator account

I've been researching the benefits of standard user accounts vs administrator
accounts, I still do not see any reason for the average user to use a
standard account.

I CAN understand using it with youngsters and others who you do not want to
be able to install programs or access administrative functions.

But for a person who is the only user of a computer, what is the advantage
of a standard user account as far as security?

People often say it will afford a higher level of security against malware
installations. But a regular adminstrator account (not the hidden full
administrator account, that is a different story) will prevent the
installation of driveby malware because it requires the elevation prompt
before any installs. This will prevent malware installing itself without
your knowledge.

In the standard account compared to a regular administrator account, the
only difference I can see is that the standard account requires you to enter
the admin password when elevation is required. So that will block
unauthorized users, but it does not afford any additional protection (over an
admin account) from malware installations that happen without the user's
knowledge.

So it seems like if you are not worried about unauthorized users at the
keyboard, then why use a standard account? It seems the level of protection
from malware installation is the same with both.

Am I missing something here?

Thanks

Thanks for the reply.

I am not looking to set up accounts with the most power. I am wanting to
know if, when I am setting up computers for "regular users", is there any
reason to use the standard account when there is only one user? I am
referring to computers with no unauthorized users, no children. The only
security concern is protecting from malware installations. I do not see any
additional protection with the standard account compared to the regular admin
account. It seems like both types of accounts require elevation for the same
tasks, the only difference is the standard account also asks for an admin
password.

Thanks

"Mark L. Ferguson" wrote:

Good question.

Damage to files in one account does not necessarily mean damage to the other
account. The advantage of using a standard account v.s. straight
administrator account is that if a user damages files in the standard account
the user can always go back to the administrator account and set up a new
standard account. If the user damages files in the administrator account it’s
harder to fix the problem. Computers are imperfect and so are the users.
Users will eventually damage system files. It’s easier to overcome file
damage if it’s done in a standard account.


--
oscar

....Right click is your very good friend...


"Vince" wrote:

"Vince" <Vince@xxxxxx> wrote in message
news:8876783A-F2F6-4847-85A4-5D0852B74FF2@xxxxxxAdmin is locked down to Standard user, when not using the Full Admin token
and UAC prompt for Admin is *allow* or *disallow* when elevations to the
Admin Full rights token is required.

<http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml>
<http://technet.microsoft.com/en-us/library/cc709691.aspx>

There is no more Power User on Vista, as stated in the article.

<http://technet.microsoft.com/en-us/magazine/cc160882.aspx>

Thanks Oscar,

Interesting point, but I'm not sure that it makes a difference since there
is always the default Admin account to fall back on. Also I always use
imaging software to be sure I can restore a damaged OS.
My main concern with this question is security, protection against malware
installation.

Mr Arnold, not sure what your bottom line is here. Do you think standard
user has more protection than an admin user against malware installs?

Thanks
"Mr. Arnold" wrote:

"Vince" <Vince@xxxxxx> wrote in message
news:CF79E2A8-55A0-4430-87D4-8B951130A51C@xxxxxxBut only if you enable it first - it's disabled by default in Vista....

"Vince" <Vince@xxxxxx> wrote in message
news:CF79E2A8-55A0-4430-87D4-8B951130A51C@xxxxxxYou're not Admin. You are Standard user, until you get that prompt to
escalate privileges to the Admin full rights token if you are Admin on the
machine, which will be the Allow or Disallow prompt from UAC for Admin.

You're reverted back to Standard user again as an Admin once the escalated
right to Admin Full rights has completed for the task, and then you are not
Admin on Vista with Full Admin rights anymore.

You're reverted back to Standard user on Vista with a account named Admin
internally for a lack of better words.

If you are a Standard user on Vista with only the Standard user token, then
UAC prompts you for an Admin user-id and psw to escalate rights, instead of
the UAC prompt of Allow or Disallow, if you were Admin.

Either way you go with Admin or Standard user, you have to approve the
action. To me, that's the key is if you recognize the allow or disallow or
give the Admin user-id and psw, and the situation you're in at the time of
the prompt.

Standard rights are more restrictive in their permissions to do things over
all than Admin, which is it really comes down to what rights a Standard user
would have concerning NTFS permissions, because any user with Admin has all
rights with NTFS.

However, you should read the information in the link and decide for yourself
as to what type of an account you're going to use, just remember Admin on
Vista is a Standard user most of the time.

There is a hidden Admin account called Super User that has Full Admin Rights
all the time and never gets prompted by UAC.

Mr. Arnold wrote:But why does a power user/user account behave as an admin once you mess
with UAC? I had a power user/user account with UAC turned off. I could
not execute administrative tasks (it would tell me access denied). So
then I went in as admin and enabled UAC. Logged back in as power
user/user account (with UAC turned on) it would prompt me for admin
credentials which I provided one time for one action. Then I logged off
as user, logged back in as admin, disabled UAC, logged back in as power
user/user account and it lets me do any admin action I want (without the
UAC provide credentials prompt)!! I created a new user account with
only user permissions, and I can do any admin action I want (without the
UAC provide credentials prompt) under this account too! Is my standard
user token barched now?! I also tried going into secpol.msc and setting
'UAC:Behavior of the elevation prompt for standard users' to
'Automatically deny elevation requests' and there has been no change.
Can anyone explain this please?
--
kapibarra

I don't seem to be communicating my question correctly, since it is not
getting answered.
So I will re-phrase.
It seems to me that the only difference between a standard user and a
(regular) administrator is that when the need to elevate to admin privileges
comes, the administrator account only needs to click "Continue" while the
standard user has to enter an administrator username and password. Other
than that difference, it seems the two account types are the same, both
before the elevation of rights, and after the elevation of rights.
Can anyone confirm or deny this?
Thanks



"Mr. Arnold" wrote:

"Vince" <Vince@xxxxxx> wrote in message
newsF0D419E-2FD6-43BC-93B8-C82456C5A6D8@xxxxxx
One more time, Admin on Vista is *locked down* to be a Standard user. When
the Admin needs Full Admin rights on UAC, then the Admin is escalated to
Full Admin rights, and the user is an Admin for the task at hand. Once the
task has completed that required Full Admin rights as Admin, the Admin is
locked down to *Standard* user again.

So, yes what you're talking about with both accounts are *Standard* users is
correct.

That's what I have been telling you, and that is what those links I gave you
are telling you.