We recently reported about a proof-of-concept attack that could bypass a Windows system's User Account Control (UAC) and modify a PC without a trace.
UAC is an important Windows safeguard that prevents programs and processes from making unauthorized changes to your computer without approval from an administrator.
But did you know that aside from your regular administrator account, there's a hidden "elevated" administrator account that is automatically created when Windows 10 is installed? This elevated admin account can run programs and commands with full administrator rights at all times, totally bypassing the UAC prompt boxes.
Windows typically uses this account for internal system-wide changes such as upgrading a Windows 7 PC to Windows 10. This enables the installer to do its thing automatically without requiring approval from UAC prompts. Once the system is updated, this elevated admin account returns to its hidden state and is disabled.
This built-in "super" administrator account is hidden for obvious security reasons. Since it could run everything without restrictions, it could make system changes unhindered, without alerting a user with UAC prompts.
Although there are ways to enable this super admin account, it is not advisable.
It may sound convenient, but it is actually a big security risk. Malware typically runs with the same rights as the account that is logged in, so using a permanently elevated account can be disastrous. This built-in super admin account should remain hidden and disabled unless you are troubleshooting your PC and have a pretty good idea of what you're doing.
The best practice is to leave the hidden account alone and just create a secondary admin account, aside from your main administrator account, for emergency purposes.
Also, if you have multiple users on the same PC, on a family computer for example, create an individual Standard User account for each person. The idea is to limit the number of administrator accounts that can log into the computer: one main administrator account and a backup administrator for emergencies should be enough.
If you are the administrator of the computer, it is even recommended that you create a Standard User account for yourself and use it for your everyday computing tasks. Using a standard account instead of your admin account will lessen the chances of malware taking a hold of your computer if you ever get hit while logged in.
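The following PowerShell script is an added example, not code from the original article. It performs the check a practitioner would want after reading the advice above: confirm that the built-in Administrator account (the one whose SID always ends in "-500", whatever it has been renamed to) is still disabled, and count how many enabled local accounts sit in the Administrators group. It uses only the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10 and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit local accounts on Windows 10
# and check that the built-in Administrator account is still disabled.
# Requires the Microsoft.PowerShell.LocalAccounts module (included with Windows 10)
# and an elevated PowerShell session.

# The built-in Administrator account always has a SID ending in "-500",
# regardless of what it has been renamed to, so match on the SID, not the name.
$builtInAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

if ($builtInAdmin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtInAdmin.Name)' is ENABLED. Disable it unless you are actively troubleshooting."
} else {
    Write-Output "Built-in Administrator '$($builtInAdmin.Name)' is disabled (expected)."
}

# List every enabled local user account that is a member of the Administrators group.
# The article's guidance: one main admin plus one backup admin should be enough.
$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

$enabledAdmins = foreach ($m in $adminMembers) {
    $u = Get-LocalUser -SID $m.SID
    if ($u.Enabled) { $u }
}

Write-Output "Enabled local administrator accounts: $($enabledAdmins.Count)"
$enabledAdmins | Select-Object Name, LastLogon, PasswordLastSet | Format-Table -AutoSize

if ($enabledAdmins.Count -gt 2) {
    Write-Warning "More than two enabled admin accounts; consider converting the extra ones to Standard Users."
}

# If the built-in account was found enabled and you are done troubleshooting:
# Disable-LocalUser -SID $builtInAdmin.SID
```

Matching on the SID rather than the name matters because renaming the built-in Administrator account is a common hardening step, and a name-based check would then miss it.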
Creating a local Standard User account
Here are the steps for creating Standard User accounts in Windows 10:
- Under your Administrator account, go to Settings either by clicking Settings on the Start Menu or by typing "Settings" in the search bar. You can also use the keyboard shortcut Windows key + I.
- Click on "Accounts."
- Select "Family & other users."
- You have two options: you can either sign in with a Microsoft account or create an "Other users" account. Signing in with a Microsoft account provides more options, like designating a family member as an Adult or Child. "Other users" lets you create a local account instead.
- Since we are creating a local standard user account, click on "Add someone else to this PC" under "Other users."
- You could provide an email address or phone number on the next page. For a local account, just choose "I don't have this person's sign-in information."
- The next window is optional too. You can skip the Microsoft account creation for now. Just click on "Add a user without a Microsoft account."
- Next, assign a user name, then create a password and a password hint, click Next, and you are done. Note that the new user is automatically set as a Standard User.
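The same result can be reached from an elevated PowerShell session. The script below is an added example, not code from the original article; the user name and description are placeholders. One detail the Settings app hides: New-LocalUser creates an account that belongs to no group at all, so the script explicitly adds it to the Users group, which is what makes it a Standard User, and then verifies that it is not in Administrators.

```powershell
# Added example (not from the original article): create a local Standard User
# account from an elevated PowerShell session, equivalent to the Settings steps above.
# The user name and description are placeholders; choose your own.

$userName = 'FamilyMember'   # placeholder name

# Prompt for the password interactively so it never appears in the script or in history.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString

# Create the local account. New-LocalUser does not put the account in any group,
# so the next line adds it to 'Users', which is what makes it a Standard User.
New-LocalUser -Name $userName -Password $password -Description 'Standard (non-admin) account' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $userName

# Verify: the account exists, is enabled, and is NOT a member of Administrators.
$account = Get-LocalUser -Name $userName
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -eq $account.SID.Value })

if ($account.Enabled -and -not $isAdmin) {
    Write-Output "'$userName' created as a Standard User."
} else {
    Write-Warning "'$userName' is in the Administrators group or is disabled; check its group membership."
}

# To demote an existing administrator account to a Standard User (for example the
# account you use every day, as the article recommends):
# Remove-LocalGroupMember -Group 'Administrators' -Member 'YourName'
# Add-LocalGroupMember    -Group 'Users' -Member 'YourName'
```

PowerShell cannot set the password hint that the Settings wizard asks for, so keep the hint somewhere safe if you need one.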
Hopefully, these tips will create a safer Windows 10 experience for you and your family.