Recommended way to handle different user accounts

[hgj44d]

When I freshly install Windows 11 the created user account will be by default an administrator account. Using this account for everyday use is considered as bad for security reasons. If I understand correctly, the recommended way by most resources I found is to have 2 accounts:

1. User account for everyday use with standard user rights
2. Admin account for admin tasks, like executing your Harden Windows Security scripts

Could you @HotCakeX please ellaborate how exactly you recommend creating and using accounts, especially im combiantion with your scripts?

Some open questions I have in my mind:

• When I freshly install Windows do I use the by default created user account as my future admin account? Or do I change the account to a standard user and use the built-in and hidden Administrator account as my admin account? Or should I create a new admin account?
• Are there some best practices about the admin account? Like disabling or not using certain features etc.?
• Do I execute your scripts with an admin account and then creating a standard user account? Or do I have to create the standard user account first? Or doesn't it matter?

[HotCakeX]

Hi @hgj44d

Thanks for bringing this up, it's something that's been on my mind for a while too. I did some research about this topic after you posted it and here are the findings.

The best approach is the official one, so during OS installation, sign in using your MSA, log into Windows, set up everything and run the Harden Windows Security Module.

There is no difference in privileges between the built-in Administrator account and the Administrator account that you create first during Windows clean installation. The only difference is the lack of UAC prompts (by default) for built-in Administrator account, but when you run the PowerShell hardening script, it will activate the UAC prompts for the built-in Administrator account too.

Using built-in Administrator account is not recommended due to security reasons explained here.

In conclusion:

• If you want to use an Administrator account for day-to-day usage, then it's better to use the regular Administrator account that Windows creates first during OS installation.

• If you want to use a Standard account for day-to-day usage (as best practices suggest), then create another user account with Standard privileges and only switch to administrator account when you need to do administrative tasks.

Do I execute your scripts with an admin account and then creating a standard user account? Or do I have to create the standard user account first? Or doesn't it matter?

The script/module needs administrator privileges for 95% of the security measures to be applied, so run it once with an Admin account and then run it again, without administrator privileges, in Standard account(s). The order doesn't really matter but naturally you first have an Admin account and then a Standard account.

Related official resources:

• https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/enable-and-disable-the-built-in-administrator-account?view=windows-11
• https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
• https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file
• https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd

[hgj44d]

Fantastic answer! Really appreciate it. Thank you 👍

[lasofeli]

Sorry for commenting on an old thread, but I had a question that's related to this.

You mention in your guide that one's better off not using local administrator accounts. Windows though does not allow you to use the same Microsoft account more than once when making accounts on a computer.

It seems to me that if I want to use my MS account for day-to-day use, then I would need to have two of them: one for admin tasks and one for personal use. This solution though seems clunky to me. What do you think?

[HotCakeX]

Hi,
Yes, that's true,
It's far from perfect but work is being done towards a fundamental solution. Please see this talk from David Weston (VP of OS security and Enterprise at MSFT): https://youtu.be/8T6ClX-y2AE?si=Gl-XPULYCd2Is69L&t=1295

Until those changes become available to us, we have different options. You can use 2 MSA and connect them to an Admin and a Standard account. You can use one Admin connected to MSA and one local Standard account. You can carefully use Admin account for everything or you can use a mix of Windows Sandboxes and Hyper-V VMs for different sets of programs/tasks. They provide the best isolation and security.

I personally do that, both on super old hardware and modern non-gaming laptop. it's totally doable.