Practicing Least Privileged Usage on Windows at Home
So I rebuilt my computer about 4 months ago and I run Windows 10 for my primary desktop. When I did that I decided to also implement some security best practices. Namely not always running as an account with admin permissions. Here is my summary of that experience.
Configuration and Setup
Immediately after rebuilding I created a second account with standard user privileges, this is the primary account I planned to run. Installing most applications wasn’t to difficult it would just prompt for the admin password, which really it should be doing anytime you escalate privileges. Most programs upon install would ask for admin rights a few I can’t remember I had to right-click and “run as admin”. Then there were a number that I didn’t realize just install into my local user profile and didn’t require any prompts. Things like Discord, or Atom. There was also one application that I had to reinstall multiple times until I logged into my admin account and installed it from there. Not sure why I had that problem, I had tried all the above running, running it elevated didn’t care, just wanted an admin account for some reason. It would run the first time and then the next time I’d go to run it and Windows could not find the application anywhere on my computer.]
Day-to-day living as a non-admin user
There really isn’t much to say here, after initial setup apart from the one hiccup of a single application not wanting to work, I don’t really notice that I am not running as an admin. With actually one exception. Not being able to open computer manager or disk manager on Windows was a bit annoying. I am frequently building bootable flash drives for one reason or another and verifying which disk number I was working with was a bit of a pain. But I found a workaround, run a command prompt as admin, put in your password, then run compmgmt.msc
granted I had to google the command line the first few times, but at this point it rarely slows me down as I am jumping into an admin command prompt for any sort of disk work anyways. IE diskpart
Conclusion
While it took a little bit of initial effort to get everything setup, I think I prefer working this way. It gives me a little bit of peace of mind, knowing that I won’t pwn myself with my hak5 gadgets, like the bash bunny or the rubber ducky. Also that I am living like I teach and making sure that I am as secure as possible.