Home Computers and Administrative Accounts
February 24, 20201


Dear Colleagues,

Over the past year, the transition of millions of people to a remote workforce has encouraged bad actors to escalate phishing, business email compromise, and ransomware attacks. With this in mind, IITS would like to remind you to follow best practices for working securely while working remotely, and to draw your attention to the importance of logging on to home computers with a Standard User account rather than one with Administrative privileges.

Through no fault of their own, the majority of home users continue to log on to their home computers using the default Administrative account that was created when they signed on to their new computer for the first time. That is because vendors neglect to inform home users of the dangers of using privileged accounts for day-to-day activities, and do not encourage users to change account types.

Logging on with an Administrative account for everyday tasks is inherently risky because it exposes the computer to compromise through drive-by downloads (malicious code that a website downloads to the computer with or without the user’s knowledge). When executed, malicious email attachments and malware from compromised websites run with those same privileges and use them to install nefarious software that can:

  • Capture keystrokes, screenshots, and clipboard contents.
  • Steal passwords and personal information.
  • Encrypt and hold your data ransom.

To limit your exposure to these types of attacks, your home computer should consist of two separate account types: one local Administrative account, and one or more Standard User accounts.

  1. Administrative accounts have complete control over a system to allow system-level configuration and application installation. Ideally, administrative passwords should be different on every home computer; otherwise, if one computer is compromised, the same account can be used to compromise others.
  2. Standard User accounts are restricted to protect day-to-day activities like using applications, browsing the internet, and reading email. When global settings and applications need to be changed or installed, users simply enter administrative credentials into a secured prompt.

If you are already using two separate accounts as described above, then you have already taken a major step toward protecting your home computer and network. The following instructions are for those who are still using the original, default account that possesses administrative privileges.

Before you continue, please make sure that:

  1. Your computer and software are up to date with the latest patches; otherwise, your computer may be missing important security fixes that put it at further risk of being exploited.
  2. Every account follows password and passphrase best practices, including a unique password/passphrase for each account.

Windows 10

Create a new Administrator account

  1. Select Start > Settings > Accounts, then select Family & other users (older editions may display Other users).
  2. Select Add someone else to this PC.
  3. Select I don’t have this person’s sign-in information, and on the next page, select Add a user without a Microsoft account.
  4. Enter a user name, password, password hint, or choose security questions, and then select Next.
  5. Verify that the new account type is an Administrator.

You may also watch a short video from Microsoft on creating accounts.

Convert your day-to-day account from Administrator to Standard User

  1. Select Start > Settings > Accounts, and then, under Family & other users, select the account owner name, then select Change account type.
  2. Under Account type, select Standard User, and then select OK.
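The same two Windows 10 steps can be carried out, and verified, from an elevated PowerShell prompt. The script below is an added example and is not part of the original advisory: it first reports which local accounts hold administrative rights, and only with the -Apply switch creates the dedicated Administrator account and demotes the day-to-day account. The account name HomeAdmin and the -Apply switch are placeholders/assumptions; it assumes the day-to-day account is a local (not Microsoft) account.

```powershell
# Added example (not from the original advisory). Run from an elevated prompt.
param(
    [string]$DailyAccount = $env:USERNAME,   # account you sign in with every day
    [string]$NewAdminName = 'HomeAdmin',     # placeholder name for the new admin account
    [switch]$Apply                           # without -Apply, only report
)

# Is this session itself running with administrative privileges?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current session elevated: $elevated"

# List every local user account that currently holds administrative rights.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' }
Write-Host "Local accounts in Administrators:"
$admins | ForEach-Object { Write-Host "  $($_.Name)" }

# Local members are reported as COMPUTERNAME\user (assumes a local account).
$dailyIsAdmin = $admins.Name -contains "$env:COMPUTERNAME\$DailyAccount"
Write-Host "Day-to-day account '$DailyAccount' is an Administrator: $dailyIsAdmin"

if (-not $Apply) { return }
if (-not $elevated) { throw 'Re-run from an elevated prompt to make changes.' }

# Step 1: create the dedicated Administrator account with its own unique password.
if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for new account $NewAdminName"
    New-LocalUser -Name $NewAdminName -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
}

# Step 2: demote the day-to-day account to Standard User (member of Users only).
# The new admin account already exists, so Administrators keeps at least one member.
if ($dailyIsAdmin) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyAccount
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $DailyAccount -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $DailyAccount
    }
}
Write-Host "Done. Sign out and back in as '$DailyAccount' for the change to take effect."
```

Running it without -Apply is a safe way to confirm, after following the steps above, that the day-to-day account is no longer listed in Administrators.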

macOS

Create a new Administrator account

  1. On your Mac, choose Apple menu > System Preferences, then click Users & Groups. If the Lock button at the bottom left is locked, click it and enter administrative credentials to make changes.
  2. Click the Add button below the list of users.
  3. Click the New Account pop-up menu, then choose Administrator.
  4. Enter a user name, password, password hint, and click Create User.
  5. Select the Allow user to administer this computer option.
  6. Then click on the Lock button again to save and lock the changes.

Convert your day-to-day account from Administrator to Standard User

  1. On your Mac, choose Apple menu > System Preferences, then click Users & Groups. If the Lock button at the bottom left is locked, click it and enter administrative credentials to make changes.
  2. Click on the account to demote, and un-select Allow user to administer this computer.
  3. Then click on the Lock button again to save and lock the changes.


In summary, to limit your exposure to attacks that take advantage of accounts using administrative privileges, home computers should contain two different account types:

  1. One or more Standard User accounts for day-to-day activities like browsing the internet, reading email, or playing games, and
  2. One Administrator account that is only used to enter credentials into a secured prompt to manage global changes and install applications.


If you have any questions regarding this advisory, please feel free to email the Office of Information Security.