Check Your Privilege on Windows 10

Just like the jinni in Aladdin, the default home user on Windows 10 has ultimate cosmic power.  I’ve been thinking about that in relation to ransomware and, frankly, any unwanted software.  Linux devices have a superuser, known as root, that is separate from the user accounts.  If you’re in a law firm, your IT may have taken care of this for you but home users can still take the same step.

I decided to reduce my own privileges and create a superuser administrator account on my Windows 10 to make it harder for unwanted software to install or do anything else on my PC.

User Account Settings

You should already have set Windows 10 to prompt you whenever you do something that (a) installs software and (b) makes changes to your system.  These prompts can become really irritating.  So it may be that you used to get prompted but now you don’t because you figured out how to turn the prompts off.  It’s worth the extra hassle (like using a password manager), especially if you (a) have private or confidential information on your machine or (b) can’t afford the downtime or lost business if all of your information is destroyed.

You can tweak these settings – I recommend setting them to their maximum – in the Control Panel.  Unfortunately, Windows 10 has two ways of configuring settings.  Settings, which you can access under the Windows Key, and Control Panel, which you probably can’t.  To get to the Control Panel, the easiest way I’ve found is to hit the Windows Key and click X.  A menu will pop up and you can select Control Panel.  Go to System and Security > Security and Maintenance > Change User Account Control settings.

Make sure your Windows 10 user account settings are the most secure.

The least intrusive is the lowest setting; you should set the slider HIGHER than that.  But I still didn’t like the idea that any piece of software I was using could do things behind the scenes without me being aware.  And because I was already using the software, it could take advantage of my elevated privileges.  That whole “ultimate cosmic power” issue.

Create a Dedicated Administrator User

Windows 10 makes it difficult to add a user that doesn’t have a Microsoft Office 365 or Live account.  But it does have an option for local accounts, so that’s what I created.  For this, I initially went to the Control Panel again but I didn’t see anything there to add a new user.  It appears to be ONLY under the Settings configuration app, although I could be wrong.

Click your Windows key and click the small gear or type SETTINGS to open the app.  Then select Accounts (the 5th icon).  You should now see a list of options, including one of either Family & Other people or just Other people.  What you see here depends on what version of Windows 10 you have.

A list of people who have access to this computer will be here.  There may not be any entries, so click on the grey square with a plus in it that says Add Someone Else to This PC.  The first screen asks for an e-mail, but a local account doesn’t need one.  Click the link for I don’t have this person’s sign-in information.  Then click Next.

The next screen will look almost identical.  It will ask you for an e-mail address that does not come from a Microsoft service.  But this time, at the bottom, click the link at the bottom that says Add a user without a Microsoft account.  Click NEXT and you’ll be at the account creation screen.

This is where you create the administrator account.  Give it a username that is different from your own account.  I used Root but Admin or something would be fine.

The password you put in here is probably one you want to remember – and I don’t mean that sardonically – but rather because you’re going to be asked to put it in regularly and so it should be something you don’t necessarily keep in your password manager.   For me, that meant using a numerical password that I don’t think is as strong as the passwords I use online, but since someone would need physical access to my PC to use the account, I’m balancing my password in favor of being able to remember it.

On Windows 10, you can create either a standard or administrator account.  Make your new account an administrator.  Then sign out of your personal account and log in to your new, administrator account.  Windows 10 has hidden the logout option, but if you hit the Windows key and X again, you’ll see, at the bottom, options to shutdown OR sign out.  So sign out.

Now, just log in to your new administrator account.  It will take 5 minutes or so for Windows to set up the account.  You’re going to change your ORIGINAL, personal account into a standard one.  You can actually do this from the Control Panel in either your own account or in your new, administrator account since both of them are administrators.

But – and I didn’t test this first – Windows is sometimes odd, and I was reluctant to reduce my personal account rights until I’d confirmed that the new account worked and had elevated privileges.  It would be terrible to make the change without logging in as the new user, and then finding out for some reason you can’t.

In any event, you’ll go to the Control Panel, and select User Accounts.  Look for the link to Manage Another Account.  If you are in your administrator account (which you should be if you’ve been following this far), see your personal account and your new account.  Click on your personal account, select Change the Account Type and toggle from Administrator to Standard.

That’s it.  When you log out and back in as yourself, everything will look the same.  But some of the settings menus will be slightly different and, when you attempt to do something that requires administrator privileges, you’ll get a different prompt.  Instead of just being offered a YES or NO option, you’ll be asked to put in a password for your computer’s administrator account.

This will slow you down.  Not only will it slow you down when you are in your operating system, but you will no longer be able to just automatically log in when your computer starts up in the morning.  It may be counter-intuitive, but this loss of productivity is exactly the sort of thing that can make you think twice before installing new software or clicking a YES button without being completely sure what is being installed or what other things are happening.

At least I know that, if my operating system requires me to have elevated privileges, it will set the same limitations on other activities that I might not execute myself.  It’s not 100% foolproof but it makes me feel that I’ve made it a bit harder.

David Whelan

I improve information access and lead information teams. My books on finding information and managing it and practicing law using cloud computing reflect my interest in information management, technology, law practice, and legal research. I've been a library director in Canada and the US, as well as directing the American Bar Association's Legal Technology Resource Center. I speak and write frequently on information, technology, law library, and law practice issues.