Whether you're setting up a computer for your family to use at home or to be used in a business, it's prudent to set it up securely. Doing so helps to protect each user's data from inadvertent deletions and changes as well as malicious damage and theft. When you set up your computer, consider these suggestions:
• Control who can log on. Create accounts only for users who need to use your computer's resources, either by logging on locally or over a network. Delete or disable other accounts (except the built-in accounts created by Windows).
• Change all user accounts except one to standard accounts. You'll need one administrative account for installing programs, creating and managing accounts, and so on. All other accounts—including your own everyday account—can run with standard privileges. If you are the de facto administrator for a computer, we recommend that you create two accounts for yourself: a standard account that you normally use for logging on, and an administrator account that you can use for elevation when needed. (You might have noticed that some of this chapter's illustrations show an account named Ricola and another named RicolaAdmin; they are set up as an implementation of this suggestion.)
It's easy to set up accounts this way. If you're working with a freshly installed version of Windows 7 on which you haven't yet installed applications or made personalizations to the single account created during setup, use that account as your administrator account. (If you've already given it your name during setup, you might want to modify the name to indicate that it's your administrative account. See "Changing Account Settings" on page 556 for details.) Create a new standard account to use as your everyday account. (See "Creating a New User Account" on page 554.) Log off, and then log on with your standard account. Whenever Windows requires elevation, it displays the name of your administrator account; enter its password to gain administrator privileges.
Log on with your standard account all the time. Really.
Note that you'll rarely, if ever, need to log on using your administrator account. Instead, when Windows requires elevation while you're logged on with your standard account, you simply enter the password for your administrator account.
Certain programs won't run (or are not fully functional) if you launch them while logged on with a standard account. To get around obstacles like this, don't log off and then log on with your administrator account. In most cases, a better solution is to use the "run as administrator" feature. To do that, right-click the program's shortcut (on the Start menu or in Windows Explorer) and choose Run As Administrator. Alternatively, select the shortcut and press Ctrl+Shift+Enter. Windows then prompts for your administrator password.
A handful of programs won't work, even with this trick. (Device Manager is an example. If you start it from a shortcut in Control Panel while logged on as a standard user, it displays settings but doesn't let you change any settings. And its right-click menu doesn't include a Run As Administrator command.) You can usually run such recalcitrant programs by launching them from an elevated Command Prompt window. That is, run Command Prompt as an administrator (in the Start menu search box, type cmd, press Ctrl+Shift+Enter, and then enter your administrator password) and then enter the program's executable name at the command prompt. (For example, to run Device Manager as an administrator, in an elevated Command Prompt window type devmgmt.msc. Device Manager then runs with full functionality, exactly as if you had logged off and then logged on with your administrator account.)
If you've been using Windows for a while and have already customized the administrator account created during setup as your own, you're better off keeping it as your everyday account. But you can still easily implement this suggested practice. While logged on with your administrator account, create a new administrator account, which will be the account you use when Windows requires elevation. Then change your current account to a standard account. (You must create the new administrator account before you demote your account, because Windows requires the existence of at least one administrator account.) Note that you don't lose your administrator privileges until you log off; the next time you log on with your (now standard) account, all your programs and personalizations remain exactly as before, but you now run with standard privileges.
• Be sure that all accounts are password protected. This is especially important for administrator accounts and for other accounts whose profiles contain important or sensitive documents. You might not want to set a password on your toddler's account, but all other accounts should be protected from the possibility that the tyke (or your cat) will accidentally click the wrong name on the Welcome screen.
• Restrict logon times. You might want to limit the computing hours for some users. The easiest way for home users to do this is with Parental Controls; for details, see "Restricting Logon Hours" on page 579.
• Restrict access to certain files. You'll want to be sure that some files are available to all users, whereas other files are available only to the person who created them. The Public folder and a user's personal folders provide a general framework for this protection. You can further refine your file protection scheme by selectively applying permissions to varying combinations of files, folders, and users.
• Turn on the Guest account only when necessary. You might occasionally have a visitor who needs to use your computer. Rather than logging on with your own account and exposing all your own files and settings to the visitor, turn on the Guest account in such situations.
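To check an existing computer against several of these suggestions at once (a single administrator account, password protection on every account, Guest turned off), the following read-only PowerShell audit can be used. It is an added example, not part of the original chapter; it assumes Windows PowerShell 2.0 or later and looks only at local accounts, so a domain account that shares a local account's name can be misreported.

```powershell
# Added example: audit local accounts against the suggestions above.
# Read-only. Uses WMI and ADSI so it also runs on PowerShell 2.0 (Windows 7).

# Resolve the Administrators group by its well-known SID, because the
# group's display name is localized on non-English systems.
$adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

# Enumerate the group's members through the WinNT ADSI provider.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name),group"
$adminNames = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"

$report = foreach ($a in $accounts) {
    $findings = @()
    if (-not $a.Disabled) {
        # PasswordRequired = False means a blank password is permitted,
        # not that the current password is necessarily blank.
        if (-not $a.PasswordRequired) { $findings += 'password not required' }
        # The built-in Guest account always has the relative ID 501.
        if ($a.SID -like 'S-1-5-21-*-501') { $findings += 'Guest account is turned on' }
    }
    New-Object PSObject -Property @{
        Name          = $a.Name
        Enabled       = -not $a.Disabled
        Administrator = ($adminNames -contains $a.Name)
        Findings      = ($findings -join '; ')
    }
}

$report | Sort-Object Name |
    Format-Table Name, Enabled, Administrator, Findings -AutoSize

# The suggestion is one administrator account; flag any extras that can log on.
$enabledAdmins = @($report | Where-Object { $_.Enabled -and $_.Administrator })
if ($enabledAdmins.Count -gt 1) {
    $names = ($enabledAdmins | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("{0} enabled administrator accounts: {1}" -f $enabledAdmins.Count, $names)
}
```

On a computer set up as described, the only enabled administrator in the table is the dedicated elevation account (RicolaAdmin in this chapter's illustrations), and the Findings column is empty.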