mechBgon's guide to building your first PC from parts   : )


Terminology for different versions of Windows

Windows 2000, Windows XP and Windows Vista have two main categories of user accounts. One is the "Administrator" type of account, which has unlimited power over the computer. The other type is called a "Restricted User" account on Windows 2000, a "Limited" account on Windows XP, and a "Standard" account on Windows Vista. The key concept is the same; it's a type of user account that's safer to use.

Microsoft's site with additional information on Vista user accounts

For the sake of simplicity, I will refer to Limited, Standard and Restricted User accounts as "non-Administrator accounts" for the rest of this page.


What are non-Administrator accounts? These types of user accounts don't have unlimited power over the computer. No one can shoot you with your own handgun if it has no ammunition, and likewise a non-Administrator account's inherent lack of power makes it MUCH more secure against viruses and spyware than using a Computer Administrator account. When Windows is installed, it makes you an Administrator to begin with, but you can change that if you want.

What about older versions of Windows, like Windows Millennium Edition (WinME) or Windows 98? Windows ME and Windows 98 do not have this sort of account available. If you're reading this, you're evidently interested in keeping your computer secure, so my advice is to abandon WinME and Win98 or at least keep them isolated from networks or the Internet. The world has changed, friends.

The user accounts on my Windows XP home computer. As you can see, I have one Administrator account and two Limited accounts.

Which type of user account am I using now? Administrator, or non-Administrator? If you don't know which type you're using, then you're almost certainly using an Administrator account, because that's how Windows sets you up by default. It's up to you to change your account to a non-Administrator account if you want to.

How much does a non-Administrator account improve my computer's security? A great deal by itself, and it also protects your other security measures (antivirus, firewall, automatic updates) against tampering. On Windows Vista, the use of Administrator accounts is safer than on Windows XP/2000, as long as you don't disable User Account Control, but you might as well do the job right and use a Standard account.

Non-Administrator accounts also help keep kids, roommates, siblings, and visitors from messing up your computer or getting into your stuff. I set up my home computer with a separate non-Administrator account named visitors. My other accounts are password-protected, so visitors is the only account that visitors can get into at the Welcome screen.

If I try a non-Administrator account and I don't like it, can I undo it? Yes, it's easy to switch back and forth.


How to change to a non-Administrator account

There always needs to be at least one Computer Administrator account. So if you've been using the computer's only Computer Administrator account as your regular "daily driver" account, you'll need to make a new Administrator account before you can switch your own account to a non-Administrator account. The following directions are for Windows XP, but Vista is similar.

  1. In Control Panel, open User Accounts, click Create a new account and make a new account (I named mine superuser). Let it remain a Computer Administrator account.

    Now that you've got this new Administrator account, you have the option to set your account to a non-Administrator account ("Limited," in this case).


  2. Click Start > Log Off and log off. You should now see a Welcome screen showing the new Administrator account, as well as your regular account. Log into your new Administrator account.


  3. Go to User Accounts and click on your usual account:

    superuser is my new Administrator account. user is the account I've been using, which I want to change from Computer Administrator to Limited.


  4. Click Change the account type:

    Above: I click Change the account type for my regular account, so I can change it to Limited.


  5. Change the account to a non-Administrator account (Limited), as shown in the picture below. If I want to reverse the change, I log into my Administrator account and simply change this account back to a Computer Administrator again.

    Now my account is a Limited account (below).


You're done! : ) The key idea is to only use your Administrator account when you actually need Administrator-level powers, such as when adding new hardware & software. For instant messaging, email, Web browsing and other daily computer use, use your non-Administrator account.
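The same switch can also be made from a command prompt with the built-in net commands. The batch script below is an added example, not part of the original guide; it assumes an English-language Windows (local groups named Administrators and Users), account names without spaces, and a command prompt that already has Administrator rights. The script name and its two arguments are illustrative.

```batch
@echo off
rem Added example, not from the original guide. Run it from a command prompt
rem that has Administrator rights. Assumes English group names and account
rem names without spaces. Usage: demote.cmd daily-account new-admin-account
setlocal
set "TARGET=%~1"
set "NEWADMIN=%~2"
if "%TARGET%"=="" goto usage
if "%NEWADMIN%"=="" goto usage
if /i "%TARGET%"=="%NEWADMIN%" goto usage

rem Step 1: create the spare Administrator account if it is missing.
rem "*" makes net user prompt for the password instead of echoing it.
net user "%NEWADMIN%" >nul 2>&1
if errorlevel 1 (
    net user "%NEWADMIN%" * /add || goto fail
)
call :ismember Administrators "%NEWADMIN%"
if errorlevel 1 (
    net localgroup Administrators "%NEWADMIN%" /add || goto fail
)
rem Guard: there must always be another Administrator before demoting.
call :ismember Administrators "%NEWADMIN%"
if errorlevel 1 goto fail

rem Steps 3-5: keep the daily account in Users, drop it from Administrators.
call :ismember Users "%TARGET%"
if errorlevel 1 (
    net localgroup Users "%TARGET%" /add || goto fail
)
call :ismember Administrators "%TARGET%"
if not errorlevel 1 (
    net localgroup Administrators "%TARGET%" /delete || goto fail
)
echo %TARGET% is now a non-Administrator account. Log off and on to apply.
exit /b 0

:ismember
rem Exit code 0 if account %2 is listed in local group %1, otherwise 1.
for /f "tokens=1" %%m in ('net localgroup %1 2^>nul') do (
    if /i "%%m"=="%~2" exit /b 0
)
exit /b 1

:usage
echo Usage: %~nx0 daily-account new-admin-account
exit /b 2
:fail
echo Stopped before demoting %TARGET%. Are you running as an Administrator?
exit /b 1
```

To reverse the change, run `net localgroup Administrators daily-account /add` from the Administrator account.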

If you have Windows XP Professional Edition, or Vista Business or Ultimate Editions, take another two minutes and follow my easy Software Restriction Policy instructions too. To see what version of Windows you have, just click Start > Run, type winver in the box and click OK.


So if this is so effective, why don't more people do it? There's GOT to be a catch. Some software doesn't work correctly when you run it from a non-Administrator account. If you have problems, try my tips on this page. Windows Vista is specifically designed to handle this stuff better, so there's another reason to choose Windows Vista if you're building a PC.

Split personality! Note that you can log onto multiple accounts at the same time. Click Start > Log Off and choose Switch User, and you can log onto another account without logging out of the first one. If you're not accustomed to running more than one account, it will help to remember that each account has its own folder in C:\Documents and Settings, containing each account's own My Documents, Desktop, Favorites and so forth.

