KC_78
asked on
Best practice for using Windows XP Pro as a single user at home with DSL
I recently formatted my computer and installed Windows XP Pro. I'm the only one using it at home. It defaults to the out-of-the-box Administrator account, which is fine. However, my question is, should I be using this account? I already went ahead and installed all my programs using that account, even my Pocket PC.
Then I decide to create just a regular user account, and when I did, it creates another Administrator account, no choice. So, what's the deal? Now when I log in, it logs me automatically into the "new" administrator account. When I do GPEDIT.MSC, it shows 2 Administrator accounts.
I just don't quite get how the My Documents and Settings folder and the policy structure is. Basically I am just a single user at home that happened to have XP pro when I bought the machine and I don't want to drill and drill down the folders till I get to where everything defaults to My Documents.
And basically, it's also a security issue i.e. hackers, viruses etc.... I've heard so many opinions from co-workers and stuff, but I really don't think they know what they are talking about (and these are IS people!!) How safe is it to use the out of the box Administrator account as the everyday user account? Should I even have created a new user that got me the other administrator account? What are the best practices?
Should all programs be installed using the hidden administrator account or the created administrator account? Should I do everyday work in an administrator account, and if so, which? If I created another user and called it "Kenny" as a Power User, isn't that like administrator privilidge? Then regular User account would be too limited. I just want to do everything up front so that when I log in, it will just be me and I don't have to go finding profiles of software that were installed in different accounts etc...... for example my pocket pc.
I'm so confused..... please help.
Then I decide to create just a regular user account, and when I did, it creates another Administrator account, no choice. So, what's the deal? Now when I log in, it logs me automatically into the "new" administrator account. When I do GPEDIT.MSC, it shows 2 Administrator accounts.
I just don't quite get how the My Documents and Settings folder and the policy structure is. Basically I am just a single user at home that happened to have XP pro when I bought the machine and I don't want to drill and drill down the folders till I get to where everything defaults to My Documents.
And basically, it's also a security issue i.e. hackers, viruses etc.... I've heard so many opinions from co-workers and stuff, but I really don't think they know what they are talking about (and these are IS people!!) How safe is it to use the out of the box Administrator account as the everyday user account? Should I even have created a new user that got me the other administrator account? What are the best practices?
Should all programs be installed using the hidden administrator account or the created administrator account? Should I do everyday work in an administrator account, and if so, which? If I created another user and called it "Kenny" as a Power User, isn't that like administrator privilidge? Then regular User account would be too limited. I just want to do everything up front so that when I log in, it will just be me and I don't have to go finding profiles of software that were installed in different accounts etc...... for example my pocket pc.
I'm so confused..... please help.
Never operate as ADMIN or a user with admin rights- use "runas" to elevate your priveldges when you need to install (highlight an icon- hold shift, and right-click- you'll see runas...) it also has cmd line
I recommend User, power-user is just below admin, but not by much. First, and formost- get AV, mcafee is my choice. Second, turn on XP's firewall, it is decent, and does a pretty good job of keeping your pc from attracting attention- go to GRC.com and do a before and after firewall comparison https://grc.com/x/ne.dll?bh0bkyd2
http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
Turn off a few services... you say you don't need to connect to other windows boxes? Then stop the Server service, then disable it. Do the same with "Remote registry" and "messenger". Run windows update as soon as you can, get patched.
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp (same with the other two) You'll need the Server service if you plan to share a folder on the internet (not recommended- no matter what) or you need to connect to a windows domain, or windows server.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_whynot_admin.asp
http://www.microsoft.com/downloads/details.aspx?FamilyID=2d3e25bc-f434-4cc6-a5a7-09a8a229f118&displaylang=en
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_runas.asp
The my doc's question has been taken care of above. Security is a Process, not a Program- as annoying as running RunAs is... it is a best practice- Unix has been doing this from the begining- that's why they own M$ in the security arena. RunAs is the same as Sudo for linux/unix. GRC.COM also has some good tips and porgrams to help keep you safe.
remember, anti-virus, number one rule with M$- make the AV companies money...
GL!
-rich
I recommend User, power-user is just below admin, but not by much. First, and formost- get AV, mcafee is my choice. Second, turn on XP's firewall, it is decent, and does a pretty good job of keeping your pc from attracting attention- go to GRC.com and do a before and after firewall comparison https://grc.com/x/ne.dll?bh0bkyd2
http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
Turn off a few services... you say you don't need to connect to other windows boxes? Then stop the Server service, then disable it. Do the same with "Remote registry" and "messenger". Run windows update as soon as you can, get patched.
http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp (same with the other two) You'll need the Server service if you plan to share a folder on the internet (not recommended- no matter what) or you need to connect to a windows domain, or windows server.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_whynot_admin.asp
http://www.microsoft.com/downloads/details.aspx?FamilyID=2d3e25bc-f434-4cc6-a5a7-09a8a229f118&displaylang=en
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_runas.asp
The my doc's question has been taken care of above. Security is a Process, not a Program- as annoying as running RunAs is... it is a best practice- Unix has been doing this from the begining- that's why they own M$ in the security arena. RunAs is the same as Sudo for linux/unix. GRC.COM also has some good tips and porgrams to help keep you safe.
remember, anti-virus, number one rule with M$- make the AV companies money...
GL!
-rich
As a alternative to McAffe i will reccomend Trendmicros products.. (sorry richrumble ;-) ) Dont purchase NORTON.. its only trouble!!!
As for a firewall i recomend www.zonealarm.com, I think its better than the built in XP firewall, and its free and extremely easy to set up.. (it aslo have some features that the built in does not have)
As for a firewall i recomend www.zonealarm.com, I think its better than the built in XP firewall, and its free and extremely easy to set up.. (it aslo have some features that the built in does not have)
ASKER
Guys, you are great, I would accept the answers, but there are still some issues....... when I'm on my computer, I multitask. I work (job stuff), I tweak around if I found something out, I install, I do everything. I am the only person using the computer. I tried to follow those links that you guys gave me, but especially the microsoft guidlines, they seem like they are targeted for families. Like no one touches the administrator account, but make one limited for the wife, the kids etc....... But for me, I'm just a single boring Chemical Engineer who is trying to learn some stuff from the internet because people at work are too cheap to pay for training and I get all these expectations from them. (I'm sorry, I'm just venting)
But when I use user or poweruser, it seems almost impossible to work and at the same time use the internet to find answerse.....with all the restrictions.
Also, maybe I wrote the question too hastily. However, the issues about viruses and trojans and firewalls did help alot. I just put in another post and it is similar, but its more to do with the structure of how Windows reacts when you install stuff. PLease take a read and maybe it'll be clearer as to what I am actually trying to ask........ (I don't explain stuff very well......) THANKS
But when I use user or poweruser, it seems almost impossible to work and at the same time use the internet to find answerse.....with all the restrictions.
Also, maybe I wrote the question too hastily. However, the issues about viruses and trojans and firewalls did help alot. I just put in another post and it is similar, but its more to do with the structure of how Windows reacts when you install stuff. PLease take a read and maybe it'll be clearer as to what I am actually trying to ask........ (I don't explain stuff very well......) THANKS
ASKER
Opps, I'm sorry the post that I wrote again is in the Windows XP category and it's title is " In which account should I be initially installing software with a clean system?"
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Rich for your patience with me. I apologize if I came across as stubborn. I finally figured out what was going on. I'm actually in the middle of reinstalling WIN XP Pro to try and reproduce the results.
I guess is that this situation is made transparent by M$ to the general public. M$ I think wants its users to use the XP interface and not really the classic interface, because with the classic interface, I think you can actually see more information, that's why I was confused.
What's happening is that when you do a fresh install of Win XP, you're doing it in the Administrator mode, you have to. Then you do the essentials like drivers. When you go create a user next, it wants you to have an account that is both in the administrator account and in the user account. Bear in mind, this is creating a user using the XP interface, not the "control userpasswords2" way. So, in the XP interface, a box shows up for you to name the account. And in the XP interface, there are only 2 choices when you create an account, Administrator and Limited. I think that's where I was confusing you guys because the limited account is grayed out, with a message saying "that at least one account must be in the administrator group".
So, from what I gather, when you turn on your computer with the XP welcome screen, M$ wants the average user to see that little boxy picture thingy with the newly created account and not the original Administrator account. So right after I created the user "John Doe", I went to control userpasswords2, and sure enough, John Doe belonged in both the Administrators and Users group. Something M$ came up with automatically if you create an account using the XP interface. And I think this is probably for reasons, say the new administrator account, called "IS ADMIN" gets full permission to that computer and other people in a company or whatever, at home (the kids) get their own little nice picture and account.
So, FYI to everyone who I confused, there is no 2 administrator accounts. M$ wants you to have at least 2 users in the "Administrators Account GROUP", so that the ORIGINAL Administrator ACCOUNT can be hidden.
So with that said..... foot in the mouth, or in this case no brain filter...... I will close the case. I think I will create another account (Power users group) to function since I'm the only one using the computer and to install apps I'll use the account in the Administrator group.
Thanks for all your help.............KC
I guess is that this situation is made transparent by M$ to the general public. M$ I think wants its users to use the XP interface and not really the classic interface, because with the classic interface, I think you can actually see more information, that's why I was confused.
What's happening is that when you do a fresh install of Win XP, you're doing it in the Administrator mode, you have to. Then you do the essentials like drivers. When you go create a user next, it wants you to have an account that is both in the administrator account and in the user account. Bear in mind, this is creating a user using the XP interface, not the "control userpasswords2" way. So, in the XP interface, a box shows up for you to name the account. And in the XP interface, there are only 2 choices when you create an account, Administrator and Limited. I think that's where I was confusing you guys because the limited account is grayed out, with a message saying "that at least one account must be in the administrator group".
So, from what I gather, when you turn on your computer with the XP welcome screen, M$ wants the average user to see that little boxy picture thingy with the newly created account and not the original Administrator account. So right after I created the user "John Doe", I went to control userpasswords2, and sure enough, John Doe belonged in both the Administrators and Users group. Something M$ came up with automatically if you create an account using the XP interface. And I think this is probably for reasons, say the new administrator account, called "IS ADMIN" gets full permission to that computer and other people in a company or whatever, at home (the kids) get their own little nice picture and account.
So, FYI to everyone who I confused, there is no 2 administrator accounts. M$ wants you to have at least 2 users in the "Administrators Account GROUP", so that the ORIGINAL Administrator ACCOUNT can be hidden.
So with that said..... foot in the mouth, or in this case no brain filter...... I will close the case. I think I will create another account (Power users group) to function since I'm the only one using the computer and to install apps I'll use the account in the Administrator group.
Thanks for all your help.............KC
The two admin issu is strange.. newer encountered that myself, you should be able to create users as you wish!
Wether you should use the administrator account or not is dependent of how much you trust yourself not to delete anything important.. i use only the admin account on my home network, but then again we are two proffesionals that uses it.. (and never does mistakes.. ;-) )
The best approach according to MS is to create a poweruser account for trusted users, and lower levels to your kids and so on.. THe poweruser has all rights but destroying the most important system files.
The structure of MY DOCUMENTS is C:\Documents and Settings\username (you may copy all your folders from the admin account from there to the new user and keep bookmarks, files, shortcuts and most your programsettings.. ps: reboot afterwards..)
Mattis