User Account Management
You might have noticed a common theme running through the section on Windows security in this tutorial, namely that users can, and often annoyingly do, deactivate crucial security systems on their PCs because they "find them annoying," because "they slow down the PC" (which isn't true), or because they stop the user "from doing what [they] want," which is very often the whole point: if a user wants to do something that's blocked by Windows' security systems, it's very likely they shouldn't be doing it anyway.
When it comes to user accounts, it's important to create them in ways that constrain the user to do only what they ought to be doing, and not necessarily what they want to be doing. It might be difficult to prevent a user from spending time on Facebook or eBay, or from playing Minecraft (and these are fairly innocuous activities that are unlikely to jeopardize the security of the PC), but allowing a user access to file-sharing, adult, or gambling websites (where malware often hides), or permitting them to install their own apps and utilities on a PC, does present a serious security risk, and therefore a serious risk to the stability and operation of the PC and to the integrity of the files and data stored both on it and elsewhere on your network.
Remember that PCs no longer operate in isolation, not even in the home. Malware infecting a PC can quickly spread across the network, affecting other PCs, and even servers and network hardware and storage, and the result can be expensive downtime or even the opening of backdoors into company data that can result in an embarrassing and extremely costly data breach.
Administrators vs. Standard Users
Back in the days of Windows XP, every new user was an Administrator, even the Standard users to a certain extent, because there was no UAC feature to prevent unwanted changes being made to a PC. Administrators can change anything on a PC, anything at all. They can install new software, modify configuration settings, and even delete files in the \Windows operating system folder.
Standard users on the other hand can only make changes that affect their own user account, and nobody else's. This can have some downsides in the workplace, especially if a user does need to install the odd extra piece of software (all users can install apps from the Microsoft and Windows Business stores), but it's generally accepted that there should be just one Administrator on a PC (usually the person who knows what they're doing) and that everybody else should be a Standard user.
Local Accounts vs. Microsoft Accounts
If you are using PCs in the workplace, you'll most likely have users set up on PCs using Domain or Azure Active Directory accounts managed by a Windows Server system. Smaller businesses might have users signed into PCs using a Microsoft 365 account, but for everybody else it's the choice between using a Microsoft account to sign into a PC or a local account.
While it is still technically possible to install Windows with a local account (make sure the PC is disconnected from the Internet at the time of installation), Microsoft wants everybody using a Microsoft account because that's what offers the "best experience," and Windows 10 will try, and likely succeed, in forcing you to switch to a Microsoft account instead. The pros and cons of using Microsoft and local accounts on a Windows 10 PC are listed in the tables below.
Table: The pros and cons of using a local account
Local Account
Pros:
- No personal data is shared with Microsoft
- No files are stored in the Microsoft cloud unless you deliberately set it up
Cons:
- Syncing of personalization and Ease of Access settings is not supported
- Windows Store cannot be used without Microsoft account sign-in
- OneDrive file sync is not supported without Microsoft account sign-in
- Setup and configuration can take much longer after a reinstall
Table: The pros and cons of using a Microsoft account
Microsoft Account
Pros:
- You get the full Windows 10 experience with all features supported and working
- Profile sync across your Windows 10 devices (PCs, laptops, tablets, smartphones), including personalization and Ease of Access options
- File backup and sync between PCs are possible using OneDrive
- Setup and configuration is partly handled automatically after a reinstall
Cons:
- Personal advertising data is shared with Microsoft unless you opt out during or after installation
- Integration is built into Microsoft services you may not wish to use
User Identity and Sign-In Management
Windows 10 supports many more ways for a user to sign into a PC than just by using a password, but this isn't always a good thing. These additional sign-in methods include picture passwords, where you draw shapes over a picture (fairly pointless but useful for children perhaps); a PIN, such as the one you use for your bank card at an ATM; and Windows Hello, which supports several forms of biometric sign-in from fingerprint readers to iris and facial recognition.
How to Create a Superstrong Password
It is always a good idea to use a password manager, and the main web browsers such as Chrome and Edge have excellent password managers built in that can sync across desktop and mobile platforms. If you don't use a dedicated password manager, however, these are my top tips for creating superstrong passwords for use on your PC and with websites and Internet services:
- Create passwords that are a bare minimum of 12 characters in length.
- Always use a mixture of numbers, uppercase letters, lowercase letters, and symbols.
- Substitute some letters and numbers for other characters. For example, you can use a 5 instead of an s or S; an & instead of a or A; () instead of o, O, or 0; and / instead of the number 7.
- Use a phrase, perhaps a line from a song or poem, instead of a single word to make the password longer.
- Append some unique characters representing the service or website the password is for to the beginning or end of the password to make it unique to that service or website. For example, use ebA for eBay, aMa for Amazon, or g()() for Google web services.
- Choose a format you will use for each word in your password, for example, capitalizing the second letter of each word and substituting the first vowel with a symbol.
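As an added example (not from the book), here is a small PowerShell function that checks a candidate password against the rules above: minimum length, all four character classes, and a phrase rather than a single word. The sample passwords at the end are constructed for illustration and the function name is my own.

```powershell
# Added example: report which of the password rules above a candidate fails.
# Assumes Windows PowerShell 5.1 or later; no external modules needed.
function Test-PasswordRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 12
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }
    # -cmatch / -cnotmatch are case-sensitive; the plain -match operator would
    # treat [A-Z] and [a-z] as the same and never catch a missing case.
    if ($Password -cnotmatch '[A-Z]')       { $failures += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')       { $failures += 'no lowercase letter' }
    if ($Password -notmatch '\d')           { $failures += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $failures += 'no symbol' }

    # A phrase has several runs of letters separated by digits/symbols; a single
    # word (with or without a trailing digit) has only one.
    $wordRuns = [regex]::Matches($Password, '[A-Za-z]{2,}').Count
    if ($wordRuns -lt 2) { $failures += 'looks like a single word rather than a phrase' }

    [pscustomobject]@{
        Length   = $Password.Length
        Passes   = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# Constructed sample inputs: the first breaks most rules, the second follows them.
'Password1', 'bLue5ky!wAlks&tAllebA' | ForEach-Object { Test-PasswordRules -Password $_ }
```

The function only checks the structural rules listed above; it cannot tell whether a phrase is a well-known song lyric, so the "unique" and "format" tips still rely on the user.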
An Introduction to Family Safety
While we're on the subject of preventing users from doing things that can adversely affect the security of the PC, it's worth finishing up by talking about children. If you have children, then you also have my sympathies, because you'll be all too aware that especially younger children have almost no idea of what constitutes a risk, either in the playground or on the Internet.
Windows 10 does include Family Safety features, and when you add a new user to the PC, you'll be asked if they are a family member or somebody else. The former option then lets you choose if the person is a child or an adult. Child accounts are automatically hooked into the Family Safety features, which include website filtering, game ratings management, and usage time management for the PC.
For the purposes of maintaining security, it's the website filtering that's the most useful. This can prevent children from accessing adult, file-sharing, or gambling websites where malware is often found.
Note: It's worth mentioning that no Family Safety or Child Protection feature, be it from Microsoft, from a third party, or managed by your Internet Service Provider (ISP), can guarantee to block every attempt by a child to access content that you consider inappropriate. It is therefore important to maintain good communication with your child about how they can keep themselves safe online, and why it is important for them to do so.
Managing and Deleting User Accounts
User accounts are managed in Windows 10's Settings app. There's really not much else you can do with them in the Control Panel. If you have a user set up on a PC that's an Administrator when they should really be a Standard user, you can change their account type in Accounts and Family & other people. Note that you need to be signed in as an Administrator to do this.
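The Settings app is the route described above; as an added example (not from the book), the following PowerShell script does the same job for the "one Administrator, everyone else Standard" rule from the Administrators vs. Standard Users section: it lists the local Administrators group and demotes every local user except the account you name. The function name and the 'ITAdmin' account are placeholders; it assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example, not from the book: audit the local Administrators group and
# demote every local user except the one account that should stay Administrator.
# Assumes an elevated Windows PowerShell 5.1 session (LocalAccounts module);
# 'ITAdmin' below is a placeholder for the account you want to keep.
function Set-SingleLocalAdministrator {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KeepAdmin)

    $computer = $env:COMPUTERNAME
    $members  = Get-LocalGroupMember -Group 'Administrators'

    # Refuse to run if the account we intend to keep is not already an admin;
    # otherwise we could strip every admin from the PC and lock ourselves out.
    if (-not ($members | Where-Object { $_.Name -eq "$computer\$KeepAdmin" })) {
        throw "$KeepAdmin is not a member of Administrators; nothing changed."
    }

    foreach ($m in $members) {
        # Accounts that exist on this PC are reported as COMPUTER\name; domain and
        # Azure AD principals are left for the directory administrators to manage.
        if ($m.ObjectClass -ne 'User' -or $m.Name -notlike "$computer\*") { continue }
        $shortName = $m.Name.Split('\')[-1]
        if ($shortName -eq $KeepAdmin) { continue }
        # The built-in Administrator (RID 500) is disabled by default; leave it alone.
        if ((Get-LocalUser -Name $shortName).SID.Value -like '*-500') { continue }

        if ($PSCmdlet.ShouldProcess($m.Name, 'Demote to Standard user')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            # A Standard user is simply a member of Users; make sure they still are.
            $inUsers = Get-LocalGroupMember -Group 'Users' -Member $m.Name -ErrorAction SilentlyContinue
            if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $m.Name }
        }
    }

    # Report what is left so the change can be verified.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

# Preview with -WhatIf first, then run without it to apply the change.
Set-SingleLocalAdministrator -KeepAdmin 'ITAdmin' -WhatIf
```

Demoted users keep their files and profile; only their group membership changes, so this is the safe step to take before considering removal.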
Sometimes, though, you will want to remove a user from a PC. Clicking on their account name in the Settings app will reveal a Remove button. Bear in mind, though, that removing an account will delete their user folders from the PC, including any files and documents they have created and stored. Always make sure files are fully backed up before performing this action!
Caution: Deleting user accounts and their files does NOT securely delete the files and data, which can still be recovered with file recovery apps. To securely wipe the currently unused space on your PC, you can use a third-party tool such as CCleaner from piriform.com, or open Command Prompt (Admin) from the Win + X menu and type cipher /w:[directory name or drive letter]. Note that cipher /w overwrites the free space on the whole volume that contains the directory you name; it does not touch files that still exist.