Windows 8 Accounts and Security
Everyone who uses Windows knows that you typically sign in, or "log in" as we used to say, to the PC using an account with which unique settings, documents and files, and even applications are associated. The types of accounts we've used in Windows have certainly evolved over the years, but for the most part, there have been two basic kinds of sign-ins: domain accounts, which are used exclusively by corporations, and local accounts, which are specific only to the PC on which they are used; home users and most individuals have always used this latter account type.
In Windows 8, Microsoft is introducing a new type of sign-in that is tied to a Microsoft account, or what used to be called a Windows Live ID. (With Windows 8, Microsoft is eliminating Windows Live as a brand, but is continuing its most popular products and services, often with new names.) As you'll discover, this new account type is really just a formalization of a capability that debuted in Windows 7, but it takes on new prominence in Windows 8 thanks to this system's pervasive PC-to-PC sync capabilities.
Windows 8 also provides interesting new choices for signing in, augmenting the long-lived password system with some new choices that may make more sense on today's modern Windows devices and PCs. As always, securing your PC against electronic and human attack is job one for Windows 8, and in this version of Windows, you have more tools than ever to help ensure that your PC and its valuable data are safe.
But it all begins with your user account. So let's look at that first.
Once relegated only to the corporate market, where they have always made sense because of their security and permissions boundaries, user accounts are central to today's PC experience-so central, in fact, that you establish your user account when you first install Windows or set up your new PC.
Of course, user accounts aren't generally as restrictive at home as they are at work. It's your PC, after all, and most people rightly feel that they should be able to do anything they want on their PC. So that first user account you create, during Windows Setup, is automatically an administrator-class account, providing the permissions and access control that one would expect.
These local user accounts, or what we used to call workgroup accounts, work well enough for what they are. And they allow for some niceties, even at home. You can create multiple accounts on a single PC, giving users their own sign-in identity, along with its associated custom settings (desktop wallpapers and so on) and Windows and application configurations.
But local user accounts are starting to show the strain of time, and as our PC usage changes, so do the needs we place on them. For example, most people don't bother to protect their own user accounts with a password, which can have huge ramifications in the event of a stolen PC. Local accounts are literally local to that one PC and thus hard, if not impossible, to replicate across machines; if you have more than one PC, as so many of us do now, making each one look and work the same is tedious. Local accounts make home network sharing difficult, too, which is why Microsoft created the homegroup sharing technique for Windows 7.
What's interesting is that Microsoft basically solved these issues over a decade ago when they instituted the Active Directory domain services scheme in Windows Server. This system, which is used by corporations around the world, provides a more centralized approach to user accounts (and other things). So instead of signing in to a single PC and locking all of your personalized settings to that one machine, you sign in, instead, to the domain. And if you need to access a different machine, your customized experience can travel with you, so to speak, from PC to PC. With this scheme, the settings you typically think of being associated with an account are no longer locked into a single PC.
Active Directory is powerful and interesting, but it's also far too complex for a home network and of course requires expensive and complex servers in addition to the PCs that people actually use each day. So this system isn't well-suited for regular users at home.
So for Windows 8, Microsoft has created a new type of user account, based on your Microsoft account (previously called Windows Live ID) that provides many of the niceties of Active Directory but with none of the complexity. In fact, for most people, signing in to a Windows 8 PC with a Microsoft account is just as easy as doing so with a traditional local account. But there are numerous advantages to doing so.
So let's examine them as part of a wider discussion about the types of accounts you can use with Windows 8.
Understanding Account Types
Windows 8 lets you sign in using three different types of accounts: domain, local, and Microsoft.
Domain accounts are used by corporations that utilize an Active Directory infrastructure running on top of Windows Server. The account is centrally managed by your employer, as are whatever permissions and capabilities you may be able to enjoy.
You connect Windows 8 to a domain as you did with previous Windows versions, using the advanced system control panel. Once the domain is configured, you reboot the PC and then sign in with your domain account's username and password. In use, Windows 8 works almost identically to a local user account, but you lose some of the integration pieces that are special to Microsoft account sign-ins. As we'll see in just a bit, there is a simple way to mitigate that issue.
In Windows XP, Vista, and 7, most home users signed in to their PC using a local account, or an account that is, literally, local to that one PC. Local accounts are typically one of two account types, administrator or standard. An administrator essentially has complete control of the system and can make any configuration changes they want. A standard user can use most application software and many Windows services, but is prevented from accessing features that could harm the system. For example, standard users cannot install most applications, change the system time, or access certain Control Panel applets.
You can bypass this limitation by entering the credentials for an administrator account. You do so using a feature called User Account Control, which we'll examine later in this article.
In previous Windows versions, most people simply used an administrator-type account because standard user accounts were so limiting and annoying. But with the move to multi-PC households and the PC-to-PC sync capabilities one gets with using a Microsoft account instead of a local account, our expectation is that the vast majority of Windows 8 users will no longer use local accounts. It's still supported, of course, but it's just depreciated.
Signing in to a Microsoft account is now the default, and preferred, way of doing things. A Microsoft account provides you with all of the benefits of a local account- simplicity and the ability to have both administrators and less privileged users-plus the benefits of the multi-PC settings replication of a domain account, and, of course, integration with Microsoft's online services and third-party services like Facebook, Twitter, and more.
But the Microsoft account is more than a nicety. It's required for many of the Metro-style apps that are built into Windows 8, including the productivity apps- Mail, Calendar, People, and Messaging-the digital media and Xbox apps-Xbox Music, Xbox Video, and Xbox LIVE Games-and more. Windows 8 was designed to integrate deeply with a Microsoft account, much like Windows Phone before it. And a Microsoft account is super easy to use.
For these reasons, we believe that signing in with a Microsoft account is the obvious choice for most Windows 8 users.
There's just one problem. In some cases, you can't sign in to your PC with a Microsoft account the first time you set up Windows 8. For example, if your PC is
offline the first time you use Windows 8, a Microsoft account won't even be offered. But the more obvious example, perhaps, is a work PC: There's no way that corporate
will let you or other users bypass the built-in security features of their carefully crafted policies and sign in with your personal Microsoft account.
If only there was a way around this limitation.
Making the Most of a Domain or Local Account
If you are signing in to a PC with a domain or local account, there are some changes you can make to provide you with the best possible experience. Which you do will depend somewhat on whether you're currently signing in to Windows 8 with a local account or a domain account. These changes include:
- Switch a local account to a Microsoft account: If you opted out of the Microsoft account sign-in when you first set up Windows 8, perhaps because you
were confused by this new account type and simply wanted things to be as close as possible to the way it was in Windows 7, Microsoft actually lets you
change your local account after the fact and switch it to a Microsoft account.
You cannot do this with a domain account. Only a local account can be switched to a Microsoft account.
To make this change, navigate to PC Settings and then Users. Then, under Your account, click the Switch to a Microsoft account button.
You can also use this same interface to switch from a Microsoft account to a local account. And no, we can't think of a single reason why you'd want to do this.
- Connect a domain account to a Microsoft account: If you're using a domain account, you can't switch it to a Microsoft account. But you can link your
domain sign-in with your Microsoft account, achieving the same benefits as you'd get by simply signing in with a Microsoft account. In the business, this
is what we call a "best of both worlds" solution.
To do so, navigate to PC Settings and then Users. Under Your account, click the Connect your Microsoft account button. When you do. Here, you choose which PC settings you'd like to sync with your domain account.
After choosing which settings to sync, you will sign in to your Microsoft account and confirm or enter your security verification information, just as you do when you sign in with this type of account normally. And from now on, you can use Microsoft's account services-and the bundled apps in Windows 8 that take advantage of them-seamlessly, without needing to sign in with each app. Actually, it's even better than that: Some apps simply won't work unless you sign in with a Microsoft account. This linking process makes them work.
- Sign in to app groups with a Microsoft account: There is a third approach, one that provides a more limited way to access some Microsoft account goodness,
but without changing your domain or local account in any way. That is, instead of linking or switching your existing sign-in account, you can simply
try to run one of the connected apps in Windows 8 and then sign in when prompted by a screen.
This approach isn't as sophisticated as using (or linking) a Microsoft account. You'll need to sign in a few different times, to different app groups-Microsoft considers the productivity (or what it calls "communications") apps to be one group, for example, and the Xbox (media and games) apps to be a separate group. And you don't get the PC-to-PC settings sync functionality that's available with a real Microsoft account sign-in. But if you don't have a choice-or are just really, really stubborn-this will at least let you use the built-in Metro apps to their fullest.
In previous Windows versions, we managed local user accounts in Control Panel, a desktop user interface that dates back to the earliest days of Windows. But in Windows 8, basic user account management tasks now occur within the Metro-based PC Settings instead, while, confusingly, a few more advanced or esoteric features can still be found in legacy control panels. So you may find yourself moving back and forth between the two environments depending on your needs.
Let's start with the basics.
Managing Accounts in PC Settings
Like many Metro interfaces, the Users section in PC Settings is almost disarmingly simple. This UI lets you manage features related to your own and other user accounts.
These features, which vary somewhat depending on the type of account you use to sign in, can include:
- Switch to a local account/Switch to a Microsoft account: If you're signed in with a Microsoft account, there is a Switch to a local account button that will let you do just that, albeit at the expense of losing all of the included functionality one gets with such an account type. If you are signed in with a local account, however, you will see a Switch to a Microsoft account button instead.
- Connect your Microsoft account/Disconnect your Microsoft account: Those who are signed in with a domain account (used only in corporations and other businesses) will see a button, Connect your Microsoft account, as described earlier in this tutorial. If you've already connected your domain account to a Microsoft account, you will see a Disconnect your Microsoft account button instead.
- Change your password: Those with local or Microsoft account sign-ins can change their password at any time using this button. Domain users will not see this option; instead, you can type Ctrl + Alt + Del and choose the Change a password option from the full-screen menu that appears. However, your ability to actually change your password will be based on corporate policy. (And, in fact, many businesses may require you to change passwords on a regular schedule, whether you want to or not.)
- Create a picture password/Change a picture password: With the advent of touch-based Windows devices, including tablets and other touch screen
devices, Windows 8 now offers two fun and efficient new ways to sign in to your computer: picture password and PIN (the latter of which is described
next). Neither replaces your normal password. Instead, you can use either to implicitly sign in to the system using your actual password, but using a
method that is simpler (and, in this case, a bit more fun) than a normal password. This is especially useful because tapping out a long password on a touch
screen can be tedious.
A picture password is essentially a photo over which you trace any combination of three circles, lines, and/or taps, using the device's touch screen. You might imagine a picture of a family member where you "poke" them in each eye and then draw a smile over their lips as an example of this type of sign-in (though not necessarily one you would want to choose to use, since such a combination of swipes is fairly obvious and could undermine the security of your PC).
Creating a picture password requires completing a short wizard. After providing your password to prove that this is your account, you're prompted to choose the photo you'll use. Obviously, you can use any photo of your choosing.
Once you've selected the picture and the wizard has verified this selection, you'll be prompted to set up your gestures. Here, you choose the three gestures you want to use-again, any combination of three circles, lines, and/or taps-as your sign-in.
The wizard will make you repeat the gestures to ensure that you've got the sequence memorized correctly, and then you're good to go. You can later change the picture password or remove it.
- Create (or change) a PIN: If you've ever used a smartphone, you know that four-digit PINs, or personal identification numbers, are the norms for securely
signing in on such devices. This sign-in option allows you to use the same convenient sign-in type on your Windows PC or device, and while it's particularly
nice for touch-screen devices, we've both switched to using this sign-in type on our traditional desktop PCs, too, since it's so fast. Setting up a PIN is
very straightforward, and each digit must be a number.
O ddly enough, you can use the picture password and PIN sign-in types even with a domain account. However, some corporations have very strict password policies, so as is the case with other options in this tutorial, you may not be able to use these features with a work-based domain account.
- Add a user: If you select the Add a user link under Other users, you'll be presented with the new full-screen interface. It's set up for a Microsoft account by default, but you can click the link titled Sign in without a Microsoft account to configure a traditional local user account instead.
So, yes, you can mix and match Microsoft and local accounts (and even domain accounts) on a single PC, though our general rule about using Microsoft accounts exclusively when possible still applies for your own PCs.
With the understanding that common sense is a key aspect of anyone's personal security regimen-and, on the flip side, that human error is almost certainly the number one factor behind most security mishaps-we feel compelled to remind readers that picture password, like any other authentication scheme, is only as secure as you make it. So use some common sense when creating a picture password, keeping the following tips in mind:
- Complexity: It's not hard to guess that a picture password that uses a person's headshot as the picture most likely involves poking both eyes and making a smile across the lips. Be more creative than that and use a photo that is more complex, with less obvious points of interest.
- Use different gestures: Three identical straight lines do not secure a picture password make. Consider mixing it up, using a combination of taps, straight/curved lines (in both directions), and circles that move in both directions (clockwise and counter-clockwise).
- Physically shield the screen: You wouldn't let strangers watch you enter your bank card's PIN at a cash machine. Don't let onlookers see your picture password . . . no matter how cute you think it is.
- Clean the screen: Today's touch-screen devices leave indelible smudges each time you tap or gesture. So be sure to keep your screen clean, reducing
the chance that someone could tilt the device in the light and quickly guess which gestures you use to sign in.
You're not locked into using this or any other sign-in type. You could have a password, a picture password, and a PIN all configured for the same account and then choose which to use at sign-in time.
Advanced User Management with Control Panel
PC Settings is cute and everything, but if you want to dive into the nitty-gritty of user account management, you'll need to visit the old-school Control Panel interface instead. And yes, you still want to know about this interface even if you're not particularly interested in advanced features. And that's because there are certain things related to account management that you can only do from Control Panel.
For example, the very first account you create with Windows 8 is always an administrator-class account, and that's true whether that account is a Microsoft account, as recommended, or a traditional local account. But when you create other accounts, as explained earlier, those accounts are not administrator-type accounts. And the Metro-style PC Settings interface doesn't offer any way to change them.But Control Panel does. In fact, Control Panel provides so much additional functionality with regards to user accounts that it seems a shame to ignore it.
Of course, you need to find it first. The easiest way is via Start Search: Display the Start screen, type user, select the Settings filter in the right pane, and then choose User Accounts in the results list. This displays the old-school User Accounts control panel.
If you have only configured one user account, you cannot, however, change it from an administratortype account to a standard user account. You must always have one administrator configured on the PC.
Here are some of the user account-related tasks you can only complete using Control Panel:
- Change an account type: As noted previously, the first account you configure
on your PC-whether it's a Microsoft account or a local user account-is an
administrator-type account. But what about subsequent accounts? As it turns
out, all subsequent account additions-be they Microsoft or local accounts-
are created as standard users, not administrators. This may be desirable, but
if you'd like to change an account from one type to the other, you can do so.
To change an account's type, click the link Manage another account in the User Accounts control panel. This will change the display, where you can choose an account to change.
Select the account you wish to modify to display a screen. Here, you can see a secondary Microsoft account that was automatically configured as a standard account type when it was added to the system.
When working with a local account, you can also use this screen to change the account name, create or change the password, set up parental controls, or delete the account.
When working with a Microsoft account, you can also use this screen to set up parental controls or delete the account (from the PC).
Click the Change the account type link, choose Administrator, and then click the Change Account Type button. Now, you can see that this other Microsoft account is an administrator too.
- Manage User Account Control: In Windows Vista, Microsoft introduced what was then a very controversial feature called User Account Control, or UAC, which
took advantage of Microsoft's efforts to componentize Windows by dividing each of the system's functional entities, or components, into one of two groups:
those that require administrative privileges and those that don't. Those that don't would just work and you could just go about your day and not really think
about the security implications of anything underpinning the system.
But then there are those other components that do require an administratorclass account to actually work. Those components are a bit trickier. These components will trigger a UAC dialog, or prompt, that must be bypassed before you can continue whatever task you are trying to complete.
UAC is theoretically annoying, but it's been refined over the past two Windows versions to be, well, less noisy. That is, it doesn't rear its head very often anymore, and if you're logged in with administrator privileges-and chances are, you are-it will rarely do more than interject a small "Are you sure?" type dialog to interrupt your workflow.
This interruption will vary according to what you're trying to do-a UAC prompt appears when you try to install an application, for example-and according to what type of user account you're using. But the important thing to note is that the presentation of UAC prompts hasn't really changed since Windows 7. So unless you've been using Windows XP for the past few years, you already get the drill. It works much as it did in Windows 7 and is much less annoying than it was in Windows Vista.
Configuring User Account Control works as it did in Windows 7, via the User Account Control Settings control panel. So there's no need to waste time on it: UAC works as before, isn't annoying, and shouldn't be messed with.
Note: There is one interesting side note about UAC in Windows 8: One place you'll never see this prompt is in any of Windows 8's Metro experiences. That's because UAC is a desktop technology, and the Metro environment has its own more pervasive protections built in and designed to protect the OS from exactly the kinds of issues that UAC, too, is aimed at.
- Enable and configure Family Safety: Microsoft first provided pervasive Windows-based parental controls functionality in Windows Vista, providing
parents with a way to create and enforce settings related to computer usage, including a web filter (for allowing and disallowing individual websites and
downloading), time limits, games, and applications (including which can and cannot be used).
In Windows 8, Microsoft is carrying forward the parental control functionality from its predecessor, and it works almost exactly the same way, with a few useful improvements. Parental controls, called Family Safety in Windows 8, can be applied only to non-administrator accounts-including Microsoft accounts, which is indeed new to Windows 8-and is administered one account at a time.
Parental controls are not available when you sign in as a domain user.
There are two ways to add parental controls to an account. You may recall that when you add a new account to the system, it's silently created as a standard user account, and not as an administrator. So as an added nicety, Windows 8 provides a check box option, which lets you enable Family Safety right when the account is created.
Or, you can add parental controls to an account after it has been created. To do so, select Manage another account from the main User Accounts control panel, select the account you want to manage, and then select Set up Family Safety.
If you're familiar with the parental controls functionality that was included in Windows 7, all of the functionality from that release carries over into Windows 8. But there are a few useful additions in this release, too. For example, where the Windows 7 parental controls allowed you to specify the hours of each day that the child could use the PC-this feature is now called "curfew"-Windows 8 adds the ability to limit how many hours they can use the PC each day as well. Additionally, Family Safety integrates with Windows Store so you can see and control which Metro-style apps and games your child downloads, based on country-specific ratings; in the United States, we use ESRB (Entertainment Software Ratings Board) ratings.
- Enable the Guest account: While you can go to great lengths to protect standard user accounts with parental controls, sometimes all you're looking for is a
single, temporary user account with standard user privileges that anyone can use. As with previous Windows versions, Windows 8 includes such an account,
called the Guest account, and it's a safe and easy way to let others use your PC without worrying that they're going to view, modify, or delete any crucial
data, uninstall or change an application, or perform other dangerous tasks.
To enable the Guest account, select Manage another account from the main User Accounts control panel. Then, in the Manage Accounts screen, choose Guest. (Its icon will note that the Guest account is off.)
The control panel will ask you whether you're sure you wish to enable this account, noting that password-protected files, folders, and settings are not accessible to guest users. Click Turn on to enable the Guest account.
Now, when you leave the computer, you can lock your account (easiest way: Winkey + L). And then your children or actual guests can browse the web, run apps, and perform other common duties using the Guest account while you're away: A new Guest option will appear on the lock screen.
Remember that the Guest account is temporary to each sign-in. So when the user signs out of the Guest account, any settings changes or documents they've created will be deleted. Each time you sign in to the Guest account is like the first time that account is used, and nothing is retained.
- Reset EAS Policies: When you sign in to a Windows 8 PC or device with a Microsoft account, you're using a technology called Exchange ActiveSync
(EAS) under the covers to provide push-based access to your Hotmail-based e?mail, calendar, contacts, and other data. EAS is a Microsoft-created corporate
standard that is used by Hotmail and Microsoft's Exchange- and Office 365-based services, and also by competing services from Apple, Google, and
other companies. (In this way, it's a de facto standard for all modern mobile devices.) And one of its big advantages is that it supports the notion of EAS
policies, which can set restrictions on the device-smartphone, tablet, or PC-that you use to access the underlying services. For example, your workplace
may want to ensure that you sign in with an account that has an acceptable password (from a length and complexity standpoint) and then auto-locks
after a certain period of inactivity.
When you sign in with a Microsoft account, whatever restrictions Hotmail enforces are automatically applied to your PC. But this is only required if you are using Microsoft's bundled Mail app. If you access Hotmail's e?mail, calendar, and contacts from a Windows application, or from the web, you can decouple Hotmail's EAS policy requirements from your PC. And, oddly enough, you do this from the User Accounts control panel: Just click Reset EAS Policies on the left, and you'll see a window.
The easing of restrictions will apply until and unless you run the Mail, Calendar, People, or Messaging app(s) again. At that time, the EAS policies required by Hotmail will be simply be silently reapplied. If you sign in with a corporate account, however, it won't be so silent: You'll be prompted to accept the policies change.
User Accounts Control Panel and Domain Accounts
The User Accounts control panel experience described in this tutorial applies only to those who sign in with a local or Microsoft account. If you sign in with a domain account-or on a PC for which a domain account has been configured-you're going to see some different options in the User Accounts control panel. While many of these options are only of interest to domain administrators, it's worth pointing out one of the common tasks we mentioned earlier is managed using this interface: changing an account type. To change an account type, click Manage User Accounts. Instead of opening a new view in the User Accounts control panel window, you will see the old-school windows.
Now, select the account you want to change-and if you see two entries for one account, as you will for Microsoft accounts, choose the top one-and click Properties. Then just choose Standard user or Administrator from that window.