I am getting a new laptop soon and wasn't sure what the best course of action was on this topic. On my previous computers, I have always had a standard user which I used most of the time and an administrator, which I used only when there was an application which required to be "Run as Administrator" (I almost never logged into the admin account). With UAC and whatnot, however, is it safe for me to use my admin account as my primary account with which I do most of my day to day work?
Windows – Is a Separate Administrator Account Necessary in Windows 7
Related Solutions
UAC is not considered a security boundary. What this means is that there is only (relatively) weak protection preventing malicious software from "escaping" UAC and gaining administrator access. (In particular, Microsoft do not promise to fix issues that allow this to happen.)
Personally, I always use a standard user account on my home machine, except when I'm actually administering the computer.
is an administrator account as safe these days as a standard account coupled with the built-in Administrator account when needed?
In short: Still no.
The longer answer...
UAC is not a security feature
Back in the days of Windows XP and previous versions of Windows, it was quite difficult to practice the Principle of Least Privilege, not least in a corporate environment. The principle implied that you would do all your day-to-day tasks using a standard user account. Any tasks requiring admin privileges would be executed using a separate account with admin rights (given that the user had a legitimate need for it).
But Windows XP wasn't designed with this in mind, and there were many quirks and limitations, when running as a standard user - even if you also had access to an admin account. As a standard user, you were not able to click on the systray clock to show the neat month calendar, you couldn't change network settings and the "run as" function didn't work for everything (especially Windows Explorer, and thus also Scheduled Tasks, Printers and other shell folders, if memory serves me right).
Of course there were workarounds for a lot of these deficiencies, but it took a lot of time to discover, document and, well, work around them.
Security is a balance between, well, security and convenience. UAC was introduced with Windows Vista, primarily to detect when admin rights were needed, and to automatically prompt you to authenticate with an(other) account, with admin rights. This made practicing the Principle of Least Privilege a lot easier.
As a side-effect, performing tasks requiring admin rights, while logged in with an admin account, gives you a chance to actually confirm that you want to exercise these rights. UAC prompts when installing software seem reasonable, whereas when opening a normal webpage doesn't.
However, it turns out most users don't use separate accounts and quite a few day-to-day tasks require admin rights (adjusting settings for clock, network, power plan etc.), and would thus trigger a UAC prompt in Vista. This slew of prompts causes most users to
a) Blindly accept any UAC prompts, with no attention to what was actually requiring elevation, or
b) Disable UAC confirmation entirely
With Windows 7, Microsoft made several Windows executables auto-elevate permissions, so if you're using an admin account, some actions are automatically executed with elevated (admin) rights. This made UAC seem a lot less obtrusive.
UAC auto-elevation can be exploited
So, in Windows 7 there's a built-in mechanism for auto-elevating rights. If this mechanism can be exploited, by an application running with standard user rights, then UAC (which was not designed to be a security mechanism), can be circumvented and you can end up running applications with admin rights, though you haven't been prompted to confirm it.
Turns out UAC auto-elevation can in fact be exploited by injecting code, as proven by Leo Davidson (Windows 7 UAC whitelist: Code-injection Issue (and more)) and discussed and demonstrated by Long Zheng (UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability).
Conclusion
Seen from a security perspective, it still makes sense to use separate accounts for day-to-day work and anything requiring admin rights. This is the only way to be (reasonably) sure, that no applications run with admin rights, without your explicit authorization.
That said, it's a balance between convenience and security. As pointed out by @GeminiDomino, you could also fill all ports with epoxy, as used by the military. You could also run your computer "air gapped", like Bruce Schneier, so that it never directly connects to any network.
In the end it comes down to if you're OK with having to explicitly authenticate when performing admin tasks or not.
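The account type and UAC behaviour this answer discusses can be checked on a given machine. The PowerShell below is an added example, not part of the original answer; it only reads state, and the registry value names are the standard Windows UAC policy values, which the answer itself does not mention.

```powershell
# Added example: read-only audit of the current account and UAC policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-UacAudit {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # True only when this process holds an elevated (full) admin token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists deny-only groups, so a filtered admin token still shows the SID.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $inAdmins = @($groups | Where-Object { $_.Sid -eq $adminSid }).Count -gt 0

    $policy = Get-ItemProperty -Path $policyKey
    $findings = @()
    if ($inAdmins) {
        $findings += 'Account is in Administrators: elevation needs a click, not a password.'
    }
    if ($policy.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off, every process of an admin runs elevated.'
    }
    switch ($policy.ConsentPromptBehaviorAdmin) {
        0 { $findings += 'ConsentPromptBehaviorAdmin=0: admins elevate with no prompt.' }
        5 { $findings += 'ConsentPromptBehaviorAdmin=5: Windows binaries auto-elevate silently.' }
    }
    if ($policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompt is shown on the user desktop.'
    }

    New-Object PSObject -Property @{
        User = $identity.Name; Elevated = $elevated
        InAdministrators = $inAdmins; Findings = $findings
    }
}

$audit = Get-UacAudit
$audit | Format-List User, Elevated, InAdministrators
$audit.Findings
```

A standard user account with the default policy produces no findings; the Windows 7 default for a member of Administrators reports the group membership and the value 5 that enables the auto-elevation described above.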
Best Answer
Running as Administrator (the account named Administrator) is a bad idea, but running as a regular user who is in the Administrators group is quite a bit safer than it used to be on Windows XP, as you said because of UAC.
The main thing UAC does is that it changes the Session ID of processes to run in a less-privileged session, unless you successfully launch the program as an administrator and pass the UAC prompt (which comes from a secure desktop so it is very, very hard to bypass or force acceptance of the real UAC prompt).
With that said, it is always safer to run with the least amount of privileges you need. A Standard User account doesn't even have permission to use UAC to elevate to an administrator unless they type in valid credentials of an actual administrator account. This is one level removed from running as a member of the Administrators group, where you can obtain admin privileges just by clicking Yes on a prompt on the UAC secure desktop.
Lastly, consider that what most people really consider valuable is their personal data in their home folder, e.g. C:\Users\You\Documents, etc. Even without any UAC rights whatsoever, any executable code (or compromised processes such as a web browser) would be able to access all or a subset of your user profile data, regardless of the permissions you assign. So you should always be wary about executable code you download on the internet, regardless of how much you de-privilege your user account. Otherwise, attackers can make great use of things like your Firefox or Chrome user profile data (the sites you visit, your bookmarks, any saved passwords, etc), Word documents; they might even want to steal your music or just be a nuisance and flat-out delete it all.
Running as an admin is safer than it used to be on Windows XP, but nothing Microsoft has done has made running untrusted code any safer. You have to be vigilant to keep yourself from being exposed to malicious or untrusted code. The main thing to avoid is don't visit websites or click on links in emails that you don't trust. Even if you never explicitly download any executable code, browser exploits remain one of the primary attack vectors into a client computer, despite a decade of intensive research and development on browser security models.