Seeking advice on user account structure for a semi public laptop


  1. Posts : 116
    10pro 20H2 19042.1237
       #1



    I have been asked to help set-up a laptop to be used in a semi-public but controlled environment.

    Not had sight of machine (and there may be more to follow) so do not know version .. but first thing I want to do is either a 'clean install', 'in place upgrade' or whatever method you think is best to bring machine(s) up to current spec.

    I would like opinions as to the most practical/ functional user account structure based on my first thoughts below ....

    Obviously ...
    Bios very strong password...
    Built-in admin enabled with very strong password...

    Then.....
    1. A 'spare' admin account just to use that password as a temporary way for a manager to approve changes instance by instance....
    2. Perhaps an open/public basic user account with appropriate warnings about public nature of it ... simply for on-the-fly assistance, demonstrations and anything non important.
    3. Then a small collection of 'pre-created' basic / restricted user accounts without ability to change password (that to be managed by admin level user account). I gather "Bree" got past 16 thousand plus before Windows gave up ! This case will be far fewer !
    4. I will create an encrypted database for record keeping (probably KeePass) which will be held by designated persons / managers / administrators.



    So...
    • Should there be a 'master' MS online user account or 'local'?
    • Should all other accounts be 'local'?
    • These user accounts may well be short-term or temporary and need to be disconnected from any other previously created external accounts or login methods. Privacy for all parties involved is the key here.
    • It seems that parental controls are seen as insufficient by some ... what is your opinion?
    • And that 'family groups' are seen as difficult ... see last post in this older thread....


    Bypass Family Settings by conversion to Local Account

    The owners wish to allow access to specific people but be able to control or restrict any 'unapproved' use.
    It is especially important that each basic user account cannot access or view the other user accounts in any way.

    My assumption is that a basic user account with parental controls may not quite be enough ?

    I am aware that I will have to address data protection issues but that is beyond the scope of this post at the moment.

    Thank you and have a peaceful Christmas
    Paul


  2. Posts : 1,746
    Windows 10 Pro x64 22H2
       #2

    Hello,

    Administrative account vs standard account is the only security advantage against privilege escalation.

    Having multiple elevated accounts and/or multiple standard user accounts brings no additional security; what it does instead is protect one user from the other and offer separate customization and nothing more, end of story.

    You said:
    A 'spare' admin account just to use that password as a temporary way for a manager to approve changes instance by instance....
    If I get your point, by doing so you only introduce weakness relative to admin account with a strong password.
    Every elevated account (admin account) must be equally protected, if one fails then all others are automatically failure, because one admin if taken control of, that means system is ready for clean reload, additional administrators mean nothing regardless of how well protected.

    Administrator account is secure as much as you trust the person using it.
    It's the most secure when only you have access to it, under condition you don't misuse it.


  3. Posts : 2,800
    Windows 7 Pro
       #3

    Hi,

    All accounts can be local, no problem with that.

    Parental Control is an internet oriented control software and will not prevent Users from doing what users can normally do.

    If you have Windows Pro, with well-crafted Group Policies you can achieve pretty good tamper resistance without additional software, and control nearly all aspects of Windows configuration from there.

    Apply Local Group Policy to Specific User in Windows 10


  4. Posts : 8,107
    windows 10
       #4

    On most PCs like this you would run Deepfreeze; with that, on reboot it reverts back to how it was set. If you delete Windows or get a virus, reboot and it's back. You can get free software that does the same.


  5. Posts : 1,807
    Windows 10 Pro 21H1 19043.1348
       #5

    I'm with MaloK


    Windows 10 Pro would best provide the security you require for this "semi-public PC".

    FYI, I was able to buy an upgrade key (home to Pro) for about $18 Canadian and you may find cheaper. Just exercise caution where you purchase this key.


  6. Posts : 116
    10pro 20H2 19042.1237
    Thread Starter
       #6

    Thank you and a very peaceful Christmas .. Zebal, MaloK, Samuria & W10 Tweaker

    Very helpful.
    As I don't yet have sight of machines and suspecting the worst it is likely to be Home and not Pro.
    And I don't yet know how the owner wishes to administer this set-up and what future plans are.

    I had a look at Deepfreeze last year for a slightly different situation and I believe the owner has a different system in mind .... the idea is to provide support to people who may face issues with computer use elsewhere or not have access in the first place.
    You might use the word "vulnerable" in some cases.
    So it is more a case of providing a reasonably robust and functional system rather than trying to keep out 15 year old hackers.

    And if this is administered correctly (yes ... I know that is wishful thinking) giving the principal management admin user password to a "day" manager seems more scary than the temporary/short term/single instance use of a 'spare' admin password.
    If such use is logged and its use is with dire warnings ........?

    But I see that one broken admin is potentially an open machine.

    Here is where functionality / security compromise decisions will have to be taken.

    And from comments by Access database wizards ... if it is really that important you should not be using Access in the first place.
    This situation does not at first sight seem to be at the highest level for malicious use but rather at the level of quiet control / restricting mis-use of websites and the ability to provide a safe environment. Similar to "child protection" but with adults.

    That was why I thought of the parental controls.

    From my end of the telescope I prefer the Pro with group policy method but will have to wait to see what I am working with.

    Much food for thought and thank you for your input.

    Will report back when I have sight of this machine and know more of the envisaged system.

    May 2022 be better than 2021 for you all.
    Paul


  7. Posts : 8,107
    windows 10
       #7

    The best of Deepfreeze or similar: if anyone changes a password you may not notice, but with Deepfreeze, reboot and you know it's as you set it up.


  8. Posts : 116
    10pro 20H2 19042.1237
    Thread Starter
       #8

    Hello and a good and peaceful '22 to the forum.

    So now I know the nature of the beast ...
    Brand new, still in the box, laptop with W10 HOME preinstalled.
    I have strongly advised the upgrade to Professional and am going to assume this will go ahead (I will be the one actually doing it).

    I have looked at the search results within tutorials here and can find the methods for applying group policies but ......
    Is there specific advice as to which policies would be most suitable / useful in this situation.

    To recap .....
    A village community association wishes to offer computer use to those in need.
    The people could be just casual users without access to their own for some reason.
    There is a distinct probability that "vulnerable" people may be part of that user group.
    It is possible that a user may be in an abusive relationship and so such computer use may be pursued..... or in other words ... a deliberate attempt may be made to discover the nature of such computer use including on-site attempts and external attempts via internet connection.
    I will pre-create basic user names and passwords which can only be changed from an admin account and these basic users details will be stored on encrypted usb keys (KeePass).
    Password will be known to usb key admin holder but keyfile will be stored by another admin. Hence two keys to unlock...
    Another encrypted database will be held with different password and keyfiles for the upper level records not needed by daily management.

    I have a draft proposal for the overall administration / management of this first machine but do not have the experience to know which specific policies would best secure this machine.

    So I am really looking for a check-list of policies that I can implement.
    Any advice very much appreciated.
    Paul
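
    One way to script the pre-created accounts described in this post (standard users whose passwords only an administrator can change), followed by a review of who holds administrator rights, the point raised in post #2. This is an added example, not part of the thread; the account names and the 30-day expiry are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-create standard local accounts with admin-managed passwords,
# then review membership of the local Administrators group.
# Account names and the expiry period are constructed placeholders.

$accounts   = 'guest-user-01', 'guest-user-02', 'guest-user-03'
$expiryDays = 30   # assumed value for "short-term or temporary" accounts

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet without look-alikes (I, O, l, o, 0, 1), so that
    # byte % 64 is unbiased and the result can be typed by hand.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=?@'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($name in $accounts) {
    # Skip names that already exist so the script can be re-run safely.
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) { continue }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-LocalUser -Name $name -Password $secure `
        -UserMayNotChangePassword -PasswordNeverExpires `
        -AccountExpires (Get-Date).AddDays($expiryDays) `
        -Description 'Pre-created restricted account' | Out-Null

    # New-LocalUser adds the account to no group; S-1-5-32-545 is the built-in
    # Users group, addressed by SID so this works on any display language.
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $name

    # Displayed once for entry into the KeePass database; never written to disk.
    Write-Host "$name  $plain"
}

# Any member of Administrators (S-1-5-32-544) can take over the whole machine,
# so list them all for review.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# Warn if a pre-created account has ended up with administrator rights.
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$accounts | Where-Object { $admins -contains "$env:COMPUTERNAME\$_" } |
    ForEach-Object { Write-Warning "$_ is a member of Administrators" }
```

    Run it from an elevated PowerShell session with nobody else able to see the screen, since the generated passwords are shown in the console.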



  10. Posts : 116
    10pro 20H2 19042.1237
    Thread Starter
       #10

    Thank you "MaloK".
    Links much appreciated, now down to the reading ....
    May '22 be grand.
    Paul


 
