February 17, 2023

Separate user and admin accounts

Are you using an account with administrative (admin) privileges to perform day-today work tasks?

Many people do, but it is not a recommended practice.

Here’s why:

Adversaries can gain access to your computer through successful phishing attacks or if you unintentionally download malware from an infected website. If this happens while you are using an account with admin privileges, the adversary will then have administrative access to your machine as well. This could allow the attacker to install malicious software, alter system settings, create additional user accounts, access files, steal data, and potentially move laterally to compromise other systems.

To mitigate this threat, use a separate dedicated account for administrative tasks, such as installing software or changing system settings, and limit your everyday account to ‘standard’ user privileges.

  • If convenience is a concern, Windows and Macintosh systems allow a standard user to perform ad-hoc administrative tasks by entering the admin username and password.
  • If you are not using the default administrator account, disable it. (See resources below for Microsoft and Mac operating systems).
  • On Windows, if you do use the default ‘administrator’ account, change the name of the account to something different to make it more difficult for it to become compromised. (Microsoft says changing the password makes it “slightly” more difficult for attackers.)

Protect all accounts with strong passwords or passphrases.


Microsoft: Enable and Disable the Built-in Administrator Account

Microsoft: Rename administrator account


Microsoft: Protect important folders with controlled folder access

Apple: Set Up Users, Guests, and Groups on Mac

Office of Information Security: Working Remotely online training

More Articles