Create PC Accounts – Security & Privacy

Control Access to the PC with different types of passwords.

Windows machines let a user log on to the computer through what are known as “accounts”.  An account gives you access to the PC (machine) in the way you are used to: running its software and creating and saving your documents.

Accounts are normally accessed with a password at login.  (This can be bypassed so that you turn on the machine and it goes directly to your desktop.  This is not advised in a business setting because of the obvious easy access and security risks.  Also, you will still need the password under certain circumstances, and not logging in makes it easier to forget or lose the password!)

What you may not realize is that a Windows machine can have more than one account, each with its own login.  Each account can be “personalized” to show its own desktop, and it keeps its documents, email and browser access private to that account.  Accounts can also be created with different levels of “privilege” for configuring the PC.

A separate “Administrative” account, ideally with a different password, is configured at set-up and can be accessed by logging in to it; this account allows complete control over the machine.

A “regular” user can be set up with a “Standard” account, which can control its own documents and browser, has access to software, and can also access some functions within Windows to control and personalize the machine as it appears to that account.

However, Windows has a feature that, when the PC is logged in to a Standard account, allows software downloads and certain other administrative tasks by prompting for the Administrative password.

https://www.howtogeek.com/226540/how-to-create-a-new-local-user-account-in-windows-10/

https://9to5mac.com/2019/03/04/create-user-account-mac/

Reasons for Controlling Downloads and Standard Accounts

This type of set-up is a best practice and standard operating procedure in a business setting (and advised on your home PCs) because:

  1. If the standard account user clicks on something in email or the browser that carries malware able to penetrate the machine, the malware usually cannot take control of the machine.  Microsoft estimates that using a standard account confers 85% greater protection.
  2. If the administrative password is kept with business management, then employees cannot download unapproved software onto the machine, whether for innocent or malicious reasons.  Downloading rogue software is a huge risk for smuggling in viruses, ransomware or software that monitors keystrokes to steal passwords and information.
    • Keep your administrative passwords (and standard!) in a secure database.
    • Limit employee access to administrative passwords.
    • Change the related password when an employee leaves the business or you wish someone to no longer have access to the machine.
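
The Standard/Administrative split and the Administrative password prompt (Windows calls this feature User Account Control) described above can be checked on a PC with PowerShell. The script below is an added example, not part of the original article; it assumes local (not domain) accounts and the built-in LocalAccounts cmdlets of Windows PowerShell 5.1 or later.

```powershell
# Added example: audit a PC against the Standard/Administrative account split.
# Read-only; run it from the everyday account on the machine being checked.

# Well-known SID of the built-in Administrators group (identical on every PC).
$adminGroupSid = 'S-1-5-32-544'

# SIDs of everything that is a member of the local Administrators group.
$adminSids = @(Get-LocalGroupMember -SID $adminGroupSid |
    ForEach-Object { $_.SID.Value })

# Classify each enabled local account.
$report = foreach ($user in (Get-LocalUser | Where-Object Enabled)) {
    $type = 'Standard'
    if ($adminSids -contains $user.SID.Value) { $type = 'Administrative' }
    [pscustomobject]@{
        Account          = $user.Name
        Type             = $type
        PasswordRequired = $user.PasswordRequired
        PasswordLastSet  = $user.PasswordLastSet
    }
}
$report | Sort-Object Type, Account | Format-Table -AutoSize

# The account used for daily work should be Standard, not Administrative.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($adminSids -contains $me.User.Value) {
    Write-Warning "$($me.Name) is an Administrative account; use a Standard account for daily work."
}

# An account that is not required to have a password defeats the login control.
$report | Where-Object { -not $_.PasswordRequired } | ForEach-Object {
    Write-Warning "$($_.Account) is not required to have a password."
}

# Settings that govern the Administrative password prompt for Standard accounts.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'User Account Control is disabled (EnableLUA is not 1).'
}
if ($uac.ConsentPromptBehaviorUser -eq 0) {
    'Standard accounts: elevation requests are denied without a prompt.'
} elseif ($uac.ConsentPromptBehaviorUser -in 1, 3) {
    'Standard accounts: elevation prompts for Administrative credentials.'
} else {
    'Standard accounts: ConsentPromptBehaviorUser is missing or has an unexpected value.'
}
```

The PasswordLastSet column helps with the last bullet above: an Administrative password that predates an employee's departure has not yet been changed.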