The following guide explains how to configure those user accounts for optimal system security, and while it does so with Windows 7 in mind, it can be easily applied to previous Windows OS’ as well.

It may not sound that bad to have additional user accounts configured on the system. The secure way however is to either deactivate accounts that are not needed, or password protect them so that no one without proper authorization can log in using one of those accounts.

Probably the easiest way to do that is to use the Local Users And Groups Policy. It can be opened with the shortcut Windows-R, typing lusrmgr.msc and hitting enter.

Please note that this control panel is only available in Windows Professional, Ultimate and Enterprise and not Basic, Starter or Home editions.

Once loaded it displays the two items Users and Groups in the left sidebar. A click on users displays all users of the operating system.

windows7 users lusrmgrmsc

A double-click on an entry opens a properties menu for the selected user. Here it is possible to disable the account. It is recommended to disable the guest account in Windows 7, as it is usually not used at all.

disable windows7 guest account

Checking the “Account is disabled” box and clicking on Ok will disable the account, so that no one can use it to log in.

The Administrator account is the second account that gets automatically created during installation. It is disabled by default, and a double-click can be used to verify that.

A right-click on a user account opens a context menu with options to set passwords for each account. It is a good security practice to set secure passwords for all accounts, even the disabled ones. The password should have a length of at least 16 chars, and consist of numbers, letters and special chars.

As mentioned previously, Windows 7 Home, Starter and Basic owners do not have access to the configuration panel. Their option is to open the Control Panel from the Windows Start Menu, and there the User Accounts panel.

Information about the current account are displayed, plus an option to Manage another account.

manage another account

Please note that only the guest account is displayed along the user accounts of the operating system. A click on the Guest account displays options to change the picture of the account, and to turn the guest account off.

Now that the guest account has been disabled, it is time to do the same for the Administrator account. For that you need to open an elevated command prompt. Do that by clicking on the Start Menu orb, then All Programs, Accessories, right-click the Command Prompt link and select Run as administrator.

Now enter the following command to disable the Windows 7 Administrator account:

net user administrator /active:no

To change a password for a user account type

net user username password

with username being the name of the account, and password the new password.

The runas command could be used to run an application with lower privileges but it has the serious disadvantage that there is no password switch meaning the user has to enter the password whenever he is executing the application. It does not work with blank passwords and requires the Secondary Logon service to be running.

A better alternative is the PsExec tool by Sysinternals. That little tool can be used to start any application with another user. Unlike runas it comes with a password switch.

PsExec is part of the PsTools suite of Sysinternals, you only need psexec.exe which should be moved into a system path folder, for example system32.

The next step would be to create a new user account in Windows. To do that go to Control Panel > User Accounts and click on the Create A New Account link in there. Now type a name for the new account and set it to be limited in the next window.

Specify a password for the account by clicking on the Create Password link in the user account control. Once the limited account has been created it is time to test if psexec is working properly.

Start the Windows command line by pressing [windows R], typing cmd and hitting enter. Now type the following command to test the functionality of psexec:

psexec -d -u "low privileges" -p test notepad

This will start notepad using the user account low privileges with the password test. If everything worked out well notepad should appear. It is now time to check if notepad has been executed with lower privileges.

The Task Manager can be started with [CTRL ALT DEL]. Click on View > Select Columns in the top menu and check the User Name box so that the username that started an application is shown in the Task Manager.

You should now be able to locate the username with the lower privileges and see that notepad was started from that account.

It would be time consuming to run the processes from the command line all the time. You can simply create a bat file with the command to start the applications that you want to run with lower privileges. To do that for Firefox you would add the line

psexec -d -u "low privileges" -p test "D:\Program Files\Mozilla Firefox\firefox.exe"

in the bat file. The file could then be moved into the start menu.