
Best Practices to set up (and secure) a Windows 10 gaming PC for teenager

Vocalpoint    27

I am doing a clean rebuild on my son's gaming PC this weekend and wanted some guidance on how to get Windows 10 configured from an admin perspective (during setup) and then secure the desktop when he logs in after everything is complete.

 

I do all my rollouts via MDT to ensure all PCs get a consistent image (and settings) on each Win 10 Pro install - the MDT Task Sequence installs Windows 10 under the local admin account for the initial deployment and then I disable local admin via a script as one of the last steps in the Task Sequence.

I then usually log in using a local account (the main user of the PC - whose account was added via that last script action in MDT) and configure the PC. These local accounts have had admin privileges assigned but now that my son is 15 and tends to click on stuff and install crap all the time without asking or any real forethought - I feel like I am about two clicks away from a big security problem in short order - so I need to secure this desktop a bit better when he is using it.

 

Now - I do not want to be "Admin Dad" (too restrictive) but I also do not want him to be drowning in admin prompts every time he attempts to run a program or go to a share or look up something on the web for homework etc.

 

Ideally - I need full admin access to configure the box and then pass it back to him with certain key restrictions in place (like no software installs, device autoplay disabled, Windows Defender activated - basic security stuff).


What would be the best (most efficient) play here? Configure the PC (and all the apps etc) using his account (while it is still full Admin) and then move his account back to a Standard User afterwards? Or install the PC using a different local (named) account (That is part of the Administrators group) and then pass the machine back for him to logon under his own local (Standard) acct?

 

The big worries here are malware, phishing, oddball email attachments - the usual stuff. Great kid - just not technically savvy enough (yet) to realize that he might be getting himself into trouble.

 

Appreciate any tips from the field.

 

Cheers!

 

VP

 

Brandon H    2,918

If you don't want him installing anything on his own I'd set a local admin account with a password of YOUR choosing then set your son's account as a standard user with either another local profile or using his Microsoft ID.

It's up to you if you provide him with the admin password at that point as it will now ask for the password every time he tries to install something that way :)

 

This is actually a recommended install method in general but most just make their main account admin and leave it at that.

  • Like 2

Matthew S.    960
10 minutes ago, Brandon H said:

If you don't want him installing anything on his own I'd set a local admin account with a password of YOUR choosing then set your son's account as a standard user with either another local profile or using his Microsoft ID.

It's up to you if you provide him with the admin password at that point as it will now ask for the password every time he tries to install something that way :)

 

This is actually a recommended install method in general but most just make their main account admin and leave it at that.

That's actually how I set up all my systems, can't trust my parents not to click on and install something they're not supposed to, even have my gaming rig set up that way too... Also if the software he's using is recent, he should NOT be seeing UAC prompts unless he's trying to change a global system configuration or install something.

  • Facepalm 1

Jim K    13,233

Creating his account under "Family & other users"?

  • Like 1

Vocalpoint    27
13 minutes ago, Matthew S. said:

That's actually how I set up all my systems, can't trust my parents not to click on and install something they're not supposed to, even have my gaming rig set up that way too... Also if the software he's using is recent, he should NOT be seeing UAC prompts unless he's trying to change a global system configuration or install something.

Perfect!

 

@Brandon - Good one! I do have at least one extra named local admin account that is created during the MDT task sequence. I will use that for any admin tasks that might pop up.

@Jim K - all the accounts are created on the fly during the MDT deployment. Since we are on a workgroup layout here at home - I need the account names and passwords to be standardized and created automatically.

 

Now - how about the actual Windows 10 setup?  I want to limit the profiles created when configuring this box - so I am thinking I may just logon using his local account (while it still has admin) - configure everything and then drop it back to a Standard account and pass it over to him.

 

Was also wondering about UAC - once his account is back to a standard user account - does UAC play into this at all? Does that UAC slider make the Standard experience any better or worse? 

 

Thanks for the input - I do appreciate it.

 

VP

Brandon H    2,918

You will want to keep 1 active admin account (just not the built-in 'admin' user) otherwise he/you won't be able to install anything once setup is complete and he's a standard user again.

 

Example Accounts:

Name:    Access:
Joe      Local Admin Account with Password
Son      Standard Account (Local or Microsoft ID)

 

-----------------------

 

This way when logged in as 'Son' when he goes to install something it will ask for the password from the 'Joe' account.

 

I'd recommend leaving UAC at its defaults; it is what will prompt for the admin password when needed; the prompt should only come up when Admin privileges are needed (installing/uninstalling software and GPO/Registry items are the only main times it will prompt; there shouldn't be any reason to run normal apps with admin privileges).

 

edit: you can even hide the 'Joe' admin account from the login screen so he can't just log straight into that. Here is a guide for that

https://www.windowscentral.com/how-hide-specific-user-accounts-sign-screen-windows-10
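
The account layout and the "leave UAC at its defaults" advice above can be checked after the rebuild with a short audit. This is an added example, not part of the original posts: `Joe` and `Son` are the example names from the post, and the expected UAC registry data is assumed to be the Windows 10 defaults.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell session.
# 'Joe' and 'Son' are the example account names used in the post above.
$AdminUser    = 'Joe'
$StandardUser = 'Son'
$findings     = @()

# Administrators is looked up by its well-known SID (works on non-English installs).
$adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
$son       = Get-LocalUser -Name $StandardUser
$joe       = Get-LocalUser -Name $AdminUser
$builtin   = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

if ($adminSids -contains $son.SID.Value) {
    $findings += "$StandardUser is still in Administrators " +
                 "(fix: Remove-LocalGroupMember -SID S-1-5-32-544 -Member $StandardUser)"
}
if ($adminSids -notcontains $joe.SID.Value -or -not $joe.Enabled) {
    $findings += "$AdminUser is not an enabled member of Administrators; nobody could elevate"
}
if ($builtin.Enabled) {
    $findings += "Built-in account '$($builtin.Name)' is enabled"
}

# Any other administrator is unexpected in this two-account layout.
$known = @($joe.SID.Value, $son.SID.Value, $builtin.SID.Value)
$adminSids | Where-Object { $_ -notin $known } |
    ForEach-Object { $findings += "Unexpected member of Administrators: $_" }

# UAC values; the expected data is assumed to be the Windows 10 defaults:
# UAC on, standard users prompted for credentials (3), prompt on the secure desktop.
$uac      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = @{ EnableLUA = 1; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 }
foreach ($name in $expected.Keys) {
    if ($uac.$name -ne $expected[$name]) {
        $findings += "UAC value $name is '$($uac.$name)', expected $($expected[$name])"
    }
}

if ($findings) { $findings } else { 'Account layout and UAC settings match the plan.' }
```

If the admin account is also hidden from the sign-in screen as the linked guide describes, trigger one elevation from the standard account afterwards to confirm the credential prompt still accepts it.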

Vocalpoint    27
1 minute ago, Brandon H said:

you will want to keep 1 active admin account (just not the built in 'admin' user) otherwise he/you won't be able to install anything once setup is complete.

 

Example Accounts:

Name:       Access:

Joe             Local Admin Account with Password

Son            Standard Account (Local or Microsoft ID)

 

-----------------------

 

This way when logged in as 'Son' when he goes to install something it will ask for the password from the 'Joe' account.

 

I'd recommend leaving UAC at its defaults; the prompt should only come up when Admin privileges are needed (installing/uninstalling software and GPO/Registry items are the only main times it will prompt. there shouldn't be any reason to run normal apps with admin privileges)

Sounds good to me.

 

I also started wondering about this kinda stuff....for example when elevating to install an app or deleting a shortcut or doing simple Windows non-destructive type stuff. 

 

https://social.technet.microsoft.com/Forums/en-US/65ecacc7-7537-4153-9a52-dbda10559738/issue-of-adminstandard-user-permissionconfusion?forum=win10itprosecurity

 

I have experienced some of what this user is getting at - specifically with the local admin account suddenly "owning" file/folder permissions to files that get installed after "admin" permission is requested (by my son).  I am hoping to avoid being called up to his office every five minutes if he decides to delete a shortcut off the desktop etc.

 

Comments?

 

VP

Brandon H    2,918
3 minutes ago, Vocalpoint said:

Sounds good to me.

 

I also started wondering about this kinda stuff....for example when elevating to install an app or deleting a shortcut or doing simple Windows non-destructive type stuff. 

 

https://social.technet.microsoft.com/Forums/en-US/65ecacc7-7537-4153-9a52-dbda10559738/issue-of-adminstandard-user-permissionconfusion?forum=win10itprosecurity

 

I have experienced some of what this user is getting at - specifically with the local admin account suddenly "owning" file/folder permissions to files that get installed after "admin" permission is requested (by my son).  I am hoping to avoid being called up to his office every five minutes if he decides to delete a shortcut off the desktop etc.

 

Comments?

 

VP

have not run into that ever myself but I'm sure someone here can comment on that part :)

 

btw I just made an edit to my last post as you replied. You can actually hide the created Admin account from the login/welcome screen too so he can't just log straight into that bypassing his standard user.

https://www.windowscentral.com/how-hide-specific-user-accounts-sign-screen-windows-10

 

could be helpful for you :)

Matthew S.    960
1 hour ago, Vocalpoint said:

Sounds good to me.

 

I also started wondering about this kinda stuff....for example when elevating to install an app or deleting a shortcut or doing simple Windows non-destructive type stuff. 

 

https://social.technet.microsoft.com/Forums/en-US/65ecacc7-7537-4153-9a52-dbda10559738/issue-of-adminstandard-user-permissionconfusion?forum=win10itprosecurity

 

I have experienced some of what this user is getting at - specifically with the local admin account suddenly "owning" file/folder permissions to files that get installed after "admin" permission is requested (by my son).  I am hoping to avoid being called up to his office every five minutes if he decides to delete a shortcut off the desktop etc.

 

Comments?

 

VP

That should not happen unless said shortcut/folder is in the %PUBLIC%\Desktop folder... or in a protected folder like say C:\Windows, C:\Program Files, C:\ProgramData which should not by default be written to by any users anyways.. but if his Steam folder is located in C:\Program Files\Steam, you will need to change the folder permissions for the SteamApps folder so that everyone can read/write to it.

  • Facepalm 1
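
A narrower variant of the SteamApps permission change described above, followed by a check of who can write under Program Files. This is an added example, not part of the original post: it grants Modify to one account instead of everyone, and it assumes the Steam path named in the post and the example account name `Son`.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell session.
# Assumptions: Steam lives at the path named in the post; the standard account is 'Son'.
$SteamRoot = 'C:\Program Files\Steam'
$SteamApps = Join-Path $SteamRoot 'SteamApps'
$Account   = "$env:COMPUTERNAME\Son"

# Grant Modify (read/write/delete, but not change-permissions or take-ownership)
# on SteamApps only, inherited by its subfolders and files.
$acl  = Get-Acl -Path $SteamApps
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $SteamApps -AclObject $acl

# Check: list Allow entries that give write access to any principal other than
# Administrators, SYSTEM, CREATOR OWNER or a service SID such as TrustedInstaller.
function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $trusted = '^(S-1-5-32-544|S-1-5-18|S-1-3-0|S-1-5-80-.*)$'
    $write   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $write) -ne 0 -and
            $_.IdentityReference.Value -notmatch $trusted
        } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      @{ n = 'Sid';  e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

# The SteamApps row for the account above is the intended grant; rows for the Steam
# root or Program Files mean a standard user can write where programs are installed.
$SteamApps, $SteamRoot, $env:ProgramFiles | ForEach-Object { Get-NonAdminWriteAce -Path $_ }
```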
