Look, I’m not a target - there’s no bad guys out there trying to hack into my stuff, but I’m also not infallible. Clicks happen. Best practice is to run as non-Administrator…yet here I am running with scissors. It’s time I practice what I preach. So, I set out to live the non-Admin life. Here’s how it went:

After I paved my trusty Windows 10 PC, I installed Windows 11, setup all my stuff the way I wanted (as an Administrator still), enabled the default Administrator account and set the password. After all, there still has to be an Admin account somewhere. I logged into the Admin account, revoked my normal account’s admin access, and then logged in as myself again.

Here’s a little background/rundown on what my PC normally does:

  • Email - I use Outlook to check several accounts - one for a financial website I run, one personal (this blog), and one non-important one. I also use my browser to check several Google (Gmail and Google Apps) accounts. My life is tied into these accounts.

  • Development - Visual Studio, Git, SQL Server Management Studio, MySQL

  • The usual Word/Excel/OneNote stuff.

  • Server Management

    • RDP into several Windows servers (Hyper-V server, SQL server, Web server, IIS Reverse Proxy)

    • SSH into several Ubuntu servers (Wordpress, UniFi, UISP, Remote Syslogger)

  • Plex Media Server

  • All the usual Twitter/Facebook/Reddit/Blogs browsing.

  • I consume/produce a lot of technical content on this thing - I install all sorts of software on here, trying things out (Man in the middle tools, Fiddler, Wireshark, hex editors, Autopsy, debuggers, disassemblers, you name it). If there is something really sketchy, I’ll spin up a VM for it and run it on there (I’m looking at you, free CAD software I downloaded from that .ru site)

  • All the games. Steam, EA, Origin, etc.

  • All of my life’s archives - family photos/videos, resumes, tax documents, you get the idea.

If I did get compromised (likely due to my own stupidity, rather than being a target) this would really suck.

So lets get into it. The first thing I decided to do, was to move all the Server management stuff into its own VM. Then I moved all dev stuff into another VM. Both of these are Windows Server operating systems, and I set those up the same way as my desktop - using a low-privileged account with an Administrator account on standby.

Quirks

On my regular machine, I could no longer connect to the Hyper-V instance running on my own PC. To resolve this, I added my user account into the Hyper-V Administrators group. Okay, so I’m living the non-Admin Life mostly…with an asterisk, I suppose.

While logged in as a regular user inside either of the Windows Server VMs, I couldn’t power them off. We can fix this with Group Policy (gpedit.msc). I didn’t want to add my local user into the Administrators group (obviously), and Backup Operators group grants too many permissions. Therefore, I created a new group called “PowerUsers”, added the user account into that group, and granted that group the ability to power off the server.

The three email accounts I’d previously setup in Outlook (when I was an Admin) were gone, so I had to re-setup all of those.

Boo.

2/5/2022 Quirks Update:

  • Private Internet Access wouldn’t install. I had to restore admin access to complete the installation.
  • Hyper-V “Enhanced Session” didn’t work out of the box because that connection technically works over Remote Desktop Protocol and my user account wasn’t a member of the Remote Desktop Users group.

Results

So far, I haven’t really cared that I’m no longer an admin in my day-to-day usage. Browsing, emailing, Teams, Slack, Affinity Photo, and Office all work just fine. Of course, none of those are “power-user” type things, but that’s kind of the point.

The Server Manager VM can connect and do all the things (Hyper-V management, remote IIS management, remote desktop connections, and Windows Admin Center) all without needing local admin privileges. Do I really need a separate VM then? No. However, there’s a lot of plumbing that goes on behind the scenes to get Hyper-V to connect to remote servers, and I don’t necessarily need or want that exposure on my main PC (Powershell remoting over WinRM, credential delegation/CredSSP, etc.).

The Development VM is new territory for me. I’ve always used a Windows desktop OS for development, but decided to try a server OS. I also previously ran Visual Studio as an Administrator because I would connect to a full-blown local instance of IIS. Now, I’m using the default IIS Express server that’s built into Visual Studio. So far everything seems to be working fine as a non-Admin.

A few side benefits to having multiple isolated VMs:

  • They don’t need to be running all the time. It’s just-in-time access.
  • Less cruft building up on my personal machine from installing random crap.
  • If I need to pave my PC for whatever reason, I don’t need to rebuild everything from scratch.

I’m sure I’ll find more quirks as time goes on, but for now I’m just going to browse the web like a Regular Everyday Normal Guy.