Personal PC: Microsoft Account yes or no?

pparks1 said:

However, if you were to initiate an outbound connection to a shady website, (or a legit website that was compromised....like this very forum even) the return traffic could contain malicious payload, and could also generate additional outbound traffic.

Click to expand...

That's right, and is easily offset by not using Administrator account to browser the internet.
Then all that you need to do is regularly delete your account and create a new one to remove malware which the AV cannot detect, this way system is protected and there is no need to reinstall. (although ofc. it's still possible for system to be compromise ex. privilege escalation)

Therefore using a standard account to do daily stuff.

edit:
I know some people will correct me and tell me I'm wrong regarding Admin account:

But I'm just being stubborn in this regard.

zebal said:

That's right, and is easily offset by not using Administrator account to browser the internet.
Then all that you need to do is regularly delete your account and create a new one to remove malware which the AV cannot detect, this way system is protected and there is no need to reinstall. (although ofc. it's still possible for system to be compromise ex. privilege escalation)

Therefore using a standard account to do daily stuff.

edit:
I know some people will correct me and tell me I'm wrong regarding Admin account:

How User Account Control works

Learn about User Account Control (UAC) components and how it interacts with the end users.

learn.microsoft.com

But I'm just being stubborn in this regard.

Click to expand...

Using a standard account is always a good standard. However, this doesn't make you unhackable. Maybe they won't have access to install something, but they could have enough access to read data that your standard user account does have access to.

pparks1 said:

However, this doesn't make you unhackable. Maybe they won't have access to install something, but they could have enough access to read data that your standard user account does have access to.

Click to expand...

Sure they could, but if you have anything valuable it should be kept in another user profile,
current account which you use is only for surfing and similar, daily stuff, gaming etc.
At least that how I use computer, I don't use only one account for everything.

If for ex. some web server which you visit somehow gains access to your PC it won't have access to system or other accounts on your PC.
so it's easy to get rid of undetected malware and hackers if one practices this.

They can steal only stuff which you keep in your current account, ex. passwords or bookmarks or steam account etc.
But for this we need additional protections such as password manager with virtual keyboard if ie. you steam account is worth 1K dollars of whatever.

zebal said:

Sure they could, but if you have anything valuable it should be kept in another user profile,
current account which you use is only for surfing and similar, daily stuff, gaming etc.
At least that how I use computer, I don't use only one account for everything.

If for ex. some web server which you visit somehow gains access to your PC it won't have access to system or other accounts on your PC.
so it's easy to get rid of undetected malware and hackers if one practices this.

They can steal only stuff which you keep in your current account, ex. passwords or bookmarks or steam account etc.
But for this we need additional protections such as password manager with virtual keyboard if ie. you steam account is worth 1K dollars of whatever.

Click to expand...

I'm sure there is something of value to somebody using my standard personal account. I don't use multiple accounts on my home computer actively. Even on my work computer, I'm not supposed to use my elevated admin account to login, it's only there for UAC prompts and I put in my credentials when I need to elevate acces.

zebal said:

I'm not aware of any method or real-life case where an inbound blocking hardware firewall has been breached, it's theoretically impossible.
only if you're runing a service and need to open port it becomes possible to get trough.

Click to expand...

Absence of evidence is not evidence of absence.

Even though you're not aware of this, does not mean it has not been done. Thing is, though, hackers trying to make monetary gains are probably more likely to attack corporations than individual users. However, the way into a corporate network is not through direct, brute-force measures (in this day and age), but rather, through other things, like Social Engineering - which then necessitates access to individual users' info, which can easily lead to hacking an individual's computer.

Add to the fact that the Pandemic completely reshaped the global workforce landscape, allowing multitudes of people to work from home, with much more lax security than offices used by corporations, and you have the resultant explosion in all sorts of attacks, particularly (but not limited to) ransomware, over the following couple of years.

Unless you've performed extensive penetration testing yourself, on a network that someone else desgined, including multiple layers of firewall and security, or else you've designed such a system and allowed for an inde0pendent 3rd-party to attempt to penetration-test your system, you cannot say you are unhackable. Ever. Between 0-day exploits of hardware devices, though both firmware exploits as well as software exploits, to methods to get around such devices, such as credentials obtained through other methods, such as Social Engineering, there is always a way.

Plus, you should remember that even with all your inbound ports closed, as soon as you send something outbound that port is effectively open for hte acknowledgements necessary to monitor and report on the traffic.

zebal said:

Yes agree but most powerful one.

Click to expand...

Not even close. You think Ransomware is carried out by direct, brute-force hacking? Perhaps you should go back and start reading up on what ransomware is, how big it has gotten, and the usual suspects when it comes to methods used to obtain valid, legitimate access to systems to allow for the data to be held hostage.

I think you might be a bit surprised.

CharmaineK said:

So those who don't use a MS Account can't sync between devices and easily access files. If you want to also access your files on your devices you use than you need to use a MS Account. If you prefer to only use a local account then everytime you need a file you will need copy to a to USB stick and plug it into that device or email to yourself. I have used a MS account for many years and I use Office365. I like the convenience of being able to access my files on all my devices.

Click to expand...

Well, you need some sort of mechanism. You can use third party services just as well as the Microsoft ones to accomplish the the same things. So, in effect, you don't need a Microsoft account, but doing so via the Microsoft account is a bit easier, more than anything.

Dru2 said:

I can't account for every what if in the universe, but at the end of the day, if you're connected to the internet, you're hackable. That's fact.

And that's my point.

Click to expand...

No one can. 0-days exist.

zebal said:

That's why digital signatures are important and why we should install only software from publishers which we trust.
It makes no sense to trust no-one.

Click to expand...

Until the digital signatures themselves are hacked or manipulated. And before you start saying it cannot happen, it already has beforte, including one very stupid one from Microsoft itself when theirs expired and they forgot to renew and someone else renewed it instead. It's a matter of public record and history.

zebal said:

Sure they could, but if you have anything valuable it should be kept in another user profile,
current account which you use is only for surfing and similar, daily stuff, gaming etc.
At least that how I use computer, I don't use only one account for everything.

Click to expand...

A separate user Profile does not preclude the ability to get access to the data. It is still physically on that machine, and accessible relatively simply with admin access or higher. And anyone who gets a malicious packet snuck in to your system while you're doing nothing nefarious but browsing the web needs little time to gain said access and they're off to the races.

If it was so complex to get access to data in a different profile or with tings like ACLs being used, ransomware would not be as prevalent as it is now.

You're really trying to make it sound like you're safe. You're safer than the average person - but as long as you are connected to anything anywhere anyhow, you're less than 100% safe. No matter how good you are, you're not 100% safe with even a single connection.

zebal said:

If for ex. some web server which you visit somehow gains access to your PC it won't have access to system or other accounts on your PC.
so it's easy to get rid of undetected malware and hackers if one practices this.

Click to expand...

Wrong, wrong wrong wrong wrong. Wrong on so many different levels.

PC access on one account allows them to easily and trivially gain access to the entire PCs contents. Running things as a Standard user that has the ability to elevate privileges to Admin is the norm for the vast majority of people. But even if you have a truly limited user account that cannot be elevated, once they are in your system, exploits can be found and manipulated. Things like program executables and runtimes can be exploited in a variety of methods to call them to fail, and the failures can be used to then extend their access deeper into the machine until they can successfully gain direct access to an account, any account, that has admin level privileges or higher.

It's not as simple as you're making it out to be, and furthermore, you're not taking into account what we're really saying. I urge you to start seriously studying cybersecurity before you continue tyo make these sorts of broad, general statements.

zebal said:

That's why digital signatures are important and why we should install only software from publishers which we trust.
It makes no sense to trust no-one.

Click to expand...

Digital signatures does not protect your PC. Digital signatures are just proof of authenticity of the software or digital documents.

@johnlgalt
You're making good points and I agree with all you said.

johnlgalt said:

Plus, you should remember that even with all your inbound ports closed, as soon as you send something outbound that port is effectively open for hte acknowledgements necessary to monitor and report on the traffic.

Click to expand...

Nice, I'm aware of this and is mostly used on wifi networks, I honestly don't know if it's possible world wide but I'm going to research if it is because it sounds interesting.

johnlgalt said:

But even if you have a truly limited user account that cannot be elevated, once they are in your system, exploits can be found and manipulated. Things like program executables and runtimes can be exploited in a variety of methods to call them to fail, and the failures can be used to then extend their access deeper into the machine until they can successfully gain direct access to an account, any account, that has admin level privileges or higher.

Click to expand...

You're stating something which I already acknowledged in my previous post #101 about privilege escalation.

"if you're connected to the internet, you're hackable."
Well, I would really like to know why hasn't been MS, facebook and similar firms hacked so far, they're connected to internet aren't they, so why nobody hacked them? if to be connected means to be hackable.

zebal said:

"if you're connected to the internet, you're hackable."
Well, I would really like to know why hasn't been MS, facebook and similar firms hacked so far, they're connected to internet aren't they, so why nobody hacked them? if to be connected means to be hackable.

Click to expand...

What???


A little awareness goes a long way. As we been saying, if it's computer code, it can be hacked!!!

@Dru2

"Our investigation has found a single account had been compromised, granting limited access," Microsoft said.

Click to expand...

I stopped reading here.

Also:

A shadowy hacktivist group claimed responsibility, saying it flooded the sites with junk traffic in distributed denial-of-service attacks.

Click to expand...

I don't that's hacking, DDOS-ing someones server isn't a type of hacking I would consider to be hacking.
The whole point I'm making here are methods or how to protect system itself, hacking about to gain access to system in full, to make it a zombie.

Having unprivileged access mean nothing and DDOS-ing is not really hacking.

You obviously have your set beliefs on cybersecurity and protections so there's nothing further for me to say.

Good luck. Movin' on.

Dru2 said:

You obviously have your set beliefs on cybersecurity and protections so there's nothing further for me to say.

Good luck. Movin' on.

Click to expand...

I'm sorry you feel it that way, but if you read previous posts all that I was stating is about having a separate unprivileged account for the sole purpose to protect system.

What happened with Microsoft in those news basically confirms my point in that hackers must be limited to unprivileged access to system.
otherwise system isn't compromised.

badrobot said:

Digital signatures does not protect your PC. Digital signatures are just proof of authenticity of the software or digital documents.

Click to expand...

That is literally what Smart App Control is about and what Windows 12 is bringing as the main security feature along with "forced" Admin-less User account. I have disabled running apps without digital signature using "ValidateAdminCodeSignatures". I do not use AV and this also one of the main features I rely on to prevent running a random exe either by me or by some script.

I am a serious OneDrive user - that terabyte of cloud storage is way too useful - and all my devices can access it. As another forum user pointed out, Microsoft 365 Personal is a five-device subscription - for that $70USD a year.




personal

zebal said:

Well, I would really like to know why hasn't been MS, facebook and similar firms hacked so far, they're connected to internet aren't they, so why nobody hacked them? if to be connected means to be hackable.

Click to expand...

Not watch the news much?

And stopping reading because of one line shows an obvious bias about how you feel about cyber security. Like Dru2, I'm done with this convo as well. I feel more than confident in what I am saying, because top security researchers all around the world have said this long before I did.

PGHammer said:

I am a serious OneDrive user - that terabyte of cloud storage is way too useful - and all my devices can access it. As another forum user pointed out, Microsoft 365 Personal is a five-device subscription - for that $70USD a year.




personal

Click to expand...

I do the family plan, as I have 3 other family members, and another personal account, all with the individual storage and access to Office, for $99 US / year.

I also use Microsoft logins on my OSs and my VMs.

Doesn't mean everyone has to, needs to, or wants to. And you can have that subscription and still not use a Microsoft account login for Windows without any detrimental effect of using those subscriptions and services.

Long story short, if you are worried about privacy issue, stay offline.