Why build a fence and leave the gate open?

Most who work in an office place understand the concept of “user accounts” or a “login” name used for accessing a computer system.  Facebook, email, and (technically) all Windows-based personal computers use accounts for access.  Generally, though, most people never even realize this.  Most homes go out, pick up a new Home Edition desktop or laptop at a box store, and after running the the initial setup routine never use a password again.

Doing so commits a dangerous mistake.

This incurs many security concerns regarding saved credit card information, passwords to websites (like online banks) saved in the browser, and just a casual disregard for important things like Social Security Numbers saved in personal tax returns among other things.  Leave pornography out of the equation for a minute.

Stop and consider identity theft for a moment.

IF a bad actor is already using your computer:  They would already know where you live, they could get a bank account number or an SSN, and they could apply for a new credit card in your name.  Or use your bank’s website to order a new debit card shipped to their house.  The teenage neighbor next door could order a raft of unnameable material right under their noses of his or her parents.  Bad security is always bad, regardless of how convenient using it might seem.  If you live alone and no one ever visits and you can guarantee you will never be robbed, then please disregard this advice.  If not, please take note.  Critical Armor focuses on “Guarding the Mind” but security controls on a technology system need not only serve a single purpose.

As if identity theft weren’t bad enough, it is only a footnote to the greater purpose of Critical Armor.

Case in point:  Only the Lord knows how many young people access Internet pornography not from their computer in their home, but from the wide open computer at Grandma’s house.

We hope Critical Armor inculcates a new way of thinking in the reader.  No matter the past, no matter that “nothing bad has ever happened”, no matter that “they’re all good kids”, there truly is no time like the present to make this change.

Create a Restricted Account.

Figure 1

Figure 1

Why a restricted account?  Several reasons.  For one, it will remain generally more secure against malicious software like viruses, trojans, and worms.  More to the point, though, it prevents the installation of software like alternate web browsers (and Virtual Private Networking clients) that can go around other security controls.  Also, it prevents meddling with the system files of the C:\Windows directory.

Most parents have probably never noticed the “Ease of Access” button on the Windows 7, 8, and 10 login screen.  Many misled young people have noticed it.  There are dozens of YouTube videos teaching kids how to replace this executable file with a copy of the Command Prompt.

Why, one might ask?  Well, unfortunately Microsoft has designed the default state of the computer to run at the Local Administrator level.  So, if a user can somehow pop open a command prompt WITHOUT logging in, that user has full access to everything without any restrictions.  Restrictions like K9 Web Protection.  So why not copy a portable version of the Chrome web browser on a USB stick and go anywhere the Internet has to offer?  Or even just type chrome.exe and run an installed version.

This should prove the need for Defense-in-Depth to any family who might not quite find themselves convinced.  Protections solely in the Zone 1 : Device arena (such as K9, Microsoft Family Protection, or even MobiCIP) need backup from the other zones to have a comprehensive strategy.

Please note that MobiCIP appears to connect directly with each Windows user account.  Therefore, if configured properly, even the Administrator account on the protected system will be monitored (if not filtered–depending on your settings).  In other words, one cannot simply go around it.  Critical Armor will continue to test this for potential vulnerabilities.

User Types

Windows defines multiple types of user accounts, each with its own privileges.  We won’t be dealing with Domain users, as those would only be included upon a Corporate or Business system.  Neither will we use the Power User class, since for our purposes a power user would function almost indistinguishably from an Administrator.  Therefore, even if the computer uses some other version of Windows than one labeled “Home”, please stick to just the normal User and the Administrator groups–feel free to name the accounts anything, as the notion moves.

The much loathed “Microsoft account” bears additional discussion as well.  While the reasoning remains unexplained, Microsoft requires that child accounts in the Family Protection settings include valid email addresses.  Critical Armor suspects that the system relies on this account for authentication (not allowing fake accounts to hide things) as well as an authorized communication channel for reporting activity.  While many parents complain about this requirement in the forums, Microsoft does not appear particularly motivated to change it.  In fact, the account may be central to the protections.  So don’t count on it going anywhere.

Consider this an opportunity.

No, you won’t necessarily need a Microsoft Account for simply adding a user, but it will be needed for using the built-in Microsoft Family Safety functionality.  Critical Armor recommends setting up a Microsoft Account for this purpose.  If the machine will never connect to the Internet, then disregard–create a simple local account.

Email Addresses

Figure 2

Figure 2

Establish a family domain name and use it for years.  Many new Top Level Domains (TLDs) established now offer names like .house, .email, .life, or even .ninja.   A different article will detail how to set a domain up to send and receive email in a final form, but here we will simply simulate a new address to accomplish our goals.

Google now operates as a registrar.  Critical Armor understands that some people seem to either love or hate Google, so feel free to make alternate accommodations, if necessary.  However, for an annual fee of $12.00, the cost shouldn’t stand in the way.  And since this post will simply setup email addresses as an alias that forwards everything to a parent’s account, the Google Domain Tools will work well, but feel free to complete the task some other way if expert enough to do so.

Figure 3

Figure 3

And most people already have a Gmail account kicking around somewhere.  Go to https://domains.google.com/registrar, log in or create an account (figure 2).  Then click Search Domains and try to find one that the family can use for years.  As a general rule, something that sounds cute now when the family includes a three-year-old might seem a little embarrassing for a sixteen-year-old.

So, possibly steer clear of http://smithbabybupkins.com and the like.  Your children will thank you when they’re teenagers.

Once registered, the click on “My Domains” and select the “Email” column.  In the first field, add the name of each child and then forward them to an existing email address of a parent.  Don’t forget to click the add button.  Repeat for each child.  Please note, same rule applies here for nicknames.  Just imagine a mature and godly young lady heading off to Bible College saddled with an email address like sweetiepieface@smithbabybumkins.com.  That will look a little odd on the application forms.  Certainly the Christian shouldn’t be motivated by peer pressure, but nonetheless, who would trust a banker or a loan officer that introduces himself as Booger?

In the future, Critical Armor will discuss the procedure to make these addresses fully functional, but for the purposes of this article, we only need to send and receive messages in some fashion.

Windows Settings

04-windows-10-restricted-user

Figure 4

05-windows-10-restricted-user

Figure 5

Figure 6

Figure 6

Figure 7

Figure 7

Go the Settings by clicking on the Notifications icon in the bottom right corner, then the All Settings tile (Figure 4).  Once there, click on Accounts (Figure 5).

 

Select the “Family & other users” and click “Add a family member” (Figure 6).  Notice that in the example, one child account already exists, but in this case the child’s account “Can’t sign in.”

That’s not a problem.  It may be exactly the desired state–please consider carefully which machines a child’s account may even use and limit to only a few.  Since all accounts will tie to the email (Microsoft Account) of the main administrator, so if a child cannot sign in, examine this setting first.  To change it, simply click on the user name and select “Allow” to enable a child account on any and all Windows 10 machines required (Figure 7).  Again, for work computers or parent-only systems, Critical Armor recommends to leave the child account unable to login.  Limiting the logins to the minimum number mitigates a potential risk.

Remember to change passwords regularly.  Set a reminder in on a mobile device to change passwords at least every three months.  Stop now, please, set a reminder and then stick to it.

24-windows-10-restricted-user

Figure 8

Figure 9

Figure 9

Figure 10

Figure 10

It seems like one should click on the plus symbol to beside “Add a new family member” to begin the process (Figure 8), but please DO NOT. Don’t worry.  Nothing bad will happen, but the process will complete much more easily by clicking “Manage family settings online” as circled in red.

In the web page that pops open, select the link to “Add a child” (Figure 9).

Figure 11

Figure 11

Then, type in the email address (or forwarder) created earlier under Figure 3 above.  Use the button labeled “Send invite” as seen in Figure 10.

 

The page will return to display the new “family” user (called test) in this example.  Notice that the system sent an invitation that needs action to accept.  This invitation consists of two emails forwarded to the parent’s inbox.

The first will be a confirmation email to verify that the child’s email address exists (Figure 12).  Remember, if set as a forwarder in Google Domains, this email will arrive in the parent’s inbox since this process does not use full email accounts with send and receive capability.  Microsoft should accept the account as verified (Figure 13).  Also, remember that the webpage may default to the main account, so be certain to log in under the child’s address in this step.

Figure 12

Figure 12

Figure 13

Figure 13

Figure 14

Figure 14

The second email will join the “Family” under the terms of the Microsoft Account System.  It will also include a link or a blue button to accept.  A web page will ask for a parent’s permission (Figure 14).

Click the blue button “Have a parent sign in” which will prompt again for a username and password.  It seems confusing, but this time it will be the parent’s account.  Log in as the parent.

Figure 15

Figure 15

Figure 16

Figure 16

The parent must authorize the account into the family, which works as a security control.  It prevents a child or other person from creating bogus accounts for whatever purpose, perhaps to get around web protection software in some way.

Uncheck the box (circled in red on Figure 15) to prevent third party applications via the Microsoft Store.  Feel free to change this setting later, but generally it means the account can sign into games and apps not published by Microsoft but still function in the Microsoft Windows 10 marketplace.  Unchecking this box will not prevent the installation of software from third parties, it only deals with signing INTO software from third parties, and will probably never matter.

Figure 17

Figure 17

Figure 18

Figure 18

Finally, a last check to prevent a child from going around the system by creating “shadow” or secondary accounts.  To complete the setup, Microsoft asks for a credit card number to charge fifty cents (Figure 16).  This fifty cents goes to charity (of some kind) and buys absolutely nothing.  As a security control, however, it keeps a children, who generally do not have credit cards, from completing the signup process without detection somewhere along the way.  Nothing is fool-proof, naturally, a pre-paid Visa would work (and if the parent does not use debit or credit cards, maybe the legitimate way around this obstacle).

The system will at this point allow the parent to fill out the child’s profile (Figure 17).  The only truly important part of this form will be an accurate date of birth.  The system will remove all parental controls upon the child’s eighteenth birthday–so it may work well to roll back a few years to prevent it from happening unexpectedly in the middle of a child’s senior year of home school.  The “Remove yourself” link (circled in red in Figure 18) might stick out as odd.  For the purposes of this walk-through, Critical Armor created another “child” user with an age over eighteen, as calculated by the entered birth date.  For a child under eighteen-years-old, this option remains “grayed out” or non-clickable.  If this link appears live (blue), go to the user’s profile and check the birth date entered.

Figure 19

Figure 19

Lastly, back on the computer itself, notice the change user type.  Of the two choices, either Administrator or Standard User, it is important that the child is in the later category.  An Administrator can install and uninstall software, change settings, alter back-end processes, and touch the system files.  For the most part, the Standard User cannot.

Ideally, even the Parent would not use the Administrator type of user.  Critical Armor recommends that each family create an account (not a child, but an additional account) for each Parent and set those users to “Standard User.”  After these accounts exist, change the Administrator password to one with high complexity and different from any commonly used.  Or, for accountability purposes, the two parents each enter one half of the password.

If done correctly, the daily-use account has few privileges to make changes to the system or protections.  This limits the possibility that a child (or anyone else) will find a computer accidentally left logged in to a powerful account.  Consider individual accounts for the parents carefully.  Yes, it will create some difficulty to install software or change settings–that is the whole purpose–but this may just be the most useful way to be intentional about the way the computer gets changed.

One further note:  This instruction took significantly longer than expected and involved many revisions.  Microsoft has several ways to create child users, so after much trial-and-error Critical Armor picked the path that should simplify the next step of implementing the Microsoft Family Safety feature.  So, if something seems a bit out-of-order, please let us know. 

Build the Castle!