advice on how to set up a 'least privileges' arrangement
HOW TO CHANGE FROM THE WINDOWS DEFAULT ADMINISTRATOR ACCOUNT TO A STANDARD USER
Running as a standard user is universally recommended. It's too bad that Windows does not guide you to this, and that clear instructions are hard to find.
These steps assume that you installed Windows 10 as a single user, making no effort to avoid being an administrator - as most of us did. You created and have been logging in as username "John" with some password. You don't need or want to be an Admin but that's what happened.
• Get to "PC Settings | Accounts | Family & other people | Add someone else to this PC".
• Select "Add a user without a Microsoft account".
• For "Who's going to use this account?" give the new Admin account name e.g. "BigJohn".
• Set a password for "BigJohn"; see ideas below on this*.
• Set the "BigJohn" Account Type to "Administrator - Local account".
• Use Ctl-Alt-Del to Switch User, and log in as "BigJohn".
• Get to "PC Settings | Accounts | Family & other people".
• Change the original "John" Account Type to "Standard User".
Reboot and log into the "John" account as usual. Now you are running as a standard user. This makes it harder for traditional malware to take over your machine. It also means that you'll have to answer a UAC prompt more often; that's annoying but you get used to them. After a malware invasion I've decided that it's worth the effort. I think that an even more limited account can be created but will leave that for the those more knowledgeable to explain, with pros and cons.
* For passwords I like to use a garbled passphrase. Take two words such as "much time" and change them into "mchu==temi". The goal is to avoid dictionary words and include symbols, but still be easy to remember and type for those UAC prompts. Having lots of shifted case and numbers will be so tedious that you're liable to drop back to something too simple.
