Admin rights key to mitigating vulnerabilities, study shows

Admin rights key to mitigating vulnerabilities, study shows

Summary: By running users under standard, non-admin accounts, IT can prevent a very high percentage of Microsoft vulnerabilities from being exploited.

TOPICS: Security, Windows

It's been best-practice for a very long time: all users and processes should run with the fewest privileges necessary. This limits the damage that can be done by an attacker if the user or process is compromised.

Unfortunately, running users without admin rights on Windows XP was generally impractical. It is a much more reasonable and manageable approach on Windows Vista, 7 and 8, but many organizations still run users as administrator because it makes things easier in the short term.

A new study from Avecto demonstrates the real world import of running with "least privilege". In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. 200 of the 333 total vulnerabilities would be mitigated if the user were not running as administrator. 147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.

The greatest impact comes with remote code execution vulnerabilities. Such vulnerabilities are necessary in the large majority of meaningful attacks. 100 percent of critical remote code execution vulnerabilities would be mitigated with non-administrator rights.

Avecto 2013 Microsoft Vulnerabilities Study: Mitigating Risk by Removing User Privileges

Non-administrator users can still be compromised, but it's much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive security architecture including prompt application of updates to patch vulnerabilities.

Avecto is a UK software company which develops products to help organizations configure and manage their systems to run with least privileges necessary.

Topics: Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I'm ahead I guess!

    Took admin rights away from our users 10 years ago.
    • Good for you

      You're one of the smart ones. Have you noticed any significant effects from it, like users trying to run fake_flash_installer.exe and complaining about the errors?
      Larry Seltzer
  • Design Issue

    The problem I see with W7 is the escalation methods is very poor and forces many users to run at higher level than ideal. Also, updating Windows is not the easiest to manage since there is no centralized repository to manage updates through.
    • hogwash

      • Not really

        Anyone who does gaming on Windows 7 knows just how frequently you need admin access. There's a reason that people complained about UAC back when it was introduced in Vista: because most software on Windows begs for admin access even for basic functionality. Admin in Windows is a real mess, not so much because Windows itself has bad security, but because of awful design choices that are prevalent within Windows' developer culture.
        • poor design

          If a game requires admin access it must, pretty much by definition, be poorly-designed. There's nothing a game should be doing that should require admin access. Hell, Microsoft Office is far more complicated than the average game and you can run it as a standard user.
          But many developers figure they can write to whatever directory they want or access privileged APIs that they don't need. Blame the developer.
          Larry Seltzer
        • Is this comedy centeral

          I have had 2 laughs so far from people on this thread, thanks Larry. If the game needs admin rights then i think you have downloaded a malware riddled version of a torrent site. it would how ever require the admin token to install the game but after that no.
          • bolo

            modifying the os to meet the desires of the app has been "SOP" for developers since the 5150 came out. as the 5150 was not marketed in a rather odd manner this didn't seem to be important,.... at the time

            look a FLASH if you want a really bad example of stupid software. it has server as a vector for malware now for years. the developers argue "but we haveto, in order to make it run well". they have always used that argument.
        • 10X (like getting 100 on a test)

          KiteX3 has summarized the windows security issue rather well in 1 short paragraph.
    • Secunia and many others

      Windows itself comes with great repositories for Microsoft updates. There are great products from Secunia and others for managing updates of all software on devices, and many patch management systems for enterprises to do the same using Active Directory.
      Larry Seltzer
    • Thanks for the laugh mate

      No central update management? LOL. So WSUS or software deployment through GPO isnt a centralized management?. So whats the version for administering 100 linux machines? if you had to roll out an update for say......Adobe flash, how would you push that to 100 linux nodes mate?
      Anyway back to the admin rights, when i started here every user had full admin rights to the machine and the first day that was stopped and everyone complained like they had lost their child.
      By leveraging a GPO to allow printers to be installed and setting correct secpol.msc parameters a windows machine can almost be bullet proof. Also once again utilizing EMET goes along way but Linux users dont believe this because once again they start windows, it doesnt look like linux and they dont understand the inner working of windows and read something on a forum such as this by someone who doesnt even Administrate windows machines form a living and believe what they say is gospel.
      Try locking down a Win 7/8 machine and then start throwing exploits at it and see how far you go, an i bet it will be no where mate. Many have tried against my network and failed.
      • Mate

        Red Hat Satellite, ClusterSSH Series 4 , Spacewalk comes to mind.

        “So whats the version for administering 100 linux machines??
    • WSUS?

      • Windows Server Update Services (WSUS)

  • Malware is still capable of running without admin rights in windows

    All it needs to do is deposit somewhere in userland and annoy the heck out of people.
    • yes, but...

      Very little malware functions when run as standard user. It almost certainly can't propagate to other systems, and the damage it can do is limited to that user.
      Larry Seltzer
    • CryptoPrevent

      There are ways to add policies to anti-virus progams to prevent creation of executables in userland, but even easier (and deploy-able via scripting, including batch) is CryptoPrevent.

      CryptoPrevent was developed to stop CryptoLocker, but is shuts down the entire userland trajectory.
      • vb6 no thanks

        The only problem with not allowing execution of a executable from the %appdata% is that a lot of custom software or others such as google chrome all frun from this space so that would stop anything being executed from the users %appdata% path.
        Like i said below, using EMET can really help in situations of drive by downloads.
        • Whitelisting is your friend

          Haven't run into that problem with Chrome. Had a speed bump experience with a couple of Firefox extensions, but, once white-listed in CryptoPrevent, they installed fine.

          This happens a lot less often, and with a lot less hassle, than with the NoSpript (Firefox) or ScriptSafe (Chrome) exgtension white-lists.
  • This is no secret

    The MS-people know it too, but culture is hard to change, and Windows inherited its security culture from DOS.
    John L. Ries