Admin rights key to mitigating vulnerabilities, study shows

Summary: By running users under standard, non-admin accounts, IT can prevent a very high percentage of Microsoft vulnerabilities from being exploited.

It's been best practice for a very long time: all users and processes should run with the fewest privileges necessary. This limits the damage an attacker can do if the user or process is compromised.

Unfortunately, running users without admin rights on Windows XP was generally impractical. It is a much more reasonable and manageable approach on Windows Vista, 7 and 8, but many organizations still run users as administrator because it makes things easier in the short term.

A new study from Avecto demonstrates the real-world import of running with "least privilege". In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. Of the 333 total vulnerabilities, 200 would be mitigated if the user were not running as administrator. 147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.

The greatest impact comes with remote code execution vulnerabilities. Such vulnerabilities are necessary in the large majority of meaningful attacks. 100 percent of critical remote code execution vulnerabilities would be mitigated with non-administrator rights.

[Figure: Breakdown of Microsoft vulnerability impact, 2013. Source: Avecto 2013 Microsoft Vulnerabilities Study: Mitigating Risk by Removing User Privileges]

Non-administrator users can still be compromised, but it's much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive security architecture including prompt application of updates to patch vulnerabilities.

Avecto is a UK software company that develops products to help organizations configure and manage their systems to run with the least privileges necessary.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...