
Windows 7 less vulnerable without admin rights

Elinor Mills CNET News | March 30, 2010 10:47 AM PDT

Summary

Ninety percent of critical Microsoft Windows 7 vulnerabilities can be mitigated by configuring the operating system for standard user rather than administrator, according to a new report.
Ninety percent of critical Microsoft Windows 7 vulnerabilities can be mitigated by configuring the operating system for standard user rather than administrator, according to a new report released on Monday.

Removing administrator rights would also protect against exploitation of all of the Office holes reported last year, 94 percent of Internet Explorer (IE) flaws — including 100 percent of IE8 flaws reported last year — and 64 percent of all Microsoft vulnerabilities reported in that time period, according to BeyondTrust's 2009 Microsoft Vulnerability Analysis.

There are trade-offs to removing administrator rights. For instance, standard users typically cannot install software and use applications that require elevated privileges, said Saurabh Bhatnagar, vice president of product management at BeyondTrust.
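A read-only audit of the conditions this article and its comments turn on (whether the current session actually holds administrator rights, whether UAC is enabled, and which local accounts sit in Administrators without requiring a password), written as an added example for this page rather than code from CNET or BeyondTrust; it assumes a Windows 7 or later host with PowerShell 2.0+ and uses the WinNT ADSI provider and WMI so it does not depend on the newer Get-LocalUser cmdlets.

```powershell
# Added example (not from the article): audit admin rights, UAC and local admin
# accounts. Read-only; runs as a standard user (no elevation needed for these reads).

function Test-IsElevated {
    # True only when the running token is an elevated admin token, so an admin
    # account with UAC on still reports False until it elevates.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacEnabled {
    # EnableLUA = 1 means UAC is on; 0 (or missing) is the "UAC turned off" state.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($v -eq 1)
}

function Get-LocalAdminAccounts {
    # WinNT ADSI provider works on Windows 7 and later (Get-LocalGroupMember needs PS 5.1).
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
        if ($cls -ne 'User') { continue }        # skip nested groups
        # Win32_UserAccount exposes PasswordRequired/Disabled for local accounts;
        # escape any single quote in the name for the WQL filter.
        $safe = $name.Replace("'", "\'")
        $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$safe'"
        New-Object PSObject -Property @{
            Name             = $name
            LocalAccount     = [bool]$acct        # $null for domain members of the group
            Disabled         = if ($acct) { $acct.Disabled } else { $null }
            PasswordRequired = if ($acct) { $acct.PasswordRequired } else { $null }
        }
    }
}

"Current session elevated : $(Test-IsElevated)"
"UAC enabled (EnableLUA)  : $(Get-UacEnabled)"
"Members of local Administrators:"
Get-LocalAdminAccounts | Format-Table Name, LocalAccount, Disabled, PasswordRequired -AutoSize
```

An enabled local administrator with PasswordRequired = False is the "admin account with no password" case raised in the comments and is the first thing to fix.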


For more on this story, read Report: Windows 7 holes eased by axing admin rights on CNET News.

Talkback Most Recent of 14 Talkback(s)

  • Yes they can
    Good this is finally getting into news.

    The standard users are not blocked from performing administrative tasks, if they know an admin account's credentials.

    Here is how to set up a non-admin account:

    http://unixwiz.net/techtips/win7-limited-user.html
    Earthling2
    30th Mar 2010
  • Who in their right mind would use root or su
    in an unknown, potentially hostile environment?

    That is done in Unix/Linux/Clones and should also apply in the Windows world.

    Please see:
    http://en.wikipedia.org/wiki/Principle_of_least_privilege
    Principle of least privilege
    From Wikipedia, the free encyclopedia
    In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.[1][2]

    When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few


    Under Windows XP, here is a good tutorial on how to accomplish this with the help of the "Run As" command, similar to "su" in Unix.
    http://www.safecomputing.umich.edu/events/download/RunAsUser_sumit_05.pdf

    Google: http://www.google.com/#hl=en&source=hp&q=run+as
    Results 1 - 10 of about 141,000,000 for run as. (0.27 seconds)

    How do you like them Apples? happy
    WinTard
    30th Mar 2010
  • wow, ya think? the sad thing is...
    People will still continue to log in as an admin, whether due to lack of awareness, just plain laziness, or the thinking of 'it will never happen to me.' I'm still in awe of my boss's (the 'senior' network admin for our company) comments about his work laptop w/ Win7: "I'm not concerned with the risks...I'm the network administrator and I'm smart enough not to click on a link or attachment to get a virus on my machine; which is why my account is an admin, and I've turned off UAC." (We were discussing a problem installing a program on 7; first I asked if he's logged in as admin, and his reply was "I'm logged in as my normal account...I'm a local admin on this PC, w/ UAC turned off." Of course I raised objection with this.)

    But, this is the same guy that doesn't see the problem with browsing the internet (facebook, whatever) on domain controllers, while setting his cup of coffee on shelves at the top of our server racks.

    I'm not being facetious, this kind of $hit really goes on at some places...scary.
    SonofaSailor
    30th Mar 2010
  • Another reason
    Some old applications won't run under Win7 without admin rights.

    Revert back to an old OS, update the software to a compatible version or run as admin ...... guess which one stupid people will choose?
    wackoae
    30th Mar 2010
  • Thanks Captain Obvious!
    You mean if you take away the users ability to install applications, change many settings, install half the IE browser plug-ins out there, and run any legacy applications; that Windows 7 becomes 90% more secure.

    Thanks, I'll keep that in mind.

    (You know, if you shut the computer off and don't use it at all, it's 100% more secure.)
    Socratesfoot
    31st Mar 2010
  • I think you skipped part of the article...
    ...which showed what percentage of vulnerabilities in other versions of Windows would be mitigated by using a non-admin account; on most of them, it was around or below the 50% mark.

    That said, I've been using non-admin accounts for years. But I guess that comes from growing up in a mainframe environment...
    wright_is
    31st Mar 2010
  • Gee! Really?
    Windows-7 is more secure in User mode with UAC enabled, than in Administrator mode without UAC.

    Really? I would never have guessed...

    wink
    oldbaritone
    31st Mar 2010
  • RE: Windows 7 less vulnerable without admin rights
    Why not wipe windows clean and install Ubuntu? That'll also make it 90% more secure.

    I hear the new Ubuntu 10.04 has solved the perceived geek barrier of linux. Though from my limited computer knowledge, I'd say that barrier was broken with 9.04
    frombelow
    31st Mar 2010
  • RE: Windows 7 less vulnerable without admin rights
    Possibly because there are still users of these devices who are doing actual work, rather than having a glorified TV set.
    Given a 20-year running start for biz apps configured to Windows, and an answer from the Linux community of "well, nobody needs to do that anyway," perhaps Ubuntu fanboy comments need be addressed to all the Mac users who are paying 300% more than necessary for a Unix clone with a pretty GUI.
    gabriel bear
    31st Mar 2010
  • say it with me; Vista had it right...
    It took a long, long time, and my really, really asking to be infected for my vista install to get spoiled.
    current user
    31st Mar 2010
  • Houses less vulnerable with doors locked
    How's that for an earth-shattering headline?
    fhall1
    2nd Apr 2010
  •
    pprstevens@...
    7th Apr 2010
  • RE: Windows 7 less vulnerable without admin rights
    Win 7 and Office 2010 = the next piece of over-hyped broken code out of Redmond. I tested the '10 Beta and it sucked. I run Windows Vista 64bit and still cannot find drivers for all the MFP printers I use. Microsoft is getting worse by the day.
    Wally-M@...
    8th Apr 2010
  • RE: Windows 7 less vulnerable without admin rights
    What if the admin account has no password?
    Petes2020
    5th May
