Windows 7 less vulnerable without admin rights

Windows 7 less vulnerable without admin rights

Summary: Ninety percent of critical Microsoft Windows 7 vulnerabilities can be mitigated by configuring the operating system for standard user rather than administrator, according to a new report.

SHARE:
Ninety percent of critical Microsoft Windows 7 vulnerabilities can be mitigated by configuring the operating system for standard user rather than administrator, according to a new report released on Monday.

Removing administrator rights would also protect against exploitation of all of the Office holes reported last year, 94 percent of Internet Explorer (IE) flaws — including 100 percent of IE8 flaws reported last year — and 64 percent of all Microsoft vulnerabilities reported in that time period, according to BeyondTrust's 2009 Microsoft Vulnerability Analysis.

There are trade-offs to removing administrator rights. For instance, standard users typically cannot install software and use applications that require elevated privileges, said Saurabh Bhatnagar, vice president of product management at BeyondTrust.


For more on this story, read Report: Windows 7 holes eased by axing admin rights on CNET News.

Topics: Software, Microsoft, Operating Systems, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

14 comments
Log in or register to join the discussion
  • Yes they can

    Good this is finally getting into news.

    The standard users are not blocked from performing administrative tasks, if they know an admin account credentials.

    Here is how to set up a non-admin account:

    http://unixwiz.net/techtips/win7-limited-user.html
    Earthling2
  • Who in their right mind would use root or su

    in an unknown, potentially hostile environment?

    That is done in Unix/Linux/Clones and should also apply in the Windows world.

    Please see:
    [i]http://en.wikipedia.org/wiki/Principle_of_least_privilege
    Principle of least privilege
    From Wikipedia, the free encyclopedia
    Jump to: navigation, search
    In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.[1][2]

    When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few[/i]

    Under Windows XP, here is a good tutorial on how to accomplish this with the help of the "Run As" command, similar to "su" in Unix.
    http://www.safecomputing.umich.edu/events/download/RunAsUser_sumit_05.pdf

    Google: http://www.google.com/#hl=en&source=hp&q=run+as
    Results 1 - 10 of about 141,000,000 for run as. (0.27 seconds)

    How do you like them Apples? :)
    WinTard
  • wow, ya think? the sad thing is...

    people will still continue to login as an admin, whether due to lack of awareness, just plain laziness, or the thinking of 'it will never happen to [i]me[/i]. I'm still in awe of my boss's (the 'senior' network admin for our company) comments about his work laptop w/ win7: "I'm not concerned with the risks...i'm the network administrator and i'm smart enough not to click on a link or attachment to get a virus on my machine; which is why my account is an admin, and i've turned off UAC." (we were discussing a problem installing a program on 7, first I asked if he's logged in as admin, his reply was I'm logged as my normal account...I'm a local admin on this pc, w/ UAC turned off. Of course I raised objection with this)

    But, this is the same guy that doesn't see the problem with browsing the internet (facebook, whatever) on domain controllers, while setting his cup of coffee on shelves at the top of our server racks.

    I'm not being facetious, this kind of $hit really goes on at some places...scary.
    SonofaSailor
    • Another reason

      Some old applications won't run under Win7 without admin rights.

      Revert back to an old OS, update the software to a compatible version or run as admin ...... guess which one stupid people will choose?
      wackoae
  • Thanks Captain Obvious!

    You mean if you take away the users ability to install applications, change many settings, install half the IE browser plug-ins out there, and run any legacy applications; that Windows 7 becomes 90% more secure.

    Thanks, I'll keep that in mind.

    (You know, if you shut the computer off and don't use it at all, it's 100% more secure.)
    Socratesfoot
    • I think you are skipped part of the article...

      ...which showed what percentage of vulnerabilities in other versions of Windows would be mitigated by using a non-admin account, on most of them, it was around or below the 50% mark.

      That said, I've been using non-admin accounts for years. But I guess that comes from growing up in a mainframe environment...
      wright_is
  • Gee! Really?

    Windows-7 is more secure in User mode with UAC enabled, than in Administrator mode without UAC.

    Really? I would never have guessed...

    ;-)
    oldbaritone
  • RE: Windows 7 less vulnerable without admin rights

    Why not wipe windows clean and install Ubuntu? That'll also make it 90% more secure.

    I hear the new Ubuntu 10.04 has solved the perceived geek barrier of linux. Though from my limited computer knowledge, I'd say that barrier was broken with 9.04
    frombelow
  • RE: Windows 7 less vulnerable without admin rights

    possibly because there are still users of these devices who are doing actual work, rather than having a glorified tv set.
    given a 20 year running start for biz apps configured to windows, and an answer from the linux community of "well, nobody needs to do that anyway" perhaps ubuntu fanboy commnets need be addressed to all the mac users who are paying 300% more than necessary for a unix clone with a pretty gui.
    gabriel bear
  • say it with me; Vista had it right...

    It took a long, long time, and my really, really asking to be infected for my vista install to get spoiled.
    current user
  • Houses less vulnerable with doors locked

    How's that for an earth-shattering headline?
    fhall1
  • RE: Windows 7 less vulnerable without admin rights

    They just figured that out?
    pprstevens@...
  • RE: Windows 7 less vulnerable without admin rights

    Win 7 and Office 2010 = the next piece of over-hyped
    broken code out of Redmond. I tested the '10 Beta and it
    sucked. I run Windows Vista 64bit and still cannot find
    drivers for all the MFP printers I use. Microsoft is
    getting worse by the day.
    Wally-M@...
  • RE: Windows 7 less vulnerable without admin rights

    What if the admin account has no password?
    Petes2020