Admin rights key to mitigating vulnerabilities, study shows

By running users under standard, non-admin accounts, IT can prevent a very high percentage of Microsoft vulnerabilities from being exploited.
Written by Larry Seltzer, Contributor

It's been best-practice for a very long time: all users and processes should run with the fewest privileges necessary. This limits the damage that can be done by an attacker if the user or process is compromised.

Unfortunately, running users without admin rights on Windows XP was generally impractical. It is a much more reasonable and manageable approach on Windows Vista, 7 and 8, but many organizations still run users as administrator because it makes things easier in the short term.

A new study from Avecto demonstrates the real world import of running with "least privilege". In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. 200 of the 333 total vulnerabilities would be mitigated if the user were not running as administrator. 147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.

The greatest impact comes with remote code execution vulnerabilities. Such vulnerabilities are necessary in the large majority of meaningful attacks. 100 percent of critical remote code execution vulnerabilities would be mitigated with non-administrator rights.

Avecto 2013 Microsoft Vulnerabilities Study: Mitigating Risk by Removing User Privileges

Non-administrator users can still be compromised, but it's much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive security architecture including prompt application of updates to patch vulnerabilities.

Avecto is a UK software company which develops products to help organizations configure and manage their systems to run with least privileges necessary.

Editorial standards