Home : Security : News

Removing 'admin' mitigates most Windows flaws

Businesses should consider making employees log in as standard users, BeyondTrust has advised.

By Asavin Wattanajantra, 5 Feb 2009 at 13:06

The vast majority of all critical Microsoft vulnerabilities, some 92 per cent, could have been mitigated by removing the administrator rights of Windows users, a new report has revealed.

The researchers BeyondTrust said that the results demonstrated that if companies configured users as 'standard', they could better protect themselves against malware and zero-day threats.

According to the findings, removing administrator rights could have protected against 2008 vulnerabilities reported in Microsoft Office (94 per cent), Internet Explorer (89 per cent), and Microsoft Windows itself (53 per cent).

Microsoft already has best practice advice on this issue in its security bulletins, which says users whose accounts were configured to have fewer user rights on the system would be less affected than those who had administrative rights.

This issue has cropped up recently with the alleged ‘flaw’ in the Windows 7 Beta, where blogger Long Zheng said that its User Access Control (UAC) could be completely disabled without user interaction, increasing the risk of malware.

In a disclaimer, he said: “The user must be in the 'Administrative' user group, and not in the 'Standard' user group, where they will be prompted for an administrative password.”

Email to a friend

Print this page

< Previous Security : News Next >

2 comments

You need to Login or Register to comment.

This is brain dead

I spend almost 50% of my time bypassing Microsofts security lockdowns in work. I', the Level 3 support guy, I should be able to do anything on my PC or others, but no.

So how about somebody, somewhere comes up with a new paradigm. Its not idiot or Admin. Its not user or guru.

Unfortunately I'm nor that genious to come up with the new paradigm. But het, send me your idea, I'll err send you $5 ;)

By alanmcm55 on Friday Feb 6

Nice if they could . . .

It's not as if this is news - the problem is that there's a lot of legacy software that doesn't run / install under the standard user - and businesses are the area most likely to be running software written 10 years ago, from a company that long since gave up maintaining it.

Even on OS X (where the admin/standard split has been in there from the start) I've found software that simply will not install unless you actually log in as an admin user (rather than entering the admin user password to authorise an admin level action). And I'm talking software from Google, not some small firm.

The net effect of that is to push you towards making your main user have Admin rights - and seeing as on a personal machine you often set up the main user to auto-login without a password . . .

Basically, until all third-party software is fixed, there's always a pressure to run users as administrators.

By JulesLt on Friday Feb 6

Latest Security Analysis & Insight

What is your password worth?

Would you be tempted to sell off company passwords for a fee? If not, seems like you're in the minority, acccording to research.

More Security Analysis & Insight

Latest Security Reviews

Check Point 2210 Appliance review

Rating:

Check Point's new 2200 Appliances combined enterprise level network security with an SMB price tag. Its software blades provide a wealth of features, but do they complicate deployment? Read this exclusive review to find out.

More Security Reviews