Slashdot Mirror

← Back to Stories (view on slashdot.org)

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com)

Posted by EditorDavid on from the or-by-not-using-Microsoft-products dept.

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.

9 of 238 comments (clear)

  1. Not viable on Windows 10 by Anonymous Coward · · Score: 5, Informative

    as it is on macOS. On W10, for some things it will ask you to identify as an admin, and proceed, and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account. They couldn't even make this work.

    1. Re:Not viable on Windows 10 by quonset · · Score: 1, Informative

      This sounds like BS. I used an ordinary user account on Windows 7, I'm an ordinary user on Windows 8, no problems. Hard to believe they broke it in Windows 10.

      They didn't. I have my dad set to a general user account on his W10 machine and he has zero issues. Every program runs perfectly, even the one in DosBox.

      On those occasions something needs installed or updated, I log into the administrator account, take care of it, then log off. Not a single issue so far.

    2. Re:Not viable on Windows 10 by Gadget_Guy · · Score: 3, Informative

      Too much of the system still requires administrative rights for it to be viable.

      That is utter nonsense. It is such a shame to see this modded as informative, because it is completely misleading.

      I have use standard accounts since Windows NT 4.0. Now that was a pain, but every single version of Windows has made the process easier than the last. The biggest improvement was the UAC that prompts for the admin password when needed. Some badly written software can still cause problems like programmatically checking that the current user is an administrator and giving an error message if not. This means the UAC doesn't get a chance to kick in.

      But those programs are few and far between, and you can usually manually launch the program as admin by holding the shift key down and right-clicking on the program (or just change the icon's compatibility settings to run as administrator if the program has been installed). It is incredibly rare that you ever need to actually log in using the administrator account. Temporary elevation is usually enough (the equivalent of *nix sudo).

  2. Re:Duh? by Gadget_Guy · · Score: 4, Informative

    I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".

    Have you also turned off UAC prompts? Because when I set the time it prompts me for the admin password and it works fine. I don't ever see the message that I don't have permissions to set the clock; I just see the icon on the button to set the time which shows that it will perform an elevation (prompt for password) to run it.

  3. We knew that almost two decades ago... by Anonymous Coward · · Score: 2, Informative

    when I worked at Microsoft. We talked about ways of protecting users, but the rumor was that it was killed because so many people buy new computers instead of fixing ones that have a Microsoft-created problem. Viruses are very profitable to Microsoft.

  4. Re:Duh? by Gadget_Guy · · Score: 4, Informative

    Why does windows ask for the admin password to get rid of an icon?

    Because those icons are stored in the shared desktop folder (default: C:\Users\Public\Desktop). Any file or icon here will be visible on the desktop of every user. If you shared a computer with other users, then you might not want the other people to be able to edit the icons that appear on your desktop because they could alter them to run malicious software instead. If you ran a program where you needed to login with a password, then they could write their own mock version of the software that logs the passwords and change the desktop icon to run it instead.

    If you don't share the computer with other people, then you could grant write permission on the shared desktop folder to all users. Then you could delete and update automatically created icons to your heart's content.

  5. Re:Duh? by TechyImmigrant · · Score: 1, Informative

    I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".

    Have you also turned off UAC prompts? Because when I set the time it prompts me for the admin password and it works fine. I don't ever see the message that I don't have permissions to set the clock; I just see the icon on the button to set the time which shows that it will perform an elevation (prompt for password) to run it.

    That was an exaggeration for emphasis. I could be more specific.. On a work laptop, I can write to my 'c:\Users\\Documents' folder, but if I try to access it via the various shortcuts on the left of the file manager, I am denied access. No UAC, even though I have the password for that. The permissions on the thing vary based on the path you access it by? That's messed up.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. Re:Also in the news by AmiMoJo · · Score: 3, Informative

    "94% of all programs won't run properly without those rights."

    This has not been true since Vista.

    Vista introduced virtualization for the filesystem and registry. Apps would think they had admin rights, when in fact they were sandboxed and contained.

    These days most apps run fine without admin rights. You can install them and run them without any special access. Older apps that attempt to access protected paths like Program Files and the registry actually write to special per-user and per-app hives.

    If an app really needs admin rights you get the dreaded UAC prompt.

    This is why Vista was so painful. Too many UAC prompts, the virtualization was slow... But it was necessary.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Re:Also in the news by Gadget_Guy · · Score: 3, Informative

    You just have to click the fucking yes button, you don't even need to enter your password.

    That only works if you have an administrator account. Standard users do have to type in a password.