94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.

Not viable on Windows 10

as it is on macOS. On W10, for some things it will ask you to identify as an admin, and proceed, and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account. They couldn't even make this work.

Re:Duh?

[Gadget_Guy]

I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".

Have you also turned off UAC prompts? Because when I set the time it prompts me for the admin password and it works fine. I don't ever see the message that I don't have permissions to set the clock; I just see the icon on the button to set the time which shows that it will perform an elevation (prompt for password) to run it.

Re:Duh?

[Gadget_Guy]

Why does windows ask for the admin password to get rid of an icon?

Because those icons are stored in the shared desktop folder (default: C:\Users\Public\Desktop). Any file or icon here will be visible on the desktop of every user. If you shared a computer with other users, then you might not want the other people to be able to edit the icons that appear on your desktop because they could alter them to run malicious software instead. If you ran a program where you needed to login with a password, then they could write their own mock version of the software that logs the passwords and change the desktop icon to run it instead.

If you don't share the computer with other people, then you could grant write permission on the shared desktop folder to all users. Then you could delete and update automatically created icons to your heart's content.