Slashdot Mirror
94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com)
An anonymous reader quotes Computerworld:
If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
if apps had rights to there own folder / reg keys then there would be less of an need for admin.
Maybe.
For some apps storing stuff per user can lead to a lot of space used and a lot stuff being downloaded more then 1 time. Also makes it a pain for updates.
Windows has %appdata% folders (c:\
programdata ) for 'stuff' (files, settings, databases,...) that is shared between all users.
Video and other drives have there own updates. The windows ones can lack the control apps.
This area is a complete minefield... i mean, these days geforce experience requires a sign in, as do the drivers for a razor mouse etc... that whole part of the ecosystem is pretty toxic.