Slashdot Mirror


94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com)

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.

29 of 238 comments

  1. 100% of Microsoft Vulnerabilities by Anonymous Coward · · Score: 5, Funny

    100% of Microsoft Vulnerabilities Can Be Mitigated By not using Windows

  2. Not viable on Windows 10 by Anonymous Coward · · Score: 5, Informative

    as it is on macOS. On W10, for some things it will ask you to identify as an admin, and proceed, and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account. They couldn't even make this work.

    1. Re:Not viable on Windows 10 by Alcemenes · · Score: 5, Insightful

      I think you hit the nail on the head right there. I've always felt the interface to gain admin on Windows has been clunky and inconsistent at best.

    2. Re:Not viable on Windows 10 by aaarrrgggh · · Score: 5, Insightful

      It is very much on par with recommending not to plug the computer in to improve security. Too much of the system still requires administrative rights for it to be viable.

    3. Re:Not viable on Windows 10 by Gadget_Guy · · Score: 3, Informative

      Too much of the system still requires administrative rights for it to be viable.

      That is utter nonsense. It is such a shame to see this modded as informative, because it is completely misleading.

      I have used standard accounts since Windows NT 4.0. Now that was a pain, but every single version of Windows has made the process easier than the last. The biggest improvement was the UAC that prompts for the admin password when needed. Some badly written software can still cause problems like programmatically checking that the current user is an administrator and giving an error message if not. This means the UAC doesn't get a chance to kick in.

      But those programs are few and far between, and you can usually manually launch the program as admin by holding the shift key down and right-clicking on the program (or just change the icon's compatibility settings to run as administrator if the program has been installed). It is incredibly rare that you ever need to actually log in using the administrator account. Temporary elevation is usually enough (the equivalent of *nix sudo).

    4. Re:Not viable on Windows 10 by benjymouse · · Score: 4, Insightful

      They can't make it work. Windows core architecture is fundamentally broken and insecure. See MS's documentation about security tokens and permissions. You can only unmask permissions since 2008R2. This means that your process starts with max permissions and is masked to reduce it. Totally unlike the authentication/authorization and security elevation process in pretty much every other system out there.

      No, your process starts with a *masked* token. The security subsystem creates *two* tokens when you log in: One with all of your privileges and one where "admin" privileges have been masked out. Switching from the masked token to the unmasked token is called *elevation*.

      The desktop process (explorer.exe) and any process that you launch will *by default* use the non-elevated token. This means that by default none of your user processes have admin privileges, even if you logged in using an admin account. It is understandable that someone only familiar with the Linux/Unix model does not get this at first, because Linux/Unix do not have *tokens*. The *nix model can only describe the permissions of a process through an "effective user" - i.e., a reference to an account. No token.

      On Windows, each process has a security token which by default is inherited from the parent process, but may differ. This is not possible on *nix where you need to refer to some user id to describe the privileges indirectly.

      An executable's manifest may indicate that it needs certain admin privileges when executed. In that case, Windows will look up to see if your *unmasked* token fits the required privileges. If it does, Windows will prompt you for consent to use the elevated token. If you approve, the new process is launched with the elevated token that was created and stored when you logged in.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
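
Added example (not part of benjymouse's comment and not Microsoft's code): a PowerShell check of the split-token behaviour described above, reading the current process's elevation type through the documented `GetTokenInformation` API. The `TokenProbe` class and `Get-TokenElevationReport` function are names invented for this illustration.

```powershell
# Added illustration: report which of the two logon tokens this process holds.
# TokenProbe and Get-TokenElevationReport are names invented for this example.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS member

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int length, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns 1 (Default), 2 (Full) or 3 (Limited).
    public static int GetElevationType()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            int value, returned;
            if (!GetTokenInformation(token, TokenElevationType, out value, sizeof(int), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return value;
        }
        finally { CloseHandle(token); }
    }
}
'@

function Get-TokenElevationReport {
    $meaning = @{
        1 = 'Default: no linked token (for example a standard user, or UAC disabled)'
        2 = 'Full: the unmasked token; this process was elevated'
        3 = 'Limited: the masked token; an elevated twin exists but is not in use'
    }
    $type = [TokenProbe]::GetElevationType()
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User          = $id.Name
        ElevationType = $meaning[$type]
        # False under the masked token even when the account is an administrator.
        AdminEnabled  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-TokenElevationReport | Format-List
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator" under the same admin account to see the two tokens side by side.
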
  3. Also in the news by Opportunist · · Score: 4, Insightful

    94% of all programs won't run properly without those rights.

    Unfortunately for the longest time developers for Windows got away with not giving half a shit about security. To make matters worse, when MS finally decided to tighten the screws, they went overboard by a long shot. You cannot even install a simple program without elevated rights.

    And to make matters worse, "elevated" means "full access, anywhere". There is no granularity, it's only "can't do jack shit" or "total control". You cannot open up the program files to install a normal program without also giving that program the ability to drop a low level driver into your system.

    Then again, if that worked, a lot of people would probably notice just WHAT kind of crap their beloved games barf into the deeper intestines of their computers for the sake of the all holy DRM.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Also in the news by HuskyDog · · Score: 2

      My wife's PC and my daughter's Mac both operate on the principle that they only have user accounts and I have access to a separate Admin account for doing things like adding software. Neither of them has ever experienced a problem which could be solved by giving their accounts higher privileges. Perhaps we have been lucky, or perhaps their requirements are modest.

    2. Re:Also in the news by KiloByte · · Score: 5, Insightful

      Hell yeah. Especially browsers have never, ever a reason to run as root.
      -rwsr-xr-x 1 root root 18768 Feb 19 21:17 /usr/lib/chromium/chrome-sandbox

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Also in the news by LinuxIsGarbage · · Score: 2

      I'm pretty sure with Vista, 10 years ago, where there was the push to run users as non-elevated, a lot of developers smartened up.

    4. Re:Also in the news by AmiMoJo · · Score: 3, Informative

      "94% of all programs won't run properly without those rights."

      This has not been true since Vista.

      Vista introduced virtualization for the filesystem and registry. Apps would think they had admin rights, when in fact they were sandboxed and contained.

      These days most apps run fine without admin rights. You can install them and run them without any special access. Older apps that attempt to access protected paths like Program Files and the registry actually write to special per-user and per-app hives.

      If an app really needs admin rights you get the dreaded UAC prompt.

      This is why Vista was so painful. Too many UAC prompts, the virtualization was slow... But it was necessary.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Also in the news by tepples · · Score: 4, Insightful

      Games don't require admin.

      Unless they use third-party digital restrictions management.

    6. Re:Also in the news by Gadget_Guy · · Score: 3, Informative

      You just have to click the fucking yes button, you don't even need to enter your password.

      That only works if you have an administrator account. Standard users do have to type in a password.

  4. Turn it off by krray · · Score: 3, Insightful

    I found it a whole lot easier to just turn Windows off.

    1. Re:Turn it off by swillden · · Score: 3, Insightful

      I've spent this weekend trying to repurpose an old laptop as a media/streaming machine, and decided to go Linux rather than Windows. It most certainly has not been easier. Maybe if you've worked with the system for years and know the ins-and-outs it is second nature, but Linux has caused all sorts of issues I wouldn't have had on Windows.

      If you've worked with Windows for years and know the ins-and-outs of that system, it's a lot easier to set Windows up than something else. Personally, when I have to set up a Windows system, I have a lot of issues I wouldn't have on Linux.

      I know because I had to install a Windows system for the first time in about a decade a few months ago. It took me all day and lots of hair-pulling to figure out how to find and install all of the drivers needed to make the thing run. At the end I was still left with a few devices showing errors in the device manager, which I was simply unable to get working. It worked enough, so I gave up on the rest. The worst part of the process was that right after installation Windows had no functioning drivers, for ethernet, Wifi or USB, which made it really hard to get drivers onto the box. I solved this by booting a Linux LiveCD (which worked out of the box), creating a small FAT32 partition, downloading the ridiculously bloated 250MB (WTF?!?) ethernet driver onto it, then booting Windows again and installing from the FAT32 partition. I have no idea how a Windows guy would have solved that.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Hiding the real point by Anonymous Coward · · Score: 2, Insightful

    The real point of this story is that by disabling admin rights Microsoft can pretend to the world that their products are not the least secure in their respective classes.

    Of course it completely fails to address the fact that unless you only want to do very simple things on a computer, admin rights are frequently required.

  6. Re:if apps had rights to their own folder then by vux984 · · Score: 4, Interesting

    if apps had rights to their own folder / reg keys then there would be less of a need for admin.

    Maybe.

    For some apps storing stuff per user can lead to a lot of space used and a lot stuff being downloaded more than 1 time. Also makes it a pain for updates.

    Windows has %appdata% folders (c:\programdata) for 'stuff' (files, settings, databases,...) that is shared between all users.

    Video and other drives have their own updates. The windows ones can lack the control apps.

    This area is a complete minefield... I mean, these days GeForce Experience requires a sign in, as do the drivers for a Razer mouse etc... that whole part of the ecosystem is pretty toxic.

  7. Re:Duh? by TechyImmigrant · · Score: 5, Insightful

    Who runs with full admin rights?

    Define 'full'.

    I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  8. Re:Duh? by Gadget_Guy · · Score: 4, Informative

    I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".

    Have you also turned off UAC prompts? Because when I set the time it prompts me for the admin password and it works fine. I don't ever see the message that I don't have permissions to set the clock; I just see the icon on the button to set the time which shows that it will perform an elevation (prompt for password) to run it.

  9. We knew that almost two decades ago... by Anonymous Coward · · Score: 2, Informative

    when I worked at Microsoft. We talked about ways of protecting users, but the rumor was that it was killed because so many people buy new computers instead of fixing ones that have a Microsoft-created problem. Viruses are very profitable to Microsoft.

  10. Re:Duh? by bmorency · · Score: 2

    One thing I run into is that I install a program for a user and it will create a desktop icon. For some reason windows will ask for the admin password to delete it. Why does windows ask for the admin password to get rid of an icon?

  11. Re:Duh? by Gadget_Guy · · Score: 4, Informative

    Why does windows ask for the admin password to get rid of an icon?

    Because those icons are stored in the shared desktop folder (default: C:\Users\Public\Desktop). Any file or icon here will be visible on the desktop of every user. If you shared a computer with other users, then you might not want the other people to be able to edit the icons that appear on your desktop because they could alter them to run malicious software instead. If you ran a program where you needed to login with a password, then they could write their own mock version of the software that logs the passwords and change the desktop icon to run it instead.

    If you don't share the computer with other people, then you could grant write permission on the shared desktop folder to all users. Then you could delete and update automatically created icons to your heart's content.
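
Added example (not part of Gadget_Guy's comment): a PowerShell audit of the shared desktop folder's ACL that lists every Allow entry letting someone other than Administrators or SYSTEM create, replace or delete icons there. `Find-SharedDesktopWriters` is a name invented for this illustration, and the default path is the one quoted in the comment above.

```powershell
# Added illustration: who, besides administrators, can change the shared desktop?
# Find-SharedDesktopWriters is a name invented for this example.
function Find-SharedDesktopWriters {
    param(
        # Default location as quoted in the comment above.
        [string]$Path = 'C:\Users\Public\Desktop'
    )

    # Rights that allow planting, replacing or removing a shortcut.
    $writeBits = [int][Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Raw GENERIC_WRITE and GENERIC_ALL, which can appear on inherit-only entries.
    $writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

    # Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
    $trusted = 'S-1-5-32-544', 'S-1-5-18'

    $sidType = [Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }

        # Resolve the SID to a readable name; keep the SID if it cannot be resolved.
        try {
            $name = $rule.IdentityReference.Translate([Security.Principal.NTAccount]).Value
        } catch {
            $name = $rule.IdentityReference.Value
        }

        [pscustomobject]@{
            Principal   = $name
            Rights      = $rule.FileSystemRights
            Inherited   = $rule.IsInherited
            Propagation = $rule.PropagationFlags   # InheritOnly entries apply to children only
        }
    }
}

$writers = @(Find-SharedDesktopWriters)
if ($writers.Count -eq 0) {
    'Only Administrators and SYSTEM can modify the shared desktop.'
} else {
    $writers | Format-Table -AutoSize
}
```
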

  12. Re:Duh? by tsa · · Score: 2

    Me too. It's just too much of a hassle to switch admin rights off. Maybe it's better now but knowing MS it will not have changed much since 2000 when I tried using my computer as a normal user. "You can only run that program in administrator mode," it would tell me, or it would just refuse to do the simplest things. I gave up in frustration. I do use my Mac as a normal user, which works fine. It only asks for administrator passwords when doing administrative things like installing programs and changing global settings.

    --

    -- Cheers!

  13. Re:Admin? by tepples · · Score: 2

    Both Windows and GNU/Linux separate "running as root" from "running as a member of the wheel group". Even if you're a member of the wheel group (which may be called Administrators under Windows or sudo under GNU/Linux), you still need to elevate in order to do any tasks that require superuser privileges. But perhaps creating two accounts, one in wheel and the other not, and doing work other than software installation as the user not in wheel would make it harder to social-engineer users into elevating.

  14. Re:Duh? by Gadget_Guy · · Score: 2

    Maybe it's better now but knowing MS it will not have changed much since 2000 when I tried using my computer as a normal user.

    What? Have you not heard about the User Account Control (UAC) that was implemented with Vista? It does exactly what you described happens on the Mac:

    It only asks for administrator passwords when doing administrative things like installing programs and changing global settings.

    Yep, that's exactly what Windows does. They really have done work on Windows in the last 17 years!

  15. Re:Duh? by Gadget_Guy · · Score: 2

    That was an exaggeration for emphasis. I could be more specific.. On a work laptop, I can write to my 'c:\Users\\Documents' folder, but if I try to access it via the various shortcuts on the left of the file manager, I am denied access. No UAC, even though I have the password for that. The permissions on the thing vary based on the path you access it by? That's messed up.

    That's not an account type issue; something is seriously borked on your system. That doesn't happen normally even if you are a standard user. It sounds like the user folders have been moved, but the icons haven't been updated to reflect this. (It's possible that something like OneDrive has fiddled with the folder locations).

    I assume that you are talking about the Quick Access section. If I were you I would right click on those folders and select "Unpin from Quick Access". Then browse to the folders and click on "Pin to Quick Access" in the Home ribbon to recreate the list. That should fix the problem.

  16. Re: only one problem.. by haruchai · · Score: 2

    Lol. Guess you never worked at a company that uses windows. See they have this thing called a domain. And the windows pc is joined. Then they have this thing called a user. They let employees have this. Then when developers like me want to install anything I have to ask fuck face neck beard to do it.

    But no vulnerability... besides the back of fuck face neck beards skull from the large pc case crushing it.

    We have an AD domain & ~10,000 users 95% of whom don't have admin rights. But judging by the number of malware infections and re-imaging I see reported, they seem to be really, really good at finding the 6% of cases where Windows without admin rights doesn't work.

    --
    Pain is merely failure leaving the body
  17. Re:Duh? by SQLGuru · · Score: 2

    I'm a DEV, too. My *account* is a limited account. But (depending on the project), I can launch Visual Studio with Admin rights. Some projects are just fine without them, so I don't use them. Other projects require admin rights, so I launch either through Shift-Right-click on the icon and select "Run as Admin" or I create a second shortcut and set the Admin flag. I get the UAC prompt when I launch it, but that's usually only once per dev session, so it isn't *that* annoying. But only Visual Studio is running as admin, the rest of my system (i.e. my browser) is still "protected" by using a limited account.

  18. Re:Admin? by rsmith-mac · · Score: 2

    But perhaps creating two accounts, one in wheel and the other not, and doing work other than software installation as the user not in wheel would make it harder to social-engineer users into elevating.

    I've read TFA twice now and I still can't figure out if that's what the authors are trying to suggest, or something else entirely.

    The entire point of UAC/sudo is to allow users to run in a standard context for day-to-day activities, and to quickly elevate certain applications/actions when it's required. Unless something has gone terribly wrong here, applications running un-elevated under an admin-capable UAC account have no more rights than an application running on a non-admin-capable account in the first place. Until elevation takes place, it's for all practical purposes a non-admin account.

    So what is TFA trying to suggest, and what is their metric? Are they saying UAC is broken and applications are trivially executing privilege escalation attacks? (And if so, how are standard accounts not affected?) Or are they just saying that since users can escalate applications, the OS automatically counts as vulnerable to the attack? In other words, is the argument that we should be doing away with UAC/sudo?