94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com)

← Back to Stories (view on slashdot.org)

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com)

Posted by EditorDavid on Sunday February 26, 2017 @06:34AM from the or-by-not-using-Microsoft-products dept.

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.

17 of 238 comments (clear)

Min score:

Reason:

Sort:

100% of Microsoft Vulnerabilities by Anonymous Coward · 2017-02-26 06:38 · Score: 5, Funny

100% of Microsoft Vulnerabilities Can Be Mitigated By not using Windows
Not viable on Windows 10 by Anonymous Coward · 2017-02-26 06:40 · Score: 5, Informative

as it is on macOS. On W10, for some things it will ask you to identify as an admin, and proceed, and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account. They couldn't even make this work.
1. Re:Not viable on Windows 10 by Alcemenes · 2017-02-26 06:48 · Score: 5, Insightful
  
  I think you hit the nail on the head right there. I've always felt the interface to gain admin on Windows has been clunky and inconsistent at best.
2. Re:Not viable on Windows 10 by aaarrrgggh · 2017-02-26 06:57 · Score: 5, Insightful
  
  It is very much on par with recommending not to plug the computer in to improve security. Too much of the system still requires administrative rights for it to be viable.
3. Re:Not viable on Windows 10 by Gadget_Guy · 2017-02-26 08:36 · Score: 3, Informative
  
  Too much of the system still requires administrative rights for it to be viable.
  That is utter nonsense. It is such a shame to see this modded as informative, because it is completely misleading.
  I have use standard accounts since Windows NT 4.0. Now that was a pain, but every single version of Windows has made the process easier than the last. The biggest improvement was the UAC that prompts for the admin password when needed. Some badly written software can still cause problems like programmatically checking that the current user is an administrator and giving an error message if not. This means the UAC doesn't get a chance to kick in.
  But those programs are few and far between, and you can usually manually launch the program as admin by holding the shift key down and right-clicking on the program (or just change the icon's compatibility settings to run as administrator if the program has been installed). It is incredibly rare that you ever need to actually log in using the administrator account. Temporary elevation is usually enough (the equivalent of *nix sudo).
4. Re:Not viable on Windows 10 by benjymouse · 2017-02-27 00:38 · Score: 4, Insightful
  
  They can't make it work. Windows core architecture is fundamentally broken and insecure. See MS's documentation about security tokens and permissions. You can only unmask permissions since 2008R2. This means that your process starts with max permissions and is masked to reduce it. Totally unlike the authentication/authorization and security elevation process in pretty much every other system out there.
  No, your process starts with a *masked* token. The security subsystem creates *two* tokens when you log in: One with all of your privileges and one where "admin" privileges has been masked out. Switching from the masked token to the unmasked token is called *elevation*.
  The desktop process (explorer.exe) and any process that you launch will *by default* use the non-elevated token. This means that by default none of your user processes have admin privileges, even if you logged in using a admin account. It is understandable that someone only familiar with the Linux/Unix model does not get this at first, because Linux/Unix do not have *tokens*. The *nix model can only describe the permissions of a process through an "effective user" - i.e, a reference to an account. No token.
  On Windows, each process has a security token which by default is inherited from the parent process, but may differ. This is not possible on *nix where you need to refer to some user id to describe the privileges indirectly.
  An executable's manifest may indicate that the it needs certain admin privileges when executed. In that case, Windows will look up to see if your *unmasked* token fits the required privileges. If it does, Windows will prompt you for consent to use the elevated token. If you approve, the new process is launched with the elevated token that was created and stored when you logged in.
  
  --
  Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Also in the news by Opportunist · 2017-02-26 06:47 · Score: 4, Insightful

94% of all programs won't run properly without those rights.
Unfortunately for the longest time developers for Windows got away with not giving half a shit about security. To make matters worse, when MS finally decided to tighten the screws, they went overboard by a long shot. You cannot even install a simple program without elevated rights.
And to make matters worse, "elevated" means "full access, anywhere". There is no granularity, it's only "can't do jack shit" or "total control". You cannot open up the program files to install a normal program without also giving that program the ability to drop a low level driver into your system.
Then again, if that worked, a lot of people would probably notice just WHAT kind of crap their beloved games barf into the deeper intestines of their computers for the sake of the all holy DRM.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Also in the news by KiloByte · 2017-02-26 07:05 · Score: 5, Insightful
  
  Hell yeah. Especially browsers have never, ever a reason to run as root.
  -rwsr-xr-x 1 root root 18768 Feb 19 21:17 /usr/lib/chromium/chrome-sandbox
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
2. Re:Also in the news by AmiMoJo · 2017-02-26 09:13 · Score: 3, Informative
  
  "94% of all programs won't run properly without those rights."
  This has not been true since Vista.
  Vista introduced virtualization for the filesystem and registry. Apps would think they had admin rights, when in fact they were sandboxed and contained.
  These days most apps run fine without admin rights. You can install them and run them without any special access. Older apps that attempt to access protected paths like Program Files and the registry actually write to special per-user and per-app hives.
  If an app really needs admin rights you get the dreaded UAC prompt.
  This is why Vista was so painful. Too many UAC prompts, the virtualization was slow... But it was necessary.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:Also in the news by tepples · 2017-02-26 09:21 · Score: 4, Insightful
  
  Games don't require admin.
  Unless they use third-party digital restrictions management.
4. Re:Also in the news by Gadget_Guy · 2017-02-26 09:25 · Score: 3, Informative
  
  You just have to click the fucking yes button, you don't even need to enter your password.
  That only works if you have an administrator account. Standard users do have to type in a password.
Turn it off by krray · 2017-02-26 06:49 · Score: 3, Insightful

I found it a whole lot easier to just turn Windows off.
1. Re:Turn it off by swillden · 2017-02-26 10:15 · Score: 3, Insightful
  
  I've spent this weekend trying to repurpose an old laptop as a media/streaming machine, and decided to go Linux rather than Windows. It most certainly has not been easier. Maybe if you've worked with the system for years and know the ins-and-outs it is second nature, but Linux has caused all sorts of issues I wouldn't have had on Windows.
  If you've worked with Windows for years and know the ins-and-outs of that system, it's a lot easier to set Windows up than something else. Personally, when I have to set up a Windows system, I have a lot of issues I wouldn't have on Linux.
  I know because I had to install a Windows system for the first time in about a decade a few months ago. It took me all day and lots of hair-pulling to figure out how to find and install all of the drivers needed to make the thing run. At the end I was still left with a few devices showing errors in the device manager, which I was simply unable to get working. It worked enough, so I gave up on the rest. The worst part of the process was that right after installation Windows had no functioning drivers, for ethernet, Wifi or USB, which made it really hard to get drivers onto the box. I solved this by booting a Linux LiveCD (which worked out of the box), creating a small FAT32 partition, downloading the ridiculously bloated 250MB (WTF?!?) ethernet driver onto it, then booting Windows again and installing from the FAT32 partition. I have no idea how a Windows guy would have solved that.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Re:if apps had rights to there own folder then by vux984 · 2017-02-26 07:13 · Score: 4, Interesting

if apps had rights to there own folder / reg keys then there would be less of an need for admin.
Maybe.

For some apps storing stuff per user can lead to a lot of space used and a lot stuff being downloaded more then 1 time. Also makes it a pain for updates.
Windows has %appdata% folders (c:\
programdata ) for 'stuff' (files, settings, databases,...) that is shared between all users.

Video and other drives have there own updates. The windows ones can lack the control apps.
This area is a complete minefield... i mean, these days geforce experience requires a sign in, as do the drivers for a razor mouse etc... that whole part of the ecosystem is pretty toxic.
Re:Duh? by TechyImmigrant · 2017-02-26 07:24 · Score: 5, Insightful

Who runs with full admin rights?
Define 'full'.
I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Re:Duh? by Gadget_Guy · 2017-02-26 07:38 · Score: 4, Informative

I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".
Have you also turned off UAC prompts? Because when I set the time it prompts me for the admin password and it works fine. I don't ever see the message that I don't have permissions to set the clock; I just see the icon on the button to set the time which shows that it will perform an elevation (prompt for password) to run it.
Re:Duh? by Gadget_Guy · 2017-02-26 08:10 · Score: 4, Informative

Why does windows ask for the admin password to get rid of an icon?
Because those icons are stored in the shared desktop folder (default: C:\Users\Public\Desktop). Any file or icon here will be visible on the desktop of every user. If you shared a computer with other users, then you might not want the other people to be able to edit the icons that appear on your desktop because they could alter them to run malicious software instead. If you ran a program where you needed to login with a password, then they could write their own mock version of the software that logs the passwords and change the desktop icon to run it instead.
If you don't share the computer with other people, then you could grant write permission on the shared desktop folder to all users. Then you could delete and update automatically created icons to your heart's content.