Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft Bug Security Stats Windows

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 238

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
This discussion has been archived. No new comments can be posted.

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights

Comments Filter:
  • by Anonymous Coward on Sunday February 26, 2017 @01:38PM (#53934155)

    100% of Microsoft Vulnerabilities Can Be Mitigated By not using Windows

    • Don't forget opening Word macros from OpenOffice https://www.openoffice.org/sec... [openoffice.org]
    • by tepples ( 727027 )

      How so? If I access my Hotmail account through Firefox on a GNU/Linux PC or through the Outlook app on an Android/Linux tablet, I'm still vulnerable to any vulnerabilities in Microsoft's servers.

  • by Anonymous Coward on Sunday February 26, 2017 @01:40PM (#53934171)

    as it is on macOS. On W10, for some things it will ask you to identify as an admin, and proceed, and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account. They couldn't even make this work.

    • by Alcemenes ( 460409 ) on Sunday February 26, 2017 @01:48PM (#53934211)

      I think you hit the nail on the head right there. I've always felt the interface to gain admin on Windows has been clunky and inconsistent at best.

    • by aaarrrgggh ( 9205 ) on Sunday February 26, 2017 @01:57PM (#53934247)
      It is very much on par with recommending not to plug the computer in to improve security. Too much of the system still requires administrative rights for it to be viable.
      • by Gadget_Guy ( 627405 ) on Sunday February 26, 2017 @03:36PM (#53934717)

        Too much of the system still requires administrative rights for it to be viable.

        That is utter nonsense. It is such a shame to see this modded as informative, because it is completely misleading.

        I have use standard accounts since Windows NT 4.0. Now that was a pain, but every single version of Windows has made the process easier than the last. The biggest improvement was the UAC that prompts for the admin password when needed. Some badly written software can still cause problems like programmatically checking that the current user is an administrator and giving an error message if not. This means the UAC doesn't get a chance to kick in.

        But those programs are few and far between, and you can usually manually launch the program as admin by holding the shift key down and right-clicking on the program (or just change the icon's compatibility settings to run as administrator if the program has been installed). It is incredibly rare that you ever need to actually log in using the administrator account. Temporary elevation is usually enough (the equivalent of *nix sudo).

        • That works for a limited set of applications, mainly for things whose rights were "broken" from standard behavior-- I can think of a few tasks in the command prompt that would fit in that gpcategory. Those changes by Microsoft were an improvement to security, hands-down.

          But, about half the applications I use in Windows require administrator rights to work. Some of these center around DRM/Licensing controls, some are likely just lazy, and some are because the software was never designed for multiple user m
          • But, about half the applications I use in Windows require administrator rights to work.

            You should probably name and shame those applications then, because they are the problem; not Windows.

            I would add an extra reason to your list of why some programs require administrator rights: stupidity. The accounts software that we used for many years required administrator rights to run. It annoyed me because I could not see why it would be required. Upon inspection, I found a *.MANIFEST file in the install directory. It had a setting of something like userLevel=highestAvailable. I changed this to asInv

      • by rtb61 ( 674572 )

        I seems I must remind everyone. Windows 10 admin rights can not be turned off. Sure you can knock out your 'limited' admin rights but you can not shut down M$'s over arching admin rights which they demand and have basically implemented as a root kit implement, that is impossible for you to remove. So great big ole fat lie, you can not longer shut down admin rights, except your own, specifically 'limited' admin rights, as one you install windows 10, you surrender all your rights to M$.

    • by murdocj ( 543661 )

      This sounds like BS. I used an ordinary user account on Windows 7, I'm an ordinary user on Windows 8, no problems. Hard to believe they broke it in Windows 10.

      • Re: (Score:2, Informative)

        by quonset ( 4839537 )

        This sounds like BS. I used an ordinary user account on Windows 7, I'm an ordinary user on Windows 8, no problems. Hard to believe they broke it in Windows 10.

        They didn't. I have my dad set to a general user account on his W10 machine and he has zero issues. Every program runs perfectly, even the one in DosBox.

        On those occasions something needs installed or updated, I log into the administrator account, take care of it, then log off. Not a single issue so far.

        • Generally it is an application specific issue rather than an OS issue (although the way it works in OS X basically assumes the user is an administrator). Some updates can be addressed by a domain admin, but it is still a mess with AutoDesk and Adobe products, along with many software packages that are not multi-user aware.
        • by tepples ( 727027 )

          I have my dad set to a general user account [...] On those occasions something needs installed or updated, I log into the administrator account, take care of it, then log off. Not a single issue so far.

          Can you do that remotely on the home version, or do you need to be physically present? Because if it's Saturday evening, and your city doesn't run buses on Saturday evenings or Sundays (as Fort Wayne, Indiana, doesn't), it might be a long wait before you can be present at dad's computer.

          • Can you do that remotely on the home version, or do you need to be physically present?

            You don't need to be present. UAC prompts work through Windows Remote Assistance.

    • Microsoft tried going further. They called it Windows RT. Nobody bought it. They're trying it again with Windows 10 Cloud. I have a feeling nobody will buy that either.
    • AC is full of crap. Never had issues with Windows 10 and having a separate admin account (which is the best policy no matter the operating system).

      As far as the article, I agree with Avecto's findings. On any computers I have setup for others, I have always setup a separate admin account from the working user account and made sure the latter did not have admin rights. For some people I simply made this account without a password or something very simple they could remember easily. In either case, simply
      • by arth1 ( 260657 )

        AC is full of crap. Never had issues with Windows 10 and having a separate admin account (which is the best policy no matter the operating system).

        I would argue that not relying on a tie between accounts and privileges is a better policy. It may take more work to set up something like selinux and capabilities, but not a lot of malware or Oracle scripts (but, I repeat myself) can deal with that.

    • by tsa ( 15680 )

      This. It just doesn't work.

    • I have had the opposite experience. Once I started running on Vista I created my account and a separate admin account. I have all of my extended family doing the same. It is very much doable. The only thing that I had to run, logged in as the admin, was a diagnostic tool from Dell. Besides that UAC prompts work.
    • by AC-x ( 735297 )

      and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account

      Right click, select "run as admin". For the few system management apps that don't prompt for admin themselves that's all you need to do. No need to relog or change permission settings.

  • Also in the news (Score:4, Insightful)

    by Opportunist ( 166417 ) on Sunday February 26, 2017 @01:47PM (#53934205)

    94% of all programs won't run properly without those rights.

    Unfortunately for the longest time developers for Windows got away with not giving half a shit about security. To make matters worse, when MS finally decided to tighten the screws, they went overboard by a long shot. You cannot even install a simple program without elevated rights.

    And to make matters worse, "elevated" means "full access, anywhere". There is no granularity, it's only "can't do jack shit" or "total control". You cannot open up the program files to install a normal program without also giving that program the ability to drop a low level driver into your system.

    Then again, if that worked, a lot of people would probably notice just WHAT kind of crap their beloved games barf into the deeper intestines of their computers for the sake of the all holy DRM.

    • by murdocj ( 543661 )

      Nonsense. I run as an ordinary user and I rarely have to run anything as admin. Games don't require admin.

      • by robmv ( 855035 )

        It is true on the consumer side, they try at least to follow the minimal requirements to be a good Windows application. the business world on the other side is awful. Applications that don't work if you install on Program Files, that you need to add write permissions to the installation directory, or that need read write permissions on server shares. This is too common on small business targeted applications that I have lost count on the ones I have seen.

        A lot of Windows developers have no idea what %appdat

        • by murdocj ( 543661 )

          Hmmm... I'll just say that back in the 1990s I was worked on an end to end full suite of apps in a particular industry, and I recall going thru the work THEN to make sure that everything worked as an ordinary user, because we had a major customer who didn't want to give its users admin rights. I'm having trouble believing it's still the norm to hand out admin, or that there are a lot of applications that insist on installing in particular directory. But maybe I've led a sheltered life.

          • I'm pretty sure with Vista, 10 years ago, where there was the push to run users as non-elevated, a lot of developers smartened up.

      • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Sunday February 26, 2017 @04:21PM (#53934951) Homepage Journal

        Games don't require admin.

        Unless they use third-party digital restrictions management.

    • My wife's PC and my daughter's Mac both operate on the principle that they only have user accounts and I have access to a separate Admin account for doing things like adding software. Neither of them has ever experienced a problem which could be solved by giving their accounts higher privileges. Perhaps we have been lucky, or perhaps their requirements are modest.
    • by KiloByte ( 825081 ) on Sunday February 26, 2017 @02:05PM (#53934275)

      Hell yeah. Especially browsers have never, ever a reason to run as root.
      -rwsr-xr-x 1 root root 18768 Feb 19 21:17 /usr/lib/chromium/chrome-sandbox

    • by Kaenneth ( 82978 )

      Windows Store apps can have granular control...

    • Re:Also in the news (Score:4, Informative)

      by AmiMoJo ( 196126 ) on Sunday February 26, 2017 @04:13PM (#53934909) Homepage Journal

      "94% of all programs won't run properly without those rights."

      This has not been true since Vista.

      Vista introduced virtualization for the filesystem and registry. Apps would think they had admin rights, when in fact they were sandboxed and contained.

      These days most apps run fine without admin rights. You can install them and run them without any special access. Older apps that attempt to access protected paths like Program Files and the registry actually write to special per-user and per-app hives.

      If an app really needs admin rights you get the dreaded UAC prompt.

      This is why Vista was so painful. Too many UAC prompts, the virtualization was slow... But it was necessary.

  • Turn it off (Score:3, Insightful)

    by krray ( 605395 ) on Sunday February 26, 2017 @01:49PM (#53934219)

    I found it a whole lot easier to just turn Windows off.

    • by OzPeter ( 195038 )

      I found it a whole lot easier to just turn Windows off.

      I prefer to get paid.

  • if apps had rights to there own folder / reg keys then there would be less of an need for admin.

    For some apps storing stuff per user can lead to a lot of space used and a lot stuff being downloaded more then 1 time. Also makes it a pain for updates.

    This can be an issue with games with user maps / mod and A lot of games have built in downloads for them.

    Video and other drives have there own updates. The windows ones can lack the control apps.

    • by vux984 ( 928602 ) on Sunday February 26, 2017 @02:13PM (#53934307)

      if apps had rights to there own folder / reg keys then there would be less of an need for admin.

      Maybe.

      For some apps storing stuff per user can lead to a lot of space used and a lot stuff being downloaded more then 1 time. Also makes it a pain for updates.

      Windows has %appdata% folders (c:\
      programdata ) for 'stuff' (files, settings, databases,...) that is shared between all users.

      Video and other drives have there own updates. The windows ones can lack the control apps.

      This area is a complete minefield... i mean, these days geforce experience requires a sign in, as do the drivers for a razor mouse etc... that whole part of the ecosystem is pretty toxic.

    • if apps had rights to there own folder / reg keys then there would be less of an need for admin.

      This feature was implemented with Vista. To work around those badly written programs that assume that they can write to their installation folder or LOCAL_MACHINE registry, Microsoft implemented File and Registry Virtualization. If an application opens a file in read/write mode under Program Files, then a copy of that file is made in %APPDATA% and this file is used instead.

      This was only intended for old programs, and it only works for 32bit applications. It is assumed that 64bit applications are modern enou

      • by haruchai ( 17472 )

        This was only intended for old programs, and it only works for 32bit applications. It is assumed that 64bit applications are modern enough to know where they should place configuration files and such

        And that seems like a very bad assumption to make. I wonder how long before Microsoft realizes this and implements it for 64bit apps too

  • Chrome updates from the about menu need admin but it does have an background auto update that works without admin.

    Firefox has auto and about menu works without admin.

  • I have always managed my wife's PC (Win 2000, then XP, then 7 and now 10) by having non-admin accounts for each family member and a separate Admin account which I use only for installing applications (having where possible downloaded them using my personal account). I did this because it seemed sensible and is the way Linux works but was always rather mystified that it was never mentioned in any of the "How to make your PC more secure" articles which appear in the popular media.

    I wondered if for some rea
    • I've been doing this for a while now with my daughter's Windows 10 PC. She's running as a "standard" user account that prompts for my admin account's assigned PIN code when it needs elevated rights for an action.

      It's FAR more functional than an arrangement like this would have been with an older version of Windows like 7 or XP. But it's not perfect. One of the problem she's had is that she's gotten interested in modding games (Minecraft is a good example, as all the serious players use custom texture pac

  • I haven't read the article, my bad, my I guess it's not talking about vulnerabilities but about various malware which indeed in most cases requires admin rights to be properly installed.

    However a great number of modern viruses live under various hidden directories in the user's profile, e.g. C:\Users\User\AppData\Roaming, so Admin Rights or not but you will be successfully infected.

    The real problem with Windows is that most users blindly trust whatever .exe/.pdf/.docx/.xlsx files they receive from absol

    • Microsoft is trying hard to solve this problem by migrating to an app model which is used by Android and iOS but it just cannot work with Windows for far too many reasons

      Probably the same reason it doesn't work with iOS. You can't develop apps on an iPad Pro with keyboard and Apple Pencil because Xcode works only on a Mac. Likewise, you can't develop apps on a Surface 1 or 2 because Microsoft never released Visual Studio RT. (You can on Surface Pro and Surface 3 because those run full Windows.)

  • by Anonymous Coward

    The real point of this story is that by disabling admin rights Microsoft can pretend to the world that their products are not the least secure in their respective classes.

    Of course it completely fails to address the fact that unless you only want to do very simply things on a computer, admin rights are frequently required.

  • by Anonymous Coward

    when I worked at Microsoft. We talked about ways of protecting users, but the rumor was that it was killed because so many people buy new computers instead of fixing ones that have a Microsoft-created problem. Viruses are very profitable to Microsoft.

  • You can mitigate 100% of Microsoft vulnerabilities by not using Microsoft products! ;)

  • The other 6% can be eliminated by not turning the machine on. And the good news is you'll get almost as much work done.

  • 94% of the bad shit that will happen will happen with or without admin rights. who cares if your windows install is ok when cryptolocker is holding all your tax files from the last decade ransom for $500 bucks worth of bitcoin or your bank login credentials get stolen as you log in.
    • This. 99% of the known vulnerabilities are mitigated, sure. The other 1% are the vulnerabilities that attackers are actually using.
  • I put C:\Windows\System32\runas.exe /trustlevel:0x20000 before some apps to have them run as a basic user.

    [c:]runas /showtrustlevels
    The following trust levels are available on your system:
    0x20000 (Basic User)

    This works for firefox and outlook and some others. Chrome and slack fail.

  • Is there like a switch? An "Admin Rights" checkbox somewhere? Maybe not a bad idea but I haven't seen anything like that. Did I just miss it? I'm still using Windows 7 so maybe this switch is a new feature in Windows 10. If the author meant that a user should run as Standard (unprivileged) User and not as an Administrator then maybe he should have said that. It is not as simple as just turning something on or off. If you are running as an Administrator you would probably want to actually create a new standa

  • Bitch if something is not authorized
    -have good backups when ransomware comes in
    -enjoy
  • Most of your software wont work properly because monkeys still insist on writing config info into program files.

Keep up the good work! But please don't ask me to help.

Working...