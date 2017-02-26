94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 36
An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
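A quick way to see where a given PC stands against that advice, as an added example (not code from the article, Avecto, or any commenter): a PowerShell audit of who holds local admin rights and whether the current session is elevated. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets; the function names `Test-IsElevated` and `Get-LocalAdminReport` are hypothetical.

```powershell
# Added example: audit local admin rights on this PC (read-only, changes nothing).

function Test-IsElevated {
    # True only when the current process token has the Administrators group enabled,
    # i.e. the session is actually running with admin rights right now.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
    # avoids depending on the localized group name.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $enabled = $null
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            # Only local user accounts have an Enabled flag we can read here.
            $enabled = (Get-LocalUser -SID $m.SID).Enabled
        }
        [pscustomobject]@{
            Name        = $m.Name
            SID         = $m.SID.Value
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            Enabled     = $enabled
        }
    }
}

$report = @(Get-LocalAdminReport)
$me     = [Security.Principal.WindowsIdentity]::GetCurrent()

# Direct membership only: membership through a nested domain group is not resolved.
$isDirectAdmin = [bool]($report | Where-Object { $_.SID -eq $me.User.Value })

"Current account            : $($me.Name)"
"Process is elevated        : $(Test-IsElevated)"
"Direct member of Admins    : $isDirectAdmin"
$report | Format-Table Name, ObjectClass, Source, Enabled -AutoSize
```

An account that is a direct member but not elevated is running under a UAC-filtered token; removing it from the group and keeping a separate admin account is the configuration the report's percentages refer to.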
Who runs with full admin rights?
Define 'full'.
I run with admin rights on my Windows 10 machine because it's the default and it's a pain in the neck to run without. "Sorry you don't have permissions to set the clock".
as it is on macOS. On W10, for some things it will ask you to identify as an admin, and proceed, and for other things it will just fail instead, either forcing you to relog as admin, or to enable admin for your main account. They couldn't even make this work.
I think you hit the nail on the head right there. I've always felt the interface to gain admin on Windows has been clunky and inconsistent at best.
This sounds like BS. I used an ordinary user account on Windows 7, I'm an ordinary user on Windows 8, no problems. Hard to believe they broke it in Windows 10.
As far as the article, I agree with Avecto's findings. On any computers I have set up for others, I have always set up a separate admin account from the working user account and made sure the latter did not have admin rights. For some people I simply made this account without a password or with something very simple they could remember easily. In either case, simply
the way the MS system is designed: having no admin rights = a computer that's basically a paperweight.
The company buys into this and supports implementing a system of packaging and deploying applications that are updated in the background or that users can request and install without being prompted for an admin user. And setting up processes and procedures for users to request non-standard apps, have them approved, and call a helpdesk who can then remote desktop into the system and type in an admin login to get it installed.
I've worked at one company that did this, and it worked well because they set out to do
94% of all programs won't run properly without those rights.
Unfortunately for the longest time developers for Windows got away with not giving half a shit about security. To make matters worse, when MS finally decided to tighten the screws, they went overboard by a long shot. You cannot even install a simple program without elevated rights.
And to make matters worse, "elevated" means "full access, anywhere". There is no granularity, it's only "can't do jack shit" or "total control". You cannot open up the program files to install a normal program without also giving that program the ability to drop a low level driver into your system.
Then again, if that worked, a lot of people would probably notice just WHAT kind of crap their beloved games barf into the deeper intestines of their computers for the sake of the all holy DRM.
I don't know if Adobe does it still... but at one point they were using "extra space" in the MBR to store part of their DRM...
It isn't just games that go overboard with DRM
Nonsense. I run as an ordinary user and I rarely have to run anything as admin. Games don't require admin.
It is true on the consumer side, they try at least to follow the minimal requirements to be a good Windows application. The business world on the other side is awful. Applications that don't work if you install in Program Files, that you need to add write permissions to the installation directory for, or that need read/write permissions on server shares. This is so common in small-business-targeted applications that I have lost count of the ones I have seen.
A lot of Windows developers have no idea what %appdat
Hell yeah. Especially browsers have never, ever a reason to run as root.
/usr/lib/chromium/chrome-sandbox
-rwsr-xr-x 1 root root 18768 Feb 19 21:17
All of this leads to the conclusion that Microsoft's approach to security is fundamentally broken. This isn't new in Windows 10, it's been that way since they first decided to implement user accounts.
I found it a whole lot easier to just turn Windows off.
I found it a whole lot easier to just turn Windows off.
I prefer to get paid.
If apps had rights to their own folder / reg keys then there would be less of a need for admin.
For some apps storing stuff per user can lead to a lot of space used and a lot of stuff being downloaded more than 1 time. Also makes it a pain for updates.
This can be an issue with games with user maps / mods, and a lot of games have built-in downloads for them.
Video and other drivers have their own updates. The Windows ones can lack the control apps.
If apps had rights to their own folder / reg keys then there would be less of a need for admin.
Maybe.
For some apps storing stuff per user can lead to a lot of space used and a lot of stuff being downloaded more than 1 time. Also makes it a pain for updates.
Windows has %appdata% folders (c:\programdata) for 'stuff' (files, settings, databases,...) that is shared between all users.
Video and other drivers have their own updates. The Windows ones can lack the control apps.
This area is a complete minefield... I mean, these days GeForce Experience requires a sign-in, as do the drivers for a Razer mouse etc... that whole part of the ecosystem is pretty toxic.
Chrome updates from the about menu need admin but it does have a background auto update that works without admin.
Firefox has auto and about menu works without admin.
I wondered if for some rea
I haven't read the article, my bad, but I guess it's not talking about vulnerabilities but about various malware which indeed in most cases requires admin rights to be properly installed.
However, a great number of modern viruses live under various hidden directories in the user's profile, e.g. C:\Users\User\AppData\Roaming, so admin rights or not, you will be successfully infected.
The real problem with Windows is that most users blindly trust whatever .exe/.pdf/.docx/.xlsx files they receive from absol