Want PC Security? Remove Admin Rights
A new study shows that almost all Microsoft vulnerabilities can be mitigated simply by eliminating administrator privileges from end-users.
A new survey of Microsoft security vulnerabilities shows that the vast majority of them can be effectively mitigated while users wait for systems managers to apply the software giant's monthly patches.
The third-party report, compiled by privileged access lifecycle management vendor BeyondTrust, claims that the cure for many ills that might befall users of PCs running Microsoft (NASDAQ: MSFT) software is straightforward.
"Key findings from this report show that removing administrator rights will better protect companies," said the study, dubbed BeyondTrust 2009 Microsoft Vulnerability Analysis.
Administrative rights include the authority for someone designated as the system administrator to control what software and hardware can be installed on a user's PC. Often, however, the default setting is to let the user have administrative rights on his or her own PC but, as noted in the report, that can be risky because, for instance, a piece of malware might trick the system to prompt a user with such rights to okay its installation.
"By removing the need to grant administrative rights to end-users, IT departments eliminate what is otherwise the Achilles' heel of the desktop -- end-users with administrative power that can be exploited by malware and malicious intent to change security settings and disable other security solutions," the report said.
Microsoft itself frequently recommends that administrative privileges be disabled for most users.
"If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," a boiler plate statement reads in most Microsoft Security Bulletins.
Suspending administrative rights for most users can help block -- or, in some cases, mitigate -- many common methods of exploiting security vulnerabilities.
For example, the report said, eliminating administrator privileges from Windows 7 PCs -- thus blocking users from engaging in some risky activities, such as installing applications brought in from home -- would block 90 percent, or nine out of ten, of the "critical" security flaws identified since the system shipped last year.
Additionally, removing administrative rights from users' PCs would protect against exploitation of all 55 of the vulnerabilities reported in Microsoft Office during 2009.
Similar results can be obtained by disabling administrative rights in Internet Explorer 8 -- although that is not true of earlier IE releases.
"100 percent of the Internet Explorer 8 vulnerabilities can be mitigated by removing administrator rights," the report said.
For all versions of IE, of the 33 vulnerabilities that Microsoft identified in 2009, 94 percent could be mitigated by shutting down administrative rights.
Further, configuring users without administrative privileges would protect against 81 percent of the 80 security vulnerabilities rated as "critical" -- the highest ranking in Microsoft's four-tiered severity scale, according to the study.
While systems administrators can configure users' capabilities using a variety of tools, BeyondTrust -- perhaps not surprisingly -- sells its own tool called Privilege Manager, which has been on the market since 2004.
In order to compile the report, BeyondTrust examined all of the Security Bulletins issued by Microsoft in 2009 -- a total of 75 bulletins accounting for nearly 200 bug fixes.