90% of Microsoft Windows 7 Vulnerabilities are Mitigated by Eliminating Admin Rights

I've had to chop the word "critical" out of the title, so apologies for that.

I’m pretty sure I recall a previous version of this report floating around but this is the latest release and I thought I’d post it for anyone interested. I’m not expecting it to sway the naysayers but maybe those on the fence or new to the concept might be persuaded. I tend to think that people find computer security either really interesting or not interesting at all.

You can have a read of the report here:

BeyondTrust2009 Microsoft Vulnerability Analysis

Or just the executive summary below, truncated slightly:

Executive Summary

Microsoft and their partners regularly identify new security vulnerabilities in Microsoft software. In 2009 Microsoft published nearly 75 security bulletins documenting and providing patches for nearly 200 vulnerabilities. By examining all of the published Microsoft vulnerabilities in 2009 and all of the published Windows 7 vulnerabilities to date, this report quantifies the continued effectiveness of removing administrator rights at mitigating vulnerabilities in Microsoft software.

Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

• 90% of Critical Windows 7 vulnerabilities reported to date
• 100% of Microsoft Office vulnerabilities reported in 2009
• 94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
• 64% of all Microsoft vulnerabilities reported in 2009

Microsoft is to be lauded for releasing patches to known vulnerabilities each month. However, vulnerabilities take time to identify and patches take time to apply. During this period, threats can damage a corporate network and gain access to sensitive information. It is important that companies follow general best practices to improve security.

Note that although it says 2009 on the report some of the security bulletins sampled are as recent as March 2010. Don't say Pwn2Own. ;)

On the flip side understand that running as a standard user is not a cure-all; software updates and a whole range of other factors contribute to the "defense in depth" approach, of which least privilege is just one.

So there you go, no news really. At least you have some reading fodder that will send you to sleep. :p
 
It's tempting to cite Linux's user model here, and how even newbies are aware of the 'all powerful root' and even if they don't know why, they know not to use it as a day-to-day work account. MS in comparison seem to have only recently gone down this path of moving away from open Admin account usage, e.g. a good setup under default installation using reduced privileges. Things are getting better though at least.

This is my experience also. In any kind of formal Linux tuition I’ve had it is pretty much the first thing they tell you. I even think it would be fair to say that anyone caught using a root account for everyday stuff would be perceived as a bit of a newbie. The added danger with Linux though is one wrong switch on the command line and you bork the whole system without so much as a confirmation box. :p

I have to run as Administrator or AutoCAD won't work!!

This is a big spanner in the works for a lot of people trying to implement least user privileges, especially in the workplace. Hopefully with the Windows model the way it is now these problems will slowly fade away. Unfortunately in my own experience I’m seeing software still not complying even though it was written in the last couple of years.

I formatted my main PC a few days ago, and when next there I plan to set up an additional account using Standard User for daily purposes, with the intention of trying to form a habit of using it always.

Not read the link, but do you have to password your UAC main account? As it would be handy to eliminate one step of having to type password if need to run as admin.

This is what I do. The user account created on install is left as the admin account, and I just create myself a new standard one. I do the bulk of the installs, stuff like flash player and adobe reader and also set the backup, within the admin account as you will be getting a lot of UAC prompts. After that using a standard account is pretty easy for me. In answer to your question I would always have a decent administrator account password.
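An added example (not from the thread or the report) of the arrangement described in the reply above, as a script: the install-time account stays admin, a separate standard account is created for daily use, and the box is then audited to confirm that nobody extra holds admin rights and that UAC still forces a password for admin actions. It assumes Windows 10/11 with PowerShell 5.1+ and the built-in Microsoft.PowerShell.LocalAccounts module, is run from the admin account, and uses `daily` as a placeholder account name.

```powershell
# Added example, not from the thread. Assumes Windows 10/11, PowerShell 5.1+,
# the built-in LocalAccounts module, and that it is run from the admin account.
# 'daily' is a placeholder name for the standard account.

$dailyUser = 'daily'

# 1. Create the standard account if it does not exist yet. New-LocalUser does
#    not put the account in any group, so add it to Users explicitly; it is
#    deliberately never added to Administrators.
if (-not (Get-LocalUser -Name $dailyUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $dailyUser"
    New-LocalUser -Name $dailyUser -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $dailyUser
}

# 2. Audit: who holds local admin rights? Only the install-time account should
#    appear, and the built-in Administrator (RID 500) should stay disabled.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
"Local Administrators: $($admins -join ', ')"
if ($admins -match "\\$($dailyUser)$") {
    Write-Warning "$dailyUser is a member of Administrators; remove it"
}
$builtin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin.Enabled) { Write-Warning 'Built-in Administrator account is enabled' }

# 3. Audit UAC policy. EnableLUA=1 turns UAC on; ConsentPromptBehaviorUser
#    should prompt a standard user for admin credentials (1 or 3), not
#    auto-deny (0); ConsentPromptBehaviorAdmin=0 means silent elevation,
#    which defeats the point of keeping a separate admin account.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) { Write-Warning 'UAC (EnableLUA) is disabled' }
if ($uac.ConsentPromptBehaviorUser -eq 0) {
    Write-Warning 'Standard users are auto-denied elevation (no credential prompt)'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Admins elevate without any prompt'
}
```

The warnings are the findings to act on; a clean run prints only the Administrators list, which should contain just the install-time account.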
 
To be fair it's the ones that do supposedly work in IT that boggle the mind the most sometimes, like when you find MS Office installed on a domain controller. :o
 