Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

[smogsy]

just thought i would post this here:
https://www.bleepingcomputer.com/ne...nt-of-all-critical-microsoft-vulnerabilities/

many users say they must HAVE admin, in this day and age its not true. just some findings to prove the standard user effectiveness

 

[smogsy]

For the odd time someone installs something they shouldn't, time wise it makes more sense for people to have admin rights rather than having to ring us everytime something wants to update or install a new version.

easy fix, you can use group policy to allow them to update certain apps. & you can also setup a Form To fill in to request Admin for X days. & revoke them automatically.
This way you can track what they install to..

for corporate users yes, for home users its a nightmare they must have admin rights... I tried removing admin rights for some people who kept getting virus' not only does it not help for most "crapware" but they then call you weekly because x y or z will not update / install... better they need a paid for devirus twice a year than you get weekly phone calls

Home Users
Create a second account called Admin + Link UAC to Admin. Any install/update can be done from standard account But they get asked for the password to the Admin account.

This way they only have Admin access for certain tasks/apps. So NO Users Dont need admin.

 

[smogsy]

Is this not what UAC is doing anyway, blocking admin rights without your consent?

So surely if you have some idea of what you're doing and don't just blindly click yes on UAC prompts, then you don't need to run on a standard account?

Or does running on a standard account improve security even further?

UAC is only a tiny drop in the ocean

UAC does the following: (also depends on which level it is on, their are 4 in Windows 8/10)

here are many changes which require administrative privileges and, depending on how UAC is configured, they can cause an UAC prompt to show up and ask for permission. These are the following:

• Running an application as administrator
• Changes to system-wide settings or to files in the Windows or Program Files folders
• Installing and uninstalling drivers & applications
• Installing ActiveX controls
• Changing settings to the Windows Firewall
• Changing UAC settings
• Configuring Windows Update
• Adding or removing user accounts
• Changing a user’s account type
• Configuring Parental Controls or Family Safety
• Running Task Scheduler
• Restoring backed-up system files
• Viewing or changing another user’s folders and files
• Changing the system date and time

If your running an admin account & have UAC ON, most the following will not even prompt you for UAC prompt. because you already have the neccsary rights to do so. & their built into windows.
With a standard account UAC will always prompt if it requires Admin Access.

• Changes to system-wide settings or to files in the Windows or Program Files folders
  
• Installing ActiveX controls
  
• Configuring Windows Update
• Changing a user’s account type
• Configuring Parental Controls or Family Safety
• Changing the system date and time

So Running Standard account is vastly more secure.

 

[smogsy]

Energize, what type?
i do application development and don't require admin privileges for almost any of the following:
i do
C/C#/C++,
Python
PHP/HTML/CSS/
power-shell