Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

smogsy · 2 Mar 2017 at 08:55

just thought i would post this here:
https://www.bleepingcomputer.com/ne...nt-of-all-critical-microsoft-vulnerabilities/

many users say they must HAVE admin, in this day and age its not true. just some findings to prove the standard user effectiveness

Rroff · 2 Mar 2017 at 09:09

Very simplistic view of it - in the realworld if you are even remotely a power user an admin account is still pretty much needed on Windows unless you are a sucker for punishment none the less still a lot of older software that doesn't work properly with a standard account. On Linux though, some exceptions aside, no reason to run admin every day.

Glanza · 2 Mar 2017 at 10:19

For the odd time someone installs something they shouldn't, time wise it makes more sense for people to have admin rights rather than having to ring us everytime something wants to update or install a new version.

Steampunk · 2 Mar 2017 at 10:56

Yep, if Windows didn't have such a **** permissions/group system, people wouldn't have to run as admin to get anything done.

edscdk · 2 Mar 2017 at 10:59

smogsy said:
just thought i would post this here:
https://www.bleepingcomputer.com/ne...nt-of-all-critical-microsoft-vulnerabilities/

many users say they must HAVE admin, in this day and age its not true. just some findings to prove the standard user effectiveness

for corporate users yes, for home users its a nightmare they must have admin rights... I tried removing admin rights for some people who kept getting virus' not only does it not help for most "crapware" but they then call you weekly because x y or z will not update / install... better they need a paid for devirus twice a year than you get weekly phone calls

smogsy · 2 Mar 2017 at 13:41

Glanza said:
For the odd time someone installs something they shouldn't, time wise it makes more sense for people to have admin rights rather than having to ring us everytime something wants to update or install a new version.

easy fix, you can use group policy to allow them to update certain apps. & you can also setup a Form To fill in to request Admin for X days. & revoke them automatically.
This way you can track what they install to..

edscdk said:
for corporate users yes, for home users its a nightmare they must have admin rights... I tried removing admin rights for some people who kept getting virus' not only does it not help for most "crapware" but they then call you weekly because x y or z will not update / install... better they need a paid for devirus twice a year than you get weekly phone calls

Home Users
Create a second account called Admin + Link UAC to Admin. Any install/update can be done from standard account But they get asked for the password to the Admin account.

This way they only have Admin access for certain tasks/apps. So NO Users Dont need admin.

KIA · 2 Mar 2017 at 17:42

smogsy said:
just thought i would post this here:
many users say they must HAVE admin, in this day and age its not true. just some findings to prove the standard user effectiveness

You can lead a horse to water, but you can't make it drink.

Anyway, it's good to know that the principle of least privilege still applies, as one would expect.

Rroff · 2 Mar 2017 at 19:12

edscdk said:
most "crapware" but they then call you weekly because x y or z will not update / install

Not really sure about Windows 10 as I've not really encountered much malware, etc. on there yet (maybe because security works better maybe) but 7 and 8 yeah something like 1/3rd of malware just goes straight through Windows security like it isn't even there. The article is very simplistic and idealistic IMO.

Raumarik · 2 Mar 2017 at 21:52

If people REALLY want to disable UAC I always suggest enabling applications whitelisting, only recently bothered doing this at home and not had any hassle with it. It can amusingly prevent some old bits of software updating, which in my case has reminded me to remove them.

UAC I personally always left on, I never saw it as a huge problem and software that typically prompted for that regularly was on the whole usually poorly written. People can blame MS all they want, bottom line is that software written for windows should function within it's predefined security mechanism and not constantly prompt the UAC if done properly.

Rroff · 2 Mar 2017 at 22:00

Halfmad said:
bottom line is that software written for windows should function within it's predefined security mechanism and not constantly prompt the UAC if done properly.

This isn't really about UAC but people running an account with admin permissions as a day to day thing - however in reality a lot of people have to use a lot of often legacy software that either pre-dates many of the Windows accounts/permissions systems or badly implements them and there often isn't a newer/better alternative.

Energize · 3 Mar 2017 at 00:57

Running my workstation would be a nightmare as standard user, it's such a pain just being asked permission every time I want to write to C:\

LizardKing · 3 Mar 2017 at 12:40

Steampunk said:
Yep, if Windows didn't have such a **** permissions/group system, people wouldn't have to run as admin to get anything done.

NTFS permissions and user/groups are one of the best bits of windows, blame the badly written software if its causing issues.

Energize said:
Running my workstation would be a nightmare as standard user, it's such a pain just being asked permission every time I want to write to C:\

Even admins have to runas to store data in the base directory of c:\ so it would make far more sense to work out of a separate folder?

Energize · 3 Mar 2017 at 14:04

LizardKing said:
Even admins have to runas to store data in the base directory of c:\ so it would make far more sense to work out of a separate folder?

You don't need to use "run as" if you use the built in superuser account, and it's just one example among many.

ChrisD. · 3 Mar 2017 at 14:05

What admin? Domain admin, local admin?

KIA · 3 Mar 2017 at 17:20

ChrisD. said:
What admin? Domain admin, local admin?

Both.

ChrisD. · 3 Mar 2017 at 17:34

Well best practice is already RBAC and only select few using domain admin (when it's needed, rather than day to day). For local at home, it's pretty obvious and Windows is catching up with *nix anyway.

Last job I was in regular admins were using domain admin in day to day duties including desktop logon, email, apps etc. How I laughed.

KIA · 3 Mar 2017 at 17:51

ChrisD. said:
Last job I was in regular admins were using domain admin in day to day duties including desktop logon, email, apps etc. How I laughed.

I've witnessed something similar. Logged in as domain admin, using IE on a Server 2003 box to browse the web, long after support expired.

ChrisD. · 3 Mar 2017 at 17:52

The only saving grace is that that particular system (as are most I work on) are disconnected from the web, thankfully. But yeah, that's pretty funny/facepalm!

Rroff · 4 Mar 2017 at 13:00

KIA said:
I've witnessed something similar. Logged in as domain admin, using IE on a Server 2003 box to browse the web, longer after support expired.

I had to laugh once - one of the IT guys where I was working was always berating other users about security and practises, etc. one day connected his personal laptop to a closed production network to install a printer driver (I'm guessing was impatient) subsequently it was infected with a virus knocking the systems on it offline :s (ah his face when he realised what he had done and that some of us realised how it had happened).

Mattus · 4 Mar 2017 at 17:25

Energize said:
Running my workstation would be a nightmare as standard user, it's such a pain just being asked permission every time I want to write to C:\

What are you doing which requires regular writing to the root folder? Can't you just write to another folder?