Admin rights underpin many Windows exploits, analysis finds

Including 100 percent of IE flaws

Organisations could dramatically cut their exposure to vulnerabilities in Microsoft software simply by limiting Windows admin rights, an analysis by BeyondTrust has reminded the world.

Going by the flaw data in Microsoft's security bulletins for 2010, removing admin rights from users of Office and Internet Explorer would have mitigated 100 percent of the vulnerabilities reported in those products. Mitigated here does not mean prevented: the bug is still exploitable, but code that gets in through a standard user's application ends up with that user's privileges rather than control of the machine.

Overall, of the 256 vulnerabilities published by the company during the year, 163, or 64 percent, would have been mitigated by removing admin rights. On the operating system side, 76 out of 162 flaws could be avoided using the same tactic.

Of the 142 Windows 7 flaws ever made public, 42 percent would be mitigated by removing admin rights.

The idea of removing or limiting admin rights is not new, but neither is it simple to implement. Admin rights are often left in place and mediated through User Account Control (UAC), because taking them away breaks some applications, including legacy apps written on the assumption that they have them.
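Before deciding what "removing admin rights" would change on a given machine, the first check is whether the logged-in account actually holds them and how UAC is configured. The PowerShell audit below is an added example, not code from the article or from BeyondTrust. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10/11 (for Get-LocalGroupMember); the registry value names and their meanings are Microsoft's documented UAC policy settings, and the Assessment wording is the example's own.

```powershell
# Added example (not from the article or BeyondTrust): report whether the current
# account runs with admin rights and how UAC is configured.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows 10 or 11.

function Get-AdminRightsAudit {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when the current token really carries admin rights (UAC off, or an
    # elevated process). A UAC-filtered, non-elevated token reports $false here.
    $isElevated = $principal.IsInRole($adminRole)

    # Membership in BUILTIN\Administrators (S-1-5-32-544) regardless of token
    # filtering. Nested domain groups are not expanded by this cmdlet.
    $inAdminsGroup = $false
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $inAdminsGroup = [bool]($members | Where-Object { $_.SID -eq $identity.User })
    } catch {
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    }

    # UAC policy lives under this key; a missing value means the Windows default applies.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    $enableLua   = if ($null -ne $uac.EnableLUA) { [int]$uac.EnableLUA } else { 1 }
    $adminPrompt = if ($null -ne $uac.ConsentPromptBehaviorAdmin) { [int]$uac.ConsentPromptBehaviorAdmin } else { 5 }
    $userPrompt  = if ($null -ne $uac.ConsentPromptBehaviorUser)  { [int]$uac.ConsentPromptBehaviorUser }  else { 3 }

    $adminPromptText = switch ($adminPrompt) {
        0 { 'elevate without prompting (UAC gives admins no protection)' }
        1 { 'prompt for credentials on the secure desktop' }
        2 { 'prompt for consent on the secure desktop' }
        3 { 'prompt for credentials' }
        4 { 'prompt for consent' }
        5 { 'prompt for consent for non-Windows binaries (default)' }
        default { "unknown value $adminPrompt" }
    }
    $userPromptText = switch ($userPrompt) {
        0 { 'deny elevation automatically' }
        1 { 'prompt for credentials on the secure desktop' }
        3 { 'prompt for credentials (default)' }
        default { "unknown value $userPrompt" }
    }

    # Assessment wording is this example's own summary of what each state means.
    $assessment = if ($isElevated) {
        'Running elevated: an exploit in this process gets full admin rights.'
    } elseif ($inAdminsGroup -and $enableLua -eq 0) {
        'Admin account, UAC disabled in policy: after next logon every process runs with full admin rights.'
    } elseif ($inAdminsGroup) {
        'Admin account behind UAC: exploits run with user rights until a prompt is approved.'
    } else {
        'Standard user: exploits in user applications are confined to this account.'
    }

    [pscustomobject]@{
        User                  = $identity.Name
        IsElevated            = $isElevated
        InLocalAdministrators = $inAdminsGroup
        UacEnabled            = ($enableLua -eq 1)
        AdminPromptBehavior   = $adminPromptText
        StandardUserPrompt    = $userPromptText
        Assessment            = $assessment
    }
}

Get-AdminRightsAudit | Format-List
```

Run it once from a normal console and once from an elevated one: the same admin account shows IsElevated false in the first and true in the second, which is exactly the gap UAC's token filtering opens and an approved prompt closes. Changes to EnableLUA only take effect at the next logon, so the policy value and the live token can disagree.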

BeyondTrust's long-standing solution is a product called PowerBroker for Desktops which admins can use to define rights on an app-by-app or process-by-process basis, but always while keeping them to a minimum.

"Microsoft does a great job identifying and patching those vulnerabilities, but the pure number demonstrates the volume of vulnerabilities in some of the most common business software in the enterprise," said BeyondTrust's director of program management, Peter Beauregard.

For organisations that don't want to buy a product just to manage admin rights around one vendor's software, Beauregard offered a second argument: limiting those rights also protects against a proportion of vulnerabilities that are still unknown, including flaws in non-Microsoft software whose exploitation likewise depends on the logged-in user already holding administrative privileges.

"Patching alone doesn't protect the enterprise, because so many vulnerabilities are undiscovered and others could take weeks to patch. Removing administrative privileges from users is the only way to eliminate the vast majority of risk that comes from these vulnerabilities," said Beauregard.

One dimension the report does not address is consumers, who typically run Windows from an account with admin privileges, since that is what setup creates by default. For this part of the Windows population, short of doing day-to-day work from a separate standard user account, the main defence is a healthy scepticism and the willingness to click 'No' when UAC prompts for admin rights.


John E Dunn

Techworld

1 Comment

Robert C. Leif


Because of administrative privileges, I was almost ready to give up on Expression Web. Your implementation needs to provide specific information every time raising administrative privileges stops the user from progressing. Windows is now sufficiently complex that it is a true operating system. Unfortunately, your customers wanted a household appliance. This may be one of the motivations to migrate to a pad device.
