Most of Microsoft's Critical Vulnerabilities, Solved by Removing Admin Rights

Bot

Removing administrator rights could have helped mitigate 94% of all Windows vulnerabilities with a Critical rating, reveals a new analysis signed by global security software company Avecto.

After taking a look at all security bulletins issued by Microsoft throughout 2016, Avecto came up with a few key findings to shed some light on the overall security problems of Windows OS. During the whole of 2016, 530 vulnerabilities were reported, a small increase over the previous year. When it comes to Critical vulnerabilities, the number dropped to 189, much better than in 2014 when 240 such problems were reported.


"Remote Code Execution vulnerabilities account for the largest proportion of total Microsoft vulnerabilities. Of these, 70% were classed as Critical. Almost 90% of total RCE vulnerabilities and 94% of Critical RCE vulnerabilities could be mitigated by removal of admin rights," researchers note.

Another vulnerable asset of Microsoft is Edge, the company's latest browser. A total of 111 vulnerabilities were discovered in the browser, 68 of which were critical. All of them could be mitigated by the simple removal of admin rights. The same could be done regarding Internet Explorer, about which Microsoft announced 109 vulnerabilities, less than half compared to the previous year.

Read more: Most of Microsoft's Critical Vulnerabilities, Solved by Removing Admin Rights
 

_CyberGhosT_

I used to use an admin account for Win 7;
now I just use an MS account for Win 10
with Admin disabled.
For those of you who don't know how to check or disable
the admin account, here are 3 ways to do so:
3 Ways to Enable and Disable Built-in Administrator in Windows 10
Yes, this will also disable admin privileges for your current acct. too ;)
 
Deleted member 178

There is no secret to having a secured system:

- Use all the features your OS can deliver.
- Set them to the highest level possible, then, if it is within your capabilities, harden the OS via tweaks.
- Finally, you can add your favorite security app to cover some attack vectors.

Then you have to learn safe habits & behavior.

If you can follow these small steps, I can guarantee you that you will never be infected. It has worked for me and those I have taught for 20 years, and I don't believe it will change soon.
 

shmu26


Deleted member 178

I think that is why UAC was introduced, for Admin accounts.
Yes, UAC was made to ease doing admin tasks on standard accounts, nothing related to security.
Then MS observed that UAC blocks the elevation requested by malware, so MS used that capability to "advertise" UAC as a "security" feature, which wasn't intended in the first place. And they succeeded very well, because now everybody thinks UAC is a security feature.
 

Handsome Recluse

Yes, UAC was made to ease doing admin tasks on standard accounts, nothing related to security.
Then MS observed that UAC blocks the elevation requested by malware, so MS used that capability to "advertise" UAC as a "security" feature, which wasn't intended in the first place. And they succeeded very well, because now everybody thinks UAC is a security feature.
But they also say they aren't a security feature and they don't really update it. Eh, underhanded tactics are quite common anyway. Marketing isn't simply making your product known anyway.
Now I'm interested in what percentage other strategies will get. I'd like to see the asd.gov.au strategies being empirically tested, given those strategies' effectiveness seems to change on a whim.
 

_CyberGhosT_

Yes, UAC was made to ease doing admin tasks on standard accounts, nothing related to security.
Then MS observed that UAC blocks the elevation requested by malware, so MS used that capability to "advertise" UAC as a "security" feature, which wasn't intended in the first place. And they succeeded very well, because now everybody thinks UAC is a security feature.
That's why for a very long time I put in my Profile UAC is on, but VS was and has been my
surrogate UAC ;)
 

Dirk41

Hi!
Thank you for sharing.

I have a question: you know UAC has sometimes been bypassed; if you use a SUA (like I always do), does it protect you from this kind of exploit?
 

Rolo

Question for those who use standard accounts: How often are you prompted for elevated privileges and how often do you have to work around it?

Do you need to switch accounts to install software?

I ask since I've always used an admin account since not using it has broken a lot of software (especially games) or gives constant nagging (at many, many software updates). In the past, the hassle was just not worth the benefit to me.

Is this still the case or is using a standard account pretty quiet?
 
Deleted member 178

Question for those who use standard accounts:

Yes, me! :p

How often are you prompted for elevated privileges and how often do you have to work around it?

Never, unless I need to do some admin tasks; then I enter my password in UAC prompts.

Do you need to switch accounts to install software?

Depends on the soft; most apps just require answering UAC (I set it on max) when it kicks in. However, some others seem to work only/better when installed on Admin accounts (i.e. NVT ERP, etc.)
But safe practice would be to install softs on the admin account, because you would only use the admin account for admin tasks; your account won't be compromised by potential infections you may have from online activities you had.

I ask since I've always used an admin account since not using it has broken a lot of software (especially games) or gives constant nagging (at many, many software updates). In the past, the hassle was just not worth the benefit to me.

I don't play games :D
About update nagging, you can't avoid it if you allow your soft to update when they want. One reason I use portable pass or I disable updates auto-installation.

Is this still the case or is using a standard account pretty quiet?
In my case, totally quiet. I never have any elevation requests unless it is voluntary from me.
 

shmu26

I use SUA, I get a prompt when I want to manually run a Macrium Reflect backup job. Otherwise, it's quiet, unless I am really messing around with my system.
The scheduled backup jobs don't produce a prompt.
I always install new programs right here in SUA (yes, I get a prompt) unless it is hard-core security softs like ReHIPS or something like that.
There are certain things you just can't do in SUA (like hack the registry, or kill certain key processes) and that is a good thing...
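
Added example (not written by any poster in this thread): a read-only PowerShell check of the three settings the thread discusses, namely whether the built-in Administrator is enabled, whether the current account is a local administrator, and whether UAC is at its highest level. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and it changes nothing on the system.

```powershell
# Added example: read-only audit of local admin exposure. Makes no changes.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()

# The built-in Administrator always has a SID ending in -500, even if renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

# S-1-5-32-544 is the local Administrators group; the name is localized, the SID is not.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

# Direct membership only: membership through a nested domain group is not resolved here.
# The group list is used instead of IsInRole(), which reports $false for an
# administrator running with a UAC-filtered (non-elevated) token.
$isAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $me.User.Value })

# Registry values behind the UAC slider in Control Panel.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Always notify" (slider at the top) = consent prompt (2) on the secure desktop (1).
$alwaysNotify = ($uac.EnableLUA -eq 1) -and
                ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
                ($uac.PromptOnSecureDesktop -eq 1)

[pscustomobject]@{
    CurrentUser              = $me.Name
    CurrentUserIsLocalAdmin  = $isAdmin
    BuiltInAdminName         = $builtin.Name
    BuiltInAdminEnabled      = $builtin.Enabled
    LocalAdministrators      = ($admins.Name -join '; ')
    UacEnabled               = ($uac.EnableLUA -eq 1)
    UacAlwaysNotify          = $alwaysNotify
    # 1 = standard users get a credential prompt on the secure desktop,
    # 3 = credential prompt, 0 = elevation requests are denied automatically.
    StandardUserPromptPolicy = $uac.ConsentPromptBehaviorUser
} | Format-List
```

On a machine set up the way the standard-account posters describe, `CurrentUserIsLocalAdmin` and `BuiltInAdminEnabled` are both `False`, and `LocalAdministrators` lists only the separate account kept for admin tasks.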
 
