Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

Do you use a Standard User Account for daily usage?


  • Total voters
    61
D

Deleted member 178

Thread author
Just by preventing access to admin accounts, a system administrator could safeguard all the computers under his watch and prevent attackers from exploiting 94% of all the critical vulnerabilities Microsoft patched during the past year.

This is the conclusion of a study carried out by cyber-security firm Avecto for the second year in a row, after, at the same time last year, it discovered that a sysadmin could mitigate 86% of all critical vulnerabilities Microsoft patched in 2015, just by taking the same action and disabling admin rights.

What this growth from 86% to 94% means is that the security of Microsoft products is getting better, if users would only start following industry best practices and stop using admin accounts for daily work.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
SUA, SRP and other built in windows security should all be in place before anyone even considers adding 3rd party security software. But, I think it's time now that MS make SUA the default like on other operating systems. Thanks for the share Umbra.
 
D

Deleted member 178

Thread author
But, I think it's time now that MS make SUA the default like on other operating systems. Thanks for the share Umbra.
You will always have some guys thinking, "nahhh i can handle admin account safely, because i'm smart and skilled enough to use awesome security products properly" ... then they will blame the product when they get infected.
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
Only lazy people refuse to use it.
Lazy people like me ;)

However, I am considering changing my Admin account to SUA one. I've been using UAC for last few months, after 10+ years of having it disabled and so far it hasn't been anywhere as annoying as I thought it would be, to deal with multiple UAC prompts every day.
 
  • Like
Reactions: AtlBo

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
SUA is useful if you are having many PC to manage. Like me, I'm only using my tablet, SUA would not be useful to me. In fact, I would consider it a hassle to change accounts frequently
 
  • Like
Reactions: AtlBo
D

Deleted member 178

Thread author
Many here it seems are so focused on WD detection rates, failing to not only see all AV's can not keep up with zero-day malware fast enough to be effective "hence why they have other modules aka bloatware" that they also fail to understand if they use the tools already provided with the OS that it is unnecessary to do so.
Because they are formatted by those AV vendors with their "100% protection" and test labs.
 
D

Deleted member 178

Thread author
Can't agree with that one. I run admin because some of the business software I use won't run SUA, but as you know Umbra, I am pretty well protected.
Sadly, it is what i told earlier, "bad coding" , your software shouldn't need elevation and be able to be used on SUA...unless it does tasks related to the system ?
 
Last edited by a moderator:
  • Like
Reactions: AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I'll go with all of what has been said here in favor of using SUA. Use it from the beginning and avoid configuration difficulties and having to move files.

SUA is your best friend as a user. The only extra requirement of using SUA is something that we all want from the OS anyway...password prompts for requests to make changes system-wide and access areas of the PC that are system related or not part of the user account. UAC properly oversees the SUA.

I kind of disagree that it's 100% easy to change over. For me, it took some getting used to the expectations of UAC's handling of the SUA. Running things as admin can be a thing to remember and then some software is simply not written for use in an SUA. This should NOT be the case as Umbra states. There are even security programs that deny access to settings in SUA, when clearly there should be support for multiple accounts and a password for the app that the admin can use to set settings for various accounts and use in an SUA him/herself.

Haven't 100% run into issues with software in SUA, except the typical annoying prompt for CCleaner. Schedule solves that. Otherwise, I can see how it would be basically impossible to run software that prompts every few minutes or whatever. It is hard for me to say other than that really is poorly designed software by today's standards.

Umbra has done a good job of trying to explain to users that they will enjoy their computer more if they try UAC full strength and SUA. He is right about this, and I recommend everyone to try it and see for yourself. It's all the reminders you want from a PC when you are adding software or making changes.
 
Last edited:

lab34

Level 6
Verified
Well-known
Mar 28, 2017
263
Thanks for sharing Umbra.
I've just switched my home PC to SUA.

I remember I've tried before and it hurts me.
But it was on the XP era. UAC seems to handle this nicely now.

In my company, you have a SUA by default. And you have to phone the support to have new software installed.
Some people (techs, dev, ...) can ask to be admin. :)

But they just change your account type to admin, they not give you another one :(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top