Running without Admin rights to mitigate vulnerabilities

DavidY

Summary: By running users under standard, non-admin accounts, IT can prevent a very high percentage of Microsoft vulnerabilities from being exploited.

Link to ZDNet story:
Admin rights key to mitigating vulnerabilities, study shows | ZDNet

I was interested to see this, because I set up 2 accounts on my home laptop in the days of XP, one with Admin rights (but which I only use to install stuff or run Backups) and one non-Admin account that I use day-to-day.

I still do the same in Windows 8, but I have wondered if it was still worth it. According to this study it is.

The only catch is that Avecto, who produced the study, do have an interest in persuading people not to run as Admin all the time, using their products, so they're not exactly independent.
Avecto is a leader in Windows privilege management, helping organizations to deploy secure and compliant desktops and servers.

But given it's pretty easy to set up a Standard account and run without Admin rights most of the time, I'll keep doing it...
 

My Computer

System One

  • OS
    Windows 8.1, 10
Why would you need to buy software to use a separate account? I've been using Admin and user accounts on my personal W7 PCs forever without the need of software.

I guess there is commercial software for everything; every day a sucker is born.....

Only if I install something while logged in as user, I'm asked to enter the Admin password. No big deal.
 

My Computer

System One

  • OS
    Windows 7 Pro 64
    CPU
    Core i3 3.3 GHz
    Memory
    16 GB 1600 MHz
    Hard Drives
    SSD Samsung 830 128 GB
I don't think he said you had to buy anything. Sure it would be a good idea - I (almost) never sign on as root on my Mac or CentOS but for some reason I always want admin for Windows. Look at all the UAC complaints here - I'm not alone. Why - I'm not sure really. As long as you don't make your Admin password "Admin" it is certainly more secure.
 

My Computer

System One

  • OS
    Windows 10 Pro Preview x64
    Computer type
    Laptop
    System Manufacturer/Model
    MacBook Pro Core2Duo
    CPU
    T7600
    Memory
    3
    Graphics Card(s)
    ATI Radeon X1600
    Monitor(s) Displays
    Internal
    Screen Resolution
    1440 x 800
    Hard Drives
    40GB
    Keyboard
    Apple
    Mouse
    Apple
    Internet Speed
    Varies
    Browser
    Various
    Antivirus
    Defender
Why would you need to buy software to use a separate account? I've been using Admin and user accounts on my personal W7 PCs forever without the need of software.
I don't know, to be honest. I imagine the company who did the survey are selling some product for the corporate world; maybe where you occasionally need Admin rights but don't want to give people the password.

For home use, I do exactly the same as you.

Sure it would be a good idea - I (almost) never sign on as root on my Mac or CentOS but for some reason I always want admin for Windows. Look at all the UAC complaints here - I'm not alone. Why - I'm not sure really. As long as you don't make your Admin password "Admin" it is certainly more secure.
I find that even when I'm logged in as non-Admin, UAC asks me for Admin login and password whenever I want to do something that needs it anyway, so it's not much extra hassle.

The advantage is that if my favourite website was hacked with something that sent me an unpatched Windows vulnerability, if I'm not logged in as Admin, the hope is the attack would be less likely to succeed (or at least a UAC would pop up so I'd know something was wrong).
 

I got as far as the page where I had to give details of my name - surname - occupation - business name and email. There I stopped. I investigated Avecto and could see that they do, as David suggests, sell security software. The biggest risk here is contra their own advert. You are exposing yourself to future spam email!
 

My Computer

System One

  • OS
    Windows 8.1
    Computer type
    PC/Desktop
    Other Info
    Use several different computers during a day, so specs are irrelevant.
This way to the Egress>>>>
 

My Computer

System One

  • OS
    Windows 8.1.1 Pro with Media Center
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Gateway
    CPU
    AMD K140 Cores 2 Threads 2 Name AMD K140 Package Socket FT1 BGA Technology 40nm
    Motherboard
    Manufacturer Gateway Model SX2110G (P0)
    Memory
    Type DDR3 Size 8192 MBytes DRAM Frequency 532.3 MHz
    Graphics Card(s)
    ATI AMD Radeon HD 7310 Graphics
    Sound Card
    AMD High Definition Audio Device Realtek High Definition Audio USB Audio Device
    Monitor(s) Displays
    Name 1950W on AMD Radeon HD 7310 Graphics Current Resolution 1366x768 pixels Work Resolution 1366x76
    Screen Resolution
    Current Resolution 1366x768 pixels Work Resolution 1366x768 pixels
    Hard Drives
    AMD K140
    Cores 2
    Threads 2
    Name AMD K140
    Package Socket FT1 BGA
    Technology 40nm
    Specification AMD E1-1200 APU with Radeon HD Graphics
    Family F
    Extended Family 14
    Model 2
    Extended Model 2
    Stepping 0
    Revision ON-C0
    Instruction
    Browser
    Opera 24.0
    Antivirus
    Avast Internet Security

This way to the Egress>>>>
Isn't that a female swan?

P. T. Barnum>>>

At one point, Barnum noticed that people were lingering too long at his exhibits. He posted signs indicating "This Way to the Egress". Not knowing that "Egress" was another word for "Exit", people followed the signs to what they assumed was a fascinating exhibit...and ended up outside.
Barnum's American Museum - Wikipedia, the free encyclopedia

AKA>>> Deception
 

Only joking sir - Terry Pratchett copied it in "A Hat Full of Sky" - it amused me.
 


Running with a standard account was a good idea in XP and older systems. Any malware that might find its way into your system would be able to do little damage with such an account. But with the introduction of Vista and UAC we have most of the benefits of a limited account with less inconvenience. But a standard account is still somewhat more secure. If it works for you that is the best option. For most others UAC is a viable alternative.
 

This thing of running without admin rights, isn't it basically what Linux does? In Linux, you have to enter your password for every little thing you want to do. They claim it stops malware from installing.

By the way, the idea just got a big review in PCWorld.
 

My Computer

System One

  • OS
    windows 8.1 pro
    Computer type
    PC/Desktop
As Lmiller7 said perhaps it is antiquated. In NT I had to set some processes to "act as part of the operating system" and also be local admin. I've not had to do that for years.
 

I get it. So basically, running a standard account in Windows 7/8 only saves you from your own mistakes, and even that won't help, if you know the password for the admin account. But it probably won't stop the sophisticated malware that affects modern systems.
 

No it will not but the issue is granting authority.

If you download an .exe and select "run as administrator" then it is your fault. In my case the only programs I run as administrator are from Sysinternals or occasionally cmd.

If you have set up a local admin account and decided to make the password "Admin" or "Password" then also it is your fault if some software guesses it.
 

In Windows any software you run will by default inherit your rights and privileges. If you are using an admin account and UAC is off any malware you accidentally run will have essentially unrestricted access to the system. If it wishes it can do considerable harm to your system. If you are using a limited account that malware probably won't be able to do much. It won't stop really sophisticated malware but it will make its task much more difficult.

Traditionally home Windows users have used an admin account for normal use. This goes back to Windows 9x which had no security worth mentioning and everyone was an admin. That being the case most software assumed it had unrestricted access to the system and acted accordingly. When XP was introduced it brought the NT platform to the masses. The NT platform has always had limited accounts but such an account imposes such restrictions on applications that many older versions would not run properly, if at all. Limited accounts work well in a business setting where most software is designed to run under these limitations. Most home users solved that problem in the most straightforward manner, they used an admin account all the time.

Most modern software will now run under a limited account. But old habits die hard.

Linux is an outgrowth of Unix which first became popular in universities. Most users only had access to a standard account with only a select few having a root account (like an admin account in Windows). Software was written accordingly.
 

My Computer

System One

  • OS
    Windows 7
    Computer type
    PC/Desktop
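The three cases described in the post above (admin account with UAC off, admin account behind UAC, limited account) can be told apart from inside a session. This is an added example, not code from anyone in the thread; it assumes Windows PowerShell 5.1 or later, and the function name `Get-PrivilegePosture` is made up for illustration.

```powershell
# Added example: classify the current session by the rights that any
# program started from it would inherit.
function Get-PrivilegePosture {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only if this process token has the Administrators group enabled,
    # i.e. the process is elevated (or UAC is off for an admin account).
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Direct membership of the local Administrators group (well-known SID
    # S-1-5-32-544), regardless of elevation. Membership through a nested
    # domain group is not resolved here.
    $adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value }
    $isAdminAccount = $adminSids -contains $identity.User.Value

    # EnableLUA = 0 means UAC is switched off machine-wide.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    $uacOn  = ($null -ne $policy) -and ($policy.EnableLUA -ne 0)

    $verdict =
        if ($elevated -and -not $uacOn) {
            'Admin account, UAC off: everything you run inherits full admin rights'
        } elseif ($elevated) {
            'Elevated process: child processes inherit admin rights'
        } elseif ($isAdminAccount) {
            'Admin account behind UAC: elevation needs a consent prompt'
        } else {
            'Standard account: elevation needs an administrator password'
        }

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $elevated
        IsAdminAccount = $isAdminAccount
        UacEnabled     = $uacOn
        Verdict        = $verdict
    }
}

Get-PrivilegePosture | Format-List
```

Run it once from the day-to-day account and once from an elevated prompt to see the difference in the token that programs inherit.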
So why (running NT4) did I have to change my profile to "Act as part of operating System" in the past then? Sloppy programming?
 

It is unfair to claim sloppy programming without a great deal more information, more than you or I will usually have access to.
 
