Benefits of Removing Administrator Access in Windows

I think most security people advocate removing administrator rights for normal Windows users, but I enjoy reading even a cursory analysis of this "best practice" as published by BeyondTrust and reported by ComputerWorld. From the press release:

BeyondTrust’s findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft’s security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

Other key findings from BeyondTrust’s report show that removing administrator rights will better protect companies against the exploitation of:

* 94 percent of Microsoft Office vulnerabilities reported in 2008
* 89 percent of Internet Explorer vulnerabilities reported in 2008
* 53 percent of Microsoft Windows vulnerabilities reported in 2008.

I'd like to take this a step further. Let's compare a system operated by a user with no administrator rights -- but no antivirus -- against a system operated by an administrator *with* antivirus. I believe the no administrator rights system would survive more often, albeit not without some failures. Anyone know of a study like that?


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Comments

Michael Janke said…
I've switched my home computers to 'no anti-virus, no administrator' mode a while ago, without any evidence or data to support the switch, other than a gut feel that if it's a trojan that is dangerous enough to hurt me, it'll be sophisticated enough to evade AV anyway.

The absence of AV certainly gives me a faster, more enjoyable user experience.
I have seen the AV 2009 virus group infect a computer right in front of me where the user had no elevated rights, was fully patched, and had fully up-to-date AV definitions. It came in and disabled the AV, and the user couldn't have done that themselves either.

I haven't seen any studies, but what I see on a daily basis would support that. Malware is just able to shift too fast for AV to keep up. Running as admin can be like using flammable liquids to put out a fire.
I will say that I wish Microsoft would come up with an administrator mode, vice runas or UAC. Something where I can put in the password once, do my administrative functions, and then shut it down...kind of like a shell within the unprivileged shell. Something where I can install software, and other things without necessarily interrupting the other processes I may have running as the standard user and something where I don't have to log out.
Anonymous said…
Here is the closest thing to this type of study that I ever remember seeing in the public:

http://www.eweek.com/c/a/Security/Is-System-Lockdown-the-Secret-Weapon/

Read the "Fight for (fewer) rights" section.

Another site summarized the results in table form:
http://nonadmin.editme.com/WhyNonAdmin
Roman said…
*nix users have been running no admin, no A/V for years. That should indicate something towards what you're proposing. I realize the number of viruses written against *nix platforms is much lower, but they are using the model described.

@Crazy Computer Dad - For an administrative "shell", just runas the command prompt. From there, you can even runas Explorer.exe to get an admin explorer window. (On XP anyway)
Roman,
That is what I do, but I am comfortable with the command line in Windows and Unix. End users that run as admin are some of my biggest problems. They "need" admin and have the rank to force it, but there is no way I would be able to get them to runas anything.

A nice gui shell where they have temporary isolated privilege and access to the icons they need would be nice. It would be even better if it was like sudo and I could limit the controls they had access to. :-)

Now that I have written it out it gives me a few ideas...
jbmoore said…
If the malware is running using the System account, it already has Administrator privileges. Game over. It doesn't matter what privileges the user account had when the malware was introduced. (http://alieneyes.wordpress.com/2006/10/23/how-to-gain-access-to-system-account-the-most-powerful-account-in-windows/) Vista's a bit better, so what?
Tyler said…
I don't know of any studies off the top of my head, but I do have personal experience which shows that removing admin rights significantly reduces (note I didn't say eliminates) the risk from malware.

In a previous job, the only people in the company that had desktop admin rights were IT - everyone else had them removed. I was in charge of monitoring (AV included) and guess where 90% of the infections occurred? That's right, IT.
Morgan Storey said…
The problem is *nix programs have been written to be installed as root and run as user; a lot of Windows programs still don't run properly as a standard user, and even stuff like Outlook has issues running as a non-privileged user.
Anonymous said…
I had one of my guys do a quick test using the STORM worm. One PC was running in admin mode and another was running as a normal user (all in XP). No surprise that the worm failed to infect as it has no rights to install itself.

He wrote a quick and simple article on it as well but it's not on our website, unfortunately. Wouldn't mind sharing it if it were.

Conclusion is we have no doubt that reducing user rights to a minimum would greatly reduce infections, but then, the flaw of this quick study is that only one malware sample was used......
Anonymous said…
Yes, dropping administrator rights will be safe, so that installation of malware is impossible. Operating the computer with a Guest account is far safer, since it doesn't have administrative rights to modify the registry and system files and install programs, as malware also couldn't do these things without a user logged in with administrative rights.
Anonymous said…
We've just performed a global discovery of users' privileges and rights across all our environment with Quest's Reporter.

We were able to find and remove a lot of users with administrative privileges and access to some resources who don't have to have such rights according to our implemented security policies.
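The discovery step the commenter describes can be scripted without a commercial reporting tool. The following is an added example, not code from the blog or from any commenter, that inventories local Administrators group membership across a list of hosts and flags members not on an allow-list. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module on the targets, WinRM reachable for Invoke-Command, and that the host names and the $Approved list are hypothetical placeholders to be replaced with your own.

```powershell
# Added example (not from the blog or any commenter): inventory local
# Administrators membership and flag principals outside an approved list.
# Assumes PS 5.1+ (Get-LocalGroupMember) and WinRM on each target.

$Hosts = @('WKS-01', 'WKS-02')   # constructed sample host names; replace with yours

# Hypothetical allow-list. Local accounts are normalised to the LOCAL\ prefix
# inside the remote script block so the list does not depend on host names.
$Approved = @('LOCAL\Administrator', 'CORP\Domain Admins', 'CORP\Desktop-Support')

$report = foreach ($h in $Hosts) {
    try {
        $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object @{ n = 'Name'; e = { $_.Name -replace "^$env:COMPUTERNAME\\", 'LOCAL\' } },
                              ObjectClass, PrincipalSource
        }
    } catch {
        # Unreachable or WinRM-disabled hosts are reported, not silently skipped
        Write-Warning "$h unreachable: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Host       = $h
            Member     = $m.Name
            Type       = $m.ObjectClass          # User or Group
            Source     = $m.PrincipalSource      # Local, ActiveDirectory, etc.
            Unexpected = -not ($Approved -contains $m.Name)
        }
    }
}

# Show only the findings that need review, and keep the full inventory on disk
$report | Where-Object Unexpected | Format-Table -AutoSize
$report | Export-Csv -Path .\local-admins.csv -NoTypeInformation
```

Run it from an account that can reach the targets over WinRM. Review the flagged rows against the security policy before acting on them; once a principal is confirmed as not entitled to the right, Remove-LocalGroupMember (same module) takes it out of the group, and the exported CSV gives you a before-and-after record of the cleanup.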
