Benefits of Removing Administrator Access in Windows

I think most security people advocate removing administrator rights for normal Windows users, but I enjoy reading even a cursory analysis of this "best practice" as published by BeyondTrust and reported by ComputerWorld. From the press release:

BeyondTrust’s findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft’s security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

Other key findings from BeyondTrust’s report show that removing administrator rights will better protect companies against the exploitation of:

* 94 percent of Microsoft Office vulnerabilities reported in 2008
* 89 percent of Internet Explorer vulnerabilities reported in 2008
* 53 percent of Microsoft Windows vulnerabilities reported in 2008.

I'd like to take this a step further. Let's compare a system operated by a user with no administrator rights -- but no antivirus -- against a system operated by an administrator *with* antivirus. I believe the no administrator rights system would survive more often, albeit not without some failures. Anyone know of a study like that?

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Comments

Michael Janke said…
I've switched my home computers to 'no anti-virus, no administrator' mode a while ago, without any evidence or data to support the switch, other than a gut feel that if it's a trojan that is dangerous enough to hurt me, it'll be sophisticated enough to evade AV anyway.

The absence of AV certainly gives me a faster, more enjoyable user experience.
9:37 PM
Crazy Computer Dad said…
I have seen the AV 2009 virus group infect a computer right in front of me where the user had no elevated rights, was fully patched, and fully up to date AV definitions. It came in and disabled the AV and the user couldn't have done that themselves either.

I haven't seen any studies, but what I see on a daily basis would support that. Malware is just able to shift too fast for AV to keep up. Running as admin can be like using flammable liquids to put out a fire.
9:58 PM
Crazy Computer Dad said…
I will say that I wish Microsoft would come up with an administrator mode, vice runas or UAC. Something where I can put in the password once, do my administrative functions, and then shut it down...kind of like a shell within the unprivileged shell. Something where I can install software, and other things without necessarily interrupting the other processes I may have running as the standard user and something where I don't have to log out.
10:08 PM
Anonymous said…
Here is the closest thing to this type of study that I ever remember seeing in the public:

http://www.eweek.com/c/a/Security/Is-System-Lockdown-the-Secret-Weapon/

Read the "Fight for (fewer) rights" section.

Another site summarized the results in table form:
http://nonadmin.editme.com/WhyNonAdmin
1:01 AM
Roman said…
*nix users have been running no admin, no A/V for years. That should indicate something towards what you're proposing. I realize the number of viruses written against *nix platforms are much less.. but they are using the model described.

@Crazy Computer Dad - For an administrative "shell", just runas the command prompt. From there, you can even runas Explorer.exe to get an admin explorer window. (On XP anyway)
2:58 AM
Crazy Computer Dad said…
Roman,
That is what I do, but I am comfortable with the command line in windows and unix. End users that run as admin are some of my biggest problems. They "need" admin and have the rank to force it, but there is no way I would be able to get them to runas anything.

A nice gui shell where they have temporary isolated privilege and access to the icons they need would be nice. It would be even better if it was like sudo and I could limit the controls they had access to. :-)

Now that I have written it out it gives me a few ideas...
7:11 AM
jbmoore said…
If the malware is running using the System account, it already has Administrator privileges. Game over. It doesn't matter what privileges the user account had when the malware was introduced.(http://alieneyes.wordpress.com/2006/10/23/how-to-gain-access-to-system-account-the-most-powerful-account-in-windows/) Vista's a bit better, so what?
7:51 AM
Tyler said…
I don't know of any studies off the top of my head, but I do have personal experience which shows that removing admin right significantly reduces (note I didn't say eliminates) the risk from malware.

In a previous job, the only people in the company that had desktop admin rights were IT - everyone else had them removed. I was in charge of monitoring (AV included) and guess where 90% of the infections occured? Thats right, IT.
8:46 AM
Morgan Storey said…
The problem is *nix's programs have been written to be installed as root and run as user, a lot of Windows programs still don't run properly as a standard user, even stuff like outlook has issues running as a non-priveldged user.
1:11 AM
Anonymous said…
I had one of my guys do a quick test using the STORM worm. One PC was running in admin mode and another was running as a normal user (all in XP). No surprise that the worm failed to infect as it has no rights to install itself.

He wrote a quick and simple article on it as well but it's not on our website, unfortunately. Wouldn't mind sharing it if it were.

Conclusion is we have no doubt that reducing user rights to a minimum would greatly reduce infections but then, the flaw of this quick study is that only 1 malware was used......
3:49 AM
Anonymous said…
Yes dropping right of administraotr will be safe so that installtion of malwares is impossible.Operating computer with Guest account far more safe since they don't have administrative right to modify registry and system files and install programs as malwares also couldn't do these things without user logged in with administrative rights.
7:01 AM
Anonymous said…
We've just performed a global discovery of users privileges and rights across all our environment with Quest's Reporter .

We were able to find and remove a lot of users with administrative privileges and access to some resources who don't have to have such rights according to our implemented security policies.
10:33 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more