
Removing admin rights can stem Microsoft exploits

More than four out of five remote code execution vulnerabilities that Microsoft patched last year could have been mitigated simply by stripping users of administrator rights, a new study has found.

Specifically, 92 percent of vulnerabilities in Microsoft products rated "critical," and 69 percent of all published vulnerabilities (more than 150 in total), could have been mitigated by removing administrator privileges from users' machines, according to a recent study by access control vendor BeyondTrust.

“The only people that should be logging in with administrative privileges are network administrators, and they should only be logging in there when they need to do something on the network that would require administrator rights,” John Moyer, CEO of BeyondTrust, said Thursday.

BeyondTrust found that most of the security bulletins Microsoft issued last year noted that users whose accounts are configured with fewer rights would be less affected than users running with administrative privileges.

For Microsoft Office, 94 percent of vulnerabilities would be mitigated by removing administrator privileges, along with 89 percent in Internet Explorer and 53 percent in Microsoft Windows, the study showed.

Of 119 bugs that could enable an attacker to remotely run unauthorized software or install malicious programs, 87 percent could be stopped by limiting user privileges, the study revealed.

“The most effective way to secure a system against malware is to run with standard user privileges,” Jon DeVaan, who works on the Microsoft Windows User Account Control (UAC) team, wrote in a recent blog post about the engineering of Windows 7.

However, removing administrator rights can be problematic because, depending on the organization, any number of legacy or custom-built applications will only run correctly under an account with administrator rights.

“Most companies are aware that it's a good idea to remove administrator rights, but the vast majority of organizations do allow their users to run with full administrator privileges,” Peter Beauregard, a BeyondTrust product manager, said.

Joel Esler, a SANS Internet Storm Center handler who specializes in Mac security, said Windows platforms traditionally have granted users administrator privileges by default, meaning they can easily install malware.

Windows Vista and Windows 7, however, were built with User Account Control (UAC), which lets administrators set rights so that users run most applications with limited privileges. Admins then elevate rights only when necessary for users to perform specific tasks, such as installing new software, a Microsoft spokeswoman said Thursday in an email.

“This helps reduce the likelihood of machine-level malware, the installation of unauthorized software and unapproved system changes,” she said.

Esler said the problem of default admin rights is not present in the Mac OS X and UNIX operating systems because users do not, by default, have full administrative privileges. So every time users want to install something, they are prompted to enter the system's password.  

For businesses running Windows, Esler said he recommends providing employees with only the access they need to do their jobs.
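As an added illustration of the advice above (this is editorial example code, not from the article, BeyondTrust or Microsoft), the following PowerShell script audits who holds local administrator rights on a Windows machine, demotes anyone not on an allow list, and checks the two UAC policy values that decide whether administrators are prompted before elevation. The allow-list entries, the `-Enforce` switch and the `CONTOSO` domain name are assumptions for the example; the cmdlets are the standard `Microsoft.PowerShell.LocalAccounts` module (Windows PowerShell 5.1 and later) and the script must itself be run elevated.

```powershell
# Added example (not from the article): audit and enforce the local Administrators group,
# then check the UAC policy that governs admin elevation. Run from an elevated prompt.
param(
    # Hypothetical allow list: only these principals may stay in Administrators.
    [string[]]$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins'),
    # Without -Enforce the script only reports what it would change.
    [switch]$Enforce
)

# Refuse to run without an elevated token; Remove-LocalGroupMember needs it anyway.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This audit must be run from an elevated (UAC-approved) PowerShell session.'
}

$group = 'Administrators'
$members = Get-LocalGroupMember -Group $group   # Name is "MACHINE\user" or "DOMAIN\user"

foreach ($m in $members) {
    if ($AllowedAdmins -contains $m.Name) {
        Write-Output "KEEP         $($m.Name) ($($m.ObjectClass))"
        continue
    }
    if ($Enforce) {
        Remove-LocalGroupMember -Group $group -Member $m.Name
        Write-Output "REMOVED      $($m.Name) from $group"
    } else {
        Write-Output "WOULD REMOVE $($m.Name) from $group (re-run with -Enforce)"
    }
}

# UAC policy check. EnableLUA=1 is what makes an admin logon run with a filtered,
# standard-user token until elevation; ConsentPromptBehaviorAdmin=0 elevates admins
# silently, which gives back most of what removing admin rights was meant to take away.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA != 1): every administrator logon runs fully elevated.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators are elevated without a prompt (ConsentPromptBehaviorAdmin = 0).'
}
```

Run it once without `-Enforce` and review the `WOULD REMOVE` lines before enforcing; accounts that legacy applications genuinely need (the problem the article notes) should be handled by fixing the application or granting a narrowly scoped right, not by leaving the user in the Administrators group.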
