    Article: Removing user Admin Rights to Mitigate Most Microsoft Flaws

    • gjacobse

      <got this in email today>

      From the article:

      A staggering 97% of critical Microsoft vulnerabilities reported over the past year could be mitigated by simply removing admin rights from user accounts, according to new research from security vendor Avecto.

      The firm analyzed all the security bulletins released by Redmond during 2014 and found that taking away admin rights would mitigate 80% of all 242 flaws discovered during the period.

      The figure rose to 98% for critical vulnerabilities affecting Windows operating systems, 95% for critical Office flaws and 99.5% for vulnerabilities in Internet Explorer, the firm claimed.

      http://www.infosecurity-magazine.com/news/remove-admin-rights-mitigate-most/?utm_source=twitterfeed&utm_medium=twitter

      • coliver

        I am slowly doing this right now on my network. I would do it in one go but we have a piece of software that "requires" admin privileges.

        • gjacobse @coliver

          @coliver said:

          I am slowly doing this right now on my network. I would do it in one go but we have a piece of software that "requires" admin privileges.

          There is always that one piece of software that doesn't play well in a more secure network. As my organization's work includes a Head Start component, they use a software (Child Plus). Install it as the Admin and you can't find it as any user. It has to be installed as the user. It's a pain - I have had a computer or two that I have installed it on, only to not have it fail - needing some other bit of software updated first - and it never tells you what.

          • coliver @gjacobse

            @g.jacobse said:

            @coliver said:

            I am slowly doing this right now on my network. I would do it in one go but we have a piece of software that "requires" admin privileges.

            There is always that one piece of software that doesn't play well in a more secure network. As my organization's work includes a Head Start component, they use a software (Child Plus). Install it as the Admin and you can't find it as any user. It has to be installed as the user. It's a pain - I have had a computer or two that I have installed it on, only to not have it fail - needing some other bit of software updated first - and it never tells you what.

            Yep, I have a workaround for this software but it takes a bit to do and requires UAC to be enabled, which for some reason isn't on the majority of our systems. I am working on that slowly too.

            • A Former User

              I've always used Process Monitor and modified Group Policy to make file/registry permissions that are only absolutely necessary.

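The approach described in the post above, as an added example that is not part of the thread: run the application as a standard user under Process Monitor, export the trace to CSV, and list only the file and registry paths where access was denied, so that permissions can be granted on those and nothing else. The process name `LegacyApp.exe`, the sample rows, and the assumption that the trace is filtered to file and registry activity are all constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed trace in Process Monitor's default CSV export columns.
# "LegacyApp.exe" and every path are made-up sample values.
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.10","LegacyApp.exe","4312","CreateFile","C:\Program Files\LegacyApp\app.log","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"9:14:02.11","LegacyApp.exe","4312","RegOpenKey","HKLM\SOFTWARE\LegacyApp\Settings","ACCESS DENIED","Desired Access: Read/Write"
"9:14:02.12","LegacyApp.exe","4312","RegOpenKey","HKLM\SOFTWARE\LegacyApp\Settings","SUCCESS","Desired Access: Read"
"9:14:02.13","LegacyApp.exe","4312","CreateFile","C:\Program Files\LegacyApp\app.log","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"9:14:02.14","explorer.exe","1180","CreateFile","C:\Users\Public\desktop.ini","ACCESS DENIED","Desired Access: Generic Read"
"9:14:02.15","LegacyApp.exe","4312","CreateFile","C:\ProgramData\LegacyApp\cache.db","SUCCESS","Desired Access: Generic Read/Write"
'''

# The access list itself contains commas, so stop at the next "Name: " field.
ACCESS_RE = re.compile(r"Desired Access: (.*?)(?:, [A-Z][A-Za-z ]*: |$)")


def denied_resources(trace_csv, process_name):
    """Map (kind, path) to the sorted access requests that were denied."""
    wanted = defaultdict(set)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # other processes are noise for this application
        if row["Result"] != "ACCESS DENIED":
            continue  # successful operations need no extra permission
        # Registry operations in the export are named Reg*; with the trace
        # filtered to file and registry activity, the rest are file I/O.
        kind = "registry" if row["Operation"].startswith("Reg") else "file"
        match = ACCESS_RE.search(row["Detail"])
        wanted[(kind, row["Path"])].add(match.group(1) if match else "unknown")
    return {key: sorted(rights) for key, rights in wanted.items()}


if __name__ == "__main__":
    # For a saved export, read the file with encoding="utf-8-sig" so a
    # leading byte-order mark does not end up in the first column name.
    for (kind, path), rights in denied_resources(SAMPLE_TRACE, "LegacyApp.exe").items():
        print(f"{kind:8} {path}  <-  {'; '.join(rights)}")
```

Each path in the result is a candidate for a narrowly scoped permission entry in Group Policy, applied to the application's users instead of local admin rights.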
              • scottalanmiller

                That's just standard guidance and if that removes the vulnerability then it wasn't really a vulnerability, was it? That's like saying, most security holes would vanish if users stopped telling strangers their passwords.

                • tonyshowoff @gjacobse

                  @g.jacobse said:

                  A staggering 97% of critical Microsoft vulnerabilities reported over the past year could be mitigated by simply removing admin rights from user accounts, according to new research from security vendor Avecto.

                  Suddenly tons of crappy EHRs and PoSes stop working because they all require local admin rights to load a GUI and contact remotely to some crappy SQL Server

                  • scottalanmiller

                    And by EHRs, you mean "vulnerabilities."

                    • A Former User

                      When posting links please remove the tracking part of it:

                      Everything starting with the ? can be removed

                      http://www.infosecurity-magazine.com/news/remove-admin-rights-mitigate-most/

                      • tonyshowoff @A Former User

                        @Aaron-Studer said:

                        When posting links please remove the tracking part of it:

                        Everything starting with the ? can be removed

                        http://www.infosecurity-magazine.com/news/remove-admin-rights-mitigate-most/

                        That's just a CTR tracking thing, it's not like it's a session ID or anything unique to anyone.

                        • A Former User @tonyshowoff

                          @tonyshowoff I know, but it still should be removed.

                          • tonyshowoff @A Former User

                            @Aaron-Studer said:

                            @tonyshowoff I know, but it still should be removed.

                            Well, I'd agree it certainly is less ugly, especially the ones that are ridiculously long
