Article: Removing user Admin Rights to Mitigate Most Microsoft Flaws

coliver

I am slowly doing this right now on my network. I would do it in one go but we have a piece of software that "requires" admin privileges.

gjacobse

@coliver said:

I am slowly doing this right now on my network. I would do it in one go but we have a piece of software that "requires" admin privileges.

There is always that one piece of software that doesn't play well in a more secure network. As my organization works includes a Head Start component they use a software (Child Plus). install it as the Admin and you can't find it as any user. It has to be installed as the user.. It's a pain - I have had a computer or two that I have installed it on, only to not have it fail - needing some other bit of software updated first - and it never tells you what.

coliver

@g.jacobse said:

@coliver said:

I am slowly doing this right now on my network. I would do it in one go but we have a piece of software that "requires" admin privileges.

There is always that one piece of software that doesn't play well in a more secure network. As my organization works includes a Head Start component they use a software (Child Plus). install it as the Admin and you can't find it as any user. It has to be installed as the user.. It's a pain - I have had a computer or two that I have installed it on, only to not have it fail - needing some other bit of software updated first - and it never tells you what.

Yep, I have a workaround for this software but it takes a bit to do and requires UAC to be enabled, which for some reason isn't on the majority of our systems. I am working on that slowly too.

A Former User

I've always used process monitor and modified group policy to make file/registry permission that are only absoluelty necessary.

scottalanmiller

That's just standard guidance and if that removes the vulnerability then it wasn't really a vulnerability, was it? That's like saying, most security holes would vanish if users stopped telling strangers their passwords.

tonyshowoff

@g.jacobse said:

A staggering 97% of critical Microsoft vulnerabilities reported over the past year could be mitigated by simply removing admin rights from user accounts, according to new research from security vendor Avecto.

Suddenly tons of crappy EHRs and PoSes stop working because they all require local admin rights to load a GUI and contact remotely to some crappy SQL Server

scottalanmiller

And but EHRs, you mean "vulnerabilities."

A Former User

When posting links please remove the tracking part of it:

Everything starting with the ? can be removed

http://www.infosecurity-magazine.com/news/remove-admin-rights-mitigate-most/

tonyshowoff

@Aaron-Studer said:

When posting links please remove the tracking part of it:

Everything starting with the ? can be removed

http://www.infosecurity-magazine.com/news/remove-admin-rights-mitigate-most/

That's just a CTR tracking thing, it's not like it's a session ID or anything unique to anyone.

A Former User

@tonyshowoff I know, but it still should be removed.

tonyshowoff

@Aaron-Studer said:

@tonyshowoff I know, but it still should be removed.

Well, I'd agree it certainly is less ugly, especially the ones that are ridiculously long