Ninety percent of critical Microsoft Windows 7 vulnerabilities can be mitigated by configuring the operating system for standard user rather than administrator, according to a new report released on Monday.
Removing administrator rights would also protect against exploitation of all of the Office holes reported last year, 94 percent of Internet Explorer flaws and 100 percent of IE 8 flaws reported last year, and 64 percent of all Microsoft vulnerabilities reported in that time period, according to BeyondTrust’s 2009 Microsoft Vulnerability Analysis (PDF).
There are trade-offs to removing administrator rights. For instance, standard users typically can’t install software and use applications that require elevated privileges, said Saurabh Bhatnagar, vice president of product management at BeyondTrust.
Microsoft added User Account Control (UAC) technologies in Vista to limit applications to standard user privileges unless an administrator opts to elevate the privileges.
“When you encounter something that requires elevated privileges it will prompt you for your admin login credentials, but standard users don’t have admin logins in most corporate settings,” said Scott McCarley, BeyondTrust marketing director. Recent changes to UAC in Windows 7 do not affect standard users, he added.
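A read-only audit script that checks the posture the report recommends, whether the interactive session and account hold administrator rights and how UAC is configured. This is an added example, not code from BeyondTrust or Microsoft; it assumes Windows 7 or later with PowerShell 2.0+ and reads the documented UAC values under the Policies\System registry key.

```powershell
# Added audit script (not from the BeyondTrust report or Microsoft). Read-only.
# Reports: (1) whether this session's token is elevated, (2) whether the account is a
# member of the local Administrators group, (3) how UAC is configured.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
# Under UAC, an admin account's filtered (non-elevated) token reports False here.
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Enumerate local Administrators via ADSI (Windows 7 has no Get-LocalGroupMember).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
$userName   = ($identity.Name -split '\\')[-1]
$isMember   = $members -contains $userName

# UAC policy values (HKLM\...\Policies\System):
#   EnableLUA                  1 = UAC on; 0 = UAC off, admin tokens are never filtered
#   ConsentPromptBehaviorAdmin 0 = elevate silently; 5 = Windows 7 default; 2 = always prompt
#   ConsentPromptBehaviorUser  0 = deny standard users; 1 or 3 = prompt for admin credentials
$uacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue

$findings = @()
if ($uac.EnableLUA -ne 1) { $findings += "UAC is disabled (EnableLUA=$($uac.EnableLUA))" }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings += "Administrators elevate without any prompt" }
if ($isElevated) { $findings += "This session is running fully elevated" }
if ($isMember)   { $findings += "Account '$userName' is a member of local Administrators" }

Write-Output ("User: {0}  Elevated: {1}  AdminGroupMember: {2}" -f $identity.Name, $isElevated, $isMember)
Write-Output ("Local Administrators: {0}" -f ($members -join ', '))
if ($findings.Count -eq 0) {
    Write-Output "No findings: standard-user account with UAC enabled."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A standard user with UAC enabled produces no findings; an admin account shows a finding even when the session itself is not elevated, since UAC only filters the token rather than removing the group membership.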
BeyondTrust offers a product called Privilege Manager that allows a user to run processes that normally require elevated privileges without needing admin rights.
Asked to comment on the conclusions of the report, Paul Cooke, director of Windows Client Product Management at Microsoft, said the company had enabled additional Windows operations that users perform often to work without administrative rights.
“We believe that running users as standard users is good for Windows, the ecosystem, and all of our users,” he said. “It is our hope that with the help of UAC that ISVs (independent software vendors) will continue to adapt their software to work well with standard user rights.”
For the report, BeyondTrust analyzed the nearly 75 security bulletins Microsoft published last year that provided patches for nearly 200 vulnerabilities.