Not that we necessarily needed a report to tell us this, but the fewer privileges you afford yourself as a Windows user, the more secure your operating system becomes. Such is the conclusion of a new report from BeyondTrust, a company that -- surprise, surprise -- sells software for "privileged access management." The only way
we use
Windows 7 is as admins and we've never had a moment's bother, but some of you like stats, and others among you might be involved in business, which tends to make people a little more antsy about these things. So for your collective sake, let there be pie charts! The report looks into vulnerabilities disclosed by Microsoft during 2009 and concludes that
all 55 reported Microsoft Office issues and 94 percent of the 33 listed for IE could be prevented by simply running a standard user account. Or using
better software, presumably. Hit the PDF source for more info -- go on, it's not like you have anything better to do while waiting for
the Large Hadron Collider to go boom.
posted March 30th 2010 6:44AM
I'm not giving up my admin rights.
@Kris91
Me either. I don't believe I even want to try using a limited user account on my computer.
Even as an administrator i still have to click YES I WANT THIS FILE I JUST CLICKED ON THAT I JUST DOWNLOADED IN FIREFOX TO OPEN
@Kris91
Of course. Restricted access is only for the majority of computer users who when faced with a popup that says "Urgent: Your computer has been found to have a virus and is under threat. Please download this software." click yes.
@Kris91
You're not giving up your right, you're just not allowing someone access to your computer if somehow, you manage to do so (phishing site, exe etc)
I've run as a regular user on my Mac for a while now. It's just good practice I think. Especially when you like to script- you don't want to screw up your machine because you made a simple mistake. Remember to keep a strong password even IF you're the only one to use your computer.
@(Unverified) LOL, or the porn pop-ups...
Common sense, we are our own worst enemy.
@(Unverified) Or it makes it so a virus is unable to change vital files.
@Kris91 Windows 7 is safer when the admin HAS A F*CKING CLUE.
Fixed the title for you guys...
@Kris91
Stay out of the admin account unless you actually need to play administrator. That just makes so much sense, even if you are tech savvy. I prefer to do the user tasks from a user account, typing in my admin password when prompted - which doesn't happen often enough to be a bother. Peace of mind I guess.
Of course I don't use IE, but still....
@Kris91 If you worked for a company, you don't have a choice in the matter :) Not having admin rights is a really good thing for computer management in a company. If you can get away with it, do it.
@(Unverified)
Not true. If a legitimate website you visit frequently doesn't have proper security on their back-end and a malicious user exploits that back-end to inject malware that then propagates out to all of that page's visitors, then you can get infected simply by going to a legitimate site that you visit every day, whereas if you'd visited that site without being an admin you would've been ok. I agree most infections happen because users are careless or simply uneducated, but even power users can get hit in the way I described.
I agree a limited user account on XP is pretty frustrating because you have to switch users rather than temporarily authenticating, but Vista/7 has made living without full-time admin rights much easier.
@Kris91
This is something that users of unix based operating systems have known forever... you don't perform daily tasks as root.
@Kris91
I used to run my home computer in admin mode all the time. I learned my lesson the hard way. Now I always run as a user and just have to type in my admin password to make changes when I need it. It's a bit of a hassle, but at least I won't have to reformat my computer every couple months.
@Kris91 Fore real. I am admin on my mom's PC, although she doesn't know. I have things to install. Plus, I'm the one who fixes the computer anyway, so it's vital for me to have access to the registry.
@The Madman Agreed. The computer at my office job is still on Windowsx XP SP1 using IE.
This only applies to people who simply don't know how to surf the web... Even if you had the least amount of privileges in your OS and the best AV software out there, clicking on any link that is sprung on you and installing the "flash player update" in order to watch that Pamela Anderson sex tape WILL get you screwed...
@(Unverified)
The best AV/AS Software is Common Sense 2011.
Unless you're running as a user that can't install stuff.
@Gamecheater I thought that was discontinued around 2001.
@Gamecheater aside from Common Sense 2010 you can use.... No-Porn-You-Perv Firewall.
@TikiTeko
Take the porn away and you can take most people's Internet away :).
@JamesR PornTube, YouPorn, RedTube etc. How about using these? Instead of downloading crap on your computer. Do people actually watch the same porn movie twice? I can't even get beyond 10 minutes. Instead of reducing my privileges as a user, how about learning how to surf the web? Or get a gf...
@Rodiak
And if you happen to go to a legitimate site whose back-end has been compromised because they didn't have sufficient security on their database, then what? You didn't do anything risky but you still run the risk of getting infected. Running without admin rights on a daily basis is still best practice because you simply don't need them available all the time. UNIX has known this forever with per-task elevation, and Microsoft has finally adopted this model in Vista/7. It boggles my mind when people turn UAC off because it's "annoying" and then complain when they get infected.
It is not a surprise or news that it is poor procedure to run as an admin day-to-day.
What is an ongoing surprise is how unfriendly windows is to run in a situation like this.
It is unfortunate that it drives many extremely basic users to run 'cowboy' as it is simply too confusing for them to deal with the issues otherwise.
@savagemike
+1 on good practice. No need to stay Super User all day.
That's just standard security on any OS.
The best security really is common sense most of the time, I've not run any 3rd party AV or firewall other than whats built into windows 7, couple with firefox and a decent knowledge of what "you must scan your pc now for viruses" websites really get up to, I've not had a problem for years now!
These guys sent me an email the other day that I glanced at with interest. Forgot about it, though. Glad you brought it up, because this is something I am seriously interested in for my office. We have a number of (sad to say NOT legacy) apps that require admin privileges on the machine in order to function/update. This translates to lots of rogue antivirus apps being installed *bangs head*.
I think users should get educated on surfing the web.
"Not that we necessarily needed a report to tell us this, but..."
sounds like the kind of article starter you could have used for the so called "braking" news of apple developing a new iphone
@mrqs
"Braking" news? Is the Apple news around here slowing down? Not likely considering this is Engadget!
(I think you meant "Breaking"...)
You don't have to run as a regular user... All administrators in win7 are "Protected Administrators". That is the whole idea of UAC. As a PA, you basically ARE running as a regular user. Before ANYthing important is changed on a windows 7 system, you just have to be intelligent enough to read the UAC prompt first. These guys are obviously just trying to sell software. Come on, Engadget... Do your research first!
@B3nt
the last UAC prompt i saw was the one asking me if i was sure i wanted to turn UAC off.
@psychoterror
Judging by your comment, you probably are the sort to click on those penis enlargement ads. You had better turn UAC back on.... just asking for trouble
I despise pointless crap like this. Let's waste money doing research to conlude the obvious, yay us.
Reminds me of another piece of research (I foget who by) that cost millions to conclude that if you don't use a computer you're "digitally disadvantaged" compared to those that do. No, really?
@ilh Well judging from the comments on this article, the obvious indeed had to be stated. I really can't believe that so many smartasses still work with administrative rights …
@Yoshi1080 Not only does the obvious need to be stated, but we need a pie-chart to proportionally represent this obviousness. Ah, Pie-Chart, how you mock us with your innate ability to emphasize a point.
@ilh
the purpose of a study like that is to find out exactly HOW someone is disadvantaged, not *whether* they are disadvantaged.
I cant do much without admin right
Running as a regular user is fine in both Vista and Win7, whenever you need to install something you just give it your password. It's really not a bother.
What is annoying is that some programs will automatically put icons on the desktop without asking first, even if it's just an update and there wasn't an icon there before, which means you have to type in a password to get rid of something you never wanted in the first place. But, yeah, for that I blame the people writing that particular software (which sadly is sometimes Microsoft).
sudo rm - R /var/wine/Windows
this seems like an entirely biased statistic; 90% of the problem that presumably only occur in administrator accounts are most likely still there in standard accounts, just going unnoticed, doing their damage in the background instead of in plain view where they can be found and fixed
@PiR
Not true at all. If a vulnerability works by modifying Windows system files or files in the Program Files directory, or by making system-wide registry changes, a standard user account would be unable to do those things and therefore the vulnerability would not be able to get injected into the system. There is still some malware that can hose up that user's account pretty well by installing applications into non-standard folders (like the user's Application Data folder) and mess with the user's data, but it won't be able to make system-wide changes. It's not just a matter of the same damage being done and simply going "unnoticed".
if you dont have the keys to the city...its much hard to get in...duh
Hehe.. you said vunerabilities
I prefer the Ubuntu model for managing admin privileges. If Windows worked in a similar way, it would probably save a lot of heartache.
Wow... I must admit I'm amazed by some of the comments for this story. It serves as a reminder of exactly why locking down admin rights is so important in the Windows environment (and any other for that matter). It is also an explanation of why so many users have so many problems with their computers.
If you are looking at this as being an issue of your rights being violated (as if it was a human right to run as admin 100% of the time) you are so beyond wrong in your thinking. It is exactly thinking like that which has helped foster such severe security problems on the Windows side of the fence.
Unix users know that it is idiotic to run as root (the equivalent of administrator) 100% of the time. Root privilege is only needed when doing true administrative tasks on the computer, like adding new hardware or software, or changing key system settings. This is the major reason Unix operating systems are so resistant to infection. If something demands root access and you didn't call it you know it's likely something bad. And that something bad is heavily restricted in the damage it can do because it is not running as root.
This problem has its beginnings in the days of DOS, an OS that gave unrestricted access to both hardware and software to any application running. This meant it was solely the programmer's responsibility to ensure there application did not misbehave and, let's say, nuke your disk's MBR. There was simply no oversight from the operating system to intercept bad decisions being made by bad code. Remember, even the best coders make mistakes. They are only human.
This problem was inherited from DOS to consumer versions of Windows (NT fixed this early on, but was rarely used outside of business). People wonder why Windows has had so many stability issues, and the answer is simple: You. It is your fault. Consumers demand compatibility with older applications, which has forced Microsoft time and again to maintain that backward compatibility at the expense of security. This is why XP defaults to creating an admin account every time you make a new user account. Microsoft knew that limited/standard accounts would break many applications, and this was more than an average consumer could deal with. Outside of a professionally supported IT environment (like enterprise) limited accounts don't work for consumers.
Think about how many people complain that their work computer won't allow them to install what they want, because the "evil" IT guys won't let them. If that person is you, they have good reason to not let you install stuff. Averages consumers simply don't get the need to limit admin access on corporate machines. That selfish thinking is why they will install shit like Pointcast even if it brings down the entire company's network. If you haven't heard of Pointcast, here's some history for you:
http://en.wikipedia.org/wiki/PointCast_%28dotcom%29
Consumers bitch and whine about stability of Windows and in the same breath bitch and whine that their shitty app from 10 years ago doesn't work on a newer version of Windows (like Vista). They think Windows is the problem, when in reality the app programmer is at fault for their use of undocumented features or bad coding practices.
The latest great example of this is UAC.Yes it broke compatibility with some apps, but those apps were poorly written to start with. And let's face it, Microsoft's implementation of Cancel/Allow didn't help user perception of the technology. But think for a moment: outside of system utilities, how many applications really need (and by need, I mean a rational explanation behind the behaviour) admin rights?
Even so-called IT professionals are telling people to disable UAC because "it's a hassle" or "it prompts too much" or "I should be able to be an admin all the time" or "I know enough to not get into trouble running as admin 100% of the time"... the list of idiotic reasons go on and on. UAC has it's flaws but running as a standard user under its model is infinitely better than running as admin 100% of the time. If anything, UAC highlighted how terribly broken some programs were, and to be frank, it's better to ditch the shitty apps then disable UAC.
If you want to get educated on why running as admin is plain idiotic Coding Horror has a good article on the subject:
http://www.codinghorror.com/blog/2007/06/the-windows-security-epidemic-dont-run-as-an-administrator.html
There are numerous other resources on the subject. Any discussion on the treatment of root accounts under Unix is a good starting point as to why running as admin 100% of the time is plain stupid.
@Razor
-Microsoft is not guilty of the vulnerabilities and crash, the guilty are the programs and their programmers.
also
-Office (any version) is plagued with troubles and subsequents patch.
and
-since Office is faulty and Office was developed by Microsoft
then
-Microsoft is guilty.
Corollary UAC fail miserably even in MS products.
@magallanes
Your first point I already said, so I don't know why you are repeating it. I personally don't have crashes and issues with Office. That said, I was not talking about Office.
And UAC has worked quite well for my Windows Vista and 7 systems. It does what it is supposed to do: restrict admin privileges when using an admin-level account.
On modern machines (2001+), my experience has been that most crashes/infections/problems people have with their computers are their fault. That includes buying substandard hardware and software.
A computer's condition is reflective of the individual who uses it. Any technician worth their salt knows this. It's no different than the condition of your house, your car, or cell phone... whatever property you have. If you take care of your shit, it will take care of you. True accidents in computing are rare. There is a logical explanation for just about any type of computer problem.
In other news.... Computers not connected to the internet are much safer from zombie attacks!