3

I heard in a podcast a while back (I believe it was Steve Gibson's Security Now) that running Windows as standard user vs. administrator mitigates 99% of Windows vulnerabilities (I think that was the correct percentage I heard). Does anyone have a source to back this up? Also, what is the best way to configure this? What I did on my machine was enable the local admin account and add a strong password to it. I then changed my Microsoft account to standard user. Whenever I need admin permissions, I need to enter the password of the admin account I enabled. Is this the most secure way to enable this?

Also, does anyone have any ideas why this is not always configured within organizations? I worked in security for a large consulting company, and this never came up. Users always run as admin vs. having to type a password. It seems like this would be the simplest way to drastically improve the security posture of the organization.

jay-charles

1 Answer

2

In an enterprise environment only a small subset of users should ever have local admin rights if you want the systems to remain secure.

Thankfully, Windows 10 has mitigated some of these issues slightly but even so, the key thing here is that a user with local admin rights has the ability to make changes to the operating system including the installation of new software, changes to existing software and changes to the registry.

When running as a standard user, Windows 10 will not simply throw up a warning box that you have to acknowledge but will throw up a login box into which you have to supply an administrative ID and password.

This dramatically reduces the opportunities for malware to activate or install itself on a system, which is the main answer to your question.

In addition, running as a standard user in an enterprise environment prevents users from bypassing security controls and generally making a mess of the PC, which typically dramatically reduces support costs.


Any organisation running the majority of users with local admin rights is asking for trouble and in regulated industries such as health and finance, this would cause a major audit failure.

Julian Knight
  • I would also add that requiring CTRL+ALT+DEL at login can be useful. See [these](http://security.stackexchange.com/questions/34972/whats-the-rationale-behind-ctrl-alt-del-for-login) [questions](http://security.stackexchange.com/questions/116023/ctrl-alt-del-on-windows-8-8-1-10). – A. Darwin Oct 01 '16 at 13:36
  • @A.Darwin: Yes, that is standard but then there are a large number of other recommended settings for securing enterprise desktop systems. Not part of the Q though. – Julian Knight Oct 01 '16 at 13:45
  • In the professional services world, you need to give your users local admin. You have consultants in the field working for other organizations. They oftentimes need to install customers' software and change the configurations of their machines. Without local admin, it would be nearly impossible to many configuring consultants' machines at a client site. – jay-charles Oct 02 '16 at 13:17
  • Thanks Jay, yes there are always exceptions. We give them to devs and some power users but there are risks and responsibilities that come with the rights that our users have to sign up to. With Win10, you could also use MS Intune to apply MDM style constraints too which tend to be more flexible. – Julian Knight Oct 02 '16 at 13:21
  • In particular, users with local admin are made aware that if there are any problems with the PC, it will automatically be rebuilt back to standard. No discussion. – Julian Knight Oct 02 '16 at 13:22
  • @julianKnight Agreed. I still don't understand why, if anyone is given admin access, organizations would not let the user run _everything_ as admin. Would it not make more sense to allow them to run as standard user, activate the local admin user, then allow the standard user to configure the password of local admin and type that password in when admin is required? Seems that would mitigate many vulnerabilities. My guess is that it's a lot more overhead to manage for enterprises. – jay-charles Oct 02 '16 at 15:03
  • @jay-charles: It is certainly a drag to do since Windows just isn't architected with that in mind. Also, it can cause issues with licensing too, particularly with traditional Enterprise Agreement (EA) licensing. – Julian Knight Oct 02 '16 at 15:25
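
A read-only check of the setup discussed in the question and answer above, added here as an example and not part of the original posts: it lists the local Administrators group, reports whether the logged-on account is a direct member, and shows which elevation prompt standard users get. It assumes Windows 10 or later with Windows PowerShell 5.1 (for `Get-LocalGroupMember`); the output property names are chosen for this example.

```powershell
# Added example: audit local admin exposure on one machine. Makes no changes.
# Run it from a normal, non-elevated PowerShell session of the account being checked.

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (same in every language)
$me = [Security.Principal.WindowsIdentity]::GetCurrent()

# 1. Every account or group that holds local admin rights on this machine.
$members = Get-LocalGroupMember -SID $adminSid
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Is the logged-on account a direct member?
#    Membership through a nested domain group is not expanded by this check.
$direct = $members | Where-Object { $_.SID.Value -eq $me.User.Value }

# 3. Does this session hold a full administrator token right now?
#    With UAC on, an admin account that has not elevated reports False here.
$elevated = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 4. UAC policy: what a standard user sees when something requests elevation.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$userPrompt = switch ($uac.ConsentPromptBehaviorUser) {
    0       { 'automatically deny elevation requests' }
    1       { 'prompt for credentials on the secure desktop' }
    3       { 'prompt for credentials' }
    default { 'value not set' }
}

# Summary. For the configuration described in the question, expect
# DirectLocalAdmin = False, SessionElevated = False, UacEnabled = True.
[pscustomobject]@{
    User                        = $me.Name
    DirectLocalAdmin            = [bool]$direct
    SessionElevated             = $elevated
    UacEnabled                  = ($uac.EnableLUA -eq 1)
    StandardUserElevationPrompt = $userPrompt
}
```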