Those of us in the computer security world have been telling businesses not to give users admin rights in Windows and now we have some very strong evidence to support that claim.
Avecto, a company that makes security software, analyzes Microsoft’s patches each year and here is what they came up with for 2015:
- Of the 251 vulnerabilities in 2015 with a critical rating, 86% would be mitigated by removing administrator rights
- 99.5% of all vulnerabilities affecting Internet Explorer could be mitigated by removing admin rights. Remember that even if you don’t use IE, it is still installed – it is almost impossible to remove – and many of those vulnerabilities still work even if you are not using IE as your browser.
- 82% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
- 85% of Remote Code Execution vulnerabilities could be mitigated by removing admin rights
- 82% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights.
- 63% of all Microsoft vulnerabilities reported in 2015 could be mitigated by removing admin rights.
So if you were getting push back from your users or your management on removing admin rights up until now, this is some pretty strong support that removing these permissions.
Is being able to mitigate 63% of all vulnerabilities, 99+% of vulnerabilities related to IE or 82% of the vulnerabilities affecting Office a worthwhile exchange for losing admin rights?
That may mean that you have to find workarounds to solve some legitimate issues or it may mean that some people will still need admin rights, but that is a whole lot smaller attack surface to deal with.
From a cyber risk standpoint, what you want to be able to do is reduce the attack surface so that you can focus your limited resources on what is left. Getting rid of admin rights does that.
If you are still not sure, think about this. There was this guy at the NSA a couple of years ago that had admin rights.
His name was Edward Snowden.
And whether you think Snowden was a criminal or a patriot, I think everyone can agree that which ever side you are on for that case, the abuse of admin rights – either by an insider or by an attacker – cannot always work to your advantage.
Likely, more times than not, it will work to your detriment.
Remove admin rights except in those cases where there is a legitimate business need, and in those cases, add compensating controls.
Information for this post came from Avecto.