To Make Windows 7 Safer: Remove Admin Rights

Source: Tom's Hardware US | 34 comments

Windows 7 is hard to hack if the user account doesn't have administrator rights.

Windows 7 is the safest and most secure desktop operating system from Microsoft yet, but it's still not impervious to attacks. According to IT solutions firm BeyondTrust, however, 90 percent of critical Windows 7 vulnerabilities can be mitigated by removing administrator rights from Windows users.

Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

  • 90 percent of critical Windows 7 vulnerabilities reported to date
  • 100 percent of Microsoft Office vulnerabilities reported in 2009
  • 94 percent of Internet Explorer and 100 percent of Internet Explorer 8 vulnerabilities reported in 2009
  • 64 percent of all Microsoft vulnerabilities reported in 2009

The findings aren't earth-shattering by any stretch of the imagination. Even Microsoft gives this best-practice advice in the "Mitigating Factors" portion of its security bulletins: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

While most readers of Tom's Hardware may prefer to operate in their Windows 7 environment with admin rights, those in charge of computers for a group or enterprise should without a doubt configure user accounts without administrative rights.
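
For those administering a group of machines, the recommendation can be checked per computer. The script below is an added example, not taken from the article or the BeyondTrust report: it lists who holds local administrator rights and whether the current session is elevated, using only calls available in the PowerShell 2.0 that ships with Windows 7. The `$Allowed` list and its entries are hypothetical placeholders.

```powershell
# Added example: audit local administrator rights on this machine.
# $Allowed is a hypothetical allow-list; replace it with the accounts
# that are supposed to be local administrators in your environment.
$Allowed = @('Administrator', 'Domain Admins')

# Resolve the group through its well-known SID (S-1-5-32-544) so the
# script also works on localized Windows installs where the name differs.
$sid   = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
$name  = $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

# Enumerate the members; each one is a COM object, so read its
# properties through reflection.
$report = foreach ($m in @($group.psbase.Invoke('Members'))) {
    $t       = $m.GetType()
    $account = $t.InvokeMember('Name',  'GetProperty', $null, $m, $null)
    $class   = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
    New-Object PSObject -Property @{
        Account  = $account
        Class    = $class                        # User or Group
        Expected = ($Allowed -contains $account)
    }
}
$report | Sort-Object Expected, Account |
    Format-Table Account, Class, Expected -AutoSize

# Does the current process hold an elevated (administrator) token?
# With UAC on, this is False for an admin account until it elevates.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"{0} elevated: {1}" -f $identity.Name, $elevated

# Flag members that are not on the allow-list.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) in {1}" -f $unexpected.Count, $name)
}
```

Day-to-day accounts that show up with `Expected` set to False are the ones to move out of the group.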

Read more about the report at Ars Technica.

Comments
  • 12
    saint19, April 2, 2010 12:49 AM
    In other words, don't disable the UAC.
  • 12
    XD_dued, April 2, 2010 12:56 AM
    So instead of malware disabling the abilities of my computer, I should disable them?
  • 4
    Rancifer7, April 2, 2010 1:22 AM
    As long as the affected users aren't installing things, or editing certain types of files, it's fine...
  • 4
    jhansonxi, April 2, 2010 1:50 AM
    Yet another recommendation from the blatantly obvious IT security practices department.
  • 4
    digiex, April 2, 2010 2:10 AM
    Even XP will be safer if the user has no admin rights; the problem is most software requires admin rights to run. M$ must have done something about this a long time ago, advising software developers to create software which will run even with limited rights.
  • 17
    Anonymous, April 2, 2010 2:19 AM
    wait i thought this was a no brainer...
  • 1
    Regulas, April 2, 2010 2:33 AM
    Trying to catch up with Linux, Ubuntu uses the sudo command to gain access. That's what it seems like to me.
  • 1
    JohnnyLucky, April 2, 2010 3:09 AM
    Nothing new. Friends of mine have restricted access on the PCs where they work. It's been that way for a long time.
  • 0
    anamaniac, April 2, 2010 6:33 AM
    saint19: In other words, don't disable the UAC.

    Running with UAC on and admin turned off?
    No way in hell will that ever happen bud. I like to be able to use my OS.
    JohnnyLucky: Nothing new. Friends of mine have restricted access on the PCs where they work. It's been that way for a long time.

    I'd bring my own PC to work. If they said no, I'd run their PC and my laptop side by side, doing all work on the laptop and just transferring whatever data I need...
  • 2
    masterjaw, April 2, 2010 6:45 AM
    This would be effective for companies, especially with those employees that have limited knowledge of PCs. As for me, it would affect my productivity, as it would be annoying and frustrating to not be able to control my PC of my own accord.
  • 1
    palladin9479, April 2, 2010 6:58 AM
    Wait ... stop, seriously STOP.

    Securing elevated privileges is the FIRST thing any competent systems administrator does. You NEVER EVER EVER do day-to-day business / work / operations with an account that holds elevated privileges. Instead you use a "normal" user account to do everything, browse internet / check email / play games, and only login with "administrative rights" to update drivers / install software. Heck this goes right up there with renaming the local administrator account and disabling the local guest account. Ohh and f*ck UAC, it's just Windows' method of attempting to do sudo. My view is that if your account doesn't have rights to do it, then do NOT do it with that account. Instead login with the admin account and install / update whatever it is you were doing, then log the f*ck out.

    If someone can not do this, then they deserve to be attacked by malware.

    Really ... doesn't anyone read DISA STIGS anymore...
  • 1
    nebun, April 2, 2010 7:03 AM
    admin right refers to other user account, but if you are the owner of the machine you will need to keep it enabled, otherwise you can't do anything other than just turn the machine on and surf the web, lol
  • 5
    anamaniac, April 2, 2010 7:27 AM
    palladin9479: Wait ... stop, seriously STOP. Securing elevated privileges is the FIRST thing any competent systems administrator does. You NEVER EVER EVER do day-to-day business / work / operations with an account that holds elevated privileges. Instead you use a "normal" user account to do everything, browse internet / check email / play games, and only login with "administrative rights" to update drivers / install software. Heck this goes right up there with renaming the local administrator account and disabling the local guest account. Ohh and f*ck UAC, it's just Windows' method of attempting to do sudo. My view is that if your account doesn't have rights to do it, then do NOT do it with that account. Instead login with the admin account and install / update whatever it is you were doing, then log the f*ck out. If someone can not do this, then they deserve to be attacked by malware. Really ... doesn't anyone read DISA STIGS anymore...

    Not everyone intends to be switching accounts 20 times a day. I am constantly making changes, thus the choice for me is to use admin rights for day to day use.
    Last I checked, the only way someone illicitly got to my banking info was the old fashioned way. Not involving a computer at all.
    Now if you'll excuse me, I'm going to do a driver update, without logging off.
  • 0
    randomizer, April 2, 2010 7:58 AM
    Quote:
    admin right refers to other user account, but if you are the owner of the machine you will need to keep it enabled, otherwise you can't do anything other than just turn the machine on and surf the web, lol

    That's why any decent OS has this amazing new technology called elevation of privileges. Even administrators don't need to run with administrator privileges all the time, and should either use a limited access account or run with lowered privileges by default.

    No user should run with higher privileges than they need. It's security 101 and MS didn't learn it until they developed Vista (recall that the default XP account is Admin). Sadly, their implementation of elevation (UAC) is poor. A password should be required so that if the computer "administrator" is logged in a random family member can't come along and elevate themselves so that they can install software. UAC is a step in the right direction, but only in concept.
  • 0
    mitch074, April 2, 2010 9:40 AM
    @anamaniac: your logic baffles me.

    Updating the driver requires a reboot, so you actually need to log off anyway - what does running with scissors - er, running as admin save you from?

    On another note, software certified 'designed for Windows XP' entails that it must be tested to be perfectly and completely usable on a simple user account, except for software that requires admin rights for admin jobs - which must warn the user at start time.

    Current games, for example, can perfectly be installed as an admin and played as a limited rights user.

    Moreover, bringing your own machine to work and storing company data on it could be considered data theft. As far as I know, this is liable to have your contract terminated, you prosecuted and put in jail with a heavy fine.

    And that would be perfectly normal, even outside the brain-dead US legal system.

    @hollowtek: UAC is a bit more than sudo. It is more a combination of sudo (which allows a user limited rights escalation) and the POSIX user rights system, which allows a user to access a process that doesn't run in its user space (provided the user identified correctly). It is a good idea, done in the best way one can think of.

    It is however, due to its after-the-fact implementation, a heavy drain on resources (UAC actually has to control a software's influence and monitor any attempt by the process to do stuff outside a normal user's parameter range), that's why disabling UAC on Vista/7 is annoying - because the Linux way (opening a terminal, running su to become root, start an app in the root space, do whatever, then close it, the whole thing without leaving your user session screen) is rather hard to emulate in Windows: you need at the very least to switch session with fast user switching, which is slow, prevents stuff such as the clipboard from working, and doesn't allow you to have, say, a user-mode web browser window open and an admin-mode app open at its side to administer your system.

    So yes, UAC is useful. No, running as a normal user when you spend a lot of time doing REAL admin work is impractical.

    What it comes down to.

    - if you typically spend your time doing 'normal' user stuff: browsing, chatting, gaming, office work, then you can shut down UAC and set up a password-protected account and a normal user account. That will save 5-20% CPU time and 100 Mb of RAM. Just remember to sometimes log in as admin, do all your software updates and system management and you're done.

    - if you typically do admin stuff on your machine (you're a software developer): keep default settings. I'd recommend increasing UAC levels to max in 7, to replicate what Vista does (which is, actually, more secure than 7 by default).
  • 0
    spanspace, April 2, 2010 12:21 PM
    Remove admin and most games and apps will not work correctly. As good as Windows 7 runs they failed on application support.
  • 0
    bahr, April 2, 2010 12:23 PM
    Nice to know I'm doing the right thing. I've always been browsing and downloading with a limited user account. I only use the admin account to install software or to play games, but never use it to connect to the internet.
  • 0
    Hilarion, April 2, 2010 12:41 PM
    I've had problems running games installed as the admin when I'm logged in as a limited user. But, then again, I don't game while connected to the internet.
  • -1
    ceteras, April 2, 2010 12:52 PM
    You can't make win7 safer. You have to educate the users instead.
  • 0
    smashley, April 2, 2010 1:25 PM
    Best practice is to use a normal user account and use the 'run as administrator' option for those applications that require it. Heck, in vista at least you even need to use run as when logged into an administrator account half the time, so how different would it really be. Most of us here know better than to visit sketchy sites/open strange emails anyway, but for the majority of 'users' out there, they should certainly not be using an admin account for day-to-day operations. UAC's effectiveness relies on the user being prompted to understand what they're doing, but most users don't read warnings, they just click whatever they have to so it goes away, and continue on their merry way/downward spiral.