After tabulating all the vulnerabilities published in Microsoft’s 2009 Security Bulletins, it turns out 90 percent of the vulnerabilities can be mitigated by configuring users to operate without administrator rights, according to a report by BeyondTrust. As for the published Windows 7 vulnerabilities through March 2010, 57 percent are no longer applicable after removing administrator rights. By comparison, Windows 2000 is at 53 percent, Windows XP is at 62 percent, Windows Server 2003 is at 55 percent, Windows Vista is at 54 percent, and Windows Server 2008 is at 53 percent. The two biggest exploited Microsoft applications also fare well: 100 percent of Microsoft Office flaws and 94 percent of Internet Explorer flaws (and 100 percent of IE8 flaws) no longer work.
This is good news for IT departments because it means they can significantly reduce the risk of a security breach by configuring the operating system for standard users rather than an administrator. Despite unpredictable and evolving attacks, companies can very easily protect themselves or at least reduce the effects of a newly discovered threat, as long as they’re OK with their users not installing software or using many applications that require elevated privileges.
“We believe that running users as standard users is good for Windows, the ecosystem, and all of our users,” Paul Cooke, Director Windows Client Enterprise Security, told Ars. “Configuring users as standard users enables parents to more securely share family computers with their children and enterprise administrators to configure standard user accounts for employees, lowering TCO and improving security. It is our hope that with the help of UAC that ISVs will continue to adapt their software to work well with standard user rights.”
In total, 64 percent of all Microsoft vulnerabilities reported last year are mitigated by removing administrator rights. That number increases to 81 percent if you only consider security issues marked Critical, the highest rating Redmond gives out, and goes even higher to 87 percent if you look at just Remote Code Execution flaws. Microsoft published 74 Security Bulletins in 2009, spanning around 160 vulnerabilities (133 of those were for Microsoft operating systems). The report, linked below, has a list of all of them, which software they affect, and which ones are mitigated by removing admin rights.