Removing Administrator Rights
An interesting whitepaper was released by Beyond Trust (found via TaoSecurity) entitled “Reducing the Threat from Microsoft Vulnerabilities” (PDF). Here are some of the key findings from the study:
- 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights.
- By removing administrator rights companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities.
- 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights.
- Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights.
If those stats don’t make you want to take away administrator rights from your users, I don’t know what will. Coming from a scientific background, I love to see statistics, numbers, and facts. In the past when discussing admin rights with users, I used an Eweek article entitled “Is System Lockdown the Secret Weapon” to drive home my point. In short, they visited some nefarious websites using three separate computers: one with Administrator rights, one with Power User rights, and one with User rights. They then ran a malware/spyware scan and found that the computers with Administrator and Power User rights had 19 threats and over 2000 registry keys installed. The computer with User rights had a single threat that was in the browser cache. A single threat, people!
In academia, removal of admin rights has been met with much resistance (by both faculty/staff and IT staff). We have been making it work in our area by doing the following:
- Working with the faculty and staff to find out their computing needs, and assuring them that they will continue to function in the same capacity they were able to with admin rights.
- Knowing that applications will need to be installed, we are very prompt when these requests arise to limit possible downtime.
- Developing practices for our “road warriors” that keep them safe, but allow for emergency admin rights if necessary.
- Setting an example by having IT staff run as users when we are not performing tasks that require administrative rights, and elevating our rights when necessary.
Following these steps, over 95% of our faculty/staff perform their jobs without admin rights. It is getting to the point where this is going to have to be reality in academia. Free and open education can exist with user rights, and many places around the University (including us) have proven that and make it work. The sad part is that I hardly ever hear it mentioned when trying to explain to faculty and staff about removing rights.