Admin rights are the biggest Windows security problem
Avecto has released an analysis of Microsoft’s security lapses and patches over the last few years. It makes interesting reading even though the headline conclusion hasn’t been well understood.
Administrator Rights problem
Most media have focused on a quote from the report that says:
“94% of Critical Microsoft vulnerabilities would be mitigated by removing admin rights across an organization”
This suggests that removing administrator rights will solve many Windows and Office security problems.
Oh, how we wish it were that simple.
In medium and large organizations, the IT department can and should limit administrative level access to only those users who really need it.
But that’s often not practical for smaller firms, families and individuals. Happily, Microsoft has protections in place to reduce the risk.
User Account Control
Many home and small business accounts have administrator access. That’s because you’re regularly installing/updating software or changing settings which need admin access. Switching from a standard account to a different Administrator account is a pain.
In years past, many people had Administrator access all the time. With that came the real risk of being infected because any virus could immediately run with high level access.
The solution in modern Windows is User Account Control (UAC). Even an administrator level account normally runs with Standard user permissions only. When something with higher level access is required, you get a UAC prompt warning that the riskier access level will be used.
Overfamiliarity can become a problem. It’s a trap to simply click Yes every time you see a UAC prompt without considering what caused the prompt to appear.
For anyone who doesn’t need full admin access, consider making them a Standard user. Go to Control Panel | User Accounts | Manage another account. Select the user then ‘Change the account type’.
For users with administrative access, you can change when the UAC prompt appears. At Control Panel | User Accounts choose ‘Change User Account Control settings’.
The default is to notify when programs try to make changes to the computer but not when you change Windows settings.
For better security, but more UAC prompts, raise the slider to the top ‘Always notify’ level.
This won’t protect you from Windows security problems, but it makes the hacker’s job a little harder.
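To check both settings described above without clicking through Control Panel, the following read-only PowerShell audit lists who holds local administrator rights and reports which UAC slider position is in effect. It is an added example, not part of the original article; `Get-UacSliderLevel` is a hypothetical helper name, and the mapping assumes the standard registry values Windows writes for each slider position.

```powershell
# Added example: read-only audit of local admin membership and the UAC level.
# Run in Windows PowerShell 5.1 or later on the machine being checked.

# 1. Members of the local Administrators group. The well-known SID
#    S-1-5-32-544 is used instead of the name, which is localised on
#    non-English Windows. Anyone listed here who does not install software
#    or change system settings is a candidate for a Standard account.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. UAC policy values that back the Control Panel slider.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Hypothetical helper: translate the registry values into the slider wording.
function Get-UacSliderLevel {
    param([int]$EnableLUA, [int]$Consent, [int]$SecureDesktop)

    # EnableLUA = 0 turns UAC off entirely, whatever the other values say.
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA = 0)' }

    switch ("$Consent/$SecureDesktop") {
        '2/1'   { 'Always notify (top of the slider)' }
        '5/1'   { 'Default: notify only when programs try to make changes' }
        '5/0'   { 'Notify on program changes, desktop not dimmed' }
        '0/0'   { 'Never notify (bottom of the slider)' }
        default { "Custom policy: ConsentPromptBehaviorAdmin=$Consent, PromptOnSecureDesktop=$SecureDesktop" }
    }
}

$level = Get-UacSliderLevel -EnableLUA $uac.EnableLUA `
                            -Consent $uac.ConsentPromptBehaviorAdmin `
                            -SecureDesktop $uac.PromptOnSecureDesktop
"UAC level: $level"

# Flag anything weaker than the 'Always notify' level recommended above.
if ($level -notlike 'Always notify*') {
    'Note: raise the slider to "Always notify" for more prompts and better security.'
}
```

A "Custom policy" result usually means the values were set by Group Policy rather than the slider, so check with whoever manages the machine before changing them.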