#TBT: Be Safer – Run as Standard User


For #ThrowBackThursday, I thought it would be good to pull out an oldie but goodie. The original post was on the “Jeff Jones Security Blog” back before the blog evolved into the Microsoft Security Blog.

I’m including the full original text below, but this guidance applies today to whatever PC you are running.  I hope you enjoy and welcome any comments you might have here or on @securityjones.

Best regards, Jeff

Be Safer – Run as Standard User

I do my work as a standard user on Windows 7, just as I did on Windows Vista. It is not a burden. When I need to do an admin task, I put on my “admin” hat: I switch to my admin account, do the admin work, and log off again. In that account I don’t browse and I don’t download anything, and beyond the first week or so of setting up a new machine, I don’t need to do it very often. I think it is a best practice. Combine it with the improvements in Windows 7 and IE8 and we’ve come a long way from where we started.

Here is a news story that provides some supporting evidence for my best practice.

(Dark Reading) Taking away the administrative rights from Microsoft Windows 7 users will lessen the risk posed by 90 percent of the critical Windows 7 vulnerabilities reported to date and 100 percent of the Microsoft Office vulnerabilities reported last year.

It will also mitigate the risk of 94 percent of vulnerabilities reported in all versions of Internet Explorer in 2009 and 100 percent of the vulnerabilities reported in Internet Explorer 8 during the same time period.

Finally, it will reduce the danger posed by 64 percent of all Microsoft vulnerabilities reported last year.

These findings come from a study conducted by BeyondTrust, which perhaps unsurprisingly sells software that restricts administrative privileges.

The company argues that companies need its software to protect themselves, particularly during the time between Microsoft's publication of vulnerability information and the application of Microsoft's fixes.

[read the full article from Dark Reading, Windows 7 Less Vulnerable Without Admin Rights]

Cross-posted to the Microsoft Security Blog (link)

Comments (5)

  1. Yes, Alex, that’s right. Windows RT still has admin and standard user; it is just that the particular page you point to talks about using certain desktop apps to perform a task, and those aren’t available on Windows RT. When you edit user types on RT, you can still specify standard or admin.

  2. Alex – I’m pretty sure you can do it on all versions of Windows, even the RT versions. One of the details is that the first account created is made an admin account, so your first account should be "alex_admin" or something – from which you then add standard accounts. I’m going to post a step-by-step post this month with my guidance on the key security things that a ‘home admin’ should consider when first setting up.
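The setup described in the post (a standard account for daily work, a separate admin-only account you switch to for admin tasks) and in comment 2 above (the first account on a new machine is an administrator, so create a named admin account and then add standard accounts) as a worked example. This is an added example, not the author’s script or anything from the original post or comments. It uses the LocalAccounts cmdlets that ship with Windows 10/11 (Windows PowerShell 5.1), the account names `jeff` and `jeff_admin` are assumptions, and `Test-IsElevated` and `Test-LocalGroupHasMember` are helper functions written here. It refuses to demote the daily account unless at least one other enabled local administrator remains, so you cannot lock yourself out of the machine.

```powershell
# Added example (not from the original post or its comments): set up a standard daily-use
# account plus a separate admin-only account, then demote the daily account safely.
# Requires the LocalAccounts cmdlets (Windows 10/11, Windows PowerShell 5.1). Run elevated.
# The two account names below are assumptions; pick your own.

$DailyUser = 'jeff'         # assumed: the account used for browsing, mail and documents
$AdminUser = 'jeff_admin'   # assumed: the account used only for admin tasks

function Test-IsElevated {
    # $true when the current token has the Administrators role enabled.
    # Run this from your daily session later to confirm you really are a standard user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LocalGroupHasMember {
    param([string]$Group, [string]$Member)
    # Get-LocalGroupMember throws when the principal is not in the group; treat that as $false.
    return $null -ne (Get-LocalGroupMember -Group $Group -Member $Member -ErrorAction SilentlyContinue)
}

if (-not (Test-IsElevated)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell window.'
}

# 1. Create the admin-only account if it is missing, and make it an administrator.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $AdminUser" -AsSecureString
    New-LocalUser -Name $AdminUser -Password $password -Description 'Admin tasks only' | Out-Null
}
if (-not (Test-LocalGroupHasMember -Group 'Administrators' -Member $AdminUser)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}

# 2. Create the daily account if it is missing, as a plain member of Users.
#    (New-LocalUser does not add the account to any group by itself.)
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $DailyUser" -AsSecureString
    New-LocalUser -Name $DailyUser -Password $password -Description 'Daily standard user' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $DailyUser
}

# 3. Demote the daily account if it is still an administrator, but only when another
#    enabled local user remains in Administrators, so the machine cannot be locked out.
if (Test-LocalGroupHasMember -Group 'Administrators' -Member $DailyUser) {
    $otherAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike "*\$DailyUser" } |
        ForEach-Object { Get-LocalUser -Name ($_.Name -replace '^.*\\') -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled })
    if ($otherAdmins.Count -eq 0) {
        throw "No other enabled local administrator exists; not removing $DailyUser from Administrators."
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
    Write-Host "$DailyUser removed from Administrators. Log that account off and on again so its token is rebuilt."
}

# 4. Show the resulting memberships.
'Administrators:'; Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
'Users:';          Get-LocalGroupMember -Group 'Users'          | Select-Object Name, ObjectClass
```

Group membership is baked into the logon token, so the daily account only becomes a standard user at its next logon. From that account you can either switch users as the post describes or launch a single admin tool with `runas /user:jeff_admin cmd`. On Windows 7, where these cmdlets do not exist, the same steps are `net user jeff_admin * /add`, `net localgroup Administrators jeff_admin /add` and `net localgroup Administrators jeff /delete`, again with the check that another administrator remains before the last command.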

  3. Alex George says:

    Jeff, yes, tried and tested! (However, I thought you could not do this on some of the "home" versions of the OS. Which is where – not to type-cast – the demographics match the highest risk.)

  4. Alex George says:

    Jeff, I was not looking for the how-to — I agree with you and have been using this strategy. (Though, it would be very good for you to add it for those that need to make use of this!)

    What I am saying is that "user groups", I don’t believe, are supported in Home Basic and Home Premium in Windows 7.

    http://windows.microsoft.com/en-us/windows/user-groups#1TC=windows-7

    (Unfortunately I don’t have one of those editions installed to share the behavior!)

  5. susan says:

    Home users still have the concept of user and admin. I think you are thinking of the Group Policy MMC, as it does not have a Group Policy console to set certain settings.