Limited User Accounts

Malware Protection and Computer Stability


I have long recommended and practiced the use of Limited User Accounts (LUA). It is rare to need administrator rights, so don't leave them on all the time! When you need them, log into an administrator account. This has been the proper way to use Windows ever since Windows NT, Windows 2000, and Windows XP. Starting with Windows Vista, Windows makes it easy to use administrator rights temporarily through UAC.

Furthermore, you should never access or share files using an administrator password!

These articles explain why LUA and UAC (User Account Control) are a good idea. Anyone or anything that tells you how to disable UAC is doing you a severe disservice.

To Stop Malware, Restrict User Accounts

http://news.yahoo.com/stop-malware-restrict-user-accounts-191502911.html (The article has since been removed.)

Tuesday, February 18, 2014

A new report confirms what many security professionals have long presumed: Removing administrator rights from everyday Windows user accounts slows down or stops almost all critical malware infections.

"Ninety-two percent of all vulnerabilities reported by Microsoft with a critical severity rating can be mitigated by removing admin rights," states the enterprise-security firm Avecto, of Manchester, England, in a new report.

"Removing admin rights would mitigate 96 percent of critical vulnerabilities affecting Windows operating systems, 91 percent of critical vulnerabilities affecting Microsoft Office and 100 percent of vulnerabilities in Internet Explorer," Avecto said.

That may sound complicated, but it's not. There are two kinds of user accounts in Windows machines: Administrator accounts, which can add, alter or remove software and change system-wide settings, and standard accounts, which can't do any of that.

Most malware can do only as much damage as the active user is permitted to do, and malware that infects standard users can't install, alter or delete other software packages. In other words, limiting your own abilities also limits what malware can do.

There are exceptions to these rules — Google Chrome permits user-specific installations for standard users, for example, and some malware can perform "escalations of privilege" to gain administrative rights from a standard account.

But nearly all malware that meets the Microsoft definition of "critical" — i.e., that can remotely execute code without the legitimate user's permission — can be hindered or stopped by use of standard accounts.

Hence, it's best to perform everyday computer work — Web surfing, emailing, Photoshopping, Microsoft Office work — as a standard user, even if you're the only user for a particular machine. (Windows 7 and 8 standard users can perform administrative tasks if they input the password for an admin account.)

Almost anything nasty that gets in through a Web browser or email attachment will be limited to that account alone and can't damage the rest of the machine.

Unfortunately, most home computers, and even many computers in business or other enterprise environments, are set up so that the primary user has administrative privileges.

"If malware infects a user with admin rights, it can cause incredible damage locally, as well as on a wider network," Avecto states. "Additionally, employees with admin rights have access to install, modify and delete software and files as well as change system settings."

To protect your home computer, create a separate administrator account, give it a strong password and use it only to install or update software. Don't sign into the administrator account for everyday computer use.

Then, use that admin account to downgrade your own primary account, as well as those of other users, to standard (and make sure those accounts have passwords too).
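The setup the article recommends (a separate admin-only account, everyday accounts demoted to standard, passwords on every account, UAC left on) as an added PowerShell example; this is not code from the article or from Avecto. It assumes Windows 10 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, New-LocalUser, Add-LocalGroupMember, Remove-LocalGroupMember) are available, and an elevated PowerShell session; the account names LocalAdmin and alice are placeholders. On Windows 7 or 8 the same steps are done with `net user` and `net localgroup`, or through the Control Panel.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): dedicated admin account, everyday
# accounts demoted to standard, password and UAC checks. Assumes Windows 10+
# with the Microsoft.PowerShell.LocalAccounts module. Names are placeholders.
param(
    [string]   $AdminName     = 'LocalAdmin',   # admin-only account (placeholder)
    [string[]] $EverydayNames = @('alice')      # daily-use accounts (placeholders)
)

# Step 1: create the separate administrator account with a strong password.
# Read-Host -AsSecureString keeps the password out of the command history.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Strong password for $AdminName" -AsSecureString
    New-LocalUser -Name $AdminName -Password $password `
        -Description 'Used only to install or update software' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
    Write-Host "Created administrator account '$AdminName'."
}

# Helper: enabled local user accounts that are members of Administrators.
# Domain or group members are skipped (Get-LocalUser cannot resolve them).
function Get-EnabledLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            Get-LocalUser -Name (($_.Name -split '\\')[-1]) -ErrorAction SilentlyContinue
        } |
        Where-Object { $_ -and $_.Enabled }
}

# Step 2: demote each everyday account to a standard user, but only while at
# least one *other* enabled administrator remains, so nobody is locked out.
foreach ($name in $EverydayNames) {
    $others = Get-EnabledLocalAdmins | Where-Object { $_.Name -ne $name }
    if (-not $others) {
        Write-Warning "Not demoting '$name': it is the only enabled administrator left."
        continue
    }
    $isAdmin = Get-LocalGroupMember -Group 'Administrators' -Member $name `
        -ErrorAction SilentlyContinue
    if ($isAdmin) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $name
        # A standard user is simply a member of 'Users'; add it if missing.
        Add-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue
        Write-Host "Demoted '$name' to a standard user."
    }
}

# Step 3: every enabled account should have a password. PasswordLastSet is
# empty for an account that has never been given one.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordLastSet } |
    ForEach-Object { Write-Warning "Account '$($_.Name)' has no password set." }

# Final check: UAC must stay on (EnableLUA = 1) so standard users can still
# supply the admin password for one-off tasks; then list who remains an admin.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA
if ($uac.EnableLUA -ne 1) { Write-Warning 'UAC is disabled (EnableLUA is not 1); re-enable it.' }
Write-Host 'Members of Administrators now:'
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Run it once from an elevated prompt while still logged in as an administrator; the "only enabled administrator left" guard is there because demoting the last admin would leave no account able to change the machine back. After it finishes, sign out and log back in as the demoted everyday account for normal work.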

Removing admin rights mitigates 92% of critical Microsoft vulnerabilities

http://www.avecto.com/news-events/press-releases/removing-admin-rights-mitigates-92-percent-of-critical-microsoft-vulnerabilities (The article has since been removed.)

Tuesday, February 18, 2014

MANCHESTER, U.K., and Boston, MA

New analysis of "Patch Tuesday" bulletins shows benefits of stripping admin rights

92% of all vulnerabilities reported by Microsoft with a critical severity rating can be mitigated by removing admin rights, according to new research from Avecto.

The market leading privilege management firm analyzed data from security bulletins issued by Microsoft throughout 2013.

The results also revealed that removing admin rights would mitigate 96% of critical vulnerabilities affecting Windows operating systems, 91% of critical vulnerabilities affecting Microsoft Office and 100% of vulnerabilities in Internet Explorer.

Microsoft bulletins are issued on the second Tuesday of each month, a date known commonly as Patch Tuesday, and provide fixes for known security issues.

If malware infects a user with admin rights, it can cause incredible damage locally, as well as on a wider network. Additionally, employees with admin rights have access to install, modify and delete software and files as well as change system settings.

Paul Kenyon, co-founder and EVP of Avecto said: "It's astounding just how many vulnerabilities can be overcome by the removal of admin rights.

"The dangers of admin rights have been well documented for some time, but what's more concerning is the number of enterprises we talk to that are still not fully aware of how many admin users they have. Without clear visibility and control, they are facing an unknown and unquantified security threat."

"Awareness of the importance of privilege management is growing, but we need to get to the point where it's a standard measure for all organizations. These findings make it clear that it's a critical element of an endpoint security strategy that just cannot be ignored."

Paul concluded: "This analysis focuses purely on known vulnerabilities, and cyber criminals will be quick to take advantage of bugs that are unknown to vendors. Defending against these unknown threats is difficult, but removing admin rights is the most effective way to do so."


Revised 2015-06-03