Non-admin accounts mitigate 94% of critical Windows vulnerabilities


A new report suggests that Windows admins and users could mitigate 94% of all critical vulnerabilities automatically by running non-admin accounts.

It is common sense that using standard user accounts on Windows, as opposed to accounts with elevated privileges, is good security practice.

The main reason behind this practice is simple: if a user cannot perform certain operations because of limited rights, neither can malware that runs under that user's account.

The recently released Microsoft Vulnerabilities Report 2016 by Avecto highlights how much of an impact the switch from admin to non-admin accounts could make on Windows systems.

According to the report, 36% of all Windows vulnerabilities that Microsoft released patches for in 2016 were rated with the highest severity rating of critical. A whopping 94% of those would be mitigated by removing admin rights and running Windows with standard user accounts.

The figure is even better for Microsoft Edge and Internet Explorer vulnerabilities: Avecto reports that 100% of Internet Explorer and Edge vulnerabilities are mitigated when the browser runs under a non-admin account.

For Microsoft’s newest operating system Windows 10, it would mean that 93% of all reported vulnerabilities would be mitigated by removing admin rights.

Avecto notes that Windows 10, dubbed the most secure operating system ever by Microsoft, had the largest total number of reported vulnerabilities of all supported versions of Windows. Windows 10 was affected by 395 different vulnerabilities, compared to 265 for Windows 8.1 for instance.

A simple change, switching a user account from administrator to standard, or creating a second user account with standard rights and using it predominantly, has a huge impact on computer security.

While the mileage differs from year to year (last year, for instance, saw a mitigation percentage of “just” 85%), it is clear that standard user accounts mitigate a large percentage of attacks.

Configuring user accounts

You can switch any user account from administrator to standard in Windows, provided that you have access to an admin account.

I suggest you keep the admin account, and create a secondary user account that runs with standard privileges. You may also want to change the rights for any other user on the system from administrator to standard, if you have not done so already.

You can manage accounts in the following way:

  1. Use the Windows-Pause shortcut to open the System Control Panel applet.
  2. Select Control Panel Home, and on the next page User Accounts.
  3. Select “change your account type” if you want to change the account type of the signed in user, or “manage another account” if you want to change the account type of other user accounts on the PC.
  4. The second option lists all accounts on the next page. Select one, and then “change the account type” afterwards to switch from administrator to standard.
  5. You may create other user accounts as well, either directly in the Control Panel or, on Windows 10 for instance, by clicking on “add a new user in PC settings”.
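The same change can be made from an elevated PowerShell prompt instead of the Control Panel, using the built-in LocalAccounts cmdlets. This is an added example, not from the article; the account names 'daily' and 'alice' are placeholders, and it adds one guard the article implies but does not spell out: never demote the last enabled local administrator.

```powershell
#Requires -RunAsAdministrator
# Added example (constructed): audit the local Administrators group, create a
# standard account for daily use, and demote an existing admin account.

function Get-LocalAdminAccounts {
    # Local user principals that are members of the built-in Administrators group
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
}

function ConvertTo-StandardUser {
    param([Parameter(Mandatory)][string]$UserName)

    $admins = @(Get-LocalAdminAccounts)
    $target = $admins | Where-Object { $_.Name -like "*\$UserName" }
    if (-not $target) {
        Write-Warning "$UserName is not a local member of Administrators; nothing to do."
        return
    }
    # Guard: keep at least one enabled local admin so the PC stays manageable.
    $remaining = $admins | Where-Object { $_.Name -ne $target.Name } |
        ForEach-Object { Get-LocalUser -Name ($_.Name -replace '^.*\\') } |
        Where-Object { $_.Enabled }
    if (@($remaining).Count -lt 1) {
        throw "Refusing to demote ${UserName}: it is the last enabled local administrator."
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $UserName
    # Members of Administrators are normally already in Users; add only if missing.
    $inUsers = Get-LocalGroupMember -Group 'Users' |
        Where-Object { $_.Name -like "*\$UserName" }
    if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $UserName }
    Write-Host "$UserName is now a standard user."
}

# Report who currently holds admin rights on this machine.
Get-LocalAdminAccounts | Select-Object Name, PrincipalSource | Format-Table -AutoSize

# Create a separate standard account for everyday use (placeholder name 'daily').
if (-not (Get-LocalUser -Name 'daily' -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt 'Password for new standard account' -AsSecureString
    New-LocalUser -Name 'daily' -Password $pw -FullName 'Daily use (standard)' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member 'daily'
}

# Demote an existing account (placeholder name 'alice') from administrator to standard.
ConvertTo-StandardUser -UserName 'alice'
```

The group change takes effect at the account's next sign-in, so sign out and back in before checking the result.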

The rule of thumb is that all user accounts that are used actively, e.g. by different family members or yourself, should be standard accounts. You should still keep an admin account around for changes to the operating system that standard accounts cannot make.
