Admin rights to blame for 97% of Windows flaws

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Postby viking60 » 18 Apr 2015, 23:20

It has been disputed but according to Microsoft's tests the admin rights are to blame for 97 % of the flaws people experience with Windows.
There are two sides to this coin since you actually want to install software on your computer from time to time.

But in general Microsoft recommends doing the daily work with an account without admin rights.
Basically you should only use the Admin account when you need it. Windows needs and always comes with an admin account.
We have described how to activate it earlier:
:A
viewtopic.php?f=25&t=544
viewtopic.php?f=15&t=3496#p19541

In Linux it has been the rule to do most work as a normal user for a long time.

More here
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Postby Snorkasaurus » 19 Apr 2015, 01:08

I don't buy this at all.
S.

R_Head
Berserk
Posts: 2827
Joined: 17 Mar 2010, 15:40

Postby R_Head » 19 Apr 2015, 03:34

I do; it is what I recommend all users do. But since MS does not want to be bothered, it is easier to blame the users; it is not MS's job to show the users how to use their OS. However.... for a hefty fee they will teach the user.

That is one of MS users' gripes when moving to Linux... "Why can't I install this or that? In MS it is click and install".

Postby Snorkasaurus » 19 Apr 2015, 04:01

Actually, there is plenty wrong with the original statement.
viking60 wrote:...but according to Microsoft's tests

The link provided says that the tests were done by "UK-based security firm Avecto" and not Microsoft.
viking60 wrote:...admin rights are to blame for 97 % of the flaws people experience with Windows.

According to the link, the tests were done on "Microsoft Patch Tuesday bulletins" not "user experience".
viking60 wrote:Basically you should only use the Admin account when you need it.

I have been logging on to Microsoft OS's as admin accounts since early DOS versions and not once has anything bad happened to any of them that would have been solved by logging in as a limited privilege account.
viking60 wrote:In Linux it has been the rule to do most work as a normal user for a long time.

See previous quote, as stated... it is the same in Microsoft OS's. I have also been logging in to Linux boxes as root since the early 90's and not once has anything bad ever happened that would have been solved by logging in as a limited privilege account.

The cake is a lie.
S.

Postby viking60 » 19 Apr 2015, 07:17

Snorkasaurus wrote:Actually, there is plenty wrong with the original statement.
viking60 wrote:...but according to Microsoft's tests

The link provided says that the tests were done by "UK-based security firm Avecto" and not Microsoft.

Not plenty wrong; Microsoft was tested, so it can refer to the tester or the testee :mrgreen: I am not sure how this is relevant for buying it or not though.
I guess questioning Avecto might be the relevance?
Snorkasaurus wrote:
viking60 wrote:...admin rights are to blame for 97 % of the flaws people experience with Windows.

According to the link, the tests were done on "Microsoft Patch Tuesday bulletins" not "user experience".

True it was tested on Microsoft Patch Tuesday bulletins - which of course have nothing to do with "user experience" ?
In any case I admit this could be clearer.
The important point is that
Out of the 240 critical vulnerabilities reported in 2014, you could protect yourself against 97 percent of them by removing the admin-rights.

Snorkasaurus wrote:
viking60 wrote:Basically you should only use the Admin account when you need it.

I have been logging on to Microsoft OS's as admin accounts since early DOS versions and not once has anything bad happened to any of them that would have been solved by logging in as a limited privilege account.

Not particularly relevant regarding the "wrongs" of the original statement.
But the beauty of it is that you are entitled to be wrong - dead wrong :-D Freedom is the freedom to be wrong too...

Snorkasaurus wrote:
viking60 wrote:In Linux it has been the rule to do most work as a normal user for a long time.

See previous quote, as stated... it is the same in Microsoft OS's. I have also been logging in to Linux boxes as root since the early 90's and not once has anything bad ever happened that would have been solved by logging in as a limited privilege account.

The cake is a lie.

:lolup
Darned lying cakes (or cookies).
It is a bit like smokers claiming that they have been smoking for years - and they are not dead yet....They will be you know.
Everybody was an admin in the 90's; Windows XP came with Admin as default, I believe.
The world is moving fast and the exploits keep coming faster and faster, so what was good in the 90's need not be good today.

Tech people might well handle Admin rights just fine. I believe that I do.. and that everything I do is flawless. I just use a normal account anyway because I don't need admin rights all the time .. and for the unlikely chance that I might be occasionally wrong :shock:
At least in Linux I see no reason to be admin all the time.

It is also true that you could avoid 100 % of the flaws by disconnecting from the internet - so the internet is to blame more than the admin rights :think:

PS:
I do believe that different views on this are healthy though - nothing is worse than "undisputed eternal truths".
Arguments in both directions are welcome; statements regarding one or the other being wrong are subjective - of course.

This Article makes a case for not being Admin all the time - references to articles with the opposite content are welcome.
Personal experience is important and I have to admit that I have not had much negative experience with being admin all the time in the past.
Then I got that Conficker infection.....
(Big network with thousands of computers - and it spread through the network so it was vital to pull the plug, remove it, and not reconnect until all others in the network had done the same. I had it removed within 3h in my network but co-workers in other countries, connected to the same network, spent 3 days.)

Postby Snorkasaurus » 19 Apr 2015, 14:15

It seems that the report's appendix 1 states:
Appendix 1: Detailed Methodology
Data source
This report has been compiled following analysis of the Security
bulletins published in 2014 by Microsoft. Each bulletin issued
contains an Executive Summary with general information regarding
that bulletin. If the sentence “Users whose accounts are configured
to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights” is contained
within the Executive Summary, it is assumed that all vulnerabilities
within that bulletin could be mitigated by removing admin rights
from users.
N.B: There is no vulnerability-specific information on privilege
mitigation within the bulletin.

1. Avecto did no actual research on any of these vulnerabilities, they simply counted how many bulletins had that sentence.
2. That sentence is clearly a standard disclaimer that Microsoft puts on all of its security bulletins.
3. Avecto clearly states that none of the bulletins actually indicates that being non-admin mitigates anything.

Perhaps someone can also explain how Microsoft's listing of security bulletins shows only 85 bulletins for 2014 and not 240. Am I doing something wrong by searching that chart for "ms14"?

Ultimately the intent is obviously to imply that logging in to Windows as a limited priv user will shield people from 97% of vulnerabilities, and this is simply not true. Typical users are far more likely to experience computer problems because of malware, fake Microsoft phone calls, and power surges than any of these bulletins.

S.
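
The counting rule in the quoted appendix, worked through as an added example (not part of any post in this thread, and not Avecto's or Microsoft's code): it shows that the rule credits every vulnerability in a bulletin once the sentence appears in its summary, so bulletin totals and vulnerability totals differ. The bulletin identifiers, summaries and counts are constructed sample data.

```python
import re
from dataclasses import dataclass

# Sentence the quoted methodology looks for in each Executive Summary.
MARKER = ("Users whose accounts are configured to have fewer user rights on "
          "the system could be less impacted than users who operate with "
          "administrative user rights")


@dataclass
class Bulletin:
    ident: str       # constructed placeholder, not a real bulletin number
    summary: str     # Executive Summary text
    vuln_count: int  # number of vulnerabilities the bulletin covers


def normalize(text):
    """Collapse whitespace and case so line wrapping cannot hide the sentence."""
    return re.sub(r"\s+", " ", text).strip().lower()


def has_marker(bulletin):
    return normalize(MARKER) in normalize(bulletin.summary)


def tally(bulletins):
    """Quoted rule: a bulletin with the sentence credits ALL its vulnerabilities."""
    marked = [b for b in bulletins if has_marker(b)]
    total = sum(b.vuln_count for b in bulletins)
    credited = sum(b.vuln_count for b in marked)
    return {
        "bulletins": len(bulletins),
        "marked_bulletins": len(marked),
        "vulnerabilities": total,
        "credited": credited,
        "percent_credited": round(100 * credited / total, 1) if total else 0.0,
    }


# Constructed sample data (summaries and counts are invented for illustration).
SAMPLE = [
    Bulletin("SAMPLE-001", "This update resolves several issues. " + MARKER + ".", 12),
    Bulletin("SAMPLE-002", "Users whose accounts are configured\nto have fewer user "
             "rights on the system could be less impacted than\nusers who operate "
             "with administrative user rights.", 5),
    Bulletin("SAMPLE-003", "This update resolves a denial of service issue.", 3),
]

if __name__ == "__main__":
    print(tally(SAMPLE))
```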

Postby viking60 » 19 Apr 2015, 16:48

Snorkasaurus wrote:Perhaps someone can also explain how Microsoft's listing of security bulletins shows only 85 bulletins for 2014 and not 240. Am I doing something wrong by searching that chart for "ms14"?

I dunno, I have not checked :confused You must be, since Avecto say there are 240 :mrgreen: (I'll see if I can find out....)
Snorkasaurus wrote:Ultimately the intent is obviously to imply that logging in to Windows as a limited priv user will shield people from 97% of vulnerabilities, and this is simply not true. Typical users are far more likely to experience computer problems because of malware, fake Microsoft phone calls, and power surges than any of these bulletins.


Malware probably will do better with admin rights so it is relevant there too. Those fake callers need a good spanking with or without Admin rights and yes they are a security problem for common users. But most of those calls are about you installing some remote control software that needs admin rights...

A sensible user would probably avoid all of that with or without admin rights on a single computer. But on a network there needs to be a policy.

I do agree that the message is that you would avoid 97 % of the vulnerabilities without Admin rights. And that is a bit theoretical without regard to the admin's good or bad judgement.
So it would pretty much be the worst admin in the world that avoided that much.

It is simply true that you can do more - including more damage - with admin rights.

Postby viking60 » 19 Apr 2015, 23:58

Hmm :think: I get 6 pages of ms14 with 15 lines a page so that would be 90. :confused

Postby Snorkasaurus » 20 Apr 2015, 00:14

viking60 wrote:Hmm :think: I get 6 pages of ms14 with 15 lines a page so that would be 90. :confused

I am trying to interpret the report and I am concerned that they may be counting bulletins multiple times when they apply to multiple products. But that doesn't make sense either because then it would be over 1000. I tried downloading the spreadsheet from Microsoft too but that doesn't add up either.
:confused

S.

dedanna1029
Sound-Berserk
Posts: 8784
Joined: 14 Mar 2010, 20:29

Postby dedanna1029 » 24 Jul 2015, 14:28

The 240 vulnerabilities would be in total, not necessarily currently. There are tons of vulnerabilities that M$ has left over from the past, as well as current (in effect making them current, too, but only in effect, so they're probably not concretely listed).

I've been trying to get my mom to stop using the Administrator user for years, just for this reason. There is too much in Windows that one does not even have to "point, click and shoot" to be installed to the Admin user (usually malware, viruses, etc.), and the Admin user is already in Microsoft's root, which infects the whole system when this happens. Microsoft's root is more vulnerable than any to these things (more so than any other operating system), and should be avoided.

Snork, you know what you're doing with Windows. There are too many idiots out there who have no clue of these things, and they are the majority of those using Windows.

I play in root on Linux, but that is because I know what I'm doing with it. Most don't. Converts have no clue.

viking's right in this respect, I think. When it comes down to it, who cares if it's 90 or 240 vulnerabilities anyway - even one is too many, in particular with idiots who have no clue. The Admin user anyway, comparatively, runs slower than a turtle on pot I've found - unlike with a limited account, which is nowhere near as bloated.
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html
