Why you shouldn't use Admin for day-to-day usage.

Shintaro

BSOD Kernel Dump Analyst
Joined
Jun 12, 2012
Messages
175
Location
Brisbane, Australia
Just thought this study by Avecto might be of interest as to why you should not be using the Administrator account on your computer for day-to-day work.

**Note: To get the study you will need to give up your email address to them. But there are ways of creating a temp email address.

Excerpt from Security Now.


Steve:
.............. So here's the breakdown. During that year, 2013 of critical rating, so there were 147 vulnerabilities
published during 2013 with critical rating. 92, as I said, were mitigated, blocked, by
removing admin rights. I'm sorry, not 92, 92% were blocked by removing administrator
rights. 96% of critical vulnerabilities affecting the Windows operating system, so nearly
all, 96% of those vulnerabilities which affected the Windows OS were mitigated by
removing admin rights. 100% of the vulnerabilities affecting IE were mitigated by
removing admin rights.

Leo: Wow.
Steve:
100%. All you had to do is switch to a standard user. In the control panel, under
Windows Users, you have a choice, be an admin user or a standard user. And
unfortunately, by default, when you set Windows up, you're an admin user. That's what
you get. So you need to create another user, set that up as a standard user, and that's
the one you use. And then, when you need to do something that you're being blocked by,
you need to enter the admin user's password. That's the way to be safe. Not even UAC
gives you this level of safety. You need to be a standard user and then provide the admin
password when you need to switch into the admin account, essentially. 91% of
vulnerabilities affecting Microsoft Office would be blocked by removing admin rights and
100%, all of the critical remote code execution vulnerabilities, and 80% of critical
information disclosure vulnerabilities mitigated by removing admin rights.
So the takeaway here is this is really important. If you simply stop being an admin, if
history is any lesson, you're way safer. You are completely safe based on history from IE
exploits, and those are the big way things get in is through Internet Explorer, through
web browsing. And critical remote code execution is also how this stuff happens. 100%
safe if you're not an admin. So we've got 41 days to go with XP. Certainly XP users ought
to seriously consider no longer running as an administrator. Just run as a standard user,
and use admin account only when you really know you need to.


 

Patrick

Moderator, BSOD Kernel Dump Expert
Staff member
Joined
Jun 7, 2012
Messages
4,578
One of my professors stressed this over and over and over again, and now any time I am in public on a laptop, I am always signed into a different user account with non-admin permissions. If I need to do something admin related, I just quickly type my UAC info and I'm done. I'd like to make this transition even on my home computer, but to be honest, I am a little lazy in that regard :grin1:
 

jcgriff2

Site Administrator, Forum General Manager, BSOD Kernel Dump Expert
Staff member
Joined
Feb 19, 2012
Messages
17,461
Location
New Jersey Shore
I recall reading that the Hidden Admin user account (SID -500) is incapable of installing certain security related Windows Updates. I do believe this was true under Vista & Windows 7 - not sure about Windows 8/8.1

But yeah - running IE "As Administrator" whether by choice or SID-500 user account is definitely not the safest way to surf the Internet.
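
A read-only check for the setup discussed in this thread, added here as an example and not part of any post: it reports whether the current account sits in the local Administrators group, whether the session token is elevated, and whether the built-in RID 500 account is enabled. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets; the function name `Get-AdminExposure` is hypothetical.

```powershell
# Added example: read-only audit of local administrator exposure.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

function Get-AdminExposure {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when this process token currently holds admin rights.
    # An unelevated UAC session of an admin account reports False here.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    $adminSids = @($admins | ForEach-Object { $_.SID.Value })

    # Direct membership only; membership through a nested domain group
    # is not resolved by this comparison.
    $isMember = $adminSids -contains $identity.User.Value

    # The built-in Administrator account always has a SID ending in -500,
    # even if it has been renamed.
    $builtin = Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    [pscustomobject]@{
        CurrentUser           = $identity.Name
        TokenIsElevated       = $elevated
        InAdministratorsGroup = $isMember
        BuiltInAdminName      = $builtin.Name
        BuiltInAdminEnabled   = $builtin.Enabled
        AdministratorsMembers = ($admins | ForEach-Object { $_.Name }) -join ', '
    }
}

$report = Get-AdminExposure
$report | Format-List

# Flag the two conditions the thread warns about.
if ($report.InAdministratorsGroup -or $report.TokenIsElevated) {
    Write-Warning 'This session uses an administrator account; sign in with a standard account for daily work.'
}
if ($report.BuiltInAdminEnabled) {
    Write-Warning 'The built-in Administrator (RID 500) account is enabled.'
}
```

On an account that is a standard user, both `TokenIsElevated` and `InAdministratorsGroup` should read `False` when the script is run from a normal, non-elevated prompt.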
 