The majority of Microsoft Windows attacks seen in 2010 would have been blocked if PCs were not running with admin-level access rights, according to security vendor BeyondTrust.

Mathew J. Schwartz, Contributor

April 15, 2011

3 Min Read

10 Massive Security Breaches

10 Massive Security Breaches

(click image for larger view)
Slideshow: 10 Massive Security Breaches

Eliminating administrator-level rights for regular users can stop the majority of Microsoft Windows attacks from being able to exploit the computer.

That's the claim of a report released by security vendor BeyondTrust. For the report, the company investigated all of the security bulletins released by Microsoft in 2010, which detailed a total of 256 vulnerabilities.

Looking at those 2010 vulnerabilities, BeyondTrust found that PCs that weren't running with administrator-level rights would have blocked 64% of all Microsoft vulnerabilities, 75% of critical Windows 7 vulnerabilities, and all Microsoft Office and IE vulnerabilities. In addition, removing administrator rights would have stopped 82% of remote code execution vulnerabilities, which enable an attacker to run arbitrary code on compromised systems.

The report points to a piece of best-practice advice that's often found in Microsoft's security bulletins. Namely, that "users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Not coincidentally, the company behind the report sells software that can monitor, restrict, or delegate access to root passwords on different operating systems. But is there merit in this approach as a technique for helping mitigate Windows vulnerabilities--and especially zero-day attacks that attempt to exploit never-before-seen bugs?

In an email interview, Jack Koziol, director of information security training firm Infosec Institute, said it's likely the report is accurate in its charting of the number of attacks that would have been blocked by restricting administrative-level access. "Many of the current exploits out there require you to have admin/system access on the exploited system," he said.

"There is a major caveat to that though," he said. "One of the primary concepts we teach in our penetration-testing class is that of privilege escalation. If you have non-root or non-administrator level access to a system, you must attempt to escalate privileges in order to access sensitive portions of the OS."

Accordingly, if attackers are gunning for a system that restricts administrative-level access, "exploitation becomes a two-step process instead of a single step," said Koziol. "First, you get a foothold on the box with regular user access, secondly you gain admin access via privilege escalation attack--perhaps via a kernel vulnerability."

Some approaches to managing administrative-level access might block these types of attacks, he said. But a more directed attack against a specific target, he said, don't discount an attacker finding a way around the defenses, for example by exploiting a kernel-level vulnerability.

Those caveats aside, for organizations that want to control admin-level access, there are multiple approaches--some free. According to a blog post by Neil MacDonald, a vice president and distinguished analyst at Gartner, free approaches include Microsoft's User Account Control--but it's only built into Windows 7 and Vista--as well as a community version of ScriptLogic. Meanwhile, commercial options for controlling admin-level access by application on "an exception by exception basis" include BeyondTrust, Avecto, Viewfinity, and Symantec/Altiris, he said.

But the best approach, said Koziol, would be to overhaul Windows. "The real solution to this problem is to re-engineer Windows to allow regular users to do everything they need without the possibility of compromising the [trusted computing base] of the OS. The last real OS to do this was VMS. After that--well, you know the story," he said.

On the other hand, client/server operating systems as well as cloud-based applications inherently prevent these types of attacks, he noted, because users are never granted access it to the trusted computing base.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights