Microsoft Security Bulletins: Admin Rights Make Users Vulnerable

Taking the hassle out of Patch Tuesday

“Companies face imminent danger from zero-day threats as new vulnerabilities continually crop up while patching efforts lag behind, and even worse, many threats exist undetected,” says John Moyer, CEO of BeyondTrust. Even if you're not a customer of BeyondTrust, whose security solutions enable the security practice of least privilege, your common sense should tell you that removing a user's administrative rights should make the user less vulnerable to some security threats. But how much less vulnerable? How many security threats could be mitigated by removing users' administrative rights?

To find out, BeyondTrust analyzed Microsoft security bulletins issued in 2008, classified them by severity and vulnerability type, and tallied the number of bulletins where the Mitigating Factors section read, "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." The company found that 92 percent of the critical vulnerabilities Microsoft issued bulletins for could be mitigated by configuring users to operate without administrator rights. When it came to specific types of vulnerabilities, 87 percent of remote code execution vulnerabilities could be mitigated in this way. In the case of vulnerabilities exploiting Microsoft Office, Internet Explorer (IE), and Windows, removing user administrator rights could mitigate against more than three quarters of the Office and IE vulnerabilities and more than half of the Windows vulnerabilities.

"Our findings reflect the critical role that restricting administrator rights plays in protecting against these types of threats," Moyer says about the figures, available in the company's PDF white paper. "This is achievable in one simple step—adopting a strategy of Least Privilege security."

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.