Running a PC with reduced user privileges stops 92% of malware
According to a recent study by the BeyondTrust Corporation, titled "92 Percent of Critical Microsoft Vulnerabilities are Mitigated by Eliminating Admin Rights," most known and as yet unknown Windows exploit attacks will fail if the targeted PC is being operated with reduced user privileges. This means not running as an Administrator.
BeyondTrust's findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft's security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.
As far back as May 2007, I have published blog articles professing the added security to be gained by operating a PC with reduced user privileges. Furthermore, I published a web page titled User Account Privileges Explained, describing the differences between the various types of user accounts available in Windows 2000 and XP. That page also contains instructions for elevating reduced user privileges by using the Windows "Run as" right-click option when installing or launching a program that was built with the assumption that a member of the Administrators Group would be running it.
Some of the benefits derived from reducing the user privileges of your daily browsing account may include the following:
- Most viruses cannot be installed
- Most spyware cannot be installed
- Most adware cannot be installed or survive a reboot
- Browser BHOs that hijack your home page and search may not be fully installed, or survive a reboot
- Rootkits cannot be installed
- Mistakes you make by visiting compromised websites will probably fail to cause any damage
- Botnet executables cannot take control of your computer
- Fake antivirus or antispyware popup alerts will not be installed, or survive a reboot
- System Restore, Windows Defender, the Windows Firewall and Automatic Windows Updates cannot be disabled
- Your HOSTS file cannot be poisoned
- Worms, like the Conficker worm, cannot be installed, even via AutoPlay/AutoRun exploits
- Changes cannot be made to the HKLM branch of the Windows Registry
- Some programs cannot be installed, unless you use "Run as"
- Files cannot be saved to, deleted from, or overwritten with fake copies, in the Windows and System32 directories and sub-directories
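Every item in the list above comes down to the same mechanism: a limited user's logon token is not a member of the Administrators group, so the access control lists on HKLM, the Windows and System32 directories, and the HOSTS file refuse it write access. The following PowerShell script is an added example (not code from the original article) that audits the current session for exactly that: it reports whether the token is an administrator and whether any of the token's SIDs is granted a write-class permission on a few of those protected locations. It only reads ACLs and changes nothing; the list of paths and the "write-class" regex are my assumptions and can be extended.

```powershell
# Added example, not part of the original article: audit the current Windows
# session for administrative rights and for write access to locations that a
# limited user should not be able to modify. Read-only; it changes nothing.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Note: on Vista and later, an Administrator account running un-elevated under UAC
# carries a filtered token, so IsInRole reports $false until the session is elevated.
Write-Host ("Logged on as {0}; token has administrator rights: {1}" -f $identity.Name, $isAdmin)

# Locations the article says a limited user cannot alter (assumed sample set).
$protectedPaths = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\drivers\etc\hosts",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)

# Every SID the current token carries: the user SID plus all group SIDs.
$tokenSids = @($identity.User) + @($identity.Groups)

# Coarse heuristic for "can write": any Allow ACE for one of the token's SIDs whose
# rights include a write-class permission. Deny ACEs and inheritance subtleties are
# ignored, so treat a "True" here as a prompt to look closer, not as proof.
$writeClass = 'Write|Modify|FullControl|SetValue|CreateSubKey'

function Test-TokenCanWrite([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Resolve the ACE's principal to a SID so it can be matched against the token.
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if ($tokenSids -notcontains $sid) { continue }

        # File system ACEs expose FileSystemRights; registry ACEs expose RegistryRights.
        $rights = $ace.FileSystemRights
        if (-not $rights) { $rights = $ace.RegistryRights }

        if ($ace.AccessControlType -eq 'Allow' -and ("$rights" -match $writeClass)) {
            return $true
        }
    }
    return $false
}

foreach ($path in $protectedPaths) {
    $canWrite = Test-TokenCanWrite $path
    Write-Host ("{0,-62} writable by this token: {1}" -f $path, $canWrite)
}
```

Run it once from your daily browsing account and once from the Administrator account: the limited account should report False for every path, which is the property that makes the mitigations listed above hold.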
To achieve all of the above protection, change your daily browsing account type from "Computer Administrator" to "User" or "Limited User." If you are using a computer with a "Business" or "Professional" version of Windows you can run as a "Standard User" (Windows Vista and Windows 7) or "Power User" (Windows 2000 and XP), depending on your operating system. The benefits also presume that the owner or user is not tricked into installing the malware by using the "Run as (Administrator)" command. If you download a Trojan Horse program that you think is something useful and it turns out to be malware in disguise, you can infect the computer by running it as the Administrator. Common sense and a high level of suspicion, along with a judicious amount of Googling about unrecognized programs before installing them, can save your butt.
In the security business this is known by the pet name of "practicing safe hex!" If you are now operating your Windows 2000, XP, Vista, or Windows 7 PC as the Administrator, stop doing it now. Create a new Administrator-level account, give it a good strong password, log out of your current account and into the new Administrator-level account. This sets it up in the operating system and gives it a basic desktop setup. While you are logged into the new Administrator account, go to Control Panel > Users and Passwords (the exact name varies by Windows version) and open your previous account name for editing. Change the old account "type" from "(Computer) Administrator" to "User," "Standard User," or "Limited User," depending on which OS you are using. When you next log into that account it will have all of the same settings, My Documents, Bookmarks/Favorites, email, preferences, etc., but will not be a member of the "Administrators Group." The account will be among the 92% that could be protected from malware attacks purely by virtue of having reduced user privileges. In reality, you will be in the minority, until more people learn to run without Administrator privileges.
If you are running Windows 2000 or XP Professional, Vista Business, or Windows 7, you can elevate a limited user account to a Power User or Standard User account by performing the following steps from an Administrator-level account:
- Right-click on the (My) Computer icon and (left) select "Manage."
- Under Computer Management, click on the + next to Local Users and Groups to expand it.
- Click on "Groups" to display all available user groups for your computer. If you see Power User, or Standard User (and Backup Operators) on the right side, you can elevate a limited account to that level.
- Click on "Users" to open a list of users in the right pane. Find the identity you wish to control on the right and double-click on it.
- Click on the "Member Of" tab and review the group(s) it belongs to.
- If it shows User, or Limited User, click on the "Add" button at the bottom.
- Type the name of the user group you wish to add, then click on the "Check Names" button. It will fill in the necessary details about that group, or allow you to edit the group name until you get one right.
- When the new group membership is correctly listed, click OK. Click Apply, then OK, to close the dialog boxes, then close the Computer Management Console.
You can also open the Computer Management Console by copying and pasting this command into your "Run" box: compmgmt.msc
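The same group-membership change that the Computer Management steps above make by hand can be scripted, which is useful when you have several PCs or family accounts to convert. The PowerShell script below is an added example, not code from the original article: it lists the members of the local Administrators group, makes sure the chosen account is a member of Users so it keeps an ordinary interactive logon, refuses to strip the last remaining administrator, and then removes the account from Administrators. It uses the ADSI WinNT provider, which exists on Windows 2000 and later; the account name `DailyBrowsing` is an assumed placeholder, and on 2000/XP Professional you can substitute "Power Users" for "Users" to match the article's Power User option.

```powershell
# Added example, not part of the original article: move a daily-use account out
# of the local Administrators group and into Users, the scripted equivalent of the
# "Member Of" tab in Computer Management. Run from an Administrator-level account.
param([string]$AccountName = "DailyBrowsing")   # assumed placeholder account name

$computer = $env:COMPUTERNAME

# Returns the member names of a local group via the ADSI WinNT provider.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    @($group.psbase.Invoke("Members")) | ForEach-Object {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
}

Write-Host "Members of Administrators before the change:"
Get-LocalGroupMemberNames "Administrators" | ForEach-Object { Write-Host "  $_" }

$admins = [ADSI]"WinNT://$computer/Administrators,group"
$users  = [ADSI]"WinNT://$computer/Users,group"       # use "Power Users" on 2000/XP Pro if desired
$member = "WinNT://$computer/$AccountName,user"

# Keep the account logging on normally: ensure it is in Users first.
if ((Get-LocalGroupMemberNames "Users") -notcontains $AccountName) {
    $users.Add($member)
    Write-Host "Added $AccountName to Users."
}

# Safety check: never remove the only administrator, or you lock yourself out.
$remaining = @(Get-LocalGroupMemberNames "Administrators" | Where-Object { $_ -ne $AccountName })
if ($remaining.Count -eq 0) {
    throw "Refusing to remove $AccountName: it is the only member of Administrators."
}

if ((Get-LocalGroupMemberNames "Administrators") -contains $AccountName) {
    $admins.Remove($member)
    Write-Host "Removed $AccountName from Administrators."
}

Write-Host "Members of Administrators after the change:"
Get-LocalGroupMemberNames "Administrators" | ForEach-Object { Write-Host "  $_" }
```

As with the manual steps, the change takes effect at the account's next logon, because the logon token (and therefore the group membership the system enforces) is built at logon time.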
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.