There are many reasons why it’s a good idea to run without admin rights, but for a recent webinar by Avecto, I narrowed it down to my top 5 reasons why it’s important to do so.
You can hear more about these on the on-demand webinar and see real examples of ethical hacking, where I show you some actual scenarios of vulnerabilities in the Windows OS.
When talking about security, I always talk about proactive and reactive measures. Both are needed, but the proactive measures are much more important. This includes things like software allow listing, managing permissions and firewalls. These protection layers keep the computer clean and efficient.
Reactive measures like anti-malware and block listing are usually late to the party – but should be layered on top of proactive prevention, just in case something gets through.
Here we’re talking about proactive measures – removal of admin rights (and the effective management of user rights using privilege management technology) to secure your business PCs – and the 5 big reasons why it can’t be avoided.
1) Keep malware off your computer
As your computer can’t differentiate between good and bad software, the only way to prevent the installation of malware is to prevent installations as a whole. So in this case, your standard everyday user shouldn’t be able to install software that affects the whole computer. Many people think that with UAC in Windows 7 and 8, there is no need to limit user admin rights. This is a myth and is far from the truth! In the on-demand webinar, I demonstrate why.
I have recently seen code written by an 11-year-old that configures the PC to run as a wireless access point, which can bypass UAC.
2) Keep the computer running smoothly
A limited user cannot write files or entries in places where admins can. Ultimately this means that by removing admin rights, your PCs are cleaner and more stable, with a longer lifespan. Usually people tell me that they reinstall their Windows OS every 6 months or every year to keep the machine running effectively. Without admin rights, there’s no need to do this. Fewer reinstallations mean less help-desk impact and lower cost.
3) Keep the protection enforced
An admin user can turn off your protective measures. They can disable your firewall, antivirus, encryption, Group Policy and more. And if the admin is running malware, the malware can do the same.
Shockingly, all big zero-day attacks reported in the media from 2010-2013 required admin rights! Malware could never affect the computer in the first place without admin rights.
4) Keep computers compliant
Microsoft’s own Security Policy states that a user in the local admin group can manage the computer 100%. There is no way of controlling administrators with Group Policy. They can do what they want, full stop.
They can prevent the system from reading policies – and if you deny the rules, you don’t have to obey them! Watch the webinar to see how it’s done. Removing admin rights and running with standard users removes this risk immediately.
5) Keep your network clean
Your network is only as secure as its weakest link. One computer on the domain running admin rights is a hole that compromises the entire network. I demonstrate how admins can inject bait into a PC using a security gap, run with the highest privileges and bypass UAC to gain access to the whole network.
My top tips for removing admin rights
- There is always a trade-off with removing admin rights. I talk about Security vs. Cost vs. Usability. You just need to decide the approach that’s right for you.
- Admin rights need to adjust to a software-based approach, not user-based.
- UAC is mandatory – you must run with UAC on. But app compatibility and user experience mean you need a solution for customization.
- Build a proof of concept – stop the process of giving out admin rights, figure out why admins have needed admin rights, and remove current admin rights. There are tools on the market to help you do this.
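As a starting point for the proof of concept in the last tip, and for checking the "UAC is mandatory" tip and reason 3 above (an admin can switch protection off), here is a read-only audit script. It is an added example and is not code from the original post or from Avecto; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and it reads the real UAC policy values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop). The function name Test-AdminRightsPosture is this example's own.

```powershell
# Added example (not from the original post or Avecto). Read-only: it reports who
# holds admin rights on this PC and whether UAC is actually enforced, which is the
# information you need before you start removing admin rights. It changes nothing.
# Run it from a normal, non-elevated PowerShell prompt.

function Test-AdminRightsPosture {
    $findings = @()

    # 1) Who is in the local Administrators group? (direct members only; a domain
    #    group listed here may contain many more users than this shows)
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              Select-Object Name, ObjectClass, PrincipalSource
    Write-Host 'Members of the local Administrators group:'
    $admins | Format-Table -AutoSize | Out-String | Write-Host

    # 2) Is this session running elevated? With UAC on, even an admin user gets a
    #    filtered token at logon, so this should be $false for day-to-day work.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isElevated) {
        $findings += 'This shell is running with a full admin token; daily work should not be.'
    }
    if ($admins.Name -contains $identity.Name) {
        $findings += "$($identity.Name) is a direct member of local Administrators."
    }

    # 3) Is UAC enforced? These are the documented policy values Windows reads.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey

    # EnableLUA: 1 = UAC on, 0 = UAC off (an admin can flip this; reboot applies it)
    if ($uac.EnableLUA -ne 1) {
        $findings += 'UAC is disabled (EnableLUA is not 1).'
    }
    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = always prompt for
    # consent, 5 = prompt only for non-Windows binaries (the default)
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admins elevate silently (ConsentPromptBehaviorAdmin is 0), so UAC gives no visible barrier.'
    }
    # PromptOnSecureDesktop: 1 = the elevation prompt cannot be faked or clicked by other apps
    if ($uac.PromptOnSecureDesktop -ne 1) {
        $findings += 'Elevation prompts are not shown on the secure desktop.'
    }

    if ($findings.Count -eq 0) {
        Write-Host 'No findings: UAC is enforced and this session is not privileged.'
    } else {
        $findings | ForEach-Object { Write-Host "FINDING: $_" }
    }

    # Return the raw facts so the function can be used from a larger inventory script
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        LocalAdmins           = $admins.Name
        SessionElevated       = $isElevated
        EnableLUA             = $uac.EnableLUA
        ConsentPromptBehavior = $uac.ConsentPromptBehaviorAdmin
        SecureDesktop         = $uac.PromptOnSecureDesktop
        Findings              = $findings
    }
}

Test-AdminRightsPosture
```

Running this across a fleet (for example through a scheduled task that writes the returned object to a central share) gives you the "who has admin rights and why" baseline the tip asks for, and any machine where EnableLUA is not 1 is a machine where an admin-level user or malware has already done what reason 3 warns about.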
Sami Laiho, Windows OS & Security Expert, Senior Technical Fellow
Sami Laiho is one of the world’s leading professionals in the Windows OS and Security. Sami has been working with and teaching OS troubleshooting, management, and security since 1996.
In 2019 Sami was chosen by TiVi-magazine as one of the top 100 influencers in IT in Finland. He is the 11th most followed person in his field in Finland.
At Ignite 2018, Sami’s “Behind the Scenes: How to build a conference winning session” and “Sami Laiho: 45 Life Hacks of Windows OS in 45 minutes” sessions were ranked as #1 and #2 out of 1708 sessions! This was the first time in the history of the conference that anyone had been able to do this.
Before that, at Ignite 2017, the world’s biggest Microsoft event, Sami was evaluated as the Best External Speaker! Also, Sami’s sessions were evaluated as the Best session in TechEd North America, Europe and Australia in 2014, and Nordic Infrastructure Conference in 2016, 2017 and 2019.