Most Windows Security Flaws Mitigated By 'Removing Admin Rights'

HardOCP News

According to a new report, almost ninety percent of vulnerabilities targeting Windows last year could have been prevented by removing administrative rights.

The report, released on Thursday by security firm Avecto said a total of 85 percent of critical flaws affecting the operating system could've been stopped at the gate, and prevented from spreading deep into system files. Administrator accounts are common among consumer and home PCs, because they give users access to everything on the computer. But malware, when it strikes, also gets the same privileges. That means malware or hackers can modify core Windows files, and steal or destroy data.
 
Duh...

I've been telling everyone for years that the surest way to avoid getting hit with something is to use the computer without admin rights. I even show them how or set it up for them. Most of the time, they're too fucking lazy or stupid to be able to run in that way. I know, I know... it's really difficult to key in a password when you're installing new software or changing a system setting.

I don't know what I was thinking. :rolleyes:
 
And yet we still have software that requires admin access to run... usually just due to poor design (config/temp files in program directories, etc.).

Heck, our 911 systems REQUIRE a 32-bit OS still... Our dental software also won't support .NET 4.6 until late this year, maybe next...

To those with normal offices, you got it easy... I have worked in health care and government, which have a number of niche services and software products that almost have you over a barrel, and when asked about simple crap like 64-bit support or non-admin support they ignore you... cause they know you don't have too many choices.

I could understand for XP, but come on... UAC and 64-bit are common these days; there are no excuses other than "we don't give a shit."
 
First make it so that 90% of the applications don't require an administrator-level user to be installed, while a few still require it for day-to-day usage.

And I don't get it anyway. The system folders are not writable by the user even with admin status, unless you take ownership of the folders and manually give yourself rights to them. Then it seems to me that the only point of not having rights to those folders is to annoy the user, since malware can get through all the same.

Anyway, 99% of malware can be stopped by using antivirus software, and I don't mean Windows Defender.
 
Duh...

I've been telling everyone for years that the surest way to avoid getting hit with something is to use the computer without admin rights. I even show them how or set it up for them. Most of the time, they're too fucking lazy or stupid to be able to run in that way. I know, I know... it's really difficult to key in a password when you're installing new software or changing a system setting.

I don't know what I was thinking. :rolleyes:

It's because most people think they know what they're doing. I'm guilty of running as an admin, though.
 
It's because most people think they know what they're doing. I'm guilty of running as an admin, though.

And that's the truth!!!!!

Our team is one of the few that still does... though we are planning on changing that.

A few years back (I think it was Conficker), at another place I worked, a network admin got the virus, and since they all used their normal accounts for everything, all the servers got infected.

They must have cleaned most twice before they figured out it was their own accounts and access. They ended up literally shutting down ALL servers and keeping them down as they cleaned and blocked processes on workstations, etc.

The next week they got smart and created server admin accounts to prevent this from happening again...

The following week after that I watched a network admin (who we called FNG after 2+ years, lol) log in to his workstation with said server admin account... :confused::eek:
 
First make it so that 90% of the applications don't require an administrator-level user to be installed, while a few still require it for day-to-day usage.

And I don't get it anyway. The system folders are not writable by the user even with admin status, unless you take ownership of the folders and manually give yourself rights to them. Then it seems to me that the only point of not having rights to those folders is to annoy the user, since malware can get through all the same.

Anyway, 99% of malware can be stopped by using antivirus software, and I don't mean Windows Defender.

You can actually get around this. It isn't precisely that the applications need "administrative" rights to run. That's a common misconception. Rather, the areas of the registry, or certain files and folders, aren't configured by default to allow non-admin access to them. If you understand the Windows permission set you can create a batch file, leveraging the cacls command, to deal with most of it. You can use a registry monitor to determine what parts of the registry are used by a given piece of software, and then alter the permissions where you need to.

The problem is, that doing this requires a lot of work in advance by the person administrating these systems to do this ahead of time. I've made AutoCAD, 3D Studio Max, Lightwave, and even most of the entire Adobe Suite run under normal user accounts. I've even managed to do it with several games. Counterstrike being one of them.
 
And that's the truth!!!!!

Our team is one of the few that still does... though we are planning on changing that.

A few years back (I think it was Conficker), at another place I worked, a network admin got the virus, and since they all used their normal accounts for everything, all the servers got infected.

They must have cleaned most twice before they figured out it was their own accounts and access. They ended up literally shutting down ALL servers and keeping them down as they cleaned and blocked processes on workstations, etc.

The next week they got smart and created server admin accounts to prevent this from happening again...

The following week after that I watched a network admin (who we called FNG after 2+ years, lol) log in to his workstation with said server admin account... :confused::eek:

And that is why you should have the server admin account locked down to only be able to log into the server. It is a single setting in AD under the user account.
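The AD setting the post above refers to is the "Log On To..." list on the account (the userWorkstations attribute), which the ActiveDirectory PowerShell module exposes as -LogonWorkstations. What follows is an added example, not code from the thread: it applies the restriction to a dedicated server-admin account, reads it back, and audits an OU for admin accounts that still have no restriction. The account name 'srv-admin', the servers SRV01/SRV02 and the OU path are hypothetical; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the thread): restrict a server-admin account to the
# servers it administers, using the same AD attribute (userWorkstations) that the
# "Log On To..." button on the account properties sets. Requires the RSAT
# ActiveDirectory module. 'srv-admin', SRV01/SRV02 and the OU are hypothetical.
Import-Module ActiveDirectory

$Account = 'srv-admin'
$Servers = 'SRV01', 'SRV02'          # NetBIOS names; stored comma-separated in the attribute

# Apply the restriction. An interactive logon from any computer not in the list
# is refused by the domain controller, whatever the password.
Set-ADUser -Identity $Account -LogonWorkstations ($Servers -join ',')

# Confirm what was written.
Get-ADUser -Identity $Account -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Audit: every account in the admin OU that still has no restriction at all.
Get-ADUser -SearchBase 'OU=Server Admins,DC=corp,DC=example' -Filter * -Properties LogonWorkstations |
    Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
    Select-Object SamAccountName, DistinguishedName
```

The attribute takes NetBIOS computer names, not FQDNs, and it is a per-account guardrail enforced at logon time. For a whole tier of admin accounts it is worth pairing with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights assigned to the server-admin group via Group Policy on workstations, so the FNG in the story is stopped even if someone forgets to set the list on a new account.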
 
You can actually get around this. It isn't precisely that the applications need "administrative" rights to run. That's a common misconception. Rather, the areas of the registry, or certain files and folders, aren't configured by default to allow non-admin access to them. If you understand the Windows permission set you can create a batch file, leveraging the cacls command, to deal with most of it. You can use a registry monitor to determine what parts of the registry are used by a given piece of software, and then alter the permissions where you need to.

Any recommendation?
 
And that's the truth!!!!!

Our team is one of the few that still does... though we are planning on changing that.

A few years back (I think it was Conficker), at another place I worked, a network admin got the virus, and since they all used their normal accounts for everything, all the servers got infected.

They must have cleaned most twice before they figured out it was their own accounts and access. They ended up literally shutting down ALL servers and keeping them down as they cleaned and blocked processes on workstations, etc.

The next week they got smart and created server admin accounts to prevent this from happening again...

The following week after that I watched a network admin (who we called FNG after 2+ years, lol) log in to his workstation with said server admin account... :confused::eek:

The last couple of places I've worked, even the IT staff lacks administrative privileges outside of non-production environments. You have to check out an admin account via an enterprise password vault to do anything. Only managers can approve that.
 
Simple fact is, backwards compatibility is going to trump security any day of the week. Even with UAC enabled, folks may not pay attention to what they are doing and install something anyways. Or, look at it like this: When Vista came out with the then new security setup, programs started having major issues that used to work without a problem.

Folks on this forum and others got all upset when a UAC prompt would ask them if they wanted to install that program or not. Then the FUD flew and folks claimed that UAC would come up every time you ran any program at all or just sneezed at the computer. :rolleyes: The security issue is the fault of the program providers and nothing else. Microsoft cannot force these things to occur because it would just end up breaking way too many things.

Yes, Linux was built with a least common denominator user built in. However, the programs are created with that from the start but, backwards compatibility is also hurt in the process. We have what we have because of the way we wanted things to be, deal with it.
 
We use PowerBroker. Don't get me started on that one.....
 
Almost any business that is running old software will have this problem.

I'd love to restrict admin access for the general office users, but we still have a couple of old applications that require local admin access. It was a challenge to get them working on 32-bit Windows 7, as they were originally written for Windows 2000, but at least I managed to get rid of the old XP systems.
 
Almost any business that is running old software will have this problem.

I'd love to restrict admin access for the general office users, but we still have a couple of old applications that require local admin access. It was a challenge to get them working on 32-bit Windows 7, as they were originally written for Windows 2000, but at least I managed to get rid of the old XP systems.

The age of the software has little to do with it. Many if not most modern applications require access to certain folders or registry keys which are normally restricted for standard users.

But those applications do NOT require admin rights. That's a myth. If you granted the user's permissions to the areas of the registry and folders those applications call to, they could run without admin access.
 
Duh...

I've been telling everyone for years that the surest way to avoid getting hit with something is to use the computer without admin rights. I even show them how or set it up for them. Most of the time, they're too fucking lazy or stupid to be able to run in that way. I know, I know... it's really difficult to key in a password when you're installing new software or changing a system setting.

I don't know what I was thinking. :rolleyes:

There's a lot more to it than that. It's not just a matter of installing new software. There are a LOT of programs that pretty much demand to have admin rights in order to operate. These programs change settings in files in their own folders instead of using the user level registry, thus they can't operate unless the user has admin rights. Also, there are update functions in many programs that need admin rights. These are modern programs that have come out since Windows 7, some of them even have come out since Windows 10. Before the Battle.net client, WoW's updater would require admin rights to run the game. Windows 7's UAC would actually stop the game from running when it first came out. We had to turn it off to run the game until Blizzard finally fixed that. Star Trek Online was horrible about that in Windows 8 as well.

Back in the old days, it was far, far worse. Heck, back in the XP days, there was even a Canon all-in-one print driver that demanded the user turn off system file protection to install as well as have full admin rights in order to operate. Back in the Windows 95 days, I identified 27 different versions of mfc42.dll, a main system file, that were installed from different programs that I was supposed to support that had many different functions. We had to be careful to install programs in the right order so we would get versions of system files that would allow all the different programs to run. There were some programs that simply could not coexist on the same system because of different system library files.

The first and foremost thing that needs to change is the habits of software developers. There are so many stupid-and-arrogant software developers who have horrible habits and yet think their methods are the only way to do it. Others try to tell them to do it different ways, and they refuse to change at all. I have had to deal with so many incredibly arrogant software developers who think they own the world just because they're developers. It's a culture thing, and the managers of these guys need to get them under control.

Get the developers under control, and we can get this under control and allow people to run computers without having admin rights.
 
The age of the software has little to do with it. Many if not most modern applications require access to certain folders or registry keys which are normally restricted for standard users.

But those applications do NOT require admin rights. That's a myth. If you granted the user's permissions to the areas of the registry and folders those applications call to, they could run without admin access.

Wrong. In Windows 7, modifying or replacing files in any area of the C: drive except for the User folder requires UAC access, no matter the permissions. That means having to enter the admin account and password to run certain programs EVERY TIME IT WOULD RUN. Do you have any idea how annoying that is? I tried installing World of Warcraft to a different drive to bypass that, and I still had an issue unless I specifically told Windows 7 to not use user access control on that drive, which is not an easy thing to do. Star Trek Online requires three different password entries from UAC to run from the Arc client if you don't have admin rights.

Windows 8 kind of corrected that. It could allow for programs to modify other files in their own folders in the "Program Files(x86)" folder, but not outside of that. Other drives still have issues unless specifically told to not protect that drive.

There are, of course, ways programmers could avoid such things. Things Microsoft publishes as best practices with every OS release. Things like using the local data folder in a user's profile and/or using the user level registry to keep keys for settings. Many programmers simply refuse to use those.
 
Our policy is LUA. And I use that policy personally as well after seeing how many times it saved the company's ass. My home computers are not used in admin, neither are my work computers.

At work I am part network admin, part developer, and the few elevated prompts I get during a work day haven't proved all that inconvenient. It takes seconds to type in a password, it could take days to weeks to recover from being compromised.
 
Wrong. In Windows 7, modifying or replacing files in any area of the C: drive except for the User folder requires UAC access, no matter the permissions. That means having to enter the admin account and password to run certain programs EVERY TIME IT WOULD RUN. Do you have any idea how annoying that is? I tried installing World of Warcraft to a different drive to bypass that, and I still had an issue unless I specifically told Windows 7 to not use user access control on that drive, which is not an easy thing to do. Star Trek Online requires three different password entries from UAC to run from the Arc client if you don't have admin rights.

Windows 8 kind of corrected that. It could allow for programs to modify other files in their own folders in the "Program Files(x86)" folder, but not outside of that. Other drives still have issues unless specifically told to not protect that drive.

There are, of course, ways programmers could avoid such things. Things Microsoft publishes as best practices with every OS release. Things like using the local data folder in a user's profile and/or using the user level registry to keep keys for settings. Many programmers simply refuse to use those.

Fair enough. I disabled the UAC on other drives besides C:\. As for developers, that's the biggest problem with software developers outside of Microsoft. They don't follow Microsoft's best practices guidelines.
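The best-practice locations mentioned in the two posts above (the local data folder in the user's profile and the user-level registry hive) are easy to check for yourself. The following is an added PowerShell example, not code from the thread: it probes whether the current token can write to the per-user locations (%LOCALAPPDATA%, HKCU) versus the machine-wide ones (Program Files, HKLM), reports whether the token is elevated, and shows a settings writer that uses the per-user hive so it needs no admin rights. The vendor/application name 'ExampleVendor\ExampleApp' is hypothetical.

```powershell
# Added example (not from the thread). Probes which config locations the current
# token can write to, and shows a settings writer that uses the per-user registry
# hive instead of HKLM or Program Files. 'ExampleVendor\ExampleApp' is hypothetical.

function Test-IsElevated {
    # True when the process token holds the Administrators role (i.e. past UAC).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWrite([string]$Path) {
    # Create and delete a uniquely named probe under $Path; access denied => $false.
    $probe = 'probe-' + [guid]::NewGuid().ToString('N')
    try {
        if ($Path -like 'HK??:*') {
            $k = New-Item -Path $Path -Name $probe -ErrorAction Stop
            Remove-Item -LiteralPath $k.PSPath -ErrorAction Stop
        } else {
            $f = Join-Path $Path "$probe.tmp"
            [IO.File]::WriteAllText($f, 'x')      # throws UnauthorizedAccessException when denied
            Remove-Item -LiteralPath $f -ErrorAction Stop
        }
        return $true
    } catch {
        return $false
    }
}

function Save-UserSetting([string]$App, [string]$Name, $Value) {
    # Per-user hive: writable by a standard user, no UAC prompt, no admin rights.
    $key = "HKCU:\Software\$App"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name $Name -Value $Value
}

$app = 'ExampleVendor\ExampleApp'
$locations = [ordered]@{
    'per-user  %LOCALAPPDATA%'  = $env:LOCALAPPDATA
    'per-user  HKCU:\Software'  = 'HKCU:\Software'
    'machine   Program Files'   = $env:ProgramFiles
    'machine   HKLM:\SOFTWARE'  = 'HKLM:\SOFTWARE'
}

"Elevated token: $(Test-IsElevated)"
foreach ($entry in $locations.GetEnumerator()) {
    "{0,-26} {1,-40} writable={2}" -f $entry.Key, $entry.Value, (Test-CanWrite $entry.Value)
}

# Where the settings belong: this succeeds from a plain standard-user session.
Save-UserSetting -App $app -Name 'LastOpened' -Value (Get-Date).ToString('o')
Get-ItemProperty -LiteralPath "HKCU:\Software\$app" | Select-Object LastOpened
```

Run it twice, from a plain prompt and from an elevated one: the two per-user locations are writable both times, Program Files and HKLM only under the elevated token. One caveat when testing a legacy program rather than this script: a 32-bit interactive program with no manifest that writes into Program Files or HKLM from a non-elevated token does not get an error at all, because UAC file and registry virtualization silently redirects the write into the user's VirtualStore. That is why such programs can appear to work for one user and lose their settings when the same user later runs them elevated.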
 
do people run everything as root on *nix systems? of course not...so I don't get why some people run everything as admin on Windows
 
do people run everything as root on *nix systems? of course not...so I don't get why some people run everything as admin on Windows

Because it's an easier fix than implementing proper controls. People also bitch and whine that they can't install some bullshit freeware utility that adds emoticons to their E-Mails or some such shit and bitch until some administrator gives them what they want.
 
do people run everything as root on *nix systems? of course not...so I don't get why some people run everything as admin on Windows

Actually, yes, there are programs that have to be run as root in Linux, AIX, and HP-UX. (I'm the admin in a server backup software and hardware test lab. We test backup to tape libraries, disk-based, and cloud-based systems.) Every single backup program we test has to be run as root. It needs that access to access FC devices, such as tape libraries, and disk-based backup programs. Also, in order to back up the system files, it needs full root access.

So, yeah, this problem does stem into the Linux and Unix arena.
 
do people run everything as root on *nix systems? of course not...so I don't get why some people run everything as admin on Windows

Because, unlike Windows, stuff works when running as a non-root user, whereas Windows and/or apps running on it get broken in the most horrible and excruciating ways.
 
Actually, yes, there are programs that have to be run as root in Linux, AIX, and HP-UX. (I'm the admin in a server backup software and hardware test lab. We test backup to tape libraries, disk based, and cloud based systems.) Every single backup program we test has to be run as root. It needs that access to access FC device, such as tape libraries and disk based backup programs. Also, in order to back up the system files, it needs full root access.

So, yeah, this problem does stem into the Linux and Unix arena.

Testing something that normally runs as a cronjob hardly applies to this discussion.
 
The last couple of places I've worked, even the IT staff lacks administrative privileges outside of non-production environments. You have to check out an admin account via an enterprise password vault to do anything. Only managers can approve that.

It's been the same at every place I've worked at, too. I know my dad bitches about this all the time at his job, but he still understands why the policy is in place.
 
MS has released a new version of EMET, version 5.5. However, they say it's no longer needed as it's all included in 10, etc.

Hmmm, how come then most of it is switched off by default? Oh yes, that's right: if MS switched it all on (as they should), masses of old and improperly coded software would no longer work.

EMET is still needed as a one-stop control centre to make sure it's all switched on.

Microsoft Windows: plenty of security... shame it's all switched off by default.

Well, we can't have all those old Counter-Strike fans being disappointed, can we?
 
It's because most people think they know what they're doing. I'm guilty of running as an admin, though.

Yes but there is a difference between a home user on his personal computer using the admin account or a user account in the admin group for everything, and an Administrator logging in and using his Admin account with elevated privileges in order to check his email and update his documentation and other tasks which don't require that level of rights.
 
The age of the software has little to do with it. Many if not most modern applications require access to certain folders or registry keys which are normally restricted for standard users.

But those applications do NOT require admin rights. That's a myth. If you granted the user's permissions to the areas of the registry and folders those applications call to, they could run without admin access.

Dan is right - VxWorks is a great example of this. Our version is OLD - like 98/2K old. It works fine as a standard user *IF* you give the *everyone* account complete and full access to the WindRiver registry keys, c:\TEMP and the folder it is installed in.

Realizing that required about 3 days of my time but has saved so much hassle since then.
 
Dan is right - VxWorks is a great example of this. Our version is OLD - like 98/2K old. It works fine as a standard user *IF* you give the *everyone* account complete and full access to the WindRiver registry keys, c:\TEMP and the folder it is installed in.

Realizing that required about 3 days of my time but has saved so much hassle since then.

Well, when I mentioned the point about administrator rights being a myth, I hadn't really considered UAC. dgingeri is right in that UAC adds additional complexity into the mix.
 
Well, when I mentioned the point about administrator rights being a myth, I hadn't really considered UAC. dgingeri is right in that UAC adds additional complexity into the mix.

I agree Dan (great name btw) that admin perms usually can be gotten around... I still consider the vendor at fault for designing such and don't think calling them "myths" is helpful (while accurate). For the reason you stated, support etc. I still label/consider them as requiring admin rights.

Out of the 1000 or so packages my work maintains (which I have reviewed each and everyone), I would guess only a handful needed some goofy runas work around.

UAC does add a whole other layer... I am at the point where if I hear the word shim I might punch someone (don't ask me why, they just bug me). Even Win7 ADUC has odd UAC behavior... with admin rights it will prompt, no admin rights no prompt... both are functional.
 
Dan is right - VxWorks is a great example of this. Our version is OLD - like 98/2K old. It works fine as a standard user *IF* you give the *everyone* account complete and full access to the WindRiver registry keys, c:\TEMP and the folder it is installed in.

Realizing that required about 3 days of my time but has saved so much hassle since then.

Did you try the local users account or authenticated domain users?

I always avoid the everyone account.
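The cacls/registry-monitor recipe from earlier in the thread and the VxWorks exchange just above describe the same procedure: find the folders and keys the program touches, then grant standard users rights to just those. The block below is an added PowerShell example, not code from any poster, that does the grant with two tightenings the last reply argues for: the grant goes to Authenticated Users (SID S-1-5-11) rather than Everyone, and it is Modify rather than Full Control, so users cannot rewrite the ACL or take ownership. It assumes an elevated prompt, that the paths were already identified (Sysinternals Process Monitor filtered on Result = ACCESS DENIED is the usual "registry monitor" for that step), and that 'C:\LegacyApp', 'C:\TEMP' and 'HKLM:\SOFTWARE\LegacyVendor' stand in for the real locations.

```powershell
# Added example (not from the thread): let a legacy application run as a standard
# user by granting Authenticated Users Modify on its own folders and registry keys.
# Run once from an elevated prompt. 'C:\LegacyApp', 'C:\TEMP' and the
# 'LegacyVendor' keys are hypothetical placeholders for what Process Monitor found.

$Paths = 'C:\LegacyApp', 'C:\TEMP'
$Keys  = 'HKLM:\SOFTWARE\LegacyVendor', 'HKLM:\SOFTWARE\WOW6432Node\LegacyVendor'
$Group = 'NT AUTHORITY\Authenticated Users'     # S-1-5-11; used instead of Everyone

# -- 1. Folders: back up the ACLs, then add an inherited (OI)(CI) Modify grant --
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    $backup = Join-Path $env:TEMP ((Split-Path $p -Leaf) + '.acl')
    icacls $p /save $backup /t | Out-Null        # roll back later with: icacls <parent> /restore $backup
    icacls $p /grant "*S-1-5-11:(OI)(CI)M"       # * = SID form, so it works on any UI language
}

# -- 2. Registry keys: the Modify equivalent (no WriteDAC, no TakeOwnership) --
$sid    = New-Object Security.Principal.SecurityIdentifier 'S-1-5-11'
$rights = [Security.AccessControl.RegistryRights]::QueryValues     -bor
          [Security.AccessControl.RegistryRights]::SetValue        -bor
          [Security.AccessControl.RegistryRights]::CreateSubKey    -bor
          [Security.AccessControl.RegistryRights]::EnumerateSubKeys -bor
          [Security.AccessControl.RegistryRights]::Notify          -bor
          [Security.AccessControl.RegistryRights]::ReadPermissions -bor
          [Security.AccessControl.RegistryRights]::Delete
$rule = New-Object Security.AccessControl.RegistryAccessRule(
    $sid, $rights,
    [Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [Security.AccessControl.PropagationFlags]::None,
    [Security.AccessControl.AccessControlType]::Allow)

foreach ($k in $Keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }   # only one of the 32/64-bit views may exist
    $acl = Get-Acl -LiteralPath $k
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $k -AclObject $acl
}

# -- 3. Verify: what a standard user now holds on each location --
foreach ($k in ($Keys | Where-Object { Test-Path -LiteralPath $_ })) {
    (Get-Acl -LiteralPath $k).Access |
        Where-Object { $_.IdentityReference -eq $Group } |
        Select-Object @{n='Key'; e={ $k }}, IdentityReference, RegistryRights, IsInherited
}
foreach ($p in $Paths) { icacls $p }
```

After this, test from a real standard-user session rather than an elevated one, since an admin token will never hit the denials you are trying to remove. If the program still fails, the remaining entries in Process Monitor tell you which path to add; resist the temptation to widen the grant to the whole of Program Files or HKLM\SOFTWARE, because that hands any malware running as the user the same write access it would have had with the admin rights you just took away.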
 
Windows Vista fixed this and everyone bitched and cried about it. UAC forced your account into limited user mode and then requires you to give permission to programs that needed to run in admin mode. And everyone turned into whiny little cunts so they removed it to make everyone shut up
 
do people run everything as root on *nix systems? of course not...so I don't get why some people run everything as admin on Windows

Because they have old, poorly written applications they need to run. These are custom-written apps that are so old, the only choice is to find/write a new application to replace them.
So, until these old apps at the office are replaced, I don't have a choice.

I even had to disable a number of file system settings on Server 2003, just so I could upgrade from Server 2000.

They really are not going to have a choice but to replace the software over the next couple of years. We upgraded the workstations to i3's (from old P4's) and the higher speed is causing occasional problems. They really needed to be replaced due to other software they need to run. Plus, I was not able to get the software to work under 8.0 or later, so they can't use any of the newer laptops that don't support Windows 7.
 