Practical Computing Advice and Tutorials

Fri: 22 Nov 2019


Admin or User

Generally speaking, a computer operating system has two modes of operation: Administrator Mode and User Mode. Each mode is tied to a type of account: "Standard Accounts" run in User Mode, while "Administrator Accounts" (also called "Privileged Accounts") run in Administrator Mode. The names really speak for themselves, and you can have as many accounts as you need.

Today, computers are relatively inexpensive, so the notion of a shared computer is less relevant than it once was. That said, I believe that younger family members should not have Admin Accounts; Parents/Guardians should still be the Administrators of the system.

User Accounts

With a shared computer, every user should have their own User Account. This introduces some separation between documents and settings, as each user will have their own space in which to work, which can be customised, and no user will be able to see any documents that do not belong to them or that are not being 'shared'.

Even if you are the ONLY user of the computer, you should have a minimum of two accounts: one User Account and one Admin Account. Only ever use the Admin Account for major changes to the operating system; everything else can be, and should be, done from any of the User Accounts.

Administrator Accounts (a.k.a. Admin)

If you own the computer you use and/or can alter the way that it works by installing and/or removing applications, you are the "Administrator" of that system. With this title comes great power, and with great power comes great responsibility.

There is NO reason to be running a system as an Admin user if you're not doing any administrative work. Even if you are doing administrative work, such as system updates or installing a new App, this can be done from a User Account, by way of the Admin Password, when asked for by the system.

If you're administering a system for multiple users, it's advisable to use an Admin Account when installing new Apps, so that all users have access to the Apps, if that's what you want. If not, then restrictions can be applied to Apps that you don't want other users to have access to, such as Finance Apps and the like.
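The account advice above (everyday work in a standard account, admin rights held by a separate account) can be checked mechanically. The following is an added example, not code from the original page; it assumes a Linux-style system, and the admin group names, the UID threshold and the sample accounts are constructed assumptions.

```python
# Added example: audit passwd/group data against the account advice above.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}  # assumption: groups the sudoers policy trusts
MIN_HUMAN_UID = 1000                       # assumption: common Linux default for people
NO_LOGIN = ("nologin", "false")            # shells that mark service accounts
# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
parent:x:1000:1000:Parent:/home/parent:/bin/bash
parent-admin:x:1001:1001:Parent (admin):/home/parent-admin:/bin/bash
kid:x:1002:27:Kid:/home/kid:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:parent-admin
"""

def admin_groups(group_text):
    """Return (member names, gids) for every admin group in the group file."""
    names, gids = set(), set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS:
            gids.add(int(fields[2]))
            names.update(m for m in fields[3].split(",") if m)
    return names, gids

def audit(passwd_text, group_text, current_user):
    """Classify login accounts and report departures from the advice."""
    names, gids = admin_groups(group_text)
    admins, standard, findings = [], [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[6].endswith(NO_LOGIN):
            continue  # malformed line, or a service account with no login shell
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        # Admin if UID 0, listed in an admin group, or that group is the primary group.
        if uid == 0 or name in names or gid in gids:
            admins.append(name)
        elif uid >= MIN_HUMAN_UID:
            standard.append(name)
    if current_user in admins:
        findings.append(f"{current_user}: everyday session is running with admin rights")
    if not standard:
        findings.append("no standard account exists for everyday work")
    return {"admins": admins, "standard": standard, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_GROUP, "parent-admin"))
```

In the sample, `kid` is not listed as a member of `sudo` but has it as primary group (GID 27), a case that an audit reading only the group file's member list would miss.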

Each year, starting in 2013, Avecto issues a report called "Microsoft Vulnerabilities Study: Mitigating risk by removing user privileges", with the title of each report being prefixed with the year that the report covers. These reports are compiled from security bulletins issued by Microsoft and cover vulnerabilities that could be mitigated by removing admin rights.

Key Findings

2013

  • Of the 147 vulnerabilities published by Microsoft in 2013 with a Critical rating, 92% were concluded to be mitigated by removing administrator rights
  • 96% of Critical vulnerabilities affecting Windows operating systems could be mitigated by removing admin rights
  • 100% of all vulnerabilities affecting Internet Explorer could be mitigated by removing admin rights
  • 91% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
  • 100% of Critical Remote Code Execution vulnerabilities and 80% of Critical Information Disclosure vulnerabilities could be mitigated by removing admin rights
  • 60% of all Microsoft vulnerabilities published in 2013 could be mitigated by removing admin rights

2014

  • Of the 240 vulnerabilities published by Microsoft in 2014 with a Critical rating, 97% were concluded to be mitigated by removing administrator rights
  • There has been a 63% year on year rise in Critical vulnerabilities since 2013
  • 98% of Critical vulnerabilities affecting Windows operating systems could be mitigated by removing admin rights
  • 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights
  • 95% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
  • 97% of Critical Remote Code Execution vulnerabilities could be mitigated by removing admin rights
  • 80% of all Microsoft vulnerabilities reported by us in 2014 could be mitigated by removing admin rights.

2015

  • Of the 251 vulnerabilities in 2015 with a Critical rating, 85% were concluded to be mitigated by removing administrator rights
  • There has been a 52% year on year rise in the volume of vulnerabilities since 2014
  • 86% of Critical vulnerabilities affecting Windows could be mitigated by removing admin rights
  • 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights
  • 82% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
  • 85% of Remote Code Execution vulnerabilities could be mitigated by removing admin rights
  • 82% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights
  • 63% of all Microsoft vulnerabilities reported in 2015 could be mitigated by removing admin rights

2016

  • Of the 189 vulnerabilities in 2016 with a Critical rating, 94% were concluded to be mitigated by removing administrator rights
  • 66% of all Microsoft vulnerabilities reported in 2016 could be mitigated by removing admin rights
  • There has been a 62% rise in the total volume of vulnerabilities since 2013
  • 100% of vulnerabilities impacting Microsoft’s latest browser Edge could be mitigated
  • 100% of vulnerabilities in Internet Explorer could be mitigated by removing admin rights
  • 99% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
  • Despite being labeled as the “most secure” Windows OS ever, Windows 10 had the highest proportion of vulnerabilities (395) compared to any other OS
  • The volume of Windows 10 vulnerabilities was 46% higher than Windows 8 and Windows 8.1
  • 93% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights
  • From 2013 to 2016, there was a 63% increase in the total number of Windows vulnerabilities reported

2017

  • In 2017, 587 vulnerabilities were reported across Windows Vista, Windows 7, Windows RT, Windows 8/8.1 and Windows 10 operating systems. This is a record high, coming in 232 vulnerabilities more than last year’s report, and marking a 132% increase on the numbers from 5 years ago.
  • Critical vulnerabilities in Microsoft browsers are up by 46% since 2013.
  • There has been a 54% increase in Critical Microsoft vulnerabilities since 2016 and 60% in five years (2013-2017).
  • The number of reported vulnerabilities has risen 111% over five years (2013-2017).
  • Removing admin rights would mitigate 80% of all Critical Microsoft vulnerabilities in 2017.
  • 95% of Critical vulnerabilities in Microsoft browsers can be mitigated by removing administrator rights.
  • There has been an 89% increase in Microsoft Office vulnerabilities in the past five years.
  • Almost two thirds of all Critical vulnerabilities in Microsoft Office products are mitigated by removing admin rights.
  • Despite being widely regarded as the most secure Windows OS ever, Windows 10 vulnerabilities rose by 64% in 2017.
  • Removing admin rights would mitigate almost 80% of Critical vulnerabilities in Windows 10 in 2017.
  • 88% of all Critical vulnerabilities reported by Microsoft over the last five years would have been mitigated by removing admin rights.

It should be fairly clear to anyone reading this that removing admin rights is the number one way that vulnerabilities can be mitigated.

The bottom line is, if the system is running in an Admin mode, anything can be run in the background with no intervention from you. This could be malware and you'd be completely unaware of it.