A new study from BeyondTrust, a software developer focused on solutions for managing privileges in Windows, has some interesting results for organizations that have made the switch to Windows 7.
The main finding is that 90 percent of critical vulnerabilities in Windows 7 are mitigated simply by not allowing standard users to run with administrator privileges. Windows 7, like its predecessor, Windows Vista, has a variety of security features and controls that do not exist in Windows XP, such as tighter control of access to the system kernel, DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), and MIL (Mandatory Integrity Level). None of these security controls is a “silver bullet” defense by itself.
However, ASLR combined with other security features such as DEP and the security aspects of UAC (User Account Control) helps Windows 7 (and Windows Vista) defend itself against many threats that would work against Windows XP and other operating systems. Do not confuse “safe” with “impenetrable”, though. At the recent CanSecWest Pwn2Own competition, a security expert was able to circumvent the ASLR and DEP security measures and take advantage of a vulnerability in Internet Explorer 8 to take control of the target Windows 7 computer.
However, as the BeyondTrust study shows, even if an attacker can get past the Windows 7 defenses, most malicious code is stopped in its tracks simply by the fact that the user is not set up as an administrator. The reason is that malicious code usually runs with the rights and privileges of the logged-on user. When that user is a standard user, the malicious code runs in the standard user context, which limits the attack because it cannot run critical system functions.
A press release from BeyondTrust quotes Steve Kelley, EVP of corporate development: “Enterprises continue to face imminent danger from zero-day attacks as new vulnerabilities are exploited before patches can ever be developed and deployed. Our findings reflect the critical role that restricting administrator rights plays in protecting against these types of threats.
“Companies migrating to Windows 7 must be aware that, despite improved security features in the new operating system, better controls for administrative privileges are required for reasonable protection.”
The BeyondTrust study also found that removing administrator rights can mitigate 94 percent of all Internet Explorer vulnerabilities (100 percent for Internet Explorer 8), 100 percent of all Microsoft Office vulnerabilities, and 64 percent of all Microsoft vulnerabilities reported in 2009.
This should not come as a real surprise to most IT administrators. Security professionals have repeated the mantra of not letting standard users run with administrator privileges for as long as those privileges have existed. What has changed, though, is that Microsoft has heard feedback from the field about the problems customers run into when they configure workers as standard users, and has implemented changes to address these concerns.
You can expect user backlash, especially from executive-level management, who prefer to have God-like powers to install and remove whatever software they choose on the system. However, setting aside the broader legal and security issues, as well as the support complexity introduced by letting users have administrator privileges, the bottom line is that simply switching Windows 7 users to standard user accounts can prevent nearly two-thirds of potential attacks.
Wouldn’t you have much more time for more proactive and important tasks–and wouldn’t you sleep better at night–by implementing this one simple change?