For #ThrowBackThursday, I thought it would be good to pull out an oldie but goodie. The original post was on the “Jeff Jones Security Blog” back before the blog evolved into the Microsoft Security Blog.
I’m including the full original text below, but this guidance applies today to whatever PC you are running. I hope you enjoy and welcome any comments you might have here or on @securityjones.
Best regards, Jeff
Be Safer - Run as Standard User
I do my work as a standard user on Windows 7, just as I did with Windows Vista. It is not a burden. When I need to do an admin task, I put on my “admin” hat by switching to my admin account specifically and doing my admin thing and then logging off. I don’t browse, I don’t download stuff, and beyond the first week or so when I set up a new machine, I don’t really need to do it that often. I think it is a best practice. Combine it with the improvements in Win7 and IE8 and we’ve come a long way from where we started…
Here is a news story that provides some supporting evidence for my best practice.
(Dark Reading) Taking away the administrative rights from Microsoft Windows 7 users will lessen the risk posed by 90 percent of the critical Windows 7 vulnerabilities reported to date and 100 percent of the Microsoft Office vulnerabilities reported last year.
It will also mitigate the risk of 94 percent of vulnerabilities reported in all versions of Internet Explorer in 2009 and 100 percent of the vulnerabilities reported in Internet Explorer 8 during the same time period.
Finally, it will reduce the danger posed by 64 percent of all Microsoft vulnerabilities reported last year.
These findings come from a study conducted by BeyondTrust, which perhaps unsurprisingly sells software that restricts administrative privileges.
The company argues that companies need its software to protect themselves, particularly during the time between Microsoft's publication of vulnerability information and the application of Microsoft's fixes.
[read the full article from Dark Reading, Windows 7 Less Vulnerable Without Admin Rights]
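A check that goes with the practice described above, as an added example that is not part of the original post: this PowerShell function reports whether the current logon is a standard user, an administrator account running with a UAC-filtered token, or an elevated administrator. The function name `Get-AdminExposure` is hypothetical, and the parsing assumes the English column names of `whoami /groups /fo csv`.

```powershell
# Added example, not from the original post.
# Get-AdminExposure is a hypothetical name chosen for this illustration.
function Get-AdminExposure {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators SID is enabled in this token,
    # i.e. the session is elevated.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group in the token, including the deny-only entry
    # that UAC leaves in an administrator's filtered token. IsInRole alone
    # would report such an account as "not admin".
    # Assumption: English column names (SID, Attributes) in the CSV output.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq $adminSid }

    if ($elevated) {
        $state = 'Elevated administrator'
    } elseif ($adminGroup) {
        $state = 'Administrator account, not elevated (UAC filtered token)'
    } else {
        $state = 'Standard user'
    }

    $attributes = $null
    if ($adminGroup) { $attributes = $adminGroup.Attributes }

    New-Object PSObject -Property @{
        User                 = $identity.Name
        State                = $state
        AdminGroupAttributes = $attributes
    }
}

Get-AdminExposure | Format-List User, State, AdminGroupAttributes
```

Only the `Standard user` result matches the setup the post recommends; the middle state is an administrator account that can still elevate from the same logon.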