
Don't blame Microsoft for the majority of Windows 7's security problems. According to a new report, most of these problems could have been prevented if Windows administrators exercised proper rights management. Poor rights management is dangerous on any platform -- Windows, Linux, or OS X.  (Source: Apple)
Most security problems with Windows 7 are the result of administrative inexperience, not inherent flaws, study indicates

A new study [PDF] by security researchers at BeyondTrust gives Microsoft's Windows 7 a thumbs up when it comes to security.  It finds that while the hundreds of thousands of active malicious users worldwide (if not millions) may be able, in some cases, to compromise the operating system, the risk of that happening can be greatly reduced with proper rights administration.

That may sound like common sense.  However, for years Windows has been the butt of jokes from the likes of Apple, Inc. and others for being "insecure" and "full of viruses".  

And to some extent that criticism was apt.  Windows has been the world's most used operating system for more than a decade, with over a billion active Windows users today.  That means cybercriminals have, in many respects, focused their attacks on Windows users rather than on Mac users, who hold a comparatively small market share.  And while past versions of Windows, such as Windows 2000, Windows XP, and Windows Vista, were relatively secure, they were often not secure enough to safeguard users from all dangers.

Proper management of administrative rights -- regardless of the OS -- has always been a good way to minimize attacks.  On Windows 7, though, which comes packed with new memory protections, BeyondTrust says that rights management can prevent not just some, but nearly all security risks.

It found in its study that 90% of Windows 7 vulnerabilities to date and 100% of Microsoft Office vulnerabilities found last year could have been safeguarded against by taking away users' administrative rights.  Doing so would also have protected against 94 percent of Internet Explorer vulnerabilities and 100 percent of Internet Explorer 8 vulnerabilities.  This is especially pertinent as hackers from China used flaws in Internet Explorer 6 to steal data from Google in late 2009.

Limiting administrative rights can be a bit inconvenient.  Often times power users may have to have administrative rights regranted and then taken back away under such a regime.  However, as the BeyondSecurity report indicates, the investment in time pays off.

States BeyondTrust EVP of corporate development Steve Kelley, "Enterprises continue to face imminent danger from zero-day attacks as new vulnerabilities are exploited before patches can ever be developed and deployed.  Our findings reflect the critical role that restricting administrator rights plays in protecting against these types of threats."

For what it's worth, Microsoft has been trying to preach this point for over a decade to Windows administrators.  A 1999 TechNet post from Microsoft informs, "Unauthorized or unknowledgeable people who have administrator privileges can maliciously or accidentally damage your organization if they copy or delete confidential data, spread viruses, or disable your network. It is vitally important to properly manage the users and groups that have administrative control over the servers and domain controllers in your network."

Comments

That is great but...
By mydogfarted on 3/30/2010 10:08:39 AM , Rating: 5
The average end user is too dumb to grasp the concept of Administrator vs User rights. This is a great idea in a corporate environment, where the systems are monitored/maintained by trained professionals (in theory).

RE: That is great but...
By Marlonsm on 3/30/2010 10:25:16 AM , Rating: 5
Right, as long as you don't run files like "YourPictures.exe", disable things like autorun and keep an up-to-date antivirus, you're safe.
I've never had problems with malware.

And as the article mentioned, Windows isn't the only vulnerable OS. OSX and even Linux also can have problems with malware.

The biggest problem is between the keyboard and the chair.

RE: That is great but...
By reader1 on 3/30/10, Rating: -1
RE: That is great but...
By dgingeri on 3/30/2010 10:55:23 AM , Rating: 4
People want a gatekeeper like they want a tyrant running the government.

I'm smart enough to take care of myself. I'd rather NOT have someone decide how I run my computer for me. I'd also rather not have someone tell me I have to buy my own healthcare, get car insurance, or get trigger locks and a safe for my guns.

Stupid and lazy people get what they deserve if they don't take care in how they do things. I don't want my rights curtailed just to keep stupid and lazy people from being harmed.

RE: That is great but...
By Motoman on 3/30/2010 11:56:38 AM , Rating: 5
That's all well and good for you, and people like you who *aren't* stupid enough to download that new "screensaver" they bumbled into online and install it on their PC - thereby installing malware out the ass and potentially compromising the company's network.

The VAST majority of users in this world think of their computer as an appliance that just does overgrown toaster. They haven't got the slightest idea of what the ramifications are of their unbridled enthusiasm to open every email and click every link they see, and install every new emoticon and cool cursor package they find.

...and they never will. NEVER. They will not EVER learn. Won't happen. Period, end of story.

Because people are idiots, companies have to protect themselves against their hired idiots. Hence, no admin rights. Those people have full reign on their home computers...if they really want to eff something up, let them do it at home. At work, their morony should be restricted.

RE: That is great but...
By dgingeri on 3/30/2010 2:29:19 PM , Rating: 3
I agree. There are many people who should have their computers locked down. I just don't want it forced on me because the general public is too stupid for their own good.

I happen to have been a desktop support tech for over 12 years. (I recently moved up to server support, and I'm back at college trying to get my degree in computer systems security.) I've had to remove viruses and fake antivirus malware repeatedly. I know that removing their admin rights would have been the best idea. For a corporate environment, that is the biggest security recommendation.

I just hope to god that MS and others don't lock down things so bad that I can't do anything anymore besides completely rebuild the machine when there's a problem. I've had to work at a place where all they did if a user had problems was just reimage the machine. That's totally mindless, boring work. It's so much better to actually fix things.

I was commenting on the post where the guy said that desktop operating systems would become totally closed systems. I hope to god that never happens.

RE: That is great but...
By bigdawg1988 on 3/30/2010 1:59:36 PM , Rating: 2
The article was a little misleading. I think they aimed this at corporate users, but didn't say so until the end. Should have said that this is for corporate administrators to apply to user computers. Admin access is rare wherever I've worked, although they finally gave me admin access when they realized I knew as much as they did and didn't do stupid stuff. That was at a relatively small company though. Larger companies ought to lock down the user pcs by default. Just think about that stupid ILUVU virus and how easy it was to spread. Yes, some people do need gatekeepers, especially in the business environment. What's worse, is that a lot of people need a gatekeeper at home too. But how do you do that? Too bad they make it where users have to login to get permission from Microsoft or someone before they can install any software. Experienced users can follow other instructions to get admin access on their computers. Maybe setup a fake website to test users. If they can't figure out the difference between good and bad links or e-mails then the admin gets locked up for a day until they learn how NOT to do dumb things. That's it! A test to prove you're eligible for admin rights! Is such a thing possible, or legal?

RE: That is great but...
By dgingeri on 3/30/2010 2:38:20 PM , Rating: 2
There is one thing that I liked about the Macs I've worked on. In order to do certain things, the root/administrator password has to be entered. I have my Windows 7 system set up that way. (It's a PITA to run WoW when a patch comes up, but that's part of the price we pay.)

To do this, first, reset the administrator password to something you would know. By default, the installer doesn't set a password for the administrator. Then remove your user account from the administrators group. Really easy. Then, whenever you want to install something, it pops up and asks for the administrator password. Enter it and you're good to go, mostly.

There are certain programs that won't install this way. My HP printer drivers are like that. Also, certain old games won't run without running them as admin, like Diablo II. However, I highly recommend using this.

Funny thing is, I had my whole system go down because of some "Fake.Antivirus.5" detection that happened weekend before last. I was thinking to myself "how in the heck did it get past my security? I don't have admin rights, I have updated AV, I have Spybot immunize the system weekly. What happened?!" Then I found out the following Monday, after I started rebuilding my system, that it was BitDefender falsely detecting all my .exes as that fake AV program.

My record of 5 years without a virus or any kind of spyware is still going.

RE: That is great but...
By Laitainion on 3/30/2010 3:58:44 PM , Rating: 2
Is that really necessary? Even if you just have UAC on the highest setting (so it always asks for elevation), does a password vs. yes/no dialog make any difference since, as far as I am aware, no one has managed to get round the secure desktop thing. The end result is effectively the same: anything wanting to install etc. has to ask you first which is surely the point.

RE: That is great but...
By Rhonda the Sly on 3/31/2010 6:20:32 AM , Rating: 2
The Windows 7 installer creates an Administrator level user account with UAC set to level 2 (notify on change). To do what you're doing the easy way all you have to do is create a Standard level account with UAC cranked to level 4. You do have an extra user account using up disk space but it's minimal. My Admin account is only 51MB.

RE: That is great but...
By Tony Swash on 3/30/2010 1:53:40 PM , Rating: 1
And as the article mentioned, Windows isn't the only vulnerable OS. OSX and even Linux also can have problems with malware.

Hypothetically it is proposed that they can but in the real world they actually don't.

RE: That is great but...
By Nekrik on 3/30/2010 2:57:17 PM , Rating: 2
There's nothing hypothetical about it, but they (those writing the malware) really are happy you think that way and truly hope you keep doing so.

RE: That is great but...
By Tony Swash on 3/30/2010 5:11:39 PM , Rating: 2
There's nothing hypothetical about it,

If there is nothing hypothetical about then please list any currently active MacOSX viruses that are circulating in the wild.

RE: That is great but...
By Nekrik on 3/30/2010 6:00:20 PM , Rating: 2
Go take a look around this site:

I'm not going to argue about semantics on what qualifies for a virus, trojan, malware, etc..., but to say OS X or Linux can only be hypothetically compromised is wrong, very wrong, but like I said, keep believing it and make the writers happy.

And reread your post, you included both OS X and Linux in your original comment, yet you responded with an OS X only comment, you have to be able to support the whole comment. They have both been compromised, end of story. And when OS X does get hit with a wide spread infection have fun watching Apple and their oh so well prepared security process go into action.

RE: That is great but...
By mathew7 on 3/31/2010 4:09:07 AM , Rating: 2
Ahem....I'm a GNU/linux fan and I KNOW it's not impossible to compromise it. It all goes to what resources are spent and what benefits do they get. And in this regards, Windows is the honey pot: high usage share and default "admin" configuration.

Believe me, GNU/linux and MacOS are hackable, but the gains of exploits are small. That is why you don't see viruses in the wild. When did you get a mail with "extract this tar and run the executable"?

RE: That is great but...
By druble on 3/30/2010 3:23:07 PM , Rating: 2
Haha, you have no clue.....Why don't you go to the Department of Homeland Security's website and just see how wrong you are. OSX and Linux have all sorts of viruses and exploits. Linux has an incredibly high amount of them. Almost comparable to Windows. I have also had friends with OSX have to reload OSX from viruses. Best educate yourself before spouting off with wild claims. There is nothing hypothetical about OSX and Linux having viruses. Heck, if you are one of the people who think they are bullet proof and don't even run a scanner, you may have one lurking around that you don't even know about. Another unknowing slave to the Apple/Linux bot nets. NO ONE IS SAFE! But smart users have little to worry about. Yes, I am a Windows user. I have Vista, 7, and XP on my computers at home. No viruses and no crashes ever. Why? Because I keep my VP and patches up to date, and don't install junk from random websites. In most cases with any operating system, it is not so much security in the OS, it is the user making poor decisions.

RE: That is great but...
By Tony Swash on 3/31/2010 6:06:23 AM , Rating: 2
Believe me, GNU/linux and MacOS are hackable, but the gains of exploits are small. That is why you don't see viruses in the wild. When did you get a mail with "extract this tar and run the executable"?

I'm not going to argue about semantics on what qualifies for a virus, trojan, malware, etc..., but to say OS X or Linux can only be hypothetically compromised is wrong, very wrong, but like I said, keep believing it and make the writers happy.

My point remains - although there is much talk about possible security problems with MacOSX, security holes that have been "discovered", vulnerabilities "that have been identified" - in the real world there are no (none, zero) viruses for MacOSX. I have run MacOSX since it was released nearly a decade ago, I have never installed any anti-virus or security software, I run the system as an administrator with the settings on the default as it comes out of the box, my system is connected to the internet via broadband 24 hours a day and I have never had the slightest security problem. I have dozens of friends and family members who have run MacOSX for years under identical conditions - the same - zero problems.

I repeat to those who claim
There is nothing hypothetical about OSX and Linux having viruses
I say again - offer me some evidence of an actual existing MacOSX virus spreading in the wild.

I know that the folks who live in the Windows world find such claims irritating and want to claim that the problems that they have and the restrictive practices that they have to endure are universal and not result of their choice of OS but sadly that is not true.

There are tens of millions of macs running MacOSX, even more running the version of MacOSX that runs on iPhones and soon on millions of iPads. We all know that if a virus writer could write a successful replicating virus for MacOSX he would immediately achieve huge fame and notoriety not to mention possible access to the personal information of a very potentially lucrative segment of the population. And yet oddly, apparently according to the safety through obscurity argument, it's simply that no one bothers to write a MacOSX virus. I don't buy it. I think if they could they would, the fact is they can't.

I leave you with a quote from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI. He told Scott Granneman of SecurityFocus, "that many of the computer security folks back at FBI HQ use Macs running OS X, since those machines can do just about anything: run software for Mac, Unix, or Windows, using either a GUI or the command line. And they're secure out of the box." Horse's mouth.

RE: That is great but...
By Nekrik on 3/31/2010 1:30:42 PM , Rating: 2

A quote from that last article:
"Adding to the problem is that many Apple aficionados still believe that by merely using the company's sleek machines they are somehow immune to being targeted.

"Even though there are indeed relatively fewer Mac malware [samples] compared with Windows, many Mac users who still believe they are somehow magically immune from attacks may run the risk of encountering any of these two," he said."

RE: That is great but...
By OnyxNite on 3/30/2010 10:27:28 AM , Rating: 5
It isn't even just "The average end user". I run without admin rights on my system (UAC prompts me for the Admin password when I need to do something that requires it) but I'm the only person I know who does. Most of my friends are "computer geeks" many run linux and some are even professional solaris admins and while they would NEVER consider running as root on their linux/solaris boxes EVERY SINGLE ONE of them run with Admin rights on their Windows boxes (some with blank passwords even!?!)

RE: That is great but...
By bhieb on 3/30/2010 11:41:53 AM , Rating: 3
Yep and I bet they are the first ones to complain about how Windows security sucks, and they've never had problems with Linux, but have had viruses on windows.

RE: That is great but...
By The0ne on 3/30/2010 11:52:30 AM , Rating: 2
haha I'm guilty of this! :) Although my system is rather secure I do rarely need the admin account privileges. Thing is I'm too comfortable with the setting until something happens.

RE: That is great but...
By Smilin on 3/30/2010 12:51:49 PM , Rating: 2
LOL you're not running as a user.

UAC won't prompt for admin credentials if you're running as a user.

The only way you get a UAC prompt is if you're running as an admin and the admin portion of your split token gets accessed.

UAC settings will determine if you get an OK/Cancel or a prompt for full credentials but in both cases it means you are running as an admin.

RE: That is great but...
By MrDiSante on 3/30/2010 3:26:09 PM , Rating: 4
No. You're an idiot who's obviously never run Vista/7 as a user.
1) Make a user account (I'm not going to provide instructions, when you need them, look them up on the web if you're up to the challenge). Log on as that user
2) Click on the clock that is located at the bottom right of your screen
3) Press "Change date and time settings..."
4) Press "Change date and time..."
5) Enter the username/password from your user account
6) Watch it deny you
7) Enter the username/password from your admin account
8) Watch it allow you
9) Write another stupid post defending your stupidity

RE: That is great but...
By gmyx on 3/31/2010 11:08:00 AM , Rating: 1
1) Make a user account [...]
5) Enter the username/password from your user account
6) Watch it deny you
7) Enter the username/password from your admin account
8) Watch it allow you

Eh no... you're still not running an admin account. You've just got an admin token from the admin account for that process. It's called impersonation.

The problem sometimes is spawned processes do not get the admin token and only get the user token.
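The setups argued over in this thread (a standard account that gets asked for the administrator password, versus an administrator account that UAC runs with a filtered token until it is elevated) can be told apart from the SIDs in the process token. The following is an added example, not code from the article or from any commenter; the function names `Get-TokenState` and `Get-UacPromptPolicy` are hypothetical and the sample rows are constructed. It assumes the `whoami.exe` and PowerShell 2.0 that ship with Windows 7.

```powershell
# Added example: classify the current process token and read the UAC prompt policy.
# Only SIDs are compared, so the result does not depend on the display language.

$AdminSid       = 'S-1-5-32-544'                   # BUILTIN\Administrators
$ElevatedLevels = 'S-1-16-12288', 'S-1-16-16384'   # High and System integrity

function Get-TokenState {
    param(
        # Rows of "whoami /groups /fo csv /nh"; a parameter so samples can be fed in.
        [string[]]$GroupCsv = (whoami /groups /fo csv /nh)
    )
    $sids = $GroupCsv | Where-Object { $_ } |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes |
        ForEach-Object { $_.SID }

    # No Administrators SID at all: a genuine standard user. Elevation then
    # needs another account's credentials, as in the date/time steps above.
    if ($sids -notcontains $AdminSid) { return 'StandardUser' }

    # Administrators SID plus High/System integrity: the full token is in use.
    if ($sids | Where-Object { $ElevatedLevels -contains $_ }) { return 'AdminElevated' }

    # Administrators SID present but integrity below High: the UAC-filtered
    # half of a split token, where the group is kept for deny checks only.
    return 'AdminFiltered'
}

function Get-UacPromptPolicy {
    # Policy values that decide what the elevation prompt looks like.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        UacEnabled         = ($p.EnableLUA -eq 1)
        # 2 = consent on secure desktop, 1 = credentials on secure desktop,
        # 5 = consent for non-Windows binaries (Windows 7 default), 0 = no prompt
        AdminPrompt        = $p.ConsentPromptBehaviorAdmin
        # 0 = deny automatically, 1 = credentials on secure desktop, 3 = credentials
        StandardUserPrompt = $p.ConsentPromptBehaviorUser
        SecureDesktop      = ($p.PromptOnSecureDesktop -eq 1)
    }
}

# Constructed sample rows, not captured from a real machine.
$sampleStandard = @(
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"',
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)
$sampleFiltered = @(
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"',
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)
$sampleElevated = @(
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"',
    '"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'
)

"Sample standard user : $(Get-TokenState -GroupCsv $sampleStandard)"
"Sample admin, UAC on : $(Get-TokenState -GroupCsv $sampleFiltered)"
"Sample elevated admin: $(Get-TokenState -GroupCsv $sampleElevated)"
"This process         : $(Get-TokenState)"
Get-UacPromptPolicy
```

A process started through a credential prompt runs under the administrator account that was entered, so running the script there reports that account's token rather than the logged-on standard user's.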

RE: That is great but...
By v3rt1g0 on 3/31/2010 11:23:50 PM , Rating: 2
I detect large amounts of nerd rage in this sector.

RE: That is great but...
By WoWCow on 3/30/2010 11:22:15 AM , Rating: 3
Stating the obvious analogy:

Local man realizes after 20 years his home would be less of a target for burglary and theft if he closed and locked the doors as typical home owners should do.

RE: That is great but...
By Makaveli on 3/30/2010 12:08:11 PM , Rating: 1
I agree with the article %100.

I have changed my windows 7 UAC back to the vista default. Even tho I'm the only one that uses my home PC I see no reason to disable it. For the general public they should never be using an admin account, most people don't care to understand why and just bitch when their computer is broken and blame it on shitty windows....right!

I also bitch at all my friend that build pc's for people and disable UAC cause they find the prompts annoying only to have the person at their house every second week because they got a virus or did something stupid. What is even worse is parents that buy pc's for their kids and they 12 has an admin account on the home computer bad idea!

Never Ever
By tech329 on 3/30/2010 4:31:35 PM , Rating: 2
Giving users admin permissions is something I have managed to avoid for a very long time. Every admin knows it's a bad idea and regrets it if they do it. I've had some big arguments over this with some hard feelings as left overs. The thing is people will do dumb stuff no matter what. The answer is simple. Lock it down!

RE: Never Ever
By erple2 on 3/31/2010 6:01:15 PM , Rating: 1
Glad I don't work for your short-sighted company. Blanket statements like "No Admin Rights For Anyone" smells like your inability to properly manage people and assets. Taking the simple and lame attitude of "everyone's an idiot" just helps to elevate you to "that person people hate to work with".

RE: Never Ever
By v3rt1g0 on 3/31/2010 11:28:41 PM , Rating: 1
I would never work for a company that didn't give me admin rights on my workstation. That's completely asinine.

Common Sense
By Etern205 on 3/30/2010 12:15:23 PM , Rating: 2
I've built a system for my parent to use who they don't even know how to power up a computer, but I've told them not to click on stupid things and so far not a single infection.

The average user needs to be educated, but a professional can only go so far and in the end it comes down to the using habit of that individual user.

For some users no matter how many protection they get, they'll get infected while the others even with no security install will not.

In the end those who get infected are the lazy ones who thinks if they get a infection, others will come to wipe their behinds.

"We can't expect users to use common sense. That would eliminate the need for all sorts of legislation, committees, oversight and lawyers." -- Christopher Jennings

Copyright 2016 DailyTech LLC.