• Removing Admin Rights "Fixes" 94% of All Windows Critical Vulnerabilities

    Removing Admin Rights “Fixes” 94% of All Windows Critical Vulnerabilities

    Analysing Microsoft’s 2016 security reports reveals that 94% of critical vulnerabilities could easily be mitigated

    Feb 21, 2017 22:14 GMT · By Gabriela Vatu

    Many of Microsoft's vulnerabilities could easily be fixed

    Removing administrator rights could have helped mitigate 94% of all Windows vulnerabilities with a Critical rating, reveals a new analysis signed by global security software company Avecto.

    After taking a look at all security bulletins issued by Microsoft throughout 2016, Avecto came up with a few key findings to shed some light on the overall security problems of Windows OS. During the whole of 2016, 530 vulnerabilities were reported, a small increase over the previous year. When it comes to Critical vulnerabilities, the number dropped to 189, much better than in 2014 when 240 such problems were reported.

    “Remote Code Execution vulnerabilities account for the largest proportion of total Microsoft vulnerabilities. Of these, 70% were classed as Critical. Almost 90% of total RCE vulnerabilities and 94% of Critical RCE vulnerabilities could be mitigated by removal of admin rights,” researchers note.

    Another vulnerable asset of Microsoft is Edge, the company’s latest browser. A total of 111 vulnerabilities were discovered in the browser, 68 of which were critical. All of them could be mitigated by the simple removal of admin rights. The same could be done regarding Internet Explorer, related to which Microsoft announced 109 vulnerabilities, less than half compared to the previous year.

    Office products, also vulnerable



    • #97149

      … and, surprise, the company that produced the report has just one product which removes all admin rights and replaces UAC: https://www.avecto.com/defendpoint

      • #97322

        Yep, I tend to be a bit cautious on these types of reports – even when (and sometimes especially when) they agree with a stance I take with my clients. Self-serving reports only damage the perception of what for some companies is legitimate advice.

        I do think – strongly – that end users in a corporate environment should not run as admin on their workstations. I also provide a special domain account that’s granted admin on all workstations – but not on the domain – for them to use when they need to update something legitimately.

        At the same time, a well-trained end user with a clear understanding of what risky behavior to avoid and with good technical mitigations in place can be perfectly fine running as admin.

        And training . . . much training . . .
