Feb. 25, 2014
CBS MoneyWatch - A new security study confirms something that many security experts already knew: one small change to your Windows settings can make your PC all but invulnerable to critical vulnerabilities.
Compliance and "privilege management" company Avecto has just released its 2013 Microsoft Vulnerabilities Study, and it shows that a staggering 92 percent of all Microsoft vulnerabilities rated as "critical" could be disregarded if you configure your PC so that users didn't have administrator rights.
In Windows XP and earlier, for example, admin rights were bestowed on all users by default. It wasn't until Windows Vista, and then also in Windows 7 and 8, that Microsoft changed the user model to encourage most people to get "standard user" privileges. Along with User Account Control (UAC), a Windows feature that prompted users for permission when programs attempted to make many kinds of system-setting changes, the last two versions of Windows are dramatically more secure. But only if users get standard and not admin privileges.
According to the Avecto study, Microsoft published 147 critical vulnerabilities in 2013, and all but 12 were thwarted by removing administrator privileges from the PC. That's not all. This one change would eliminate specifically 96 percent of Windows' critical vulnerabilities, 91 percent of critical vulnerabilities in Microsoft Office and every single critical issue in Internet Explorer.
Working as a standard user has a downside, of course: inconvenience. As a standard user, you can be confronted by frequent requests to enter the administrator password to perform seemingly routine tasks, like installing software and formatting media. It's a question of risk mitigation: is it worth the extra effort to so dramatically reduce the risk to your PC and your data?
Not sure what kind of user privileges you're currently running? To find out, open the Windows Control Panel and click Change Account Type under User Accounts and Family Safety (or find it by typing "account type" in the Control Panel's search box). You should see a list of all users and the type of user account they currently have.
To change an administrator to a standard user, click the entry for that account, and then click Change the Account Type. Choose Standard and click Change Account Type.
If you are the only user on the PC, you might need to create a new Admin account before you can downgrade your own account to a standard user -- your PC must have at least one administrator, even if it's an account you never use or log in with.
This report should also be a wake-up call for Windows XP users. You are highly vulnerable, and you have few ways to mitigate the risk without moving to a more modern operating system.