Restricting User Rights as an Effective Protection for Windows
The most effective protection for Windows computers still is a reasonable and comprehensively designed rights management, which will grant only those permissions that the users require for their daily work.
In a recent analysis of the software security company Avectos, which was published by Microsoft in 2016, this undoubtedly convincing fact was once again confirmed. In the "2016 Microsoft Vulnerability Study" Microsoft announced about 530 vulnerabilities for the past year, of which 36 percent were classified as "critical". According to Avecto, 94 percent of those critical vulnerabilities would have been harmless if their malicious code had not been executed with administrative privileges on the systems. An abuse of critical security vulnerabilities in Office 2016 and Internet Explorer would have been even completely prevented by omitting administrative rights.
One thing is becoming clearer: A Windows machine will be more resistant if the everyday work is done without the permissions of a local Administrator!
A systematical rights management grants the users only absolutely necessary permissions. However, many would argue that users do require administrative rights for their work, and that the implementation of a granular rights concept would be far too complicated, or simply not feasible.
This attitude may be sometimes true, but through the allocation of temporary administrative rights, the vulnerability of a system can be significantly minimized. With the help of ask:us GARDEN, a temporary or static assignment of local administrators on Windows machines is possible, and can also be centrally managed and monitored in a company Network.
A misuse of security vulnerabilities can also be minimized when applications that can only be executed with elevated rights, will be run with alternate credentials. With ask:us ASAP, applications can be configured to start with independent administrative credentials either from a local path, from a network drive, or from a Web server, and in the context of local or domain accounts. The user himself does not require any local administrative permissions and must not know name or password of a local administrative account.
Sources: WindowsPro, Avecto, ask:us