Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Security No-Brainer #8: Run Users As Standard User

by Neil MacDonald  |  August 13, 2009  |  3 Comments

Mostly for legacy reasons, many of us continue to run users with administrative privileges on their Windows workstations.

Running as standard user reduces exposure to malware by preventing users from updating protected parts of the file system and registry or accessing sensitive Windows operations. An analysis by BeyondTrust showed that 92% of the critical Windows vulnerabilities issued by Microsoft in 2008 were mitigated or eliminated entirely if users were configured to run as standard users.

Windows Vista (which was not widely adopted) included a collection of technologies to help with this issue under the name of “User Account Control”. I’ve provided specific advice to clients deploying UAC here as it provides capabilities that not only help users run as standard user (for example, using file and registry redirection) but also help reduce exposure when users run with administrative rights. Good news, Windows 7 also includes this technology and some improvements have been made to reduce the number of prompts. Put this on your to do list for 2010: use the migration to Windows 7 as a catalyst to make the switch to standard user.

If Windows 7 migration is too far away, tools from vendors like Altiris, Avecto and BeyondTrust can help to make standard user usable on Windows XP and support legacy applications which require administrative rights.

Oh, and one more thing. Contractually require applications vendors that we procure from to provide applications to run correctly with users configured as standard user (and, ideally, to install correctly as standard user as well).

3 Comments »

Category: Beyond Anti-Virus Endpoint Protection Platform     Tags: , , ,

3 responses so far ↓

  • 1 Looking Ahead to Windows 7 Security   October 9, 2009 at 2:12 pm

    [...] Continue to run more users as standard user. Ideally, all of them. It doesn’t take the User Account Control capabilities of Windows Vista or [...]

  • 2 No Security (or Management) Controls are Absolute When Users run as Administrators   December 17, 2009 at 2:48 pm

    [...] their security agent couldn’t be disabled by end-users running as administrators (ideally, we’d run all users with ‘standard user’ privileges and not with administrative rights, but there are reasons why some organizations continue to [...]

  • 3 Microsoft’s Patch Tuesday – Watch This One   February 10, 2010 at 11:41 am

    [...] into running code that exploits this vulnerability to gain system-level access. Even running as standard user doesn’t necessarily protect you from single file executables executed directly from the [...]