Mostly for legacy reasons, many of us continue to run users with administrative privileges on their Windows workstations.
Running as standard user reduces exposure to malware by preventing users from updating protected parts of the file system and registry or accessing sensitive Windows operations. An analysis by BeyondTrust showed that 92% of the critical Windows vulnerabilities issued by Microsoft in 2008 were mitigated or eliminated entirely if users were configured to run as standard users.
Windows Vista (which was not widely adopted) included a collection of technologies to help with this issue under the name of “User Account Control”. I’ve provided specific advice to clients deploying UAC here as it provides capabilities that not only help users run as standard user (for example, using file and registry redirection) but also help reduce exposure when users run with administrative rights. Good news, Windows 7 also includes this technology and some improvements have been made to reduce the number of prompts. Put this on your to do list for 2010: use the migration to Windows 7 as a catalyst to make the switch to standard user.
If Windows 7 migration is too far away, tools from vendors like Altiris, Avecto and BeyondTrust can help to make standard user usable on Windows XP and support legacy applications which require administrative rights.
Oh, and one more thing. Contractually require applications vendors that we procure from to provide applications to run correctly with users configured as standard user (and, ideally, to install correctly as standard user as well).
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.