Gartner Blog Network

Security No-Brainer #8: Run Users As Standard User

by Neil MacDonald  |  August 13, 2009  |  3 Comments

Mostly for legacy reasons, many of us continue to run users with administrative privileges on their Windows workstations.

Running as standard user reduces exposure to malware by preventing users from updating protected parts of the file system and registry or accessing sensitive Windows operations. An analysis by BeyondTrust showed that 92% of the critical Windows vulnerabilities issued by Microsoft in 2008 were mitigated or eliminated entirely if users were configured to run as standard users.

Windows Vista (which was not widely adopted) included a collection of technologies to help with this issue under the name of “User Account Control”. I’ve provided specific advice to clients deploying UAC here as it provides capabilities that not only help users run as standard user (for example, using file and registry redirection) but also help reduce exposure when users run with administrative rights. Good news, Windows 7 also includes this technology and some improvements have been made to reduce the number of prompts. Put this on your to do list for 2010: use the migration to Windows 7 as a catalyst to make the switch to standard user.

If Windows 7 migration is too far away, tools from vendors like Altiris, Avecto and BeyondTrust can help to make standard user usable on Windows XP and support legacy applications which require administrative rights.

Oh, and one more thing. Contractually require applications vendors that we procure from to provide applications to run correctly with users configured as standard user (and, ideally, to install correctly as standard user as well).

Category: beyond-anti-virus  endpoint-protection-platform  

Tags: beyond-anti-virus  microsoft  microsoft-security  security-no-brainer  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Security No-Brainer #8: Run Users As Standard User

  1. […] Continue to run more users as standard user. Ideally, all of them. It doesn’t take the User Account Control capabilities of Windows Vista or […]

  2. […] their security agent couldn’t be disabled by end-users running as administrators (ideally, we’d run all users with ‘standard user’ privileges and not with administrative rights, but there are reasons why some organizations continue to […]

  3. […] into running code that exploits this vulnerability to gain system-level access. Even running as standard user doesn’t necessarily protect you from single file executables executed directly from the […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.