by Neil MacDonald | March 15, 2011
The conventional wisdom is that a user who is configured with “standard user” privileges (the least possible in Windows 7) cannot install software (or malware for that matter).
This is incorrect.
Software that writes to the user’s data directory, and that doesn’t write to protected portions of the registry, can install correctly as a standard user, and an increasing number of enterprise software vendors are doing exactly this (e.g., Google Chrome and Mozilla Firefox).
If the good guys can do this, so can the bad guys. Indeed, malware writers can use the same techniques to install software targeted at stealing end-user-accessible data and personal information, even when users don’t have administrator rights.
If you really want to control what applications a user is allowed to install and execute, you will need to do more than just run them as standard users. For example, Application Control (aka whitelisting) is one approach that I frequently discuss with clients.
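A read-only inventory of what has already been installed without administrator rights is a useful first input to an application control policy. The PowerShell below is an added example, not part of the original post. It assumes per-user installers register under the `HKCU` uninstall key and place their binaries under `%LOCALAPPDATA%` or `%APPDATA%`, and it is meant to be run as the standard user being audited.

```powershell
# Added example: list software installed for the current user without admin rights.
# Read-only. The two locations checked are assumptions about where per-user
# installers usually land, not an exhaustive list.

# 1. Per-user "Programs and Features" entries. A standard user can write to this
#    HKCU key, unlike the machine-wide uninstall key under HKLM.
$uninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
$perUserApps = @()
if (Test-Path $uninstallKey) {
    $perUserApps = @(Get-ChildItem $uninstallKey |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallLocation)
}

# 2. Executables under the user's data directories, with Authenticode status
#    so unsigned or tampered binaries stand out during review.
$roots = @($env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path $_) }

$userExes = @(Get-ChildItem -Path $roots -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        $signer = ''
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path   = $_.FullName
            Status = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer = $signer
        }
    })

"Per-user uninstall entries: $($perUserApps.Count)"
$perUserApps | Sort-Object DisplayName | Format-Table -AutoSize

"Executables under the user profile: $($userExes.Count)"
$userExes | Sort-Object Status, Path | Format-Table Status, Signer, Path -AutoSize
```

Anything listed here ran or can run with only standard user rights, so each entry is a candidate for an explicit allow or deny decision in the application control policy.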
I talk about the ability of standard users to install software and other issues in this research note for clients that was just published. In this research, my colleague Mike Silver and I provide a comprehensive set of best practices for removing administrator rights from end users on Windows. In terms of “security bang for the buck,” you can’t do much better than this, and most organizations have specific projects underway to do exactly this, using Windows 7 as the catalyst for the removal of administrator rights from end users.