The conventional wisdom is that a user who is configured with “standard user” privileges (the least possible in Windows 7) cannot install software (or malware for that matter).
This is incorrect.
Software that writes to the user’s data directory, and that doesn’t write to protected portions of the registry, can install correctly as a standard user, and an increasing number of enterprise software vendors are doing exactly this (e.g., Google Chrome and Mozilla Firefox).
If the good guys can do this, so can the bad guys. Indeed, malware writers can use the same techniques to install software targeted at stealing end-user-accessible data and personal information, even when users don’t have administrator rights.
If you really want to control what applications a user is allowed to install and execute, you will need to do more than just run them as standard users. For example, Application Control (aka whitelisting) is one approach that I frequently discuss with clients.
I talk about the ability of standard users to install software and other issues in this research note for clients that just published. In this research, my colleague, Mike Silver, and I provide a comprehensive set of best practices for removing administrator rights from end-users on Windows. In terms of “security bang for the buck” you can’t do much better than this and most organizations have specific projects underway to do exactly this using Windows 7 as the catalyst for the removal of administrator rights from end users.
Category: Endpoint Protection Platform Microsoft Security Windows 7 Tags: Best Practices, Defense-in-Depth, Endpoint Protection Platform, Lockdown, Microsoft Security, Reducing Cost, Whitelisting, Windows