How To Eliminate 94% of Windows Vulnerabilities Easily

Category: Security

A new report from security experts at Avecto highlights hundreds of critical vulnerabilities discovered in Microsoft Windows just in the year 2016. Any of them could allow a hacker to take full control of an unpatched PC. But one simple trick can create a roadblock to neutralize more than 94% of these threats. Read on for the scoop…

It's "Standard" Operating Procedure

Here's the short answer: All you have to do is log into Windows as a “standard” user, with limited privileges to add and remove components, change system settings, and so on. If you can’t make drastic changes to the system, neither can any malware that may find its way past your defenses.

More than 94% of the critical vulnerabilities tallied in the Avecto report require administrator privileges to exploit them. One hundred percent of critical vulnerabilities in Internet Explorer and Edge, the new Windows 10 browser, can only be exploited by malware with administrator privileges. Obviously, you should be using a standard user account except in circumstances when higher privileges are necessary.

Put up a Windows Malware Roadblock

But if you’re a typical home user, you probably have administrator privileges and all the vulnerabilities that come with that powerful status. When Windows is installed, the first user account created is an administrator account. Most home users just use it routinely, and don’t bother to create standard user accounts.

Windows 10 has been touted as the most secure version ever. But Avecto found that Windows 10 contained the most critical vulnerabilities of any version examined. A whopping 395 critical Windows 10 vulnerabilities were discovered during 2016. Ninety-three percent of these vulnerabilities are neutralized by using a standard user account. So technically, Microsoft’s “most secure version ever” claim may be true, but not by much.

Logging in with a Standard account is only the first step. Keep your shields up, by using one of my recommended Free AntiVirus Programs. See my article Downloading? Watch Out For These Danger Signs and be on guard against email phishing attacks. See Would You Click on This? to learn more about phishing.

Every system needs an administrator account occasionally. But you should create and routinely use standard user accounts that have lower privileges. Here is how to create a standard account in Windows 7:

Click Start, and in the search box enter “user account.” Among the search results, you will see “Create standard user account.” Click on that item. On the next screen, give the account a name and make sure “standard account” is selected. Click on “Create account” and you’re done - almost.

Every user account should require a password to log into it. After you create an account, it will be displayed on a page with all the other accounts on that machine. Double-click on the new user account’s icon and select “create password” in the list of actions on the left. Type the password into the next form page, confirm it by typing again, and click on the “Create password” button. Now you’re done.

Creating new user accounts is more complicated in Windows 10. Microsoft desperately wants you to create a Microsoft account so it can track you all over the Web. Finding the option to create a new standard user account on a PC without creating a matching Microsoft account is a challenge. But let’s do it:

Enter “Settings” in the search box to open that app. Click on Accounts. Click on “Family & Other People.” Click on “Add someone else to this PC.” Click on “I don’t have this person’s sign-in information.” Click on “Add a user without a Microsoft account.” Finally, you can create a standard account by naming it and giving it a password. Whew!

Occasionally, a standard user may need administrator privileges to run an app. If you get an error message saying administrator privileges are required, right-click on the app’s shortcut and select “run as administrator” from the drop-down menu.

As I mentioned up front, using a standard account mitigates 93-94% of critical vulnerabilities. But that doesn’t mean you can dispense with anti-malware protection, download software from sketchy sites, and click every link that appears in your inbox. See the sidebar above for some helpful Internet security links.

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

 
  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 28 Feb 2017


For Fun: Buy Bob a Snickers.

Prev Article:
Dual Monitors: Good Reasons to Upgrade

The Top Twenty
Next Article:
Geekly Update 02 26 17

Most recent comments on "How To Eliminate 94% of Windows Vulnerabilities Easily"

(See all 38 comments for this article.)

Posted by:

Jon
28 Feb 2017

Update --- As noted in the comments, use Danny G's idea. Adding a new Admin and then changing the original Admin to user keeps all functions and settings with the new safe user account. Thanks Bob and Danny.


Posted by:

Linda
28 Feb 2017

Thanks very much, Bob. Very helpful information once again!


Posted by:

Ken Dwight
28 Feb 2017

This is useful advice, but not for the main reason you stated. Malware creators figured out a long time ago how to elevate privileges, so that even a restricted user account is just as vulnerable to malware as an administrator. It's still a good idea for most users to have limited privileges, but don't be misled into thinking this is 93 or 94 percent protection against infection by malware.


Posted by:

Bob Greene
28 Feb 2017

@Joseph Hayes-- Many must run Windows XP for legacy software and other reasons. Yet, they do so with only marginal loss of security, compared to later Windows versions, because the latest ransomware and other issues are pointed at poor user security measures, not Microsoft's attempt to fortify and armor-plate later versions of Windows.

In fact, except for lower-tier exploits which continue to ding XP installations easily, XP users are now such a minority of individual users, they no longer interest professionals going after big game like corporate websites.

You will be safer than you fear if you adopt the sound practices suggested for user accounts in this Bob Rankin article. Meanwhile, find a good, general purpose security layer like Avast, or another reputable provider-- there are many worthy applications which still address XP, bless 'em all. And above all, keep your financial and personal information away from internet-facing XP machines, if you can--- a "best practice" that probably should apply to every other Windows machine, as well.


Posted by:

CT
28 Feb 2017

The easiest and safest way to change all this in Windows 10 is to create another account that is an administrator account as described above.
Then change your old account to a standard account. You can do this through the control panel (also "Settings", but more difficult). Do a Windows-R and enter "Control Panel". Go to "User Accounts". It will bring up the link "Manage another account".
That should list both accounts. Make sure the new one is admin, and change your old one to standard.
This way you don't have to move you profile over. You just have to put whatever you want to in your new admin account (that you only use when necessary).


Posted by:

Joe Dorin
28 Feb 2017

In Let’s Create your account

If you select “I don’t have this person’s sign-in information”
then you have to Get a new email address and inform your family, friends, Doctors, Banking, Social Security (I'm 83), Subscriptions and other important people in your life > then you also have to create a new password
Can’t you just change the administrator account too a STANDARD account without all this extra stuff

the other choices are
a- “If you already use a Microsoft Service, go back to sign in with that account”
Won’t that get me back to square one?

b- “Add a user without a Microsoft account”


Posted by:

Alan Miller
01 Mar 2017

I tried adding someone else and I got this error message in red "We Cannot connect to Microsoft family right now, so your family on this device might not be up to date". What the heck does that mean? Actually I am the only one on MY computer, so what does my family have to do with anything. But I do love your articles. Thanks


Posted by:

bobdeloyd
01 Mar 2017

I used to do this , but I just gotten lazy. I will start a new user id with standard settings and get doing it again :)


Posted by:

kevin
01 Mar 2017

On my new windows 10 laptop, I set up just my own user account, which naturally had to be administrator since there is no other admin enabled on the system (yet).

I have three questions about this:

1. Anytime I launch a program that requires admin permissions (or access certain system settings), I get a pop-up that reminds me that an admin is required. (I just have to click OK and then it proceeds.) My question is this: Does the roadblock that this popup presents for me effectively also prevent malware from executing (provided I don't click OK myself to approve something that I shouldn't)? Obviously, it stops even me (an administrator)and waits for am approving click, so I would hope that malware will encounter the same checkpoint but fail to get past it.

2. If I were a standard level user but clicked "run as admininistrator" to install something when needed, how do I ensure that the program will later be accessible by a user other than the admin? It seems that installations very rarely present the option to select whether the program is for "everyone" using the computer or just the current user.

3. Does the built-in administrator account (the one you can enable in the BIOs or perhaps through command line) operate any differently with respect to all the above compared to a mere user account that has been set to admin level? For example, can the built-in admin be switched to by password without having to completely log in (and then log out to drop back to the other level user?


Posted by:

Clairvaux
01 Mar 2017

All these questions and comments show that Microsoft has done a very poor job in that respect. Security is in simplicity. If working under non-admin is so important (and I tend to believe it is), then it should be obvious and easy to do so.

Microsoft first made all user accounts admin by default, then berated its users for working under admin.

Suppose you give in, recognise you've been a bad boy all along, and try to reverse your allegedly lousy habits. You then encounter of whole range of problems due a) to the way Microsoft has implemented user rights in Windows, b) to the way it explains that already imperfect technology, c) to the way software publishers often don't take into account the case of one user having two accounts and normally working under non-admin.

One typical consequence of the latter is : you are a good boy and always work under non-admin ; you install a piece of software from non-admin, elevating your rights as needed by typing your password ; you agree for a shortcut to be installed on the desktop ; you try to launch the software, but the shortcut is nowhere to be seen on the desktop. Why ? because the installer put it on the admin account's desktop.


Posted by:

Ahmad
01 Mar 2017

A relevant report for Windows 7 users (security setup is different for Windows 10, unsure how much for this case) is available here: https://answers.microsoft.com/en-us/windows/forum/windows_7-security/is-it-true-that-i-should-not-use-an-administrator/67c4da2a-f9d3-42ea-b669-92b7316320dc?msgId=7a9dfb67-4640-4017-b952-34d691e3d1ed

The important points are:

1. The privileges of Standard users, Guest users & non-elevated Admin users [Protected administrators] are the same.
2. The extra privileges of elevated Admin users [Elevated administrators], the Built-In Admin user [in its default condition] & the elevated Built-In Admin user are the same.

"Protected administrators" are the default admin accounts most users use before the "administrator permission" required to perform an action dialog box is accepted. After the acceptance, it becomes an "Elevated administrator". A basic user also becomes an "Elevated administrator" when the security dialog box is accepted (although now a password has to be entered).

It would be interesting to see why Avecto reaches the alternate conclusion.


Posted by:

Jim
01 Mar 2017

Makes me want install Linux.Used it on my old desktop and liked it very much. Once I got it set up the way I liked I never had to worry about all this Windows crap. :-)


Posted by:

Citellus
01 Mar 2017

I have been using a separate administrator account since Windows Vista. It is very simple. I do not use that account for almost anything - it has minimal programs on the desktop. I rarely even go this account. When I want to install a program in my standard account, I am told I need administrator privileges, and a box is provided to put in the administrator password. I know what I am trying to do, so I give it permission. My spouse does not have a separate account, so when she wants to install a program, it simply says it needs administrator privileges, and do I want to proceed - no password. She only has pictures, email, and word processing, so security is not a big issue - she also has continuous backups to protect against ransomware.

Most settings are not relevant for my administrator account because I seldom use it. I just turned everything off at the outset and do not fiddle with them.

I am glad to know that Bob has done the work to show the value of this approach. I thought it was a good idea, but had no evidence. Thanks Bob.


Posted by:

Kerry
02 Mar 2017

When I create this new account, what is the easiest way to get access to my other email accounts and browser favorites etc. that I always used under the admin account?
Thanks


Posted by:

A.R.Duncan-Jones
02 Mar 2017

Thanks for this - I had not realized it was quite that bad, and have finally set up a non-admin account for myself. But: can you tell me how to reproduce my desktop for the new account without having to click on every program, &c., and set up an icon ? That would be very kind - if it is possible. (I think I can just about cope with adding things to the taskbar)


Posted by:

A.R.Duncan-Jones
02 Mar 2017

Sorry about above post - my browser only showed the first two comments for some reason, and I see that my query has already been raised, along with a lot of other more pertinent ones. The suggestion of changing one's existing Admin account to Standard (and setting up a new ~Admin account for when necessary) would answer my initial query.

It would be a good idea, perhaps, to start a new post to clarify what,if any differences there are between Microsoft Admin and standard (user-created) Admin. But the point made about malware being able to elevate itself sounds a serious one, which would make the whole thing a waste of time. As so often, Micros**t really don't seem to have thought this through.


Posted by:

C Cochran
03 Mar 2017

I know when I first set up Win 10 I didn't have this info and I went through all kinds of *?!!* to get a normal account without making it into a MS account. Didn't really want a new hotmail account since I already have 2. Also didn't want to change my service provider email over. Man, they make it hard. I wish I had this article then as it makes it sound very easy. It was a pain just checking to see what type of account I have. Just had to make sure though.


Posted by:

Clairvaux
03 Mar 2017

@ A.R.Duncan-Jones

"Differences between Microsoft Admin and standard (user-created) Admin"

User-created admin is like non-admin : under normal operation, you don't have admin rights. The difference occurs when the UAC warning opens, and ask for the permission to elevate rights (in order to install a program, for instance).

In order to clear the UAC warning, you just need to click OK. Whereas under your non-admin account, you would have to type your password.

Microsoft embedded Admin account is totally UAC free, so there's no protection whatsoever.


Posted by:

Peter O
04 Mar 2017

Very apparent that Bob's post, intended to be helpful of course, when implemented, simply creates a host of unintended consequences.
Frankly I have no stomach to face this added complexity so for me things will remain just as they are.
Bob, please its plain you did not really explore this fully & your suggestions will noy suit the ordinary everyday PC user.
It's 2017, we all expect to get our work done without having to make up for MS omissions, which become disgracefully more apparent year by year.


Posted by:

Anne K
11 Mar 2017

When one, the only user of a home computer, has long been using the admin account as the working account, switching to a newly created standard account is not so simple. All setup, customization, and files created by admin are not available to the new user.
The effort to restore everything in the new standard account would be huge. Not worth it, I hope.


There's more reader feedback... See all 38 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.


Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML


Article information: AskBobRankin -- How To Eliminate 94% of Windows Vulnerabilities Easily (Posted: 28 Feb 2017)
Source: https://askbobrankin.com/how_to_eliminate_94_of_windows_vulnerabilities_easily.html
Copyright © 2005 - Bob Rankin - All Rights Reserved