Windows logo

Just by preventing access to admin accounts, a system administrator could safeguard all the computers under his watch and prevent attackers from exploiting 94% of all the critical vulnerabilities Microsoft patched during the past year.

This is the conclusion of a study carried out by cyber-security firm Avecto for the second year in a row, after, at the same time last year, it discovered that a sysadmin could mitigate 86% of all critical vulnerabilities Microsoft patched in 2015, just by taking the same action and disabling admin rights.

What this growth from 86% to 94% means is that the security of Microsoft products is getting better, if users would only start following industry best practices and stop using admin accounts for daily work.

Removing admin rights thwarts all IE, Edge, Office 2016 security threats

Even more interesting is that the Avecto 2016 report highlights that if sysadmins had forced users to utilize a low-privileged account instead of an admin-level profile, they would have mitigated 100% of all critical Internet Explorer and Microsoft Edge browser vulnerabilities patched during the past year.

The same 100% threshold also stands for Office 2016, showing the large number of security threats a system admin could mitigate just by a proper user management policy.

"Times have changed; removing admin rights and controlling applications is no longer difficult to achieve," noted Mark Austin, co-founder, and co-CEO at Avecto, an opinion he also shared with Sami Laiho, a famous Windows security expert [1, 2].

The above statistics do not include medium and low-level security flaws because their impact was already deemed insufficient to receive a "critical" classification, regardless of the user level access they needed to execute from. The chart below shows the bigger picture.

Admin rights removal stats

The simple conclusion of the Avecto report is that most companies and users would be able to avoid malware infections and network compromises if they'd only follow the example of Linux users and avoid using admin accounts as their primary profiles.