13:15 CET on the 11th April 2011. Entry written by Stefan Frei.
For years the software industry has promoted reduced privileges for user accounts as a key security best practice to prevent misuse and successful exploitation of end-point systems. Unfortunately, user accounts with reduced privileges do not provide protection from attack, misuse, or compromise.
Reduced privileges for end-users can only be regarded as one part of an effective security strategy, and should not be relied on alone. Organisations should know the limitations of this approach so that they do not develop a false sense of security and under-invest in complementary security layers.
The new Secunia Whitepaper "Cybercriminals Do Not Need Administrative Users" discusses the limitations of securing systems by denying users administrative access to them, and highlights how cybercriminals can achieve their goals without administrative access.