User accounts with reduced privileges do not provide protection from attack, misuse, or compromise.
For years the software industry has promoted reduced privileges for user accounts as a key security best practice to prevent misuse and successful exploitation of end-point systems. There are two main rationales/assumptions that back up this strategy: A) malware requires administrative access to successfully exploit and compromise a system, and B) users without administrative access are prevented from bypassing the organisation’s security policy as they cannot install and run unauthorised programs on their own.
Unfortunately, user accounts with reduced privileges do not provide protection from attack, misuse, or compromise. Reduced privileges for end-users can only be regarded as one part of an effective security strategy that should not be solely relied on. Organisations should know the limitations of this approach to prevent them from getting a false sense of security and under-investing in complementary security layers. This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.
In any organisation, staffs work on their end-points to carry out daily tasks. By definition, and irrespective of the privileges they are granted on their systems, they need and have access to all business relevant data and internal networks required to get the job done. Thus, even when working with reduced privileges, any program or process running with the same set of privileges also has full access to all of this data. This very fact highlights that the valuable information which cybercriminals are eager to "acquire" is present regardless of users’ privileges and justifies cybercriminals' interest and investment in finding ways to compromise end-users’ systems.