Level 3 enterprise VIP security configuration

Applies to

  • Windows 10

Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors.

Policies

The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using the rings methodology.

Security Template Policies

| Feature | Policy Setting | Policy Value | Description |
|---|---|---|---|
| Account Lockout | Account lockout duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. |
| Account Lockout | Account lockout threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. |
| Account Lockout | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. |
| Password Policy | Maximum password age | 60 | The number of days that a password can be used before the system requires the user to change it. |
| Password Policy | Minimum password age | 1 | The number of days that a password must be used before a user can change it. |
| Security Options | Accounts: Administrator account status | Disabled | This security setting determines whether the local Administrator account is enabled or disabled. |
| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. |
| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller, in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible), and Domain member: Digitally sign secure channel data (when possible). |
| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. |
| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. |
| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click Lock Workstation in the Properties for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. |
| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. |
| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. |
| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. |
| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. |
| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for Network access: Named pipes that can be accessed anonymously, and Network access: Shares that can be accessed anonymously. |
| Security Options | Network security: Allow PKU2U authentication requests to this computer to use online identities | Disabled | This policy will be turned off by default on domain-joined machines. This prevents online identities from authenticating to the domain-joined machine. |
| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. |
| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. |
| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. |
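The following PowerShell script is an added example and is not part of the Microsoft baseline page. It audits a Windows 10 machine against the Security Template rows above before and after a ring deployment: the account lockout and password rows are read from a secedit export of the effective local policy, and the listed Security Options are read from the registry values that back them. The registry paths and value names are the well-known backing locations for these settings as I know them (SCENoApplyLegacyAuditPolicy is the only one named on the page); treat them as assumptions and check them against your own template. The expected values are those from the table.

```powershell
# Added example, not from the Microsoft baseline page. Run in an elevated PowerShell session on the
# machine under review. Expected values come from the Level 3 Security Template table; the registry
# paths are the well-known backing locations for those Security Options (assumption: verify locally).

# [System Access] keys as written by "secedit /export", with the Level 3 values.
$ExpectedSystemAccess = @{
    LockoutDuration    = 15   # Account lockout duration (minutes)
    LockoutBadCount    = 10   # Account lockout threshold (failed logons)
    ResetLockoutCount  = 15   # Reset account lockout counter after (minutes)
    MaximumPasswordAge = 60   # Maximum password age (days)
    MinimumPasswordAge = 1    # Minimum password age (days)
    EnableAdminAccount = 0    # Accounts: Administrator account status = Disabled
}

# Security Options that are stored in the registry. ScRemoveOption is a REG_SZ; the rest are DWORDs.
$ExpectedRegistry = @(
    @{ Setting = 'Limit local account use of blank passwords to console logon only'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'; Value = 1 }
    @{ Setting = 'Force audit policy subcategory settings to override category settings'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'SCENoApplyLegacyAuditPolicy'; Value = 1 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Value = 1 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Value = 1 }
    @{ Setting = 'Allow PKU2U authentication requests to use online identities = Disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'; Name = 'AllowOnlineID'; Value = 0 }
    @{ Setting = 'Digitally encrypt or sign secure channel data (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'RequireSignOrSeal'; Value = 1 }
    @{ Setting = 'Digitally encrypt secure channel data (when possible)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'SealSecureChannel'; Value = 1 }
    @{ Setting = 'Digitally sign secure channel data (when possible)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'SignSecureChannel'; Value = 1 }
    @{ Setting = 'Microsoft network client: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Setting = 'Restrict anonymous access to Named Pipes and Shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RestrictNullSessAccess'; Value = 1 }
    @{ Setting = 'LDAP client signing requirements = Negotiate signing'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name = 'LDAPClientIntegrity'; Value = 1 }
    @{ Setting = 'Strengthen default permissions of internal system objects'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'ProtectionMode'; Value = 1 }
    @{ Setting = 'UAC: elevation prompt for standard users = Automatically deny'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorUser'; Value = 0 }
    @{ Setting = 'Smart card removal behavior = Lock Workstation'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'ScRemoveOption'; Value = '1' }
)

function Get-SystemAccessPolicy {
    # Export the effective local security policy to a temporary INF and parse its [System Access] section.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    try {
        $section = ''
        $values  = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -eq 'System Access' -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
                $values[$Matches[1]] = $Matches[2]
            }
        }
        return $values
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-Level3SecurityTemplate {
    $findings = @()
    $actual = Get-SystemAccessPolicy
    foreach ($key in $ExpectedSystemAccess.Keys) {
        $have  = $actual[$key]
        $shown = if ($null -eq $have) { '<not set>' } else { $have }
        $pass  = ($null -ne $have) -and ([int]$have -eq [int]$ExpectedSystemAccess[$key])
        $findings += [pscustomobject]@{ Setting = $key; Expected = $ExpectedSystemAccess[$key]; Actual = $shown; Pass = $pass }
    }
    foreach ($item in $ExpectedRegistry) {
        $have  = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        $shown = if ($null -eq $have) { '<not set>' } else { $have }
        $pass  = ($null -ne $have) -and ("$have" -eq "$($item.Value)")   # string compare covers DWORD and REG_SZ
        $findings += [pscustomobject]@{ Setting = $item.Setting; Expected = $item.Value; Actual = $shown; Pass = $pass }
    }
    return $findings
}

$results = Test-Level3SecurityTemplate
$results | Format-Table -AutoSize
'{0} of {1} settings match the Level 3 template.' -f @($results | Where-Object Pass).Count, $results.Count
```

A setting reported as `<not set>` is not necessarily a failure: a value that was never written still falls back to the Windows default, so compare the default for that build against the table before marking it as drift. Running this on the first ring before and after the template is applied gives the before/after evidence the rings methodology calls for.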

Computer Policies

| Feature | Policy Setting | Policy Value | Description |
|---|---|---|---|
| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. |
| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. |
| Windows Defender SmartScreen / Explorer | Configure App Install Control | Allow apps from Store only | App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. |
| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | Enabled | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. |
| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | Enabled | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. |
| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not already installed locally. If you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. |
| System / Internet Communication Management / Internet Communication settings | Turn off printing over HTTP | Enabled | This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. |
| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. |
| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. If you disable this policy setting, standby states (S1-S3) are not allowed. |
| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state. If you disable this policy setting, standby states (S1-S3) are not allowed. |
| Windows Components / BitLocker Drive Encryption / Operating System Drives | Configure minimum PIN length for startup | Enabled: 7 | This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. By default, the value is 6 digits. NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. |
| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. |
| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. |
| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. If you disable this policy setting, users will always be required to type a user name and password to elevate. |
| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. If you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting, employees can't use Password Manager to save their passwords locally. If you don't configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |
| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You can use this policy setting to override this behavior. If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. |
| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. |
| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting, the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. |
| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace |
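The two Device Installation Restrictions rows take precedence over every other installation policy, so a deny list that is wrong by one entry can lock users out of docking stations, smart card readers or storage on the whole ring. The PowerShell below is an added example (not from the Microsoft baseline page) that previews the impact of a proposed deny list on the machine it runs on, applying the matching rules the two rows describe: a device is caught if any of its hardware IDs or compatible IDs appears in the ID list, or if its setup class GUID appears in the class list. The deny lists in the script are constructed placeholders to be replaced with the values you intend to deploy; `Get-PnpDevice` and the `HardwareID`, `CompatibleID` and `ClassGuid` properties it exposes are the standard Windows 10 PnpDevice module.

```powershell
# Added example, not from the Microsoft baseline page. Previews which currently present devices would be
# blocked by a proposed "Prevent installation of devices" policy before it is rolled out to a ring.
# Both lists below are constructed placeholders; replace them with your planned deny entries.

$DenyDeviceIds = @(
    'USB\VID_XXXX&PID_XXXX'                       # placeholder hardware ID or compatible ID
)
$DenyDeviceClasses = @(
    '{00000000-0000-0000-0000-000000000000}'      # placeholder device setup class GUID
)

function Get-DeviceInstallRestrictionImpact {
    param(
        [string[]]$DeviceIds    = $DenyDeviceIds,
        [string[]]$SetupClasses = $DenyDeviceClasses
    )
    # Normalise so that '{GUID}' and 'GUID' compare equal and comparisons are case-insensitive.
    $classSet = @($SetupClasses | ForEach-Object { $_.Trim('{}').ToLowerInvariant() })
    $idSet    = @($DeviceIds    | ForEach-Object { $_.ToLowerInvariant() })

    foreach ($dev in Get-PnpDevice -PresentOnly) {
        # The policy matches on hardware IDs and compatible IDs; a device carries several of each.
        $ids = @( @($dev.HardwareID) + @($dev.CompatibleID) |
                  Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } )
        $classGuid = if ($dev.ClassGuid) { $dev.ClassGuid.Trim('{}').ToLowerInvariant() } else { '' }

        $idHits   = @($ids | Where-Object { $idSet -contains $_ })
        $classHit = $classSet -contains $classGuid
        if ($idHits.Count -eq 0 -and -not $classHit) { continue }

        $matchedBy = if ($classHit) { "setup class {$classGuid}" } else { "device ID $($idHits[0])" }
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            InstanceId   = $dev.InstanceId
            Class        = $dev.Class
            MatchedBy    = $matchedBy
        }
    }
}

$impact = @(Get-DeviceInstallRestrictionImpact)
if ($impact.Count -eq 0) {
    'No present device matches the proposed deny lists.'
}
else {
    "$($impact.Count) present device(s) would be blocked by the proposed policy:"
    $impact | Format-Table -AutoSize
}
```

Run it on a representative machine from each role before the policy reaches that role's ring; anything it lists is a device that users of that role will lose once the setting is enforced. A device that is not present at scan time (a USB drive that is only plugged in occasionally) will not appear, so pair the preview with the audit-first rollout the page recommends.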

IE Computer Policies

| Feature | Policy Setting | Policy Value | Description |
|---|---|---|---|
| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. |
| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. |
| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. |
| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. |
| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. |
| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. |
| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. |
| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. |
| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. |
| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. |

IE User Policies

| Feature | Policy Setting | Policy Value | Description |
|---|---|---|---|
| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest user names and passwords on forms. If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The AutoComplete feature for user names and passwords on forms is turned off. The user also cannot opt to be prompted to save passwords. |

Controls

The controls enforced in level 3 implement complex security configuration and controls. They are likely to have a higher impact to users or to applications, enforcing a level of security commensurate with the risks facing the most targeted organizations. Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and the rings methodology for those that do not.

| Feature Set | Feature | Description |
|---|---|---|
| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that uses exploits to spread to and infect other devices. It consists of several mitigations that can be applied at the individual app level. |
| Windows Defender Application Control (WDAC) or AppLocker | Configure devices to use application whitelisting using one of the following approaches: AaronLocker (admin writeable areas) when software distribution is not always centralized; Managed installer when all software is pushed through software distribution; or Explicit control when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model, where all applications are assumed trustworthy by default, to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in Constrained Language Mode. |
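The Audit/Enforce methodology the Controls section recommends is a concrete workflow for WDAC: build the policy in audit mode, deploy it to a ring, read what it would have blocked, and only remove the audit option once the log is clean. The PowerShell below is an added example and not the page's or Microsoft's code; it uses the ConfigCI cmdlets (`New-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`) that ship with Windows 10, and the CodeIntegrity operational events 3076 (would have been blocked, audit mode) and 3077 (blocked, enforced). The working directory, the single-policy deployment path under `System32\CodeIntegrity`, and the `FileNameBuffer` / `ProcessNameBuffer` event field names are assumptions from my own use of these events; confirm them on your build before relying on the summary.

```powershell
# Added example, not from the Microsoft baseline page. Audit-then-enforce workflow for a WDAC policy.
# Working paths are assumptions; the ConfigCI cmdlets require an elevated session on Windows 10.

$PolicyXml    = 'C:\WDAC\Level3-Audit.xml'                            # assumed working location
$PolicyBinary = 'C:\WDAC\SIPolicy.p7b'
$DeployedPath = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'       # single-policy deployment location

function New-AuditModePolicy {
    param([string]$XmlPath = $PolicyXml, [string]$BinaryPath = $PolicyBinary)
    New-Item -ItemType Directory -Path (Split-Path -Parent $XmlPath) -Force | Out-Null
    # Scan the reference machine: trust by publisher, fall back to a file hash for unsigned binaries.
    # This scan takes a while on a full system image.
    New-CIPolicy -FilePath $XmlPath -Level Publisher -Fallback Hash -UserPEs
    # Option 3 = Enabled:Audit Mode. Option 6 = Enabled:Unsigned System Integrity Policy,
    # required until the policy is signed; drop it once you sign the policy for the enforced ring.
    Set-RuleOption -FilePath $XmlPath -Option 3
    Set-RuleOption -FilePath $XmlPath -Option 6
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinaryPath | Out-Null
    return $BinaryPath
}

function Publish-Policy {
    param([string]$BinaryPath = $PolicyBinary)
    # Copying the binary to the CodeIntegrity folder activates it at the next reboot.
    Copy-Item -Path $BinaryPath -Destination $DeployedPath -Force
    'Policy staged; reboot to apply.'
}

function Get-WdacAuditSummary {
    param([int]$Days = 7)
    # 3076 = audit-mode "would have blocked"; 3077 = enforced block. Grouped per file so the noisiest
    # offenders (the apps that need a rule or a remediation) appear first.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Id = $_.Id; File = $data['FileNameBuffer']; Process = $data['ProcessNameBuffer'] }
        } |
        Group-Object Id, File | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'Event'; Expression = { $_.Group[0].Id } },
            @{ Name = 'File';  Expression = { $_.Group[0].File } }
}

function Set-EnforcedMode {
    param([string]$XmlPath = $PolicyXml, [string]$BinaryPath = $PolicyBinary)
    # Removing option 3 turns the same policy into an enforced one; nothing else changes.
    Set-RuleOption -FilePath $XmlPath -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinaryPath | Out-Null
    return $BinaryPath
}

# Typical sequence for one ring (run the steps over days, not in one sitting):
# New-AuditModePolicy | Publish-Policy          # step 1: audit on the first ring
# Get-WdacAuditSummary -Days 14                 # step 2: review, add rules or remediate apps, repeat
# Set-EnforcedMode | Publish-Policy             # step 3: enforce only when the summary is empty
```

The same review step exists for the AppLocker approaches: the `Microsoft-Windows-AppLocker/EXE and DLL` log records event 8003 for executables that would have been blocked while a rule collection is in audit mode, so `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 }` plays the role of `Get-WdacAuditSummary` there.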

Behaviors

The behaviors recommended in level 3 represent the most sophisticated security configuration. Removing admin rights can be difficult, but it is essential to achieve a level of security commensurate with the risks facing the most targeted organizations.

| Feature Set | Feature | Description |
|---|---|---|
| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. | Microsoft recommends removing admin rights role by role. Some roles are more challenging, including: developers, who often install rapidly iterating software which is difficult to package using current software distribution systems; scientists and doctors, who often must install and operate specialized hardware devices; and remote locations with slow web links, where administration is delegated. It is typically easier to address these roles later in the process. Microsoft recommends identifying the dependencies on admin rights and systematically addressing them: legitimate use of admin rights (crowdsourced admin), where a new process is needed to complete that workflow; and illegitimate use of admin rights (app compat dependency), where app remediation is the best path. The Desktop App Assure program can assist with these app issues. |
Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable
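Removing admin rights role by role needs two inventories: who is in the local Administrators group on each machine, and which of those accounts actually exercise administrative privileges (the dependencies the Behaviors section says to identify and address). The PowerShell below is an added example, not from the Microsoft baseline page. It uses `Get-LocalGroupMember` (Windows 10 LocalAccounts module) over PowerShell remoting for the membership list, and counts Security event 4672 (special privileges assigned to a new logon) per account for recent privilege use. The computer names and the approved-member list are constructed placeholders.

```powershell
# Added example, not from the Microsoft baseline page. Inventories local Administrators membership
# across a ring and counts recent privileged logons per account, so admin rights can be removed
# role by role with evidence. Computer names and the approved list are constructed placeholders;
# PowerShell remoting must be enabled on the targets and the caller needs admin rights on them.

$Computers       = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')        # constructed names
$ApprovedMembers = @('Administrator', 'DOMAIN-PLACEHOLDER\Workstation Admins')   # constructed

function Get-LocalAdminInventory {
    param([string[]]$ComputerName = $Computers, [string[]]$Approved = $ApprovedMembers)
    $scan = {
        param($approved)
        foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
            # Local principals come back as COMPUTER\name; compare those on the bare account name.
            $key = if ($m.PrincipalSource -eq 'Local') { $m.Name.Split('\')[-1] } else { $m.Name }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass        # User or Group
                Source   = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                Approved = ($approved -contains $key)
            }
        }
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ArgumentList (, $Approved) -ErrorAction Continue |
        Select-Object Computer, Member, Type, Source, Approved
}

function Get-AdminPrivilegeUse {
    param([string[]]$ComputerName = $Computers, [int]$Days = 30)
    $scan = {
        param($days)
        # 4672 is logged whenever a logon receives admin-level privileges. Counting it per account
        # separates users who depend on admin rights from users who merely hold them.
        $filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddDays(-$days) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [xml]$x = $_.ToXml()
                $user   = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
                $domain = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectDomainName').'#text'
                "$domain\$user"
            } |
            # Drop service accounts and computer accounts (names ending in $); they are not users to remove.
            Where-Object { $_ -notmatch '^(NT AUTHORITY|Window Manager|Font Driver Host)\\' -and $_ -notlike '*$' } |
            Group-Object |
            ForEach-Object { [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $_.Name; PrivilegedLogons = $_.Count } }
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ArgumentList $Days -ErrorAction Continue |
        Select-Object Computer, Account, PrivilegedLogons | Sort-Object PrivilegedLogons -Descending
}

$inventory = @(Get-LocalAdminInventory)
"Unapproved local Administrators members across $($Computers.Count) machine(s):"
$inventory | Where-Object { -not $_.Approved } | Format-Table -AutoSize
'Accounts that exercised admin privileges in the last 30 days:'
Get-AdminPrivilegeUse | Format-Table -AutoSize
```

Read the two reports together: a member that is unapproved but shows no privileged logons can be removed without a workflow change, whereas a member with frequent privileged logons is a dependency to classify as legitimate (new process needed) or an app-compat one (remediate the app) before removal, which is the distinction the Behaviors table draws. Note that 4672 on a domain-joined workstation is only as complete as the local Security log retention, so run the privilege-use report over a window longer than the log's rollover on busy machines.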