There’s no real way to know how much legacy code is still in Windows, but I bet it is more than anyone wants to admit. I see articles that claim Windows has been rewritten, but I have known for a long time that is not the case. The latest major security problem in Windows affects everything from the upcoming Server 2016 (based on Windows 10) all the way back to 7.
I have also seen many folks touting that removing admin access from users is the best way to stop many vulnerabilities, and that is true, but there’s a huge downside that folks are NOT talking about. Many programs simply are unable to install anything without admin rights. This means you have to have a way to automatically install updates without the reduced-rights user needing to bug admins. It quickly gets unworkable above 5 machines, and many businesses with fewer than 20 users simply cannot afford the highly expensive automated patch management systems that allow this kind of updating.
I can see folks saying, “Windows Update has this capability.” Yes, it does, but that is not the biggest threat vector anymore. It is the various third-party programs that many businesses have to use to do their operations that have the biggest issues with reduced-rights users. I do admit I am going to be pushing my clients to start removing admin rights from folks, but I am going to have to find an inexpensive patch management system that is secure while being affordable… that is where the challenge lies today for the micro-sized businesses I typically work with. This is my latest research project, as security is always a moving target. :)