There’s no real way to know how much legacy code is still in Windows but i get it is more than anyone wants to admit.  I see articles that claim windows has been rewritten but i have known for a long time that is not the case.  The latest major security problem in Windows affects everything from the upcoming server 2016(based on Windows 10) all the way back to 7.

I have also seen many folks touting that removing admin access from users is the best way to stop many vulnerabilities and that is true but there’s a huge downside that folks are NOT talking about.  Many programs simply are unable to install anything without admin rights.  This means you have to have a way to automatically install updates without the reduced rights user needing to bug admins.  It quickly get unworkable above 5 machines and many businesses less than 20 users simply cannot afford the highly expensive automated patch management systems that allow this kind of updating.

I can see folks saying, “Windows update has this capability”,  yes it does but that is not the biggest threat vector anymore.  It is the various third-party programs that many businesses have to use to do their operations are the ones that have the biggest issues with reduced rights users.  I do admit i am going to be pushing my clients to start removing admin rights form folks but i am going to have to find an inexpensive patch management system that is secure while being affordable…that is where the challenge lies today for the micro-sized businesses I typically work with.  This is my latest research project as security is always a moving target..:)