4

A co-worker of mine insists that if a Windows PC is used exclusively by guest-accounts, then there is no need for anti-virus software to be installed. this strikes me as a bit optimistic. is this true?

Mokubai
  • 89,133
  • 25
  • 207
  • 233
Steve Goykovich
  • 141
  • 1
  • 4
  • why the downvote? not offended or anything, i just want to know for my future questions. –  Apr 23 '12 at 20:55
  • probably down voted since its not a server related question. – user33788 Apr 23 '12 at 21:14
  • 1
    You still need it. Imagine if MS introduced a bug in the network stack that allowed remote compromising the computer without logging on but just being on the LAN? If I'm not wrong, this has happened before. – hookenz Apr 23 '12 at 23:14

5 Answers5

7

No. While many infections come through the actions of privileged users, there are plenty of sources of potential infections (attack vectors) that eliminating privilege doesn't solve.

For instance, this RDP bug from last month is a remote execution nasty that could infect regardless of the user type: http://technet.microsoft.com/en-us/security/bulletin/ms12-020

This report from Microsoft lays out a lot of information about malware sources, and more for the past 10 years. http://www.microsoft.com/security/sir/story/default.aspx#!10year

uSlackr
  • 8,955
  • 31
  • 48
4

I would say it's optimistic.

A guest account is not the same as a sandboxed account. It still has access to the whole of the machine - admittedly with reduced access rights, but still access.

So while you are theoretically safe, I wouldn't count on it.

ChrisF
  • 41,278
  • 17
  • 101
  • 154
2

That's a bit of a doe eyed belief mostly because of the concept of a zero-day / unpatched threat. Privilege escalation attacks do exist and can be used to escalate an underprivileged account to admin rights. That's not common, and certainly you'll be protected against an edge case scenario, however the potential exists that even with a underprivileged account, there can be an exploit that exists.

It's all about defense in depth. If you have guest accounts, plus anti-virus, plus other checks and balances, you can be reasonable in thinking that a machine will not be compromised.

Now... if the user has physical access to the machine, all bets are off, but that's another topic altogether.

Wesley
  • 4,505
  • 2
  • 22
  • 43
0

Conficker brute forced admin accounts, often got in using the local Administrator account that was often unsecured on XP installs, and exploited vulnerabilies in the Server service. http://en.wikipedia.org/wiki/Conficker

Just posting this as a real life example of where this mode of thinking could be caught out.

Robin Gill
  • 151
  • 1
  • 1
  • 9
0

This is one of the myths we absolutely have to stop, as it does so much damage and is the cause of so many infected systems that it does nothing but create more work for those of us who get to clean up the mess.

The rule for Windows systems is really simple:

The use of a guest account reduces the risk but does not prevent it.

If the computer is freestanding and has absolutely no contact with any other system in any way whatsoever, including the inability to use removable media, then it would be safe to not have AV software. For any other situation AV software is an absolute requirement on a Windows PC or server.

It has been argued at times that if the machine is nuked and re-imaged after each use there is no requirement for AV software. That's wrong. The machine could be infected while it is in use and spread that infection to other systems. Nuking the machine afterwards in such a case makes no difference.

John Gardeniers
  • 407
  • 2
  • 6