webdoctor - 12:50 pm on Oct 25, 2009 (gmt 0)

what about if they only had guest access ? couldnt they still do stuff with a USB drive or inserting a CD ?

If someone malicious has "unrestricted physical access" to your system then there's a very good chance they can gain complete control via booting from a USB drive or CD. Guest access or admin access - or indeed not having any valid logon credentials at all - won't make that much difference.

Im sure Microsoft would object to your theories.. That only very few should be running as Admin.

Microsoft have been (quietly) pointing out for years that day-to-day use of a system as Admin is a bad idea. In 2006 they published a white paper on how to secure your XP system by applying the principle of least privilege [microsoft.com]. In the Introduction to that guide they say:

A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message

Sounds pretty clear-cut to me - and it's the official MSFT line :-)