UAC - What is your preferred User Account Control setting(s)?

Discussion in 'polls' started by WildByDesign, Jan 4, 2015.

UAC - What is your preferred User Account Control setting(s)?

  1. Always notify me

    43 vote(s)
    40.6%
  2. Notify me only when apps try to make changes to my computer (default)

    23 vote(s)
    21.7%
  3. Notify me only when apps try to make changes to my computer (don't dim my desktop)

    4 vote(s)
    3.8%
  4. Never notify me

    35 vote(s)
    33.0%
  5. + modified additional UAC Group Policy Settings and/or Registry Key Settings*

    8 vote(s)
    7.5%
Multiple votes are allowed.
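The four slider options in this poll correspond to a handful of values under the UAC policy key, so the easiest way to see which option a machine is really on (or whether someone has modified it via Group Policy or the registry, poll option 5) is to read those values directly. The script below is an added example and not part of the thread; the key path and value names are the documented UAC policy values, and the fallback defaults are assumed for values that are absent from the key.

```powershell
# Added example, not code from the thread: report which of the poll's
# slider options the local UAC registry values correspond to.
function Get-UacSliderLevel {
    param(
        # Key the Control Panel slider and the UAC Group Policy settings write to.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $p = Get-ItemProperty -Path $Path
    # Values absent from the key are treated as the OS defaults shown here (assumption).
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $admin     = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $user      = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop)     { [int]$p.PromptOnSecureDesktop }     else { 1 }

    if ($enableLua -eq 0) {
        $level = 'Never notify me (EnableLUA=0: Admin Approval Mode is off, no prompts at all)'
    } elseif ($admin -eq 0) {
        $level = 'Never notify me (administrators elevate silently)'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        $level = 'Always notify me'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        $level = 'Notify me only when apps try to make changes to my computer (default)'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        $level = "Notify me only when apps try to make changes to my computer (don't dim my desktop)"
    } else {
        $level = 'Custom Group Policy / registry values (poll option 5)'
    }

    [pscustomobject]@{
        SliderLevel                = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        # 0 = standard users' elevation requests are denied outright,
        # 1 or 3 = they get the administrator credential prompt.
        ConsentPromptBehaviorUser  = $user
        PromptOnSecureDesktop      = $secure
    }
}

Get-UacSliderLevel | Format-List
```

ConsentPromptBehaviorUser is included because it decides whether a limited user sees the credential prompt discussed later in the thread or is simply refused.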
  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It notifies me when a program wants to elevate its privileges. I can then decide if I want to allow it or not.
    In theory: let's say a program gets exploited. An exploit needs administrator privileges to do whatever it wants. Denying the program's elevation could break the exploit and it might not work properly.
    That's one case scenario.
     
  2. 142395

    142395 Guest

    I don't know why you asked it again. UAC does not protect you from anything, but it encourages use of LUA, and consequently usage of LUA or admin in AAM restricts the extent of damage in case of intrusion. As Minimalist said, sometimes it may spoil the intrusion itself, but that is just an accompanying side effect.
    Once malware has got admin priv, it can do almost anything and theoretically it can circumvent any security software, but if malware only has limited user priv it can well be controlled by OTHER security measures.
     
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I agree. That's a good way of describing it.
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    UAC is a warning system, not a wall.
     
  5. russ0408

    russ0408 Registered Member

    Joined:
    May 16, 2010
    Posts:
    40
    Location:
    On. Canada
    The reason I disabled my UAC is because I'm running VoodooShield, and it recommends to disable the UAC.
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I've been investigating this statement from another thread and have been doing various privilege escalation tests on different versions of Windows.

    One is to copy a random executable to the root C: drive. In a default installation of all versions of Windows through Vista, limited users can copy files to C: but not to the Program Files or Windows folders. This is easily fixed, and after I correct the C: file permissions, in XP without UAC, access for a limited user is completely denied and copying to C: results in an error message. In newer versions of Windows, the limited user is given a UAC prompt and then a password prompt with the name of the Administrator account. If anything, this is an instance where UAC makes things a bit less secure and locked down. Without UAC, there is no possibility of putting any executable file where it doesn't belong without fully logging on as an administrator, while UAC gives limited users the possibility of doing so if they know or can guess the administrator password.
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @MisterB
    Copying a random EXE to C:\ won't necessarily get you increased privileges. I'm talking about shatter attacks and other exploits against system services and/or the kernel.

    e.g. a possible attack path on XP might be

    1. Internet Explorer memory exploit of some sort (there are lots of those in IE8 for XP). For e.g. Firefox a social engineering attack would probably be more reliable (but don't assume it's the only way).
    2. Service or kernel vulnerability to escalate privilege to SYSTEM. This would usually be done via a payload EXE somewhere in C:\Documents and Settings\<username>, but could also be done from within IE (or another process) depending on the vulnerability.
    3. Once SYSTEM privileges are achieved, the registry is modified to run a payload as system service. This could be the same EXE as in the user's folder - it might do different things when run with different arguments. Alternatively it could unpack the service into C:\Windows after the exploit is run.

    That said, yes, the UAC prompt sounds rather subject to social engineering hijinks.

    Edit: incidentally, today's updates to Metasploit brought in some "stageless" reverse TCP shells. If those are what they sound like, then the above is even easier, especially considering Metasploit is probably ages behind ITW exploit tools.
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @MisterB
    A demonstration of this on a fully updated Windows XP SP3 VM...

    comp-1.png

    Here you can see the payload running via an IE exploit.

    comp-2.png

    A failed privilege escalation attempt...

    comp-3.png

    And a successful one.

    comp-4.png

    A compromised session is now running as SYSTEM in the background, embedded in MS Notepad.

    comp-5.png

    Persistence has been established as SYSTEM user following a reboot.

    If you look at the clock in the upper right corner, you'll see that it took me less than half an hour, using a bunch of canned attacks from last year (and a pentesting tool that I barely know my way around). Any teenager with a bit of computer skills could do this.

    And yes - obviously having security software of some kind, using a better browser, etc. would make this more difficult. The point though is that the barrier between even limited user and SYSTEM on WinXP is blurry, and will get blurrier as the OS ages.
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Never notify
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Copying a random executable to C: is just a step in the exploit process. I was reading about the one you pointed out or a similar one and testing places on my system partition that an executable could be copied to as part of the exploit process. What I found is that, with my custom and fairly tight NTFS permissions and a fully patched XP SP3, user to system is not easy but administrator to system is. This is a fairly old installation I'm testing on and I experimented a bit with the file permissions and was trying to make them more liberal if anything. The User folders and Temp folder are strictly read/write, so any exploit payload dropped there would not be able to execute in a limited user account. My standard practice is to limit groups to Administrators, System and Users. All other groups are eliminated and file permissions are reset manually with these three groups from C: on down. The basic rule is that execute and read/write are mutually exclusive for limited users. Only administrators can put any new binaries on the C: drive in a place where they can execute.

    With this particular system, I was trying for more compatibility and less security, so I added Power Users to the allowed groups and made the limited user account a member of that group. I just read an article by Mark Russinovich about the weakness of this:

    http://blogs.technet.com/b/markrussinovich/archive/2006/05/01/the-power-in-power-users.aspx

    I fixed most of the issues he brought up intuitively by defining a set of permissions for Power Users that was identical to standard users. I was thinking right but didn't really know it at the time.

    The other thing I was trying was to limit Administrator privilege in the style of Mac OSX and I set up a new group called UberAdministrators that would have the full Windows administration privileges and Administrators would have much more limited privileges. That ended up being way too complicated and I never fully carried it out but I was amused to find the UberAdministrator group in my groups list.

    Back in the day, I would set the permission to full deny on IE. No longer. I trust myself not to use it and nobody else uses my old XP laptops.

    I'm finding that setting file permissions on certain folders is locked for administrators on the Windows 7 system I'm playing with, and I might try an escalation to system to see if I can fully reset them and eliminate some unwanted groups. With Windows 7, MS finally started to get it right with default base file permissions, but they also made it harder to change them. In XP, it is very simple and fast. One thing I've learned with NTFS 5 file permissions is to never assume anything and always test your settings. The C: root drive write permission is in an overlay of special permissions in the advanced tab that adds write and delete to the first set of read and execute. It is not at all obvious, and the way to fix it is to delete the special permissions so the base ones work.
     
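The rule MisterB describes (a limited user may write to a folder or execute from it, never both) and his advice to always test the resulting ACLs rather than assume them can be checked mechanically. The script below is an added example, not code from the thread: for each folder it folds the Allow and Deny ACEs that apply to the groups a limited user belongs to and flags any folder where both create-file and execute rights survive. The folder list and the principal list are assumptions you would adjust to your own layout.

```powershell
# Added example, not code from the thread: for each folder, work out whether the
# groups a limited user belongs to can both create files there and execute them,
# i.e. whether the "read/write and execute are mutually exclusive" rule holds.
function Test-WriteExecuteSeparation {
    param(
        # Assumed starting points: the C: root, the profile and the temp folders.
        [string[]]$Path = @('C:\', "$env:USERPROFILE", "$env:windir\Temp", "$env:TEMP"),
        # Assumed: the groups every limited user is a member of.
        [string[]]$Principal = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    )
    $FSR = [System.Security.AccessControl.FileSystemRights]
    $writeBits = [int]($FSR::CreateFiles -bor $FSR::AppendData)   # write data / create subfolders
    $execBits  = [int]($FSR::ExecuteFile)
    # Generic rights as they appear in ACEs that Get-Acl cannot map onto FileSystemRights.
    $GenericAll = 0x10000000; $GenericExec = 0x20000000; $GenericWrite = 0x40000000

    foreach ($dir in $Path) {
        $allow = 0; $deny = 0
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.IdentityReference.Value -notin $Principal) { continue }
            # Inherit-only ACEs (the "special permissions" overlay) say nothing about this folder itself.
            if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
            $bits = [int]$ace.FileSystemRights
            if ($bits -band ($GenericAll -bor $GenericWrite)) { $bits = $bits -bor $writeBits }
            if ($bits -band ($GenericAll -bor $GenericExec))  { $bits = $bits -bor $execBits }
            if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits } else { $deny = $deny -bor $bits }
        }
        $effective = $allow -band (-bnot $deny)      # an explicit Deny wins over any Allow
        $canWrite = ($effective -band $writeBits) -ne 0
        $canExec  = ($effective -band $execBits)  -ne 0
        [pscustomobject]@{
            Path       = $dir
            CanWrite   = $canWrite
            CanExecute = $canExec
            # Both at once means a limited user could drop a binary here and run it.
            Violation  = ($canWrite -and $canExec)
        }
    }
}

Test-WriteExecuteSeparation | Format-Table -AutoSize
```

The check only considers the groups listed in $Principal; a user who is also in Power Users or a custom group needs those names added to see the same result.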
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @MisterB: Oh okay, you're using ACLs to enforce a trusted path execution policy. Gotcha. In that case yeah, Metasploit application layer attacks would be largely ineffective against your setup.
     
  12. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Exactly. I've used XP this way for some time. I did an experiment today with setting Windows 7 permissions exactly the way I do in XP. It takes some ingenuity to alter Windows folder permissions in Windows 7. Everything else on the C: drive is accessible except the boot folder. It mostly worked but some things didn't work--some system services like event logging. Obviously, there need to be some special permissions set on some locations deep in the Windows folder. I could have pursued it further to get a more locked down Windows 7 system that still functioned, but I really didn't see any big advantage. I've already got Windows 7 pretty tightly locked down and it has more tools than XP to do it with, so I'm not so dependent on file permissions. That being said, setting them right can spare you a lot of grief.
     
  13. raemann

    raemann Registered Member

    Joined:
    Jul 6, 2015
    Posts:
    1
    Location:
    Evansville, Indiana
    We use HIPS from a well respected endpoint solution. UAC is the "poor man's" solution to risk. HIPS keeps even Domain Admins from "clicking through" to load things that are better left unloaded. Additionally, HIPS is updated at least 8 times a day with new threats. UAC is simply not viable for anyone that has administrative users on their enterprise computers.
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    That's what AD and system policies are for.
    Not sure what use HIPS has in the enterprise TBH. Admins should be testing new software out in controlled environments where no damage can be done, users should only be using tested and trusted applications.
     
  15. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    +1
     
  17. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    Never notify - I like the idea of UAC, but it kept prompting me for the same programs like Everything Search and there is no easy way to whitelist programs (I know there's a roundabout way to whitelist, but it's inconvenient). Also, I think UAC interrupted installations/updates of some programs for me, causing them to fail.

    Anyway, my firewall (ZoneAlarm) includes a behavior-based HIPS, which is enough for me.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    Never notify, as I simply hate it, duh!
     
  19. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    When it stops prompting me every time I run a trusted app I'll consider using it. Otherwise, it's useless except perhaps the user who only checks e-mail, browses the web and nothing else (why even run Windows at that point?). Security in Windows is an afterthought...too many things need to be run as Administrator to even work.
     
  20. Hadron

    Hadron Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2,137
    :thumb:
     
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    +1
     
  22. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I haven't been using Comodo D+ v5.10 on Win7 long enough to trust that verdict with my life just yet. And I have heard about newer versions even of D+ failing to notify users of certain installers even when on Paranoid. While I strongly suspect user error in those cases, as of now I use both.

    For some reason I thought the UAC options I had are different, on Win7 Ult. x86. I thought I recalled seeing an option to not notify you for actions you yourself choose. That's the one I selected. It's the next to highest setting anyway. I use that & D+ on Paranoid/Untrusted, with a custom policy for every app tailored to it. No cookie cutter rule sets.
     
  23. arminius

    arminius Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    4
    Location:
    United States
    Always notify me.
     