Reading Your Way Around UAC (3-Part Blog)

Discussion in 'other security issues & news' started by WildByDesign, May 26, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Reading Your Way Around UAC (3-Part Blog)
    By James Forshaw

    James Forshaw is Google's (and more specifically Project Zero / Chrome)'s sandboxing wizard. This is a pretty worthwhile read and a thorough trashing of UAC, for what it is.

    Reading Your Way Around UAC (Part 1)
    Link: https://tyranidslair.blogspot.ca/2017/05/reading-your-way-around-uac-part-1.html

    Reading Your Way Around UAC (Part 2)
    Link: https://tyranidslair.blogspot.ca/2017/05/reading-your-way-around-uac-part-2.html

    Reading Your Way Around UAC (Part 3)
    Link: https://tyranidslair.blogspot.ca/2017/05/reading-your-way-around-uac-part-3.html

     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    The design and goals behind UAC has been mentioned very early on by Mark Russinovich. Basically, UAC technologies exist to make Windows more standard-user friendly by balancing usability with security. UAC elevations are a convenience and not a security boundary.









    https://blogs.technet.microsoft.com...user-account-control-and-security-boundaries/
     
    Last edited: May 26, 2017
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    https://technet.microsoft.com/en-us/library/2007.06.uac.aspx
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Strong recommendations from James Forshaw for using Standard account instead of default split-token Admin accounts relying upon UAC but also suggesting to avoid over-the-shoulder elevation which was quite often my preferred method.


    Some key takeaways from the article after having read all 3 parts now:

     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I agree regarding the use of a separate standard user account.

    Unfortunately, there are bound to be forum members here who will get the wrong takeaway and use this as an excuse to talk thrash of UAC and disable it altogether. My 2 posts above was just to highlight the fact that the "broken by design" part was already acknowledged and explained in 2007 by Mark Russinovich. Microsoft is aware of the limitations yet they design it that way as a trade-off to balance between security and usability.
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    From "The Long-Term Impact of User Account Control"

     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The reason to disable it, is because it's annoying as hell, and with default setting quite easy to bypass. Nothing more and nothing less, I don't even know why he bothered to write such an article.
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Have you read the article? The purpose is to highlight the limitations of UAC and how standard user account mitigates against those limitations. Annoying or not is a different topic altogether...one that we have already discussed to death previously.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    No I haven't read it all, too complex and not interesting enough. The point that I'm trying to make is that everyone already knows that UAC won't always help to block malware when used in a "protected admin" account in medium mode, and that's how most people will use it. They won't bother to change settings. And the reason why people disable UAC is not because they think it's not secure, but because it's annoying.
     
  10. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    @Rasheed

    I think you've already made that point across plenty of times especially whenever UAC is mentioned in any thread. To use your own words, I don't even know why you bother repeating the same point when "everybody" knows UAC is annoying.

    If people choose to disable UAC because it's annoying, no one is saying they can't. The option to do so is available. I believe there are far better fruitful discussions that can be made for those who wish to understand what UAC is or isn't. Would you not at least agree with me on that?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's the thing, if I trash-talk UAC it's not because I think it's badly designed. I believe UAC is a perfectly fine system for what it's designed to do. Well, except for the fact that there is no white-listing. But I just think it's not needed. And it seems like once a month researchers come up with some UAC bypassing tool, and then people keep providing the same solution, it's old news and 90% of the world doesn't care about SUA. My advice to this researcher is to look for more interesting topics to investigate, but that's just me.
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    You are giving advice to a researcher on what topics he should be investigating when it's clear that vulnerability research is what he's interested in and doing for a living? Do you know how laughable that is? Seriously, why not you take your own advise and stop pulluting UAC threads when you have nothing useful to contribute. There are plenty of other topics you can "investigate".
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The thing is, we already know that UAC with default settings is insecure. So no, my advice is not laughable. What is laughable is that you were clearly worried about people taking the chance to trash-talk your precious UAC. So that's how I ended up in this thread. :D
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    I was half-expecting you were going to response in this thread. Yet, I gave the benefit of the doubt and thought "perhaps" just once you could bother to read before commenting nonsense. I guess the saying is true...you can only lead a horse to water but you can't make it drink. :p
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Nonsense? Even James Forshaw and Mark Russinovich have both acknowledged that UAC is "broken by design". :D
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Yet, Mark Russinivich explained why it is and James Forshaw recommended what the best practice is. As usual, you would dismiss that and put forth "nonsense" as the de-facto argument.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I didn't dismiss it, I said it's old news. :thumb:
     
  18. guest

    guest Guest

    Honestly, you shouldn't talk here unless to learn. You just sound like a Troll...

    You just forgot corporate environments where SUA is a "Must Do"
     
    Last edited by a moderator: May 28, 2017
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm the one who is acting like a troll? You know damn well we are talking about home user environments, in general we don't discuss corporate setups who use way more advanced tools than we do, and have to manage complex networks, you even said it yourself. :thumb:
     
  20. guest

    guest Guest

    I wanted to point that SUA is still useful for home users. and please make the effort to read the article, or if you don't, dont mention it lol, people won't take you seriously. ;)
    I know, i just mentioned it as example of the usefulness of SUA in general, if it was useless, they won't use it (sound logic to me)
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's useful, but in the real world not a lot of people are probably using it, that's what I mean with people don't care. It will be interesting to see if M$ will decide to make "UAC at Max" the default level. I wonder if it will become "the Win Vista fiasco" part 2. And BTW, I did read the end conclusion. :D
     
  22. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Ok, we got it. Let who is interested in UAC comment now. We understand your point.

    There are many other interesting points to discuss.

    Thanks!
     
  23. guest

    guest Guest

    it is why it must be promoted and even enforced.

    not default, the unique level :D
    Now they can , Win10 Home is "free" , and im sure they will do it , like enforcing EMET on the next build. Before people had to pay to use Vista so they had to "backtrack" , now they don't have to.

    :argh:
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Let's hope others have finally understood my point. :thumb: What other interesting points are there to discuss? What's your take on all of this, I mean about the article.
     
  25. guest

    guest Guest

    I always regretted that UAC was implemented the way it was...
    i rather prefer MS remove it, and enforce a true separated SUA as default account (like in Linux).
    But maybe i ask too much lol.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.