Testing Windows 7 UAC

User Account Control (UAC) in Windows 7 purports to alert when there is an attempt to make changes to the system. Let's see what happens.

Not having Windows 7, I asked aigle to test.

The test uses a malicious RTF file which has an embedded executable (.scr) as a Package Object:

​

UAC displays this prompt:

​

As aigle notes, clicking "No" stops the exploit. This is the first time I've been able to observe UAC in action, and it would appear to be an effective deterrent to something wanting to make changes to the system.

From my perspective, however, it fails to meet my standard, that any unauthorized action from the outside should be Denied by Default, rather than prompting the user for a decision.

Compare Software Restriction Policies (screenshot courtesy of tlu):

Windows cannot open this program because it has been prevented by a Software Restriction Policy...​

And Anti-executable: (I tested on Win2K)

​

While most people on the forums would click "No" for the UAC Prompt, I'm thinking of the typical home situation where there might be confusion at seeing such a prompt.

The problem, it seems to me, is that UAC wants to do too many things, thus, the complaints about unnecessary prompts.

Whereas, a simple White List approach can Alert/Deny by default only when something not already installed attempts to intrude.

Microsoft has attempted to make UAC in Windows 7 less bothersome than in Vista, and this is admirable. However, it will always remain with me as a flawed design.

Thanks to aigle and tlu for taking time to test and make screenshots!

----
rich

 

Good post and interesting testing. UAC can stop certain attacks, and help security in so doing. The problem will always be that a lot of people consider it annoying.

I agree that default-deny is far superior to asking the user. Asking the user a question nearly always leads to the user giving the wrong answer. (About 99 % of world's computer users don't know anything about computer security, so yeah, "nearly always." The 1 % of people who do know are a small minority. And yes, I did just make these numbers up in my head, but they're not too far from the truth. )

I prefer how SRP works, although when trying to protect against a novice user who for some reason has been given the admin password, it's not that great either:

Any operating system would be plagued by malware if it had the same userbase that Windows has. If somebody could erase Windows from history and replace it with, say, Linux or Mac OS X, but the users and their thought patterns (or lack thereof) stayed the same, then all we would be hearing would be endless complaints about how Linux or OS X is just so insecure and crappy.

 

I don't know about that. For one, Linux distros (as well as BSD and Solaris) have package managers. This mitigates a lot of risk from the user surfing the web randomly looking for stuff to install (as is the case with Windows).

Number two, Linux puts the user on a limited account by default, and this account is basically as you describe as automatically blacklisting everything. It essentially forbids the user from writing to any directory/file outside of /home by default. This, of course, means that no malicious program the user downloads will be able to leave or write to anything outside of /home. Now, it's true a malicious script could do some damage to /home if the user was dumb enough to go and make it executable (chmod a+x) and then run it. As you say, there is no defense against stupidity. However, as Unix/Linux has proven over the years, viruses are nearly impossible to spread, so any future damage done by malware will have to be socially engineered and isolated.

Number three, it isn't true that Linux has a weak market share. The Unix/Linux market share on servers is more than 50% and has been at least that for many years. Servers are higher value targets than Joe Sixpack's home machine. If viruses and the like were so easy to spread, then why haven't we seen them on *nix servers?

Number four: There are various MAC/RBAC implementations that can be used on Linux (and BSD/Solaris). SELinux and TOMOYO are both part of the Linux kernel itself, and AppArmor and Grsecurity can be added as patches. Many distros are now coming with these enabled by default with policies that lock down all network facing daemons. Fedora, for instance, has SELinux enabled with the targeted profile and Ubuntu has AppArmor out of the box (though with only a CUPS profile but they will probably add more later). The guy who created AppArmor was hired by M$ a couple years ago.

So, bottom line: Desktop *nixes are fairly darn safe, even by default. They can be easily made much more safe with MAC/RBAC policies and with things like ASLR, ESP, SSP, and other memory hardening features. The main security issues are almost always with servers and when they are compromised it's almost always by direct attacks. For instance, someone brute forces SSH, or the admin is dumb and is running a 4 year old kernel or an outdated Apache (yeah that kind of thing really happens).

 

@chronomatic: Good post, couldn't agree more.

 

Chronomatic, you raise good points - and I certainly don't mean to say that there is no difference out-of-the-box between Unix-based systems and Windows NT. I would be willing to bet my posterior, though, that even with the more secure defaults of Unix style operating systems the malware plague would be very great in a scenario where everyone runs not-Windows. Human stupidity is one of the greatest forces in the universe, I'm afraid. I will look at some of the points you raise as examples:

1) Package managers? If they don't have some fancy software or codec that this nice-looking site says is a must have, then the user will just not use the package manager and will download from a third party, anyway. A package manager might decrease the amount of infections a little, but I do not believe it would make a huge difference.

2) Limited user by default? Oh well, as long as a root account exists, the expert newbie will use that. And if you prevent them from using that, then they'll just sudo everything, always. Vista's UAC is a really fine example of this. "Security features" annoy people, and they turn them off, or complain loudly if they can't figure out how.

3) Server market share is irrelevant. Servers as a rule are operated by people that know at least something about what they are doing. They aren't the average home user. And really, considering that few servers are used to do browsing or normal workstation computing, how is a virus going to get in, without exploiting a vulnerability in the server software or the server admin screwing up something bad? Now, if the server admin used the server to read his email and open every attachment, executing everything from emails as well as random porn sites, then yeah, we might see actual virus infections on servers, in addition to other malware.

There is, of course, some proof that my "theory" is at least somewhat correct. We all know there are some clueless Unix admins that have their servers regularly owned by even trivially simple attacks. Operative word here is clueless. In Unix world the clueless are the minority, in the Windows world the clueless are the majority. If Windows were to be automagically replaced with Unix, then the clueless would be running Unix, and Unix would get owned a million times a day due to user incompetence, no matter how brilliant the security was out of the box.

The only solution I can see is educating the users, which is of course just about impossible to actually do. But if that somehow succeeded, then sure, people would be very safe running Unix. On the other hand, then they would also have the knowledge to run safe in Windows, just as well, so...

Windows has always had trouble with insecure default settings, and this is where Unix-based systems have had far less trouble. But the largest trouble still comes from outside the computer and inside the skull of a human. The best security system can be made ineffective by an incompetent user who has the root password.

I largely see computer security for the average user a hopeless battle - because there just aren't enough people around to hands-on educate the average users, and no security system on any OS strong enough to defend against user ignorance. This may sound very pessimistic, but really, is there any proof at all that suggests I'm wrong?

That said, I'm sure we can all agree that MS should work on much more secure defaults. How about LUA as default, for starters.

 

Windows has its own "secure repositories" as well: download sites like Download.com, Softpedia etc. The problem is that people don't use them, perhaps because they don't host cracks, keygens, porn, or some such.

Please read Windchild's post. His/her point was more about inexperienced users disabling Windows UAC on purpose. As long as they know the admin password, no amount of technological sophistry is going to protect users from their own stupidity.

Viruses and the like were so easy to spread because users are stupid. You'd be surprised at how conditions have to be met beforehand these days for the average malware to successfully install and trigger itself. I think it's safe to make the assumption that server admins are generally smart and are unlikely to fall for the tricks that home users would.

Nobody is saying they aren't. But the truth is, so is Windows. Unfortunately, when you introduce the user variable into the equation, a lot of whatever theoretical super-strength that any software has on paper often goes right out of the window.

 

If *nix had the games, I wonder how many would port over to it. If *nix had the software, the actual software, like Excel, which peeps know how to use, how many would port over? If *nix had a much larger market share of the software that peeps use on windows, I wonder how many would port over?

If there were no internet, no outside force to worry about, and things stand as they currently are, how many would port over to *nix. If you could play a game on windows, do work (spreadsheet, database, graphic, audio, etc) on windows, be entertained on windows, how many would need to port over to *nix? How many would want to?

I wish, upon wish, upon wish, that everyone I know would port over to *nix. It would, could, should force them to not be just another button clicker. It wish the peeps at work would learn more, so we could port to *nix. I would love to use *nix daily for everything. But, there is no return in my investment ATM because of whom I support. Maybe that will change one day.

I agree with Rmus, UAC being what it is, will only help those in the know, and as I already see, simply confuses those that don't know. Who can blame them though? I want to know as much about lung infections as my doctor does about security exploits lol.

Sul.

 

Yes, this is exactly what I was aiming to say. Out of the box, most Linux distros undeniably have far, far safer default settings than, say, Windows XP did. That is all well and good, and something worth aiming for - and Microsoft should certainly, in my opinion, continue to tighten up the defaults as they have slowly done over the years since NT was first published. They should do it faster and more brutally, too, again in my opinion, going right for making limited accounts the default in the next Windows version after 7, or even in 7 SP 1 or something. But no matter what Microsoft, or any software vendor, does to the default settings of the OS, the problem with "insecure users" will remain. Code is easy, people difficult. That's why I think switching Windows dominance to Unix dominance in the home user OS market would not make the malware plague we're experiencing go away.

 

I can't say I disagree. However, most people who switch from Windows to Linux usually end up in the support forums about some small issue ("I downloaded the Nvidia drivers from the Nvidia website and I don't know how to install a tar.gz. How do I get my Nvidia drivers installed?") and people are always quick to tell them "always download them from the repositories and not from the nvidia website!" A lot of noobs don't understand the concept of a single central repository, but they are quickly taught. Sure, the nvidia website is probably safe, but packages in the distro repos are GPG signed and automatically verified upon download. Not only that but the repos make life much simpler (sudo apt-get install nvidia-drivers and you're done, thus no need for compiling code). Secondly, it's more secure to get everything from one place. Thirdly, the repos also have the advantage of updating one's entire system at the click of the mouse, not just the core OS. It would be akin to Windows updates including Firefox, Winamp, IRC clients, etc.).

I know that I always drill this into the noobs' heads as often as I can. Perhaps it wont stop them all from being stupid, but I think it does have some impact.

Well, Linux has a head start on Windows. One of the big problems with LUA on XP and UAC on Vista is that the third-party developers are still stuck in 1995 and code their apps to need unnecessary admin privileges. Linux devs don't do this and thus there are very few bothersome root prompts. I can't recall the last time I was prompted for admin privileges when I was running an app that was not some sort of obvious administration app. Furthermore, most apps that need admin privileges in Linux automatically set the SUID bit on the file's permissions. This means an unprivileged user can run a privileged app without being prompted for root passwords. This helps a lot because it doesn't constantly annoy new users. However, SUID apps can be security risks, but I see them as a necessary evil. It's especially important to be sure no SUID apps are network facing, or if they are, that they are firewalled.

Most server installs on *nix are headless and have no X server running (no GUI). To my knowledge this is not possible on Windows (correct me if I am wrong) which kind of sucks because it encourages inexperienced admins to use the machine for surfing, etc.

I'm not in total disagreement, but I might differ as to the degree of pwned the *nix world would be if it had 90% share on desktops.

I ran across a guy the other day in a Fedora forum that was having AVC denials from SELinux (SELinux will throw warnings and log strange behavior that is not a part of its policy). I looked at the log and it was npviewer.bin (part of Firefox) that was wanting access to /root. I told him how to allow it to do what SELinux was preventing it from doing. I then asked him if he was running as root and he said "yeah, so?" I just let him be and didn't even try to lecture the idiot. SELinux was doing its job, but to him it was an annoyance. (It should be pointed out here that the Fedora devs write the policy for SELinux so that it will not throw denials at every little thing. In other words it's not nearly as annoying as UAC. I can go weeks without seeing a single denial because I don't try and do stupid stuff).

No, there's not. I suppose until the user has his credit card number stolen and a bunch of stuff bought from E-Bay and shipped to Russia will he take security seriously.

I like to bash M$, but they are only partly to blame. Other non-M$ developers need to stop giving unnecessary admin privileges to their apps that don't have any business needing them. And MS should make a LUA the default, I agree.


Now, in response to Eice:

I don't equate those sites to a central Linux distro repository with a GUI where one can point and click and install about 30,000 cryptographically signed packages. Or, if you use the command line, you can type one command and install a package. The Linux repos make it much easier and safer, imo.

Perhaps most viruses. But there's a lot of Windows malware out there that doesn't necessarily require any user interaction (other than, say, clicking on a link). As a Linux user, it would be next to impossible to affect my machine with such a tactic, even if there was a vulnerability in Firefox. Why? Limited accounts (and also the fact I have FF locked down with AppArmor so even if the virus had root, it couldn't do anything). Granted, Windows also has LUA, but most people don't use them and that's a problem.

As I said above, I can't disagree that users are a problem. I just think they have to work harder at destroying their *nix machine than they would on a default Windows install.

 

All of the MS vs Unix stuff is interesting but irrelevant to whether or not UAC is effective in stopping malware. The impetus for checking this out came from Vista days when UAC emerged, and many were talking about UAC as a malware stopper in drive-by (remote code execution) attacks.

However, if you followed the Microsoft blogs during the development stages of Win 7, you would have seen this:

http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx

However, I've been rather impressed with UAC in a couple of other tests in addition to this one: it alerts when malware attempts to write to disk or make other changes. Not having Win 7, I cannot test further myself.

But in any case: UAC is not the stopper: the user is the stopper by means of making a decision -- the correct one. For the general population, prompt for decision is not acceptable, in my view, for the remote code execution exploit. I had the same complaint about ProcessGuard:

​

Hence, my conclusion that a Default-Deny solution is requisite for the most secure protection in these types of exploits.

----
rich

 

Hi Rmus,

But wouldn't a default deny without asking cripple a lot of things? Consider the user trying to install something legit but having it fail without knowing why. That would be as annoying as the popup asking the questions I think. Maybe safer, but still somewhat defeating nevertheless.

 

Hi Kerodo,

If the program is legitimate -- the user is installing from a trusted source -- the user disables the protection and there is no alert.

Upon installation, the protection is re-enabled.

I have not had a problem with people using such a set up

----
rich

 

I hope you will agree that solving problems at large begins with addressing those locally.

Or: "Just because someone else's shoes are too tight, why should my feet hurt?"

For every average user that those with knowledge can reach -- giving them shoes that are not too tight -- that is one less person in the problem at large.

It's not difficult to find a family member, friend, who will listen.

Bill Castner, who helps at DSLR forums, includes in his posts,

"Users helping users."

----
rich

 

That might be fine for you or I, but I think for the average user, that'd be far too much trouble.... But in principle, that's fine.

 

It was actually the average user I had in mind years ago. In family situations especially, where all share one computer. Setting up individual accounts was not always practical, and sometimes caused problems.

With a program like ProcessGuard, Anti-executable, and others, parents could control what gets installed, and also prevent remote code execution attacks. I chose AE because it was the only simple, Default-Deny program at the time.

Password protected, only the parents or principle user can install anything. Parents check/appove games, for instance, disable AE, install the game, re-enable AE and the game is put on the White List.

It's very quick and easy.

I'm not convinced that with such a set up, UAC is necessary.

----
rich

 

It's a tough situation. I agree that giving the user the choice with prompts is a recipe for disaster most of the time.. I'm not sure what the answer is really, except that the more educated the user is, the better off they are.

 

Now, if somehow they can just get educated...!

----
rich

 

Stealth malware installs are one of those things that have more or less become a legend. Assuming you're not running horribly out-of-date software, they're a thing of the past as well. But I guess it's still an easy - if inaccurate - way to bash Windows...

Not really. Download malware. Elevate privileges. Bam. Pretty much the same procedure as Windows.

 

hey chronomatic,
I agree on pretty much all of your points.
btw windows server 2008 can run semi headless. it has the standard windows login screen but when you login all you have is what looks like a cmd prompt.
it also has limited server roles.
windows server 2008 R2 is meant to be able to run completely without a GUI.
I haven't tested it thou.

until Vista running as a standard user is a pain in the ass. having to switch account to do any admin task is a nightmare imo...
I can run standard user account pretty much all the time with a few exceptions, opera 9 upgrade(if i install on limited user account it tries to install the application for admin and not limited user so i have to change my account to admin install upgrade then change account back...) hopefully fixed with 10 final. stardock applications only install on admin accounts and not limited user with UAC.

I would like the point out that stealth malware can still happern on windows xp since most users run admin accounts and still use IE6.
im not sure about the comparison to download.com and Linux repos.

lets hope average users dont find out about Nautilus run as admin right click menu in the repos.

If we compare windows to OSX both running standard user accounts which do you think is safer?
windows has UAC and OSX uses Sudo. a user could download a file on eiether and give the file there password = game over.
I was quite shocked to find out the user account that was default on max was admin. i dont know how much rights it has but i got my friend to change the account to standard user and have just one admin account with a strong password. he hasn't had any issues with that.

the main point is that no matter how secure a system is if a stupid user is given the root password its game-over.

the problem with default deny is surely sometimes it will block the wrong thing and stop a legit a program or legit plug-in working?
People don't know how many risks there is to having a computer on the Internet. As soon as they use the computer they leave their brains behind.

 

Sure, I agree. I can see helping a single organization or a small number of those, and a small number of home users. You could consider it winning some battles - small ones - in the overall war for a more secure world of computing. The small battles go towards the goal of winning the whole war, of course, but I don't think it really can be won, as, like I said, there are too few people around to educate people, and a vast number of uneducated people will always, it seems, remain to be exploited. But then again, just because something probably can't be done does not mean we should not try, if it's for a good cause. And certainly helping a few guys is better than not helping anyone at all. In that sense, perhaps my ranting about "insecure users" is somewhat pointless, and more a sign of personal frustration than anything else. It is rather frustrating, in all honesty, to have set up one user for decent security and ease of use, only to be flooded by twenty other guys being owned in every way imaginable.

The most reasonable thing to do, I guess, is simply work towards relatively simple and quick solutions that can be used to protect the so called average user, and as large a number of those users as is possible. I prefer to set up LUAs with very tight whitelist SRPs. Because, as you've said, I do believe default-deny is the superior mode, as compared to asking the user who doesn't necessarily now anywhere near enough to make a reasonable judgment of whether to allow or disallow. Some raise the issue that this approach would limit the user too much, but that really depends on the user.

For example, I have set up a tight whitelist SRP & LUA for one person who uses his computer for little more than browsing the web and email, MS Office, listening to music and watching DVDs, and sometimes playing a game of chess against the computer. This is a man who does stock trading as a "hobby" in his retirement, and is thoughtful enough to be afraid that someone or something might attack his system and do all kinds of nasty things. After I went through setting up LUA and SRP for him and gave him a quick crash course in what not to do, and he got back to using his system as usual, he just said that he couldn't even notice I did anything to the computer, except that it's faster now. It didn't really limit anything that he does, at all - and this was the kind of default deny policy that we like. His security improved by about a zillion times, and if he ever gets infected with anything again I'll eat my hat.

The more challenging cases are those people who do lots of stuff that actually requires admin rights, like installing a load of software for the whole system. These are usually the ones that don't like to be slowed down the tiniest bit by password prompts and such. Sometimes they can take a lot of convincing, and sometimes nothing helps. And these are exactly the people that either answer yes everytime UAC would ask something, or just disable the whole thing.

Kerodo raised the point that having a legit software install blocked by SRP would be annoying. To some, it really is extremely annoying. SRP does tells you when it's blocked something, and also what did the blocking (it says software restriction policy in that pop-up SRP produces when blocking something the user tried to initiate). People just need to realize that security and ease-of-use go different ways: for increased security, you have to give up something in the ease-of-use category. It is always a tradeoff. As an example, if you run an AV, you're giving up some memory and CPU speed as well as system stability. If you run LUA, you're giving up the convenience of just doubleclicking and installing without a password prompt. Our job, if we consider ourselves security enthusiasts, is to convince people that trading some ease-of-use for better security is more than worth it. Because it is.

In my experience, people who switch to Linux are more educated than average when it comes to computing. Many are Linux newbs, but somewhat experts or at least intermediates in Windows. That is to say, they are already smarter than the average Windows user, and at least know when to ask someone for help. They aren't really the average Joe that doesn't even know Linux exists. If the vast mass of Joe Users tried to switch to Linux, the mess would be a big one. They would get annoyed and give up very quickly. Some of them might ask a couple of questions on a forum, even a huge flood of questions, but when they still couldn't get it right, they'd just quit, go back to Windows, or start doing things on Linux the newb way, equaling disaster.

What you said about developers is of course painfully true - many Windows devs still act as if we were stuck in Windows 9x. Or in other words, it's not only that the average Linux user is smarter than the average Windows user - it's also that the average Linux developer is smarter than the average Windows developer. If we made those Linux guys run Windows, they would do a lot better job at it than the average Windows user. And this is coming from someone who does run Linux on some systems.

Oh, I certainly agree with you that the more secure defaults in *nix would help, and less systems would be pwned and less deeply than they are now in Win. I just think the difference wouldn't be so vast that it would mean putting any kind of end to the malware plague. Because, as said, those pesky users can unravel even the mightiest security system by the power of ignorance. You gave a great example of that yourself:

More secure software with more secure defaults is a goal worth aggressively pursuing. But while we're doing that, we should also remember that the real problem is the uneducated userbase, and they will bypass any security system possible, unless they are somehow educated.


Sorry for the long post guys, and the somewhat OT Windows vs Unix thread hijack.

 

Windows 7 UAC is less secure than Vista UAC:
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

Mark Russinovich:
Inside Windows 7 User Account Control

 

I agree, but in these cases SuRun is a an excellent solution. It also works very well under Vista. I recommend to disable UAC and use a limited account with SuRun instead.

 

This will only be my personally opinion, but I believe that not everyone is like that. I mean, some people do think: What is this? I didn't start it! So, I'll cancel it.

I believe, sometimes, people tend to compare UAC to HIPS.

A HIPS, by it's very nature, will prompt the user for pretty much every action, unless we're talking about a HIPS with a tremendous whitelisting and is set to automatically create rules for those applications.

UAC, will only prompt the user, if the user started something, and that something is requiring high privileges. Of course, running pirated software, etc., will defeat the purpose of UAC. But, it will also completely bypass the purpose of SRP.

The problems are not UAC nor SRP. The problems are the users. I agree that some consider this very annoying because they want to run XYZ application or game, that they just downloaded from the Internet, and happen to be pirated versions. So, this means they will run them, no matter what security measure has been implemented in their systems. They're doomed. Their problem. Their conscience.

Now, there's also a great % of people who are aware that there's a real danger in pirated software, etc. If they don't download this sort of contents, and they only install software from trustworthy sources, and if out of nowhere they see some UAC alert asking them if they want to proceed or cancel, well, they will cancel, if they know UAC will only prompt them when they start something.

The problem is that pretty much everywhere in the Internet, these users, are advised to disable UAC, because these "technical" folks think its annoying. Well, the annoyances are them, and not UAC. They're the ones who should be disabled.

Of course, Microsoft also failed here. Why didn't Microsoft set Windows Vista, and now 7, installations, so that when it leads to the Desktop, upon installation it gives users tips on what UAC is and how it behaves?

The problem is, most don't know what UAC is and how it works. This is the real problem.

Now, about the Windows vs the rest, well, if Windows didn't exist, computer world wouldn't be today what it is. No matter on how much one may hate Microsoft...

The same way Linux wouldn't be what it became, without Minex. Mac OS without BSD. Well...

 

Not really. *nix malware - where from? It's hard to find them. And why should I download them in the first place considering that the repositories normally offer various alternative packages for every purpose? Yes, it's possible to infect *nix (there is no medicine against stupidity) but chronomatic is right in saying that it's much, much harder compared to Windows. - But I suggest to stop this discussion here - Rmus is right that this has nothing to do with UAC.

 

That depends entirely on how the whitelist has been configured, and how you install software. Let's assume the usual SRP default deny policy, where everything in the Windows or Program Files directories is allowed to execute, and absolutely everything else is not allowed. This type of policy will never stop a legit program or plugin, as long as you install your legit software into whitelisted directories. Which is of course where you are supposed to install them - the general idea in NT is that programs meant to be used by all users go to Program Files, and their settings go to the users' profile folders.

But let's assume a case where SRP stops something legit. When that happens, SRP gives you a warning message pop-up and/or logs the event in the software event log where you can find the details of what was blocked, why, and when. Then you just adjust rules accordingly, or install the software into a better place. This of course isn't what novice users would consider easy, but then, SRP wasn't designed for novice users, as has been stated. For novice users to be able to use SRP, either 1) you have to teach them how and set it up for them or 2) they have to make the effort to read and learn, which most are highly unwilling to do.