"Admin Approval Mode": could there be a way it turns on automatically?

Discussion in 'other security issues & news' started by Heng, Aug 16, 2019.

  1. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    I was working recently in IT support, and a problem appeared:

    Error 0x80070522;

    I couldn't create, save or load any document on the computer. It happened 5 ~ 6 hours ago.
    I searched and looked everywhere about the error and found, in the Local Security Policy, that this (User Account Control: Run all administrators in Admin Approval Mode) was enabled.

    Could it, in some way, turn on by itself or by some software?
     
  2. guest

    guest Guest

    Normally, it is enabled by default when you install Windows.

    And if you disabled it, indeed some software or tweaking batch files may re-enable it, but you would be aware of it.
     
  3. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    Oh, I got it.

    But, if some sort of software or batch file can re-enable some assets and functions of Windows, is there any program I can use to control this?
     
  4. guest

    guest Guest

    NoVirusThanks SystemHardener has options for it. But I suggest you read its thread here beforehand.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I want to make sure I understood what is being asked. Are we looking to disable Admin Approval Mode? If so the outcome will be this:
    Taken from here:
    https://docs.microsoft.com/en-us/wi...l-mode-for-the-built-in-administrator-account
    If this is the intention then fine. Just understand this will make the device considerably less secure.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I will also add that this article dates to 2017. Microsoft has removed the hidden full admin account in later Win 10 versions; at least on the Home versions, as I recollect.
     
  7. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    Sorry for the misunderstanding. English isn't my native language.
    I already solved the Admin Approval Mode issue. The question is:
    "If it can be turned on by any sort of batch file or software, how can I manage this and other Windows configs so they don't change that easily? And an easy way to know if it has changed."
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Nothing for you to be sorry for, I just want to make sure you are getting the correct answer.
    Are you asking if these settings are easily exploited and if so can you monitor for such changes? Anything that does run at admin level can change any setting. An easy way to know if it has changed? Not an easy way that I am aware of. You would probably just have to check it regularly if it is of concern. If someone has an easy way feel free to post it.
     
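One answer to the "easy way to know if it has changed" question in the post above: a small PowerShell check that compares the live UAC policy values (the "Run all administrators in Admin Approval Mode" policy is stored as the EnableLUA value under the Policies\System key) against an expected baseline and flags drift. This is an added example, not code from the thread or from any product mentioned in it; the baseline values and the log path are assumptions.

```powershell
# Added example: detect drift in the UAC / Admin Approval Mode policy values.
# Run it as a scheduled task or from a login script; no output rows means no change.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Baseline values are an ASSUMPTION for this example; capture them from a
# known-good machine in your own environment.
$Baseline = @{
    EnableLUA                  = 1   # "Run all administrators in Admin Approval Mode"
    FilterAdministratorToken   = 1   # Admin Approval Mode for the built-in Administrator
    ConsentPromptBehaviorAdmin = 5   # Prompt for consent for non-Windows binaries
    PromptOnSecureDesktop      = 1   # UAC prompt shown on the secure desktop
}

function Test-UacBaseline {
    param([string]$Key = $PolicyKey, [hashtable]$Expected = $Baseline)
    $live = Get-ItemProperty -Path $Key
    foreach ($name in $Expected.Keys) {
        $current = $live.$name                      # $null if the value is missing
        if ($current -ne $Expected[$name]) {
            $shown = if ($null -eq $current) { '<missing>' } else { $current }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Setting  = $name
                Expected = $Expected[$name]
                Current  = $shown
                Checked  = Get-Date -Format 's'
            }
        }
    }
}

$drift = @(Test-UacBaseline)
if ($drift.Count -eq 0) {
    Write-Output "UAC policy matches baseline on $env:COMPUTERNAME"
} else {
    $drift | Format-Table -AutoSize
    # Keep a record an admin can review later (path is an assumption), and exit
    # non-zero so a scheduled task or monitoring agent can flag the host.
    $drift | Export-Csv -Path "$env:ProgramData\uac-drift.csv" -Append -NoTypeInformation
    exit 1
}
```

A change to EnableLUA only takes effect after a reboot, so the check reports the configured value, not the mode the current session is running in.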
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You never mentioned what Win OS you are using. For the following comments, I assume you are using Win 7.

    You originally asked:
    Assuming an attacker was able to gain local admin privileges, he could just run the following commands in a batch script:
    Next you asked:
    Yes. Remove the hidden admin account in Win 7 as follows:
    My standard disclaimer. Do the above at your own risk.
     
  10. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    I use Win 10 Pro.
    Like xxJackxx said, I can check regularly; it's a simple response to this, but our IT team at my workplace is too small, and we have many other important things to do.
    For example, I run an installer of an antivirus/antimalware. To do what it does, it (necessarily) needs admin commands to control the data collected daily and do what it is made for.

    One thing I saw recently was the urgent update from Microsoft for the security breach for worm-type malware, which can infect CPUs on the LAN. And, if a simple batch file can undo Admin Approval Mode, it can do worse things, am I right?
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  12. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    But doesn't the GPO/GPMC make me more vulnerable to these changes? However, I'll have monitoring of the policies, and the power to control them, the same as the malware that invaded my domain, no?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Appears Microsoft only removed hidden admin account on the Home versions. The commands to enable it or delete it are the same ones for Win 7.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I've never tried auditing those changes so can't answer you from my experience. I don't think that setting those audits will make you more vulnerable but it can give you some information about when changes happened and who made them. It won't protect you though from malware that got your domain or computer credentials.
     
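The "when changes happened and who made them" information in the post above can be obtained on Windows by auditing the UAC policy key itself: with the Registry object-access audit subcategory enabled and a SACL on the key, every successful write is recorded in the Security log as Event ID 4657, including the account and process that made it. This is an added example, not from the thread; it must be run elevated, and the 7-day lookback is an assumption.

```powershell
# Added example: audit writes to the UAC policy key and query who changed EnableLUA.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Enable the "Registry" object-access audit subcategory for successful writes.
#    (Equivalent GPO: Advanced Audit Policy Configuration > Object Access > Audit Registry.)
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. Add a SACL entry to the key so that any successful SetValue is logged (4657).
$acl  = Get-Acl -Path $PolicyKey -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::SetValue,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $PolicyKey -AclObject $acl

# 3. Query the Security log for changes to EnableLUA (or any value under the key).
function Get-UacChangeEvents {
    param([int]$Days = 7, [string]$ValueName = 'EnableLUA')
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields from the event XML instead of parsing Message text.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -like '*Policies\System' -and $data.ObjectValueName -eq $ValueName) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process  = $data.ProcessName
                Value    = $data.ObjectValueName
                OldValue = $data.OldValue
                NewValue = $data.NewValue
            }
        }
    }
}

Get-UacChangeEvents | Format-Table -AutoSize
```

On a domain, forward the Security log (Windows Event Forwarding or your SIEM) so the record survives even if the machine itself is compromised.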
  15. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    But won't this affect a domain user? We use a domain "xxxxxxx.local" which has 2 admins (on each CPU), the personal one ('cause we need to have control of all the CPUs) and a super-admin (which connects to the TS and FS).
    (maybe I am talking poop, but I'm really curious)
     
  16. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    It's a good choice, I can't deny.
    Having a monitoring tool to know where, who, and when someone does something is very useful, but my fear is the vulnerability it can cause.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Well monitoring GPO changes is just one aspect of your overall security. Malware can do a lot of bad things without ever touching your GP settings. IDK how useful it could be to you.
     
  18. Heng

    Heng Registered Member

    Joined:
    Aug 16, 2019
    Posts:
    12
    Location:
    Brasil
    (Un)fortunately I know. But searching for a program which can control and detect this would be very helpful.
    Like an ERP or something like this which can manage these settings and have GP control; it would be great!
    If you think a little, every spot for malware can be a crucial point.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You will have to check the devices and see if a full admin account exists. If needed, then obviously they shouldn't be removed. You most definitely should be employing GPO password logon restrictions on those devices such as 3 logon attempts w/lockout thereafter.

    Again, anyone running with full administrator privileges can do anything unimpeded.
     
  20. guest

    guest Guest

    Read my post above, I gave you the only tool I'm aware of that lets you select Admin Approval options.
     