How reliable is windows 7 UAC?

Just like the question asks, how reliable is windows 7 uac against the malware field? Is it reliabke at detecting changes and then stoppung those changes from perhaps a file that was dropped through a exploit? Or is it bypassed galore?

 

Hi,

From my research, I have found that UAC is OK to use but should not be relied on as a security measure.

What exactly does UAC do?

• Prevents unauthorized changes to computer; changes require approval from the administrator
• Apps run as standard user and cannot make changes to the operating system, system files or system registry: \Program Files, \Program Files (x86), \Windows, and HKLM\Software
• Apps can change their own files and registry settings
• What requires UAC prompt...
• "People should not use an administrative account and expect UAC to protect them; it simply is unrealistic"
• "For best possible security though, use a standard account and never elevate when using it"

How is UAC bypassed?

• Defeating UAC with a two-stage malware attack and How to bypass Vista UAC in two easy steps
• Above protected by not elevating from sua or not elevating shortcuts in accounts
• Security design: Why UAC will not work
• Example of how malware could get admin rights without suspicious uac prompts (note this only works from protected admin not sua)
• Further info on the above example that suggests malware doesn't even need to use privilege escalation
• "...malware could snatch credentials entered in fake a UAC prompt, or read them from real a UAC prompt..."
• "...simple scenario of the attack is that a malicious program, running at Low IL, can wait for the user to open elevated command prompt..."

Hope that give some info but some of those links/info may be outdated now...

 

I consider UAC as additional and not main layer of protection.

 

UAC is only one of the OS defenses. On my Ultimate Windows7 it is an essential element, but is part of package. This package has not been bypassed by live / fresh malware samples since early 2010. Only once a sample was able to do some harm which was partly corrected by windows protected files. This resulted in being unable to install/update ANY program. The bypass was related to hole microsoft intensionally designed to bypass AppLocker.

 

I only use UAC as privilege limiter and elevation notifier. UAC's reliability highly depends on the user IMO. I'm not a click happy user so it plays a pretty big role in my setup (though I don't rely on it too much).

I still don't understand at why did Microsoft designed SRP and AppLocker with such design flaw. To me it feels like you're riding an armored tank in the middle of a battlefield with an opening hatch.

 

AppLocker, but they provided an optional fix after receiving complaints. Making things easier for scripts used by companies (large corporations ease of central management versus security). Same with UAC, Vista default is Windows 7 max (user complaints useability versus security)

 

An optional-underrated-barely-published-so-not-everyone-knows-about-it-unless-you-dig-info-about-it beta hotfix.

 

In addition to the links provided by sthmptn, you also have to be aware of these:

Why Windows 7's Default UAC Is Insecure
Windows 7 UAC whitelist: Code-injection Issue (and more)
Bypassing User Activation Controls

Recommended: Set UAC to the highest setting (Always Notify).
Better still: Run as LUA/SUA

To sum it up:

UAC is no security boundary. It just makes it easier for the masses to run with least privilege compared to XP and its predecessors. Default settings are just to quieten down the noise level by consumers. The logic is one of a compromise - both technically and marketing-wise. Slightly better security is better than nothing (users disabling UAC)

LUA is better (helps against the elevation issues linked by sthmptn as elevation occurs in a different user context). However, fact remains malware can run just fine with limited rights.

SRP/AppLocker can help against most malware nowadays (inc. LUA-compatible ones). That's why Kees/Windows_Security can get pass against all those malware samples. However, SRP/AppLocker come with stupid "by-design" holes (hotfix only for Win7 -thanks a lot MS ). They also do nothing against memory-only execution.

EMET should be your primary bet to counter exploits at it's early stages on Windows. To get the most out of it, 64-bit Windows recommended for better ASLR.

Here's a good guide by our member HungryMan (although I prefer to go with path rules for Applocker for convenience)
Windows Hardening Guide

 

How to check if I've already installed this Applocker hotfix?

 

Just found in installed Win updates

 

1. UAC
True, I have it on max with a deny elevate for unsigned software, also added NSA advices for group policy to deny installation of all sorts of unsigned binaries (drivers, activeX, powerscripts,etc). Simply because there are so many ways to get executable binaries on/in your system.

2. SRP/Applocker helps prevent, but LUA is better
I like the default level run as basic user, to stop all high risk file extensions from executing in user space. When you want to lock down your PC, Applocker offers more granular control (with SRP basic user, I still am able to right click install).

3. EMET
Closes down memory intrusion when with Vista or higher (ASLR in Win7 is better than Vista, Win8 beter than Win7) to a mimimum.

4. Malware in user land
That is why I locked (through GPO) user accessible autorun entries. Have added Outlook, Chromium policy templates to prevent user form changing important settings (installing add-ons).

UAC does not protect against side by side attacks, therefore it is important that all risky touch points/internat threatgates run with low integrity (e.g. Chrome sandbox, Chrome's extra control with PPAPI flash and own PDF reader). That is why I use a browser with low rights (and use Chrome's PPAPI flash with chromium). On top of that I have set a deny execute file access (ACL) on all download, media, e-mail (drive by folders) and deny autorun and execute access to USB drives (GPO)

5. Windows hardening
With GPO you should disable all remote services and dynamic desktop like functionality. I disabled 60 windows services (not for performance, but security attack surface reduction).


With this (safe_admin) mix, the 'admin door' is still available. When running LUA as safeguy says (with deny elevation for basic users), that door is not accessible anymore.

Regards Kees

 

Did you install it manually or through Windows update?

Too bad home users of Windows 8 can't make use of AppLocker. You can create rules but can't enforce it (just like 7 Pro), which is pointless. I prefer it over SRP actually.

Anyway, to derail it a bit further (lol), is using SRP/AppLocker still recommended? And does whitelisting mode and blacklisting mode make any differences in terms of all those bypasses?

 

Manually. I just wanted to check as I jump between snapshots of EazFix and could lose it.

 

I have it off. I prefer other 3rd party solutions that are less intrusive in their pop ups.

 

Could you specify how to do this?

 

This should give you a decent starting point. Just type "services.msc" into the start menu and it should pop up. This is all of the services running on your computer.

 

Yep, you nailed it. First disable as many options in Group Policy using NSA templates, next use black vipre's advice for ultimate/professional version of your OS (this one is for Windows 7). I used mix between safe and tweaked (mostly tweaked, rest on safe e.g. for Wireless and NAS-device).

 

Thanks, guys.

 

How reliable? Well there's no better alternative if you want anything like sudo on Windows. If you're looking at it from just a malware prevention perspective, you're far from seeing the whole picture.

 

I've just applied the same. The only difference is that I had to make "WLAN AutoConfig" to Automatic as my PC didn't connect to my WiFi Router if it were in Manual.

As I often jump between snapshots with my Eaz-Fix I have to find the way to quickly store and deploy the services settings back. The only solution that I found is the corresponding feature of "Advanced Uninstaller". It also can compare the existing service config with the one you want to load. What helped me to figure out the problem with the router.
Doesn't there exist native windows-7 mechanisms for that?

 

There is a better alternative. It's called Surun.

 

Can't anywhere find the templates. Can somebody give direct link?

 

How is it better (especially in terms of reliability) than something built-in with Windows? Is it even compatible with Windows 7 64-bit?

 

I consider it just more bloatware that needs to be ripped out of the OS

 

I can't claim it is more reliable than UAC, but I can't say that it is less reliable either. What I can say is that it hasn't failed me once over many years of use. The main advantage is that its useability is far superior to the never-ending prompting that is UAC. And, yes, it is compatible with Win7 x64.