Require trusted path for credential entry

Discussion in 'other software & services' started by wat0114, Oct 18, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Something interesting I just discovered in Win7 Ultimate Group Policy Editor: Computer Configuration-> Administrative Templates-> Windows Components-> Credential User Interface:

    • Require trusted path for credential entry

    It looks to add more security, although at the cost of convenience, when using the "Run as administrator" context menu option. The first two prompts shown in the screenshots have to be answered before the secured login prompt appears.

    I'm guessing MrBrian might approve of this ;)
     

    Last edited by a moderator: Oct 18, 2011
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for posting about this wat0114 :). I have tried something similar before - see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx#BKMK_AdminPromptBehavior. Perhaps this setting covers more than UAC though?

    Unfortunately, the extra steps need to be performed even when in a protected admin account. Another thing to remember is that malware needn't tell you to press Ctrl+Alt+Del (the aspect that ensures you're really on the secure desktop) first if it's presenting a fake credentials screen.
     
  3. wat0114

    wat0114 Guest

    You're welcome MrBrian. I'm not sure how it works, except that according to the explanation, it prevents stealing of credentials by a malicious process, so it must add some additional security, I guess. If malware presents a fake credentials screen, then it stands to reason it would then have to present the additional prompts this gpedit setting produces, if it's going to trick a user.

    BTW, thanks for that MS link. It's been a while since I've ventured in that part of the policy editor. My UAC settings are shown below. Maybe the setting "Detect application installations and prompt for elevation" should be disabled to accomplish a bit better security level without imposing any inconvenience?
     

  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://en.wikipedia.org/wiki/Control-Alt-Delete:
    That's the reason for the added security. However, malware needn't remind you to press Ctrl+Alt+Delete.

    The other setting that you mentioned is for your own convenience.
     
  5. wat0114

    wat0114 Guest

    Okay, thanks. So you mean to say that even with those two additional prompts, malware could still generate a fake secured desktop UAC prompt and steal the user's credentials? I realize the system could be infected already, if that's what you're inferring by saying malware needn't remind you to press Ctrl+Alt+Del.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, because if you don't press Ctrl+Alt+Delete first then you might be typing credentials into a fake screen.
     
  7. wat0114

    wat0114 Guest

    So then this setting should at least prevent stolen credentials even if the system is already infected? That's how I perceive it, anyway.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No, once infected the malware could possibly still intercept the CTRL ALT DELETE. This is assuming you're on a clean machine, I'd think.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Or not. haha
     
  11. wat0114

    wat0114 Guest

    Okay, I think I understand it now. Kind of slow tonight :doubt: Thanks again!
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  13. wat0114

    wat0114 Guest

    Right, I remember that thread :)
     
  14. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I have always been using this for more than a year :)
    I think it's enabled if you use MSCM's baseline security templates.
     
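An added example, not part of any post in this thread: a read-only PowerShell check of the Credential UI and UAC policy settings discussed above. The registry paths and value names are the ones these Group Policy settings are stored under; the output wording is this example's own.

```powershell
# Added example: read-only audit of the policy settings named in this thread.
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Policy = 'Require trusted path for credential entry'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
       Name   = 'EnableSecureCredentialPrompting'
       Map    = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy = 'UAC: elevation prompt behavior for administrators'
       Path   = $system
       Name   = 'ConsentPromptBehaviorAdmin'
       Map    = @{ 0 = 'Elevate without prompting'
                   1 = 'Prompt for credentials on the secure desktop'
                   2 = 'Prompt for consent on the secure desktop'
                   3 = 'Prompt for credentials'
                   4 = 'Prompt for consent'
                   5 = 'Prompt for consent for non-Windows binaries' } },
    @{ Policy = 'UAC: Detect application installations and prompt for elevation'
       Path   = $system
       Name   = 'EnableInstallerDetection'
       Map    = @{ 0 = 'Disabled'; 1 = 'Enabled' } },
    @{ Policy = 'UAC: Switch to the secure desktop when prompting for elevation'
       Path   = $system
       Name   = 'PromptOnSecureDesktop'
       Map    = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)

$report = foreach ($c in $checks) {
    # A missing key or value means the policy was never set on this machine.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw = '(absent)'; $meaning = 'Not configured, OS default applies'
    } else {
        $raw = [int]$item.($c.Name)
        if ($c.Map.ContainsKey($raw)) { $meaning = $c.Map[$raw] }
        else { $meaning = 'Unrecognized value' }
    }
    New-Object PSObject -Property @{ Policy = $c.Policy; Value = $raw; Meaning = $meaning }
}
$report | Select-Object Policy, Value, Meaning | Format-Table -AutoSize -Wrap
```

The script only reads from HKLM and changes nothing, so it can be run without elevation.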