Standard Account vs Admin Account

Discussion in 'other security issues & news' started by Nighthawk15, Jul 19, 2008.

Thread Status:
Not open for further replies.
  1. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    To All,

    Thanks for a fascinating discussion on Vista's UAC and standard accounts. I'm going to try and digest the new info by MrBrian and Rmus. Lots of great stuff here. Thanks guys. :thumb:
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome and thanks also :).

    The info presented here also helped clarify the situation for me. From my last post, it seems there is good reason to use a standard account in Vista instead of an administrator account.
     
    Last edited: Jul 20, 2008
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for those links. I'm building a "reading file" and it's quite overwhelming at first to sort out what VISTA and UAC really do!

    If knowledgeable people here are searching to understand all of this, I don't know how the average Mr. and Mrs. Smith, upgrading to VISTA, can know what to do, how to configure, etc.

    --
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). The Microsoft source I cited is as definitive a source as you will find, and it helped answer my own questions too.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'd suspect that in a home environment most will use the default settings.
     
    Last edited: Jul 20, 2008
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Whether to virtualize file and registry writes is a setting you can control. See here for this and the other UAC settings you can control.
     
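The settings MrBrian mentions live under one registry key. As an added example (not code from the thread or from Microsoft), the script below reads the UAC policy values for the current machine and flags the combinations that weaken the standard-vs-administrator distinction being discussed. The key path and value names are the documented ones; the textual meanings are the Vista-era definitions, and the defaults substituted for a missing value are the Vista defaults. Reading the key does not require elevation.

```powershell
# Added example, not from the thread: read the UAC policy values and flag weak settings.
# Key path and value names are the documented ones; interpretations are the Vista-era
# meanings. Reading this key needs no elevation.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: how an administrator's elevation requests are handled
$AdminPromptMeaning = @{
    0 = 'Elevate silently, no prompt'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only'
}
# ConsentPromptBehaviorUser: how a standard user's elevation requests are handled
$UserPromptMeaning = @{
    0 = 'Deny automatically'
    1 = 'Prompt for credentials on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
}

function Get-UacValue {
    param([string]$Name, [int]$VistaDefault)
    # A missing value means the built-in default applies; the Vista default is returned.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    if ($props -ne $null -and $props.PSObject.Properties[$Name] -ne $null) { return [int]$props.$Name }
    return $VistaDefault
}

function Get-UacReport {
    $s = @{
        EnableLUA                  = Get-UacValue 'EnableLUA'                  1
        ConsentPromptBehaviorAdmin = Get-UacValue 'ConsentPromptBehaviorAdmin' 2
        ConsentPromptBehaviorUser  = Get-UacValue 'ConsentPromptBehaviorUser'  1
        PromptOnSecureDesktop      = Get-UacValue 'PromptOnSecureDesktop'      1
        EnableVirtualization       = Get-UacValue 'EnableVirtualization'       1
        EnableInstallerDetection   = Get-UacValue 'EnableInstallerDetection'   1
        FilterAdministratorToken   = Get-UacValue 'FilterAdministratorToken'   0
    }
    $findings = @()
    if ($s.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: UAC is off. Admin sessions get a full token and nobody is prompted.'
    }
    if ($s.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators elevate silently, so a protected admin is no safer than a full admin.'
    }
    if ($s.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop, where other processes can draw over or drive them.'
    }
    if ($s.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'ConsentPromptBehaviorUser=0: standard users cannot elevate at all; installs need a separate admin logon.'
    }
    if ($s.EnableVirtualization -eq 0) {
        $findings += 'EnableVirtualization=0: legacy apps writing to Program Files or HKLM fail outright instead of being redirected to the VirtualStore.'
    }
    New-Object PSObject -Property @{
        Settings = $s
        Admin    = $AdminPromptMeaning[$s.ConsentPromptBehaviorAdmin]
        User     = $UserPromptMeaning[$s.ConsentPromptBehaviorUser]
        Findings = $findings
    }
}

$report = Get-UacReport
$report.Settings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
"Admin elevation: $($report.Admin)"
"Standard-user elevation: $($report.User)"
if ($report.Findings.Count -eq 0) { 'No weak UAC settings found.' }
else { $report.Findings | ForEach-Object { "WARNING: $_" } }
```

Run it from any account; the point of the findings list is that EnableLUA=0 or ConsentPromptBehaviorAdmin=0 collapses the distinction the rest of the thread is about, and PromptOnSecureDesktop=0 makes the consent prompt itself spoofable.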
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Suppose someone wants to install programABC.exe from a shareware site.

    The user scans the download and it comes up clean.

    But, it is really infected.

    The user gives permission to install.

    As I understand what I've read, once you give permission to install, then VISTA has no way of telling whether or not the file is clean.

    --
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From my understanding, yes that's correct. I'd disagree with some others that this is not an issue. For example, 3 of the top 10 results in a Google search for 'screensaver' are questionable links, according to scandoo.
     
    Last edited: Jul 21, 2008
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I found a Microsoft article that verifies this:

    Post #25 contains an official source for the Internet Explorer protected mode statement.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In that case, what does it matter in which account a user runs?

    ==> In either, UAC will alert to any attempt at a drive-by or other method to sneak in malware.

    ==> In either, the user has to make the ultimate decision to install a program.

    In these two scenarios, how is VISTA any improvement in security over someone with Win98 and ProcessGuard?

    (This is not directed just to you, but to all others struggling with how to configure VISTA)

    --
     
  11. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Yes, UAC is not a HIPS or a malware detector. AFAIK that is a problem in every OS I guess (but Windows is more at risk since it is the most popular target for the malware creators). If a malware gets past your security software in [input optional OS here] and you give it "root" access, it can do whatever it wants. Unless you have a HIPS that gives a prompt for every move the installer does and you know exactly what that specific installer is allowed to do, then you're pretty safe...

    One security degrading factor in UAC is, as the experts point out, that every software installation requires an elevation to admin. It is good that you get alerted when something wants to install, but it is no good that even software installs that don't need admin rights (i.e. write to sensitive areas, like the Windows or System32 folder for example) also get full access to the sensitive areas. But I guess it is difficult for UAC to determine what software won't write to sensitive areas.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Consider a buffer overflow exploit targeting a media player, for example. If this happens in an administrator account, the malware would have a greater surface area to attack (without triggering an elevation prompt), as compared to the same thing happening in a standard account. Also, if you get an elevation prompt during such an exploit, it would hopefully trigger the user's suspicion. This example can be generalized to any malicious code that's able to run, whether it's via a buffer overflow exploit or via other means.
     
    Last edited: Jul 21, 2008
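MrBrian's point is about what code running "as you" can reach before any elevation prompt fires. As an added example (not code from the thread), the script below reports the token the current PowerShell session holds and then probes write access to a handful of machine-wide and per-user locations. Run it three ways: from a standard account, from a non-elevated administrator session, and from an elevated console, and compare. It requests write access on registry keys without changing them, and the probe files it creates are deleted at once; the location list is my selection for illustration. powershell.exe ships with an application manifest, so UAC file and registry virtualization is not applied to it and a denied write shows up as denied rather than being silently redirected.

```powershell
# Added example, not from the thread: show what a process running "as you" can touch
# without an elevation prompt. Registry keys are only opened for write access, not
# modified; probe files are created and deleted immediately.

function Get-TokenSummary {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # Under UAC a non-elevated administrator holds a filtered token: the Administrators
    # SID is still listed but marked deny-only, so this role check returns False.
    $adminActive = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # Integrity level separates Medium (standard user / filtered admin) from High (elevated).
    $m = whoami /groups | Select-String 'Mandatory Label\\\w+ Mandatory Level'
    $level = if ($m) { $m.Matches[0].Value } else { 'unknown' }
    New-Object PSObject -Property @{
        User              = $id.Name
        AdminRightsActive = $adminActive
        IntegrityLevel    = $level
    }
}

function Test-DirectoryWrite {
    param([string]$Directory)
    $probe = Join-Path $Directory ('uac-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }   # UnauthorizedAccessException when the ACL refuses
}

function Test-RegistryWrite {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)   # $true = request write access
        if ($key -eq $null) { return $false }
        $key.Close()
        return $true
    } catch { return $false }   # SecurityException when write access is refused
}

function Get-WriteSurface {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser
    $run  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    # Machine-wide locations: a standard or filtered-admin token should be denied here.
    $machine = @(
        @{ Location = $env:ProgramFiles;      Writable = Test-DirectoryWrite $env:ProgramFiles }
        @{ Location = "$env:windir\System32"; Writable = Test-DirectoryWrite "$env:windir\System32" }
        @{ Location = "HKLM\$run";            Writable = Test-RegistryWrite $hklm $run }
    )
    # Per-user locations: every token can write here, which is why code that never
    # elevates can still persist, log keys and read files inside your own profile.
    $user = @(
        @{ Location = $env:APPDATA; Writable = Test-DirectoryWrite $env:APPDATA }
        @{ Location = $env:TEMP;    Writable = Test-DirectoryWrite $env:TEMP }
        @{ Location = "HKCU\$run";  Writable = Test-RegistryWrite $hkcu $run }
    )
    foreach ($e in $machine) { $e.Scope = 'machine'; New-Object PSObject -Property $e }
    foreach ($e in $user)    { $e.Scope = 'user';    New-Object PSObject -Property $e }
}

Get-TokenSummary | Format-List
Get-WriteSurface | Format-Table Scope, Location, Writable -AutoSize
```

In a standard account and in a non-elevated admin session the machine rows should all read False and the user rows True; only the elevated console turns the machine rows True. That gap is the "surface area" difference in the post above, and the per-user rows are what remains exposed even in the standard account.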
  13. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345

    That's why I wanted to know how virtualization/security worked in Vista with a standard account. I'm still working through reading all the new info, but I was under the hazy impression that a standard user account created a security barrier not present with the administrator (UAC on), and this difference kept the entire system from being corrupted. Kind of minimized the damage. Pardon me for being slow on this subject, but there's much to digest which I'm slowly doing. :ninja:
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Those who use HIPS might find them handy during installations in Vista because of this issue. I have an installer policy in my HIPS that allows common actions such as writing to Program Files but prompts on other actions such as writing to Windows directory, autostart locations, etc.
     
  15. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345

    OK, that's making sense to me and well said. I think I see the sun breaking from behind the clouds. :thumb:
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From post #25, you indeed are better off using a standard user account than an administrative account, assuming UAC is on. Of course, if you elevate malware itself, then in either type of account you could be totally compromised.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Regarding installing of programs that might be infected:

    Would you put one's choice of a media file to play in the same category as one's choice of a screen saver?

    Also, do you have any links to test a media file exploit? I've even tried some PoC examples but none have run on my system.

    The only write-up I've seen which had a link (dead when tried) showed that the payload was an attempt to install a trojan dropper - would be blocked by my example above with PG and Win98.

    --
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    IMHO, no, because most users wouldn't know that playing a media file could cause malicious executable code to run.

    I don't have any links offhand, sorry. That was just a particular example. I meant the most general case to be what malware could do in an account without needing elevation. You could substitute any program that you run without elevation.
     
    Last edited: Jul 21, 2008
  20. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Yeah, HIPS are great in that sense. But they require that the user knows which of those prompts are malware related and which aren't. Even though a good HIPS gives tips on why it prompts, it still prompts for mostly legit operations during software installation.
    I used HIPS for several years but I wasn't skilled enough to differentiate them, so for me they were a waste of time (well not entirely, they were good education on what happens during software installations).
    But nowadays many HIPS have whitelisted many software and that is a good thing that makes them less intrusive.
     
  21. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    The following comes from the WLC404 User Account Control Internals and Impact on Future Malware document.

    "Windows will evolve further to promote standard user:

    Per-user installations

    Secure elevations"


    So I guess in some ways I thought Vista security a little more evolved than it actually is especially on these two points. I was hoping the standard account isolated "bad" installations. Once past the UAC, the user is successfully infiltrated. :eek: (assuming no AV, AS, etc.)
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Also, even without needing administrative privileges, malicious code run in even a standard account can start automatically in the account, tamper with or steal your data, steal your keystrokes, hide itself from the user, etc.
     
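The first item in that list, starting automatically without ever elevating, is checkable. As an added example (not code from the thread), the script below enumerates the autostart locations a standard user controls in Vista: the per-user Run and RunOnce keys, the legacy Load and Run values under Windows NT\CurrentVersion\Windows, the per-user Startup folder, and whether that folder has been redirected via User Shell Folders. For each entry it resolves the executable, checks it exists, checks its Authenticode status, and flags it when it is missing, unsigned, or sits in a user-writable location. The "suspicious" rule is a heuristic I chose for illustration, not a verdict; the registry paths and the Startup folder default are the documented Vista ones.

```powershell
# Added example, not from the thread: enumerate per-user autostart points (the ones a
# standard account can write to without elevation) and flag entries worth a look.
# "Suspicious" is a heuristic chosen for illustration.

function Get-ExecutableFromCommand {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {                       # "C:\path with spaces\x.exe" args
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|scr|com|bat|cmd|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }   # C:\path\x.exe args
    return ($c -split '\s+')[0]
}

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in @($env:USERPROFILE, $env:TEMP, $env:PUBLIC)) {
        if ($root -and $Path.StartsWith($root, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

function New-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe = Get-ExecutableFromCommand $Command
    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'n/a' }
    New-Object PSObject -Property @{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Executable = $exe
        Exists     = $exists
        Signature  = $sig
        Suspicious = (-not $exists) -or (Test-UserWritablePath $exe) -or ($sig -ne 'Valid')
    }
}

function Get-UserAutostarts {
    $runKeys = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Filter = $null },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Filter = $null },
        # Legacy win.ini mapping: only the Load and Run values of this key start programs.
        @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Filter = @('Load', 'Run') }
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k.Path)) { continue }
        $item = Get-Item -Path $k.Path
        foreach ($name in $item.GetValueNames()) {
            if ($k.Filter -and ($k.Filter -notcontains $name)) { continue }
            $cmd = [string]$item.GetValue($name)
            if ($cmd) { New-AutostartEntry $k.Path $name $cmd }
        }
    }
    # Per-user Startup folder, plus a check that it has not been redirected elsewhere.
    $startup = [Environment]::GetFolderPath('Startup')
    $default = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    if ($startup -ne $default) {
        New-AutostartEntry 'User Shell Folders' 'Startup (redirected)' $startup
    }
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        New-AutostartEntry 'Startup folder' $_.Name $target
    }
}

Get-UserAutostarts |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Source |
    Format-Table Suspicious, Source, Name, Executable, Signature -AutoSize
```

None of these locations requires an elevation prompt to write, so nothing in UAC stops a non-elevated payload from using them; the script is the kind of check that fills that gap, and a flagged row is a prompt to investigate, not proof of infection.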
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK. That sounds like a good reason not to run in an Administrator Account.

    My reason for examples is I like to know what specific attacks are doing so as to know what to prepare for and how to protect.

    Security advisories are usually pretty general about vulnerability impacts, since they have to cover all bases. An example:

    http://www.securityfocus.com/archive/1/493849

    All payloads of current buffer overflow attacks I've seen described install trojans.

    For someone concerned about other "arbitrary code" it would be nice to find current attacks so as to test against VISTA. Unfortunately, there aren't any. In that case, is it a real threat?

    For someone who is concerned that it is a real threat, it might turn out that a product that specifically monitors for buffer overflow would be better protection.

    --
     
  24. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    The good thing is that I haven't had any malware or virus in a long time, but this thread makes me think I need to rethink my security setup with Vista now. I really don't like loading down the OS with tons of security software. I'm using Windows Defender, KeyScrambler plus all the software necessary for a complete recovery and have gone back to a separate standard user account now. I really don't want to run any more external stuff. :gack:
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Even in a standard account, you could justify the use of Anti-Executable, Software Restriction Policies, realtime antivirus, HIPS, outbound firewalls, etc.
     
    Last edited: Jul 21, 2008