Standard Account vs Admin Account

Discussion in 'other security issues & news' started by Nighthawk15, Jul 19, 2008.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    True, but I'm hoping to learn the limits of UAC by itself!

    Not having Vista to test myself, I've had to rely on others, who are not really set up to test malware. But they've shown how UAC blocks AutoRun.inf from launching a payload, which is an indication of its protection against the remote code execution type of exploit.

    If this is so, then I don't think one needs any other type of security, since the other types of infections depend on the user consenting to install something, a decision that no security product can make!

    As far as scanning a program before installing, all that proves is that on this day at this time, the scanner (or 32 at Virus Total) says it is clean. The user trusts the scanning results.

    Another user trusts her/his judgment for choosing legitimate software from known sites.

    Since neither is 100% sure, I don't see any difference in which method one chooses. It all depends on which provides the user with the most peace of mind.

    The latter method means one less program to fiddle with.

    If there is a concern that a mistake might be made in this situation, then a good imaging or restore solution should help with one's peace of mind!

    --
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Consider this example. You're using Vista with a standard account. You play an infected movie file with a vulnerable media player. The buffer overflow exploit code downloads and runs a program which steals all of your documents. No elevation was needed in this case. This type of damage is not recoverable with an image restore. Some of these other technologies could have prevented this though.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is what I haven't been able to test: would UAC alert to the exploit code attempting to download a program?

    If no, then other security is needed.

    --
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've seen your post in another thread about the USB autorun. Thank you for posting it. The UAC alert does make it appear as if the execution itself was blocked, but I think that is not really what happened. If you look at Fig. 11 of http://technet.microsoft.com/en-us/magazine/cc138019.aspx, you'll see that that's the exact same prompt you receive when an unknown program seeks elevation. In other words, it was the elevation that caused the UAC alert. If the USB autorun hadn't required elevation, then you would have received no prompt at all. I believe it's the poorly worded alert that caused the confusion. In the example you posted, the executable contained the word 'setup'. That alone would have triggered an elevation request.
     
    Last edited: Jul 21, 2008
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From what I've read, there would be no alert, unless elevation is involved.

    Vista is not immune to malware. According to this study (here too) from PC Tools' ThreatFire statistics, 27% of Vista machines monitored by ThreatFire had at least one piece of malware detected during the six month period of the study. That's not necessarily an indictment of Vista, because some users turn off UAC, make poor decisions on UAC prompts, etc.

    I view UAC and running as a standard user as protections against system compromise. Even without system compromise though, malware can do many undesirable things. According to Windows internals guru Mark Russinovich, "the malware author will say, 'I can live in a Vista world without needing to take over the entire box,'" he said. "They will end up thriving in the standard user environment, setting up botnets, grabbing your keystrokes." (source)

    Microsoft itself recommends the following:

     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'll have to accept that for now, not having any way of testing myself.

    Thanks for your research into all of this!

    --
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I didn't test it either, but I've seen nothing to indicate otherwise.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, nothing is confirmed until testing.

    In another thread, two people showed that UAC alerts to an installation CD attempting to install, and to a USB drive attempting to run an executable.

    I concluded that this suggests that UAC might protect against any attempt to install a program by remote code execution.

    Statements in your links indicate this might not be so. That would be a serious compromise, in my opinion.

    Until I find someone who can test an exploit, I reserve making any judgment.


    EDIT: sorry - I didn't see your other post until now:

    Yes, I remember the comment in one of the links about 'setup.'

    If this is the criteria which UAC uses to flag executables, then it is really weak indeed as far as secure protection against any remote code execution. In other words, it is not anything at all like SRP.

    Regarding the other thread - the original remote code execution exploit I used (MS06-014) would not run on VISTA, so I resorted to asking them to test with CD and USB autorun.inf.

    About the poorly worded Alert - I mentioned that to the two people and asked what the "Details" showed - nothing of any help.

    Your thought about using additional protection with VISTA seems to be wise indeed.

    --
     
    Last edited: Jul 21, 2008
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I think in those cases you mention, because the word 'setup' was used in the program name, UAC figured elevation would be needed and perhaps the exe itself never ran before the UAC prompt was shown. But what if the word 'setup' was not in the program name....
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes - see my Edit in previous post.

    --
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    That's correct, from what I've read. Vista still has SRP, and Microsoft has recommended its use in corporate environments for high security configurations. I believe that not all versions of Vista have SRP, by the way.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Too bad:

    http://www.mechbgon.com/srp/
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Perhaps if you had a third-party program (such as SetSAFER in XP) that made the registry changes that the SRP user interface would have made, these editions would still enforce it. Something to look into.
     
  14. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345

    The UAC is not that lean, relying only on key words to determine elevation. It is a part of the process, but more is involved. In one of the articles I read yesterday, the UAC also has access to a heuristic to determine elevation.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes, you're right. I had meant to emphasize that if the magic words were not present, then code you didn't intend to run would still run. There is a list of UAC prompt triggers at http://en.wikipedia.org/wiki/User_Account_Control.
     
  16. PoetWarrior

    PoetWarrior Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    345
    I've thought about this subject (standard vs protected admin account) today and have decided that my experience with Vista has to come into play with the info I've read. As I said in a previous post, I've had no malware since using Vista (1.5 yrs) as protected admin, so Vista and I are doing something right.

    I usually install a different virus package once a week and run a scan and so far nothing is found. Then I use FD-ISR to remove it and continue as before. If I were to find something I would not try to repair, rather I would use FD-ISR or Paragon to go back to a safe OS state.

    Now I may have to consider new protection in the future when malware begins to systematically defeat the UAC, but right now I'm sticking with my current setup. The key here is flexibility on the battlefield. I'll adjust my approach when I feel the danger is coming too close to me. This has been a very interesting thread.
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From UAC: Desert Topping, or Floor Wax?:

     
  18. tlu

    tlu Guest

    Hm, I wonder how such an attack could be performed. Although I'm running Vista in a VM I'm not a Vista or UAC expert because I hardly use it. Thus, I might overlook something - but only shatter attacks come to my mind (aside from flawed 3rd party software). However, those attacks were a problem in XP but are no longer possible in Vista as a secure desktop is used by UAC.

    Another important issue is the following one mentioned here:
    This alone justifies the use of a standard account in Vista, IMHO. Even if you installed software you deemed trustworthy (but isn't in reality), a standard account might prevent further damage done by this malware if started only with limited rights.
     
  19. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    If I were to write a trojan or virus, I would have it trigger elevation, either by the file name (install, setup or update in the name) or with a manifest in the resource of the exe. I would encrypt the virus, and give it a nice name.
    I then would upload it to a shareware site.
    Somebody will download it and run it, and he/she will allow it to install. Elevation will be triggered, and after that I can do whatever I like...
     
  20. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Disregard Linux and other OSes. (Though if the malware producers would put their energy into the other OSes, you would have the same problem.)
    What is your suggestion for protection for an average user under those circumstances? How would anything prevent that kind of malware?
    Let's say malware that steals your private data or makes a bot of your machine?
     
  21. tlu

    tlu Guest

    I disagree. Most Windows users neglect the fact that Linux users hardly ever have to download software from 3rd party websites, since virtually any software they ever need (including security updates for these apps) is offered by the official repositories for the respective distro. This is one major reason why Linux is more secure than Windows.
     
  22. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Sorry for the OT
     
    Last edited: Jul 24, 2008
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Before we get any further OT, let's do remember what this thread concerns: Standard Account vs Admin Account in a Windows environment. Those that wish to discuss Linux, please do so in an appropriate thread.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Please see post #25.

    The author of that quote is right, but when you read all of the author's words at that link, he doesn't seem to understand the practical difference between the user being given the choice to elevate vs. automatically elevating. By the way, the same risk is present if you elevate from a standard account. One advantage of a standard account is to lower the risk of system-level changes without a UAC prompt. Another advantage of a standard account over an admin account is that malware can access only data available to the standard user's account, instead of accessing data available in any user account on the computer.

    I believe that even when using an admin account, malware cannot, for example, write to the Windows folder in Vista without a UAC prompt, due to the use of integrity levels.

    Malware can do those two things without even needing admin privileges, which is a good illustration that other security measures are justified in Vista even if you're using a standard account.
     
    Last edited by a moderator: Jul 23, 2008
  25. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    That's right. Even with the admin account, you get a UAC prompt when you try to write to the Windows or Program Files folder.

    The admin account is a limited admin account, the real admin account is a hidden account.

    A problem for me is that almost every program you want to install will install into the "Program Files" folder, and for that, you need to allow it. Once allowed, the program (which could be a virus or other malware) can do whatever it wants to do...

    It does not matter whether you run under a limited user or limited admin user account. Once the UAC pops up and you allow the installation, it can be too late.

    I am myself a programmer, and some of my programs need to install DLLs etc., so I added a manifest which forces Windows to pop up the UAC. If I were bad, I would hide a virus inside my installer. Once the user confirms the UAC popup, I could take over the system.
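    A read-only PowerShell audit, added here and not taken from any post in the thread, that reports the three things the thread argues about: the UAC policy values (including the installer-detection heuristic and secure-desktop prompting), the current token's elevation and integrity level, and whether an SRP policy is defined in the registry even on editions that lack the SRP management UI. It assumes the documented Windows policy registry locations and an English Windows build for the whoami output it parses.

```powershell
# Added example, not code from the thread: read-only audit of UAC, token and SRP state.
# Safe to run from either a standard or an admin account; nothing is changed.

function Get-UacState {
    # Documented UAC policy values live here on Vista and later.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $p
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA                   # 1 = UAC enabled
        EnableInstallerDetection   = $v.EnableInstallerDetection    # 1 = "setup/install/update" heuristic on
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin  # 0 = silent elevate (weak), 2 = consent prompt
        ConsentPromptBehaviorUser  = $v.ConsentPromptBehaviorUser   # 0 = auto-deny, 1 = ask for admin credentials
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop       # 1 = prompt on the secure desktop
    }
}

function Get-TokenState {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = [Security.Principal.WindowsPrincipal]$id
    # whoami prints the label as "Mandatory Label\<Level> Mandatory Level" (English builds assumed).
    $label = (whoami /groups) | Where-Object { $_ -match 'Mandatory Label' } | Select-Object -First 1
    $level = 'unknown'
    if ($label -match '\\(\w+) Mandatory Level') { $level = $Matches[1] }
    [pscustomobject]@{
        User       = $id.Name
        IsElevated = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Integrity  = $level   # Medium = standard user or non-elevated admin, High = elevated
    }
}

function Get-SrpState {
    # SRP is enforced from this policy key whether or not the edition ships the SRP UI.
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $p)) { return [pscustomobject]@{ Present = $false } }
    $v = Get-ItemProperty -Path $p
    $levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $default = 'not set'
    if ($null -ne $v.DefaultLevel) { $default = $levels[[int]$v.DefaultLevel] }
    [pscustomobject]@{
        Present            = $true
        DefaultLevel       = $default
        PolicyScope        = $v.PolicyScope        # 0 = all users, 1 = all users except local admins
        TransparentEnabled = $v.TransparentEnabled # 1 = all except DLLs, 2 = all software incl. DLLs
    }
}

Get-UacState; Get-TokenState; Get-SrpState
```

A DefaultLevel of Disallowed with a PolicyScope of 0 is the default-deny configuration the thread contrasts with UAC's prompt-on-heuristic behaviour.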
     