Standard user disabling security software without UAC support

Discussion in 'other anti-malware software' started by diginsight, Aug 31, 2010.

Thread Status:
Not open for further replies.
  1. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I'm currently working on a security configuration for W7X64 Pro using local group policies, UAC and standard user accounts.

    I had composed a shortlist with security programs I already evaluated using the administrative user account.

    For security software I use the following principle: the security product should prevent regular end users from disabling the product.

    I discovered that after I installed various security programs using the administrative user account, a standard user account can click on the systray icon and disable or reconfigure the product.

    Some programs did support passwords, but I still prefer UAC support.

    During my limited testing I found that Microsoft Security Essentials, NOD32 and Windows Firewall support UAC. Using these products, standard users are not allowed to disable or configure these programs without a UAC prompt.

    I would like to know whether I overlooked something in my testing, or whether it is actually possible to disable/reconfigure various security software as a standard user?
     
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Yes. Also the Windows Defender SpyNet Advanced Membership feature does not work properly under a Standard/Limited User. :(
    I went back from Windows 7 to XP so I can have SuRun instead of UAC.

    Don't get me wrong. I like UAC as much as I like Win7's firewall and the DirectX 11. :D
    UAC needs flexibility, such as remembering the password for automatically 'running as admin' a specific app.
     
    Last edited: Aug 31, 2010
  3. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    My goal is to separate standard user and administrative user. Standard user can perform daily tasks and the administrative user can install software or configure system settings.

    I don't want standard users having full access to security software installed by the administrative user. They should be prompted by UAC for privilege escalation.

    I couldn't reproduce this issue with Windows Defender. I can access it, but trying to disable the product via Tools > Options > Administrator > "Use this program" is protected by privilege escalation through UAC.
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I was talking about the Windows Defender feature that will notify you about changes made by unclassified software.

    You cannot make a decision whether to permit/deny changes made by unclassified software when Windows Defender prompts about it. That is under LUA/Standard user :'(
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know if this will help or not, but did you try to make those security applications start under the Administrator credentials, rather than the standard user?

    Security software should come with a password setting to prevent tampering.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's how it should work. Don't forget that Windows Defender doesn't exist only for home users, or that every home user is the Administrator of that system. In these cases, the Administrator is the one who should make the decisions, not the standard users.
     
  7. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Your principle is good. ^_^
    I hope your security software will also help improve my scores in Belarc Advisor. o_O


    But I know the admin password.
    I can't install the unclassified program correctly even after running as Admin, because I can't permit changes in Windows Defender.

    :<
     
    Last edited: Aug 31, 2010
  8. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I installed them under the administrative user. Logged off. Logged in as standard user. The security applications' GUI parts were started through autorun and were accessible to the standard user via the systray. Once the GUI part was accessed by the standard user, he was permitted to disable/reconfigure the security program.

    Agreed, but some didn't or were not easy to locate. With UAC programs are automatically protected.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. And, under the Administrator account, can you do it just fine? Have you tried to post your issue in Microsoft forums?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I meant, have you tried to remove the autorun entries for the standard user accounts, and then create tasks to start those very same programs as Administrator? I should have said it clearly, sorry.

    I'm not sure if it will work, though. It's a long shot, but who knows?
     
  11. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Yes. No. I think this is not the right place to ask for suggestions about WD, no? Thanks.


    @diginsight
    So you're using UAC to protect your security app? How about ASLR?
    https://www.wilderssecurity.com/showpost.php?p=1722669&postcount=1
     
  12. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    And if you remove the registry key starting the tray icon, identify the main executable (the one that permits access to the UI) and change, in Properties => Compatibility => Run this program as administrator?

    I tried here in Avast and worked.
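    The approach from posts 10 and 12 (remove the tray GUI's autorun entry, then mark its executable "Run this program as administrator" for all users), as an added PowerShell example that is not from the thread; the executable path and the autorun value name are placeholders for the product being hardened.

    ```powershell
    # Added example (not from the thread). Run from an elevated PowerShell on Windows 7 or later.
    # Placeholders: adjust both to the product you are hardening.
    $TrayExe   = 'C:\Program Files\ExampleAV\ExampleTray.exe'   # placeholder: the GUI/tray executable
    $RunValue  = 'ExampleTray'                                    # placeholder: its value name under the Run key
    $RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $LayersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

    function Get-RegValue {
        # Returns the value's data, or $null when the value does not exist.
        param([string]$Key, [string]$Name)
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name } else { return $null }
    }

    # 1. Stop the tray GUI from autostarting for every account that logs on (post 10's idea).
    #    Only the machine-wide Run key is handled here; a per-user HKCU Run entry would need
    #    the same treatment in each standard user's profile.
    if ($null -ne (Get-RegValue $RunKey $RunValue)) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }

    # 2. Mark the executable "Run this program as administrator" for all users (post 12's idea).
    #    '~ RUNASADMIN' under AppCompatFlags\Layers is what the Compatibility tab writes when
    #    "Change settings for all users" is used.
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
    Set-ItemProperty -Path $LayersKey -Name $TrayExe -Value '~ RUNASADMIN'

    # 3. Report the resulting state so the change can be checked before logging on as a standard user.
    New-Object PSObject -Property @{
        TrayExecutable = $TrayExe
        AutorunRemoved = ($null -eq (Get-RegValue $RunKey $RunValue))
        CompatLayer    = Get-RegValue $LayersKey $TrayExe
    }
    ```

    Post 17 reports the catch: a GUI marked to run elevated either refuses to start for a standard user or prompts for admin credentials, so a product that depends on its GUI is better covered by the vendor's password protection (post 5).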
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That wasn't my intention, but, from what I've seen so far, not so many people are using Windows Defender. They've moved on to Microsoft Security Essentials, which, as far as I could find, doesn't have that same ability as Windows Defender.

    So, perhaps, you'd find more issues like the one you have on the Microsoft forums, and find the help you need, I guess.

    This was my only intent, when suggesting you to go check at Microsoft's forums.

    Sorry, if somehow, I made you think you couldn't be helped here. I'm no one to say you can't be helped here. :)
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's even a better approach than the one I suggested! Sometimes, simpler solutions are in front of our eyes, but we do tend to complicate, don't we?

    Thanks for sharing.
     
  15. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Glad I could help!

    @ diginsight

    I think this behaviour occurs by design, to not bother limited users with too many prompts. I couldn't find the thread, but I remember reading that a-squared Anti-Malware 4.x has that service running only to permit starting it under a standard user account without a prompt. If you disable the service, it asks you for ADM privileges.

    Another one that asks for ADM privileges to show the GUI is Shadow Defender.
     
  16. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    lol. Don't worry, I didn't misunderstand you at all :D
    I don't use WD now and I feel lazy to go to MS forums anyway :D
     
  17. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Actually the principle is from Roger Grimes' Professional Windows Desktop and Server Hardening, which I consider to be one of the best books written on this topic.

    Didn't know about the Belarc Advisor. After reviewing the information, it could be useful to benchmark the configuration. For building the W7 security configuration I'm also using the CIS Benchmark for Windows 7. Surprisingly Belarc supports Windows 7, but doesn't mention the CIS W7 Benchmark.
    I like the UAC concept for privilege escalation. I took it a bit further and enabled a policy that denies privilege escalation to standard users. This in effect will prevent standard users from being prompted to provide credentials for an admin account. Instead they receive an error message when they try to access UAC protected functions. The goal is to prevent standard users from having to make security decisions. The administrative user is the only user allowed to raise privileges.

    I want to apply this concept to security programs, thus preventing access from standard users and them having to make security decisions.
    The link mentions several AV products using neither ASLR nor DEP. Of course MSE supports both. I'm not convinced AV on desktops is that important as an attack vector to require exploit mitigation like ASLR and DEP. For MSE, being a popular AV product, this might be different, and Microsoft certainly did well to implement it.

    As to the attack vector, I think the Secunia report on DEP/ASLR has more importance, as vulnerabilities in popular programs are also popular targets for exploits and can benefit from exploit mitigations like DEP/ASLR.
    Both excellent suggestions and easy to implement. I tried this with one program. After changing the GUI part to run as administrator it refused to start with the standard user, even without having disabled the autorun. The GUI is an essential part of this program. Without it, I don't know if the program still functions. When I start the GUI part manually I'm prompted to raise elevation, which reintroduces the original problem of standard users having full access. If I want to keep using this program I guess I have to enable its password protection.

    I still think both suggestions are excellent solutions for programs that don't rely on the GUI part to function.
    That's also my goal :)
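    The policy from post 17 (standard users are denied elevation outright while UAC stays on), as an added PowerShell audit script that is not from the thread; the registry values and their meanings are Windows' own UAC security options, and the desired-state table is an assumption matching what the post describes.

    ```powershell
    # Added example (not from the thread). Audits, and with -Apply sets, the UAC policy that
    # post 17 describes: standard users get an error instead of an elevation prompt, so only
    # the administrative account can raise privileges. Run elevated when using -Apply.
    param([switch]$Apply)   # default is report-only

    $PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Meaning of ConsentPromptBehaviorUser ("Behavior of the elevation prompt for standard users").
    $UserBehaviour = @{ 0 = 'Automatically deny elevation requests'
                        1 = 'Prompt for credentials on the secure desktop'
                        3 = 'Prompt for credentials' }

    # Desired state for the separation described in the thread (assumption based on post 17).
    $Desired = @{ EnableLUA = 1; ConsentPromptBehaviorUser = 0 }

    function Get-UacState {
        # One row per setting: current value, expected value and whether they match.
        $p = Get-ItemProperty -Path $PolicyKey
        foreach ($name in $Desired.Keys) {
            $actual = $p.$name
            $meaning = if ($null -eq $actual) { 'value not present' }
                       elseif ($name -eq 'ConsentPromptBehaviorUser') { $UserBehaviour[[int]$actual] }
                       else { 'UAC enabled (1) / disabled (0)' }
            New-Object PSObject -Property @{
                Setting   = $name
                Value     = $actual
                Expected  = $Desired[$name]
                Compliant = ($actual -eq $Desired[$name])
                Meaning   = $meaning
            }
        }
    }

    if ($Apply) {
        foreach ($name in $Desired.Keys) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value $Desired[$name] -Type DWord
        }
        # A change to EnableLUA only takes effect after a reboot.
    }
    Get-UacState | Format-Table Setting, Value, Expected, Compliant, Meaning -AutoSize
    ```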
     
  18. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi diginsight

    Did you do it successfully?
     
  19. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    I'm running out of time to finish the project. This is why I limit myself using software that supports UAC.
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Have you considered modifying reg keys or the program executable, program directory, program dependencies (like config/ini files) to take away modify rights for specific users/groups? Most likely the process can be started with high integrity level, where a medium integrity level process (users have this) can read/execute, but not write.

    While I haven't given this much thought nor tried it, I should think one could set the rights so that a non-elevated user (those without high integrity level) could be restricted. Fall back to actual ACEs for each aspect if needed.

    Some food for thought anyway. Maybe you have already investigated this avenue.

    Sul.
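    Post 20's idea applied to a product's configuration directory, as an added PowerShell example that is not from the thread: Users keep read/execute, only Administrators and SYSTEM may modify, and a High integrity label blocks writes from medium-integrity (non-elevated) processes regardless of the DACL; the directory path is a placeholder.

    ```powershell
    # Added example (not from the thread). Run elevated. The mandatory label's default policy is
    # no-write-up, so a medium-integrity process cannot write to a High-labelled object even if an
    # ACE would otherwise allow it; the explicit DACL below removes such ACEs for Users anyway.
    $ConfigDir = 'C:\ProgramData\ExampleAV\Config'   # placeholder: the product's config directory

    function Protect-ConfigDir {
        param([string]$Path)
        if (-not (Test-Path $Path)) { throw "Directory not found: $Path" }

        # 1. Replace inherited permissions with an explicit DACL.
        #    (OI)(CI) = object and container inherit, so new files and subfolders get the same rights.
        icacls $Path /inheritance:r `
            /grant:r 'Administrators:(OI)(CI)F' `
                     'SYSTEM:(OI)(CI)F' `
                     'Users:(OI)(CI)RX' | Out-Null

        # 2. Raise the mandatory integrity label to High, inherited by the directory's contents.
        icacls $Path /setintegritylevel '(OI)(CI)H' | Out-Null
    }

    function Test-ConfigDirWritableByUsers {
        # Returns $true if BUILTIN\Users still hold any write-type allow right on the directory.
        param([string]$Path)
        $acl = Get-Acl -Path $Path
        $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
                $ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band $writeMask)) { return $true }
        }
        return $false
    }

    Protect-ConfigDir -Path $ConfigDir
    New-Object PSObject -Property @{
        Directory      = $ConfigDir
        UsersCanWrite  = Test-ConfigDirWritableByUsers -Path $ConfigDir
        IntegrityLabel = (icacls $ConfigDir | Select-String 'Mandatory Label').Line.Trim()
    }
    ```

    The product's own service, running as SYSTEM, keeps full control; test afterwards that updates and the tray GUI still work, because a GUI that needs to write its configuration will now fail for standard users by design.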
     
  21. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Hi Sul,

    Good thinking. I will first focus on finishing this project using WFW and either MSE or NOD32. After it's finished I'll consider if I want to add other security software and try your suggestions.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    AVG Anti-Virus also supports UAC.
     
  23. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    Thanks for the update. Tried it with the free edition and it's also supported.

    I had a recent conversation about this with the Dutch Avira distributor and told them it wasn't supported in the free or premium edition. They assured me it's supported in the enterprise edition.
     