SUA vs. Protected Admin in Windows 7

Discussion in 'other security issues & news' started by Spysnake, Sep 20, 2011.

Thread Status:
Not open for further replies.
  1. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    I know. This must have been discussed many times earlier.

    But I'm still tweaking my setup following the principles of using security features embedded in Windows.

    I started a thread a while ago about those issues, as seen here:

    https://www.wilderssecurity.com/showthread.php?t=299077

    However, one thing was not clear, and it gathered some differing opinions. It was the difference between SUA and Protected Admin. The question is fairly simple: is Protected Admin considered as a Standard User as long as the UAC prompts don't pop up? I'm asking this as a user who has UAC settings as highest, so any system-wide modifications are met with UAC prompt.

    I'd really want to use SUA and just be okay with it, but it seems that problems like not being able to use task scheduler to give Admin privileges to programs (https://www.wilderssecurity.com/showthread.php?t=306290), stop me from using SUA on my production computer.

    This thread could also be a centralized place to gather all the views of the subject.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    There's no difference between UAC on max and having a separate user and admin account except convenience.

    I believe any exploits that are privilege-escalating still work. Any malware can still inject itself into an application and wait for you to log in as an admin. Any socially engineered malware will still trick you into logging in as admin to run it.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What you need to do is some sleuthing to discover what rights a USER has, or does not have. They are well documented, should not be hard to find.

    UAC is a stop-gap for people. It allows you to run as a pseudo-user and pseudo-admin at the same time. The only time your admin credentials kick in is when UAC pops up, like to make a change that only an admin can do. It makes it "easier" to be an admin because rather than having to log out then log in, or use a RunAs, the OS just pops up a prompt to see if you would like to do this admin function. If you say yes, then it uses the admin portion of your security token.

    Without UAC you would have to do things the "old fashioned" way. With UAC at highest, it feels more like a standard user, although I don't know if it applies to everything or not.

    UAC is a SuRun type approach, allowing easy elevation when needed, a bit less involved, but also a bit less feature laden.

    Learn what the difference is between a User and an Administrator first. Then you can make a judgement of whether UAC is convenient for you, or if you can be a USER. I personally think it all comes down to how much you do admin functions or modify the system. Being a USER works great in a business environment where the user is not allowed to modify things. In the home environment, where the user is generally installing/modifying much more, it comes down to just what you do with your machine IMHO.

    Sul.
     
  4. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    Thank you for your replies.

    Hungry Man, I agree with you on the security aspect. There is a possibility that in case of UAC-circumventing malware, both accounts would be at risk.

    Sully, I have a pretty good understanding of User and Admin differences without UAC. The principle being that User can only affect his own space, Admin being the account which can do the rest. You told that PA only uses the Admin token when allowed by the UAC prompt. This would be very ideal for me. However, you weren't sure about the standard user feel when not prompted - could it be possible to research this further somewhere? The farthest I have got are some posts there on Wilders earlier, which tell that some permissions on some folders are different. Can't find them at the moment.
     
  5. wat0114

    wat0114 Guest

    It should be okay to run as administrator as long as UAC is at maximum setting. MrBrian explains it somewhere that the UAC-circumventing malware is not effective when UAC is at maximum.

    Users in Win7, at least, have some "Special permissions" granted to them, including the dreaded "Write data" permission :) in certain directories, for example: c:\ProgramData... c:\Windows\Temp is another such directory with these special permissions.
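    As an added check (example code written for this thread, not posted by anyone in it), this PowerShell script lists the ACEs on the two directories wat0114 names that grant write-type rights to the principals an ordinary user process holds; extend $paths to audit more locations:

```powershell
# Added example (not from the thread). Lists "Allow" ACEs on the named
# directories that give non-admin principals any write-type right. Reading an
# ACL needs no elevation, so this runs fine from a standard account.
$paths = @('C:\ProgramData', 'C:\Windows\Temp')   # the two directories from the post

# Principals a non-elevated process normally carries in its token
$nonAdmin = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
              'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')

# Rights that let a process add or change content under the directory
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
               [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-NonAdminWriteAces {
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($nonAdmin -notcontains $ace.IdentityReference.Value) { continue }
            # ACEs expressed as generic rights show up as raw numbers and are
            # not expanded here; inspect those by hand.
            if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path        = $p
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags    # whether subfolders/files inherit it
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

Get-NonAdminWriteAces | Format-Table -AutoSize
```

    The Inheritance column matters as much as the Rights column: an ACE that applies to subfolders and files is what makes a directory a usable drop location for a non-elevated process. Sysinternals AccessChk, mentioned later in this thread, can do the same walk recursively.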
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you understand the restrictions on a USER, then you understand what happens when you create what is now coined SUA. It is just a regular old user, with no admin credentials in the token. On XP it was referenced as LUA. Either way, as a standard user, you have to elevate to do admin functions. This will mean logging out or using RunAs or SuRun if you don't want to log out.

    There is a fine line between having the convenience UAC offers and not having it. Setting UAC to highest gives you more prompts. You have to be prepared for that. Some other options for UAC like always asking for credentials, again give you more prompts. Many people like SuRun because you can have it "auto-magically" remember actions for specific things, and everything else is not remembered.

    What you want, that you describe as "ideal", you must make a concession for somewhere. You want the security that being a USER offers? You want to also be able to do ADMIN functions without too much hassle? UAC already does that. SuRun could do that.

    Your concessions come when you want more than what default UAC does. You must be ready for the trade-off, and that is going to be more prompts.

    Sul.
     
  7. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    wat0114, thank you for the confirmation on the malware thingie, I have to try to look for that post. Also, good to know of these "special permissions".

    Sully, I'm okay with prompts, as long as they don't get in the way of normal usage, like some HIPS products. And after all, I have been running as SUA for a while now, I'm just tired of switching back and forth when doing administrative tasks.

    I don't know why I didn't include this in the original post, but I probably forgot it: Considering that Protected Admin is apparently a normal user if no UAC prompts are provoked, how does AppLocker treat the PA account? Say that I set up rules that deny execution in user space from normal users, for admins all execution is allowed. I click the executable file in user space as Protected Admin. Does it run at all, or do I have to select "Run as Administrator", as I would have to do with SUA?

    Sorry, I can't test these things at the moment, so I have to rely on information here.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are technical differences that make a protected admin account, even with UAC at max, potentially less secure than a standard account. To what extent malware in the wild takes advantage of these technical differences, I do not know.

    Please see Windows 7 standard user vs admin for a recent thread on this topic.

    The method that I use to launch programs with admin privileges from my standard account without UAC prompts is detailed at Avoid UAC prompts by using an elevated program launcher.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AppLocker rules for Administrators apply only for the full admin token. So your rules that deny execution in user space for normal users should also deny execution for the protected admin user when using the restricted admin token. You can right-click a program and choose "Run as administrator" to run it with admin privileges.

    Another advantage of using a standard account instead of a protected admin account is that with a standard account you can audit file permissions with AccessChk or Windows Permission Identifier.

    If you plan to use a protected admin account as your everyday account, please be aware that the default Windows UAC setting technically allows malware to elevate without a UAC prompt, as noted in this post.

    By the way, SuRun exposes you to the same class of potential security problems as running as protected admin, as detailed at SuRun elevations can allow malware to elevate in a standard account.
     
    Last edited: Sep 20, 2011
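    To see for yourself what Spysnake asks in #4 (does a protected admin "feel like" a standard user when not prompted?) and what MrBrian states here about the restricted versus full admin token, this added PowerShell function (written for this thread, not posted by anyone in it) reports whether the Administrators group is in the current token, whether it is flagged deny-only, the integrity level, and whether a role check treats the process as elevated; run it once normally and once via "Run as administrator":

```powershell
# Added example (not from the thread). A protected admin's ordinary processes
# carry a filtered token: Administrators is still listed, but with the attribute
# "Group used for deny only", and the integrity label is Medium. Only after a
# UAC elevation does the full token (Administrators enabled, High integrity)
# appear, and that full token is the one AppLocker's Administrators rules match.
function Get-TokenState {
    # whoami /groups exposes the attribute flags; .NET's WindowsIdentity.Groups
    # silently drops deny-only entries, so it cannot show the difference.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # mandatory integrity label

    # IsInRole uses an access check, which ignores deny-only SIDs: it is true
    # only for the full admin token.
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User               = $identity.Name
        AdminGroupInToken  = [bool]$admins
        AdminGroupDenyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))
        IntegrityLevel     = if ($label) { $label.'Group Name' } else { 'not reported' }
        IsElevated         = $isElevated
    }
}

# Expected shape of the result:
#   standard account (SUA)         AdminGroupInToken False, Medium,  IsElevated False
#   protected admin, not elevated  True, DenyOnly True,      Medium,  IsElevated False
#   protected admin, elevated      True, DenyOnly False,     High,    IsElevated True
Get-TokenState | Format-List
```

    The middle row is the "standard user feel": for access checks and for AppLocker the non-elevated protected admin is a standard user, while the first two columns show why it is still not the same account as a SUA.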
  10. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    MrBrian, all the links had some very good reading.

    So summarized, it seems that the main security difference between SUA and Protected Admin with UAC is the trick where malware installs in the PA user space and waits for an elevated process. It seems that this can't happen in SUA as elevations run in different account entirely.

    There is also that other trick which, as you told, bypasses the UAC completely on default settings.

    I plan to use AppLocker, which would have rules for denying user-space execution for normal users. The setup would also have UAC at its highest settings. (And Sandboxie and... but I want to talk about the core now)

    Am I right if I assume that all the problems with running as Protected Admin are solved by these two changes to default Windows 7 installation? I think that the UAC-bypassing malware has no chance to execute in the first place. Except if it came from a trojan embedded in a trusted installer, of course, but then it would find its way to Program Files anyway if not detected in time.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AppLocker doesn't protect against all forms of execution, such as shellcode, Java .jar files, Python scripts, Perl scripts, etc. And it's known that AppLocker/SRP can be circumvented by design.

    I don't know if any malware in the wild uses any of the technical issues mentioned in this thread to elevate.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I remember a user mentioning that Microsoft was going to patch that by design circumvention. Does anyone know anything about this? o_O
     
  13. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I remember that as well, but I have seen no new information regarding this.
     
  14. wat0114

    wat0114 Guest

    Thank you MrBrian for your take on Standard vs Administrator accounts, and for providing those links. It's well documented in several of my posts that I run as Standard user as I both prefer and recommend it. I felt a bit uncomfortable earlier in this thread to state that it "should be okay" to run as admin at least with UAC at maximum, even though I don't really condone it, except that it's become abundantly clear to me there are some who stubbornly refuse to run as a standard user, so I suppose if they are determined to run as administrator in Vista/7, they should do so with UAC at maximum at the very least :)

    Didn't Surun's author address these vulnerabilities?

    -http://www.wilderssecurity.com/showpost.php?p=1828746&postcount=7

    -http://www.wilderssecurity.com/showpost.php?p=1833153&postcount=21
     
    Last edited by a moderator: Sep 20, 2011
  15. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Well I run as a protected admin and I don't see that changing. I feel comfortable using it as well :D
     
    Last edited: Sep 20, 2011
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome, wat0114 :). I also use a standard account, although it involves some extra work.

    Here is a method that works in either a protected admin or standard account that malware could use to eventually elevate. I don't elevate via shortcuts in my standard account.
     
  17. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Thanks for this MrBrian. I'm not worried though. ;)
     
  18. wat0114

    wat0114 Guest

    Thanks for that info, MrBrian! BTW, I'm not sure if you saw my Surun question I posted in #14 a bit later? Your thoughts on the Surun fixes - do you feel they help?

    BTW, I got reacquainted with this post of yours a few minutes ago. Good reading that raises (for me anyway) some serious questions about elevating from within a Standard account. It's never caused me harm but I still want to operate the most secure way possible.
     
  19. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Reading about helpful information is always good especially involving possible openings for malware but I personally don't want to get paranoid and make things too inconvenient for myself.
     
  20. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    187
    This thread has good opinions and facts, thank you all for this.

    And thank you too for making the account decision near impossible! :D

    I think I'll continue running as SUA though. The vulnerabilities listed here aren't apparently used yet, but it only takes one malware writer to discover and exploit them. And I'd like to prevent that from happening.

    At the same time, however, I still struggle with some things, as where the installed program goes and how it works after that. I have to admit, there would be no problems otherwise, but both games and programming studies make life a little hard sometimes. Especially the games; at least I can make programs run under standard privileges.

    Funny note, I recently discovered that SUA can install things so that they even show up at the control panel. Didn't think that was possible.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The fixes in SuRun make it safer than before, but they don't eliminate the general problem of non-elevated malware writing to locations that can later be read by elevated non-malware. The example from that SuRun thread is just one example of what is (or once was) possible because of this. This is assuming that the recent versions of SuRun still run elevated processes using the standard user account instead of an admin account.

    I do elevate occasionally in my standard account, usually via the elevated program launcher that I run. For best possible security though, use a standard account and never elevate when using it.
     
    Last edited: Sep 20, 2011
  22. wat0114

    wat0114 Guest

    Yes, I've often sought the right balance between gaining some convenience at little expense to security, so the question for me is "how much security is relinquished to gain the convenience that SuRun offers?" Is it not at least a better solution than running full-time administrator? I launch on-demand (as opposed to automagically) so many Windows tasks such as the firewall, local security policy, event viewer, and computer management, elevated from my Standard account and SuRun makes this incredibly easy because I don't have to enter credentials, but if it still harbors the weaknesses pointed out earlier by MrBrian, then I might just consider alternate means to achieve this convenience. Up until now I haven't found anything quite as easy and flexible to use as SuRun.

    Very good. Thank you again!
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What would be faster? The UAC bypass or the user deliberately installing something? :eek:
     
  24. wat0114

    wat0114 Guest

    Heh, heh...good question :) It still seems to come down to the user deliberately installing malware, even if it's through social engineering or other trickery, to expose the weakness of SuRun or similar means of conveniently elevating processes, but we either want to use our machines in the most secure way possible, without regard to sacrificing convenience, or we want some convenience at the trade-off of some security.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    Assuming you mean SuRun vs. protected admin account with UAC at max, I'd have to think about that more, and I'm not too familiar with SuRun either. I also don't know if there's any malware out there that uses any of these techniques to elevate.
     