Testing Windows 7 UAC

Discussion in 'other security issues & news' started by Rmus, Jun 21, 2009.

Thread Status:
Not open for further replies.
  1. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Don't be so short-sighted. Linux malware will increase along with market share, just like what's happening to Macs now. As for why should you download stuff, you're speaking from the viewpoint of an informed user, not the average idiot who downloads a video codec just because the website promises him/her free porn.

    So why not take your own advice, and stop posting yourself?
     
  2. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    I would have thought quite a large percentage of people fall into this category; and hence, logically these "battles" should in time be winnable, if sufficient lead is provided (ie from the OS) when selling the box..

    Those that want to regularly install all sorts of "off-world" software (with little understanding of the risks they are encountering) are surely a minority, and akin to those in cars who according to the statistics are the ones regularly having accidents. Taking away the keys might help, but at least on a computer they are unlikely to hurt anyone other than themselves (actually probably not true thinking about it - increase in spam from botnets etc)..


    Unless my memory is completely hopeless (quite possible!), I am fairly sure that Vista does, at least to some extent. The reason I say that is that I knew absolutely nothing about UAC (although I knew about LUA from XP) or Vista when first running a Vista laptop, but the first thing I did was set up a UAC - Standard User account (for normal non admin day to day use), simply following my nose.. and that seemed like an entirely rational decision when I did it, so clearly the Vista setup was leading that process, even though I cannot now remember exactly the detail..!?

    Where it might have helped (if encouraging wider take up) is if it had already set up a default account (say with just a name change to enable the process), rather than rely on the user to additionally carry out that process.

    Peter
     
    Last edited: Jun 22, 2009
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This article has been updated and has some points worth considering. For those who weren't following this during the initial stages of Windows 7 development, proofs of concepts were created to bypass UAC features. The author writes,

    From the Microsoft blog I cited in my Post #10 above:

    Needing consent can be easily demonstrated. I'll use an old IE6 exploit to attempt to sneak in a standalone executable as described above. I've named it bypassUAC.exe:

    [Image: uac-ae.gif]

    I don't use Software Restriction Policies, but SRP would also effectively block this. (As would many other products)

    So, yes: A PoC exists that, if permitted to install, can bypass UAC. In a like fashion, a Firewall leaktest, if permitted to install, can bypass some Firewalls' outbound monitoring.

    Now, my bypassUAC.exe is not malware, yet it is blocked because it is not on my White List.

    What is a White List? This term has many variations in meanings and needs to be clarified in each case. I do not use it as stated in the above article,

    My use of a White List is one generated by a program that includes all executables currently installed. No other executable can download/install/run without users' consent. Period.

    This is not to excuse that UAC can be bypassed. On the other hand, how many use a firewall that some leak tests could bypass? Are you worried? From PoC to in-the-wild exploit is not always a foregone conclusion. Even at that, it would have to penetrate your preventative measures in order to install, before it could do any damage.

    He describes reasons for user accounts.

    As one who has always run as an Administrator, I question why any application already installed shouldn't be able to do what it needs to do at any time.

    The points about installers and parental control are legitimate concerns, yet as I indicated in my Post #15 above, these are easily handled with proper White Listing control.

    I'm not sure why anyone would want to install software they didn't trust. With proper White Listing control, nothing can install without consent. How one decides what is trusted or not is a completely different problem and has various solutions, including scanning. When you choose to install something, it has complete rights to write to anywhere on the disk. All security is out of the picture at this point.

    This is an important point, and was stated in the Microsoft Blog I cited above. Again:

    So, it's convenience.

    Evidently the purpose of a user account is so that changes to the system cannot be made without Administrator rights. I suppose it's an individual decision as to whether or not you feel in control of what takes place on your computer, so that you can run as an Administrator.

    Perhaps out-of-the-box for someone new to computing, a user account would have some benefit. But as others have pointed out, what to do, how to configure, is not always clearly outlined for the user.

    ----
    rich
     
    Last edited: Jun 22, 2009
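
    Added example, not part of the post above or of any product mentioned in the thread: a minimal Python sketch of the snapshot-style white list described in the post, where every executable already installed is recorded and anything else needs consent. The suffix list, the verdict strings and all file contents are assumptions constructed for illustration; only the name bypassUAC.exe comes from the post, and nothing is executed.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as executable content (assumption for this sketch).
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi"}

def is_executable(path: Path) -> bool:
    """Executable by suffix, or by PE 'MZ' header whatever the name says."""
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> set:
    """White list = hashes of every executable present under root right now."""
    return {sha256_file(p) for p in sorted(root.rglob("*"))
            if p.is_file() and is_executable(p)}

def decide(path: Path, allowlist: set) -> str:
    """Default deny: an executable missing from the snapshot needs consent."""
    if not is_executable(path):
        return "not-executable"
    return "allow" if sha256_file(path) in allowlist else "needs-consent"

def demo() -> dict:
    """Runs the policy over constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        installed = Path(tmp) / "installed"
        downloads = Path(tmp) / "downloads"
        installed.mkdir()
        downloads.mkdir()
        editor = installed / "editor.exe"
        editor.write_bytes(b"MZ constructed editor image")
        readme = installed / "readme.txt"
        readme.write_text("plain text")
        allow = snapshot(installed)          # taken before anything new arrives

        arrivals = {
            "dropped": ("bypassUAC.exe", b"MZ constructed unknown image"),
            "disguised": ("picture.gif", b"MZ constructed image, gif name"),
            "copy": ("editor-copy.exe", editor.read_bytes()),
        }
        results = {"installed": decide(editor, allow),
                   "text": decide(readme, allow)}
        for label, (name, data) in arrivals.items():
            (downloads / name).write_bytes(data)
            results[label] = decide(downloads / name, allow)
        # Changing an installed file changes its hash, so consent is needed again.
        editor.write_bytes(b"MZ constructed patched image")
        results["tampered"] = decide(editor, allow)
        return results

if __name__ == "__main__":
    print(demo())
```

    Matching on content hash rather than path is what makes the renamed copy pass and the modified installed file fail.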
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    And it never will be, out of the box for someone new to computing. How can it be, that you know what to answer yes or no to, if you don't know what to answer yes or no to.

    I appreciate UAC for average Joe, because it at least makes him think, 'why is this coming up', initially. Once Joe sees he can just click yes, game is over. He will usually click yes. Why, because he does not understand security. And any prompt he is presented with, even very detailed, will cause him to either pass or fail the test.

    Imagine, 7 or Vista, or anything that prompts.

    'Dude, this thing wants to run as Admin. Should I allow it'

    umm, yes?

    'Dude, I will allow it and not say another word.'

    cool. that was easy.

    [ now maybe one with more information to HELP the user ]

    'Dude, executable MyInstall.exe wants to install a system driver in %sysdir%\inf and %sysdir%. It wants to create HKLM\Software\Classes\04392-xxxx... and HKR\CLSID\04392-xxx... registry keys. It wants to register MyDll.dll and create entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry with value 001\MyStart.exe /do /fun. Dude, it wants Admin access to continue. Dude, Admin access can give malicious software a door into your system. Should I allow this action?'

    umm. erm. well, no.

    'Dude, I will not allow this and not say another word.'

    cool. hey! why won't that new movie play now?

    <starts execution again>

    'Dude, executable MyInstall.exe...'

    where is that yes button. ah, there it is. <clicks yes> ah, there. that was easy. hey, this is a cool movie.

    <next day>

    gee, why is that window there? why is my computer so slow? I better find a program to help my slow computer. let's see, registry cleaner? hmm. oh here, system doctor, speeds up slow computers. just the thing. <starts executable>

    'Dude, SystemDoctor.exe wants to...'

    enough already! where is that yes button?

    For those who desire to learn, and keep their system clean and safe, they might find UAC a benefit to learn with. For those who don't, what happens? Same thing over and over. What is the difference between being an admin and starting the executable vs. being prompted to start the executable AS an admin? lol, I don't see much.

    It comes down to some simple facts. Millions of peeps use computers. A certain % will like them enough to invest some time into how to do more advanced things. A certain % will not. The % who invest, get dividends paid in more stability, less chance of data theft or paying someone to fix the issues. The % that do nothing simply don't care. And if they don't understand the issues, they can be blissfully ignorant. Until they get pwned, then they will rant about how stupid computers are, how they wish they did not have to use them. They pay $$ to GeekSquad to have their system formatted, losing their pictures etc. They get computer back, runs fast etc etc. They repeat same thing again.

    This problem has no solution. *nix/mac is not the answer. More security in windows is not the answer. Certainly providing LUA for the masses is not the answer. Being admin for the masses is not the answer either. The answer is, there is no answer for the masses. I am glad to belong to a group such as those here who recognize the need for an answer, for everyone's sake. I am happy to attempt different methods to help the masses. (ok, those I support anyway ;) ). Things discussed here are great learning, always new things. And for us, who seek knowledge in this realm, we only can benefit more when more chime in with different views. I am fairly certain though, that any solution any of us may develop will only be a solution to a certain %, and most likely without the user having a keen interest or a more advanced user helping them, there won't be a solution. Even if the software used was made to be used as user, not admin, (and that would be a great step), security will still come down to the operator. How can any solution fix that?

    I have in my years, only had a few peeps try out linux distro. A few have liked it and still stick with it, but now they know more of *nix than I lol. The others, plain and simple, want the familiar software they buy at walmart for a pc. They want what everyone else uses. They want to play that new mahjong game for xp/vista. I can't see a fix, only different ways to mitigate threats based on operator knowledge. It is funny, that those who are interested in computers to only a certain degree, but not as much as could be, are the ones with the largest problems. They put on the worst software to 'secure' them, only partially understand what they are doing, and call me the most. Ironically it is the person who knows nothing and wants to keep it that way, who stands the best chance of staying secure. I think only because they know someone to actually tell them how to do it rather than them having to figure it out themselves.

    Of course, opinions are just that, opinions.

    Sul.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well put, Sul!

    That's all we can do. But at least we will have done something!

    ----
    rich
     
  6. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    I agree to some extent there will be a sizeable group of people who are security conscious but who had never even heard of SRP or DEP as they are so well hidden or not available on home editions. There will be people who would use LUA if it was set up for them and they were told what to do and why. Most people in my family do nothing on the computer that requires admin privileges.

    I had a look at a large computer book on Vista recently. It had a section on securing your computer from malware. It did give DEP a mention (page 1147 if you get that far) but no mention of SRP. How is your conscientious user to find out? Probably only if they are so interested they spend hours and hours searching the internet and learning.
     
  7. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Ignoring those in the IT industry itself, I am not convinced that the remainder fall either into the a) "just gimme the naked body" category or alternatively b) "I want to spend time understanding all this better", although I appreciate you guys are dealing with all of this on a day to day basis.. However, it may be that as professionals you are seeing this in the same way that policemen see criminals, or doctors the sick etc.. ie slightly disproportionately to the greater population.

    I think there is also a category c), for example highlighted by Windchild's retired chap above, and others... which are the majority..

    Most of my family & friends (ignoring one or two in IT) fall into occasional b) or mainly c), ie c) being not computer literate at all but would probably hit "no" rather than "yes", provided they had some inkling or steer that that was what was required... They do not have either the desire, ability or time to understand lots more about computers: so that they will never be in category b). However, they are risk averse, and increasingly take on board for example the "don't click on e-mails" and other tips (simply through the more widely raised profile of these issues).. They do not regularly load new games / software etc. Mainly, they know what they want the machine for: the usual browser, e-mail, and other software, eg leisure / hobbies / work / whatever, and don't need to change that much... But they will never be enthusiasts, or even necessarily visit any kind of sites such as this. And.. they (almost) never seem to get infected, but are clearly aware of the risk....

    Hence, I am not sure why features such as UAC, LUA / Standard User and SRP / default deny cannot be valuable (alongside their third party non MS equivalents) in what you guys loosely describe as the education process.. If the profile of UAC / Standard User / default deny improves, both strategically as a security issue and in terms of default implementation, then I suspect the majority are more than capable of slowly adapting (to what is essentially a safer position), especially if there is sufficient, wider competent lead or steer...

    Peter
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I think that group is pretty large, but I do not think it is the majority. I hope I'm wrong, but from what I see, it seems that the majority belongs into the "just gimme the naked body" group. But certainly there exists this group c of users that don't constantly modify their systems and install stuff, but just want a working, safe computer for themselves. This is the group that can be educated, and should be. :) And I certainly agree that they are also the kind that will immediately benefit from more secure defaults, or just setting them up with LUA or even LUA + SRP later if the defaults suck (and they do). They're not likely to try to disable things that they know are there to protect them.
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    LUA adds a layer of protection so that it makes it much harder for the system as a whole to become compromised. It's not just a matter of inconveniencing the newbie by making him jump through more unnecessary hoops in the hopes that he will give up trying to install his latest pirated copy of Photoshop. No, LUA's biggest advantage is that it helps mitigate the damage done by browser exploits. If you are running as admin and you're hit with a nasty browser vuln that allows a trojan onto the system, your machine is pwned. If one is running under a LUA, the trojan cannot install itself.

    I don't care how "careful" you are, anyone who browses the web can be hit with a trojan that exploits a browser vuln. There is often no way to tell which sites are "safe" and which aren't. That's where LUA (and SRP and MIC) comes in. Everyone should conduct day to day activities under a LUA. Period.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, agreed, limited rights for users is the smart option.

    Security relies on limiting the rights of the user, what can and cannot be done, both by what they choose to do or some exploit might try on their behalf.

    But it breaks apart when the same user, the one actually running the keyboard/mouse, elevates themselves to admin to do a function that they cannot as a user do, whether intended or from being tricked.

    LUA is not a fix then, only a mitigation. The fix lies in the physical user making correct choices.

    That everyone should run day to day in LUA is good advice, but I would not call it the 'end all answer'.

    Sul.
     
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Indeed, LUA is no "end all answer", and I don't think there can be any "end all answer" as far as software is concerned.

    But, like Chronomatic said, LUA can help protect users from remote code execution exploits, such as through browsers and browser plugins, and that is certainly a good thing.

    I'm sure we all agree that it is much better if the system can only be owned by the user being actively stupid, than it is if the system can be owned just by the user opening foxnews.com or any trusted site that happened to be hacked or serving malicious ads.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Some quotes from the aforementioned 'Inside Windows 7 User Account Control':

     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Being a former IT-guy and now working in the branding industry, I stumbled upon house style software (you know for Word, Excel, PowerPoint etc) which put all the command keys and menu styles under a 'house style / corporate identity' bar. On top of that it was a web based application with a minimal footprint on the desktop.

    In a corporate environment you only use predefined forms, branded presentations and Excel (VBA) like forms, so practically you would never need any additional menu option from Word, PPT, Excel etc. Even the simplest Word operations were facilitated with an icon (like enumeration or new paragraph).

    This marvellous piece of software could switch from Office to Open Office beneath the hood, without the user noticing it. For a large temporary workforce company (I won't recall the name but it is one of the top 3 world players), we pulled a trick by converting a small country after a re-brand (they had just taken over the number five in the world) to this software on Open Office. We revealed it after a month showing them that the users did not notice it, all XML based (Office 2007) communications with back office applications kept on working with Open Office (uses XML a lot longer).

    Even when the PC's OS would remain NT-based this would (again with very little conversion cost and NO, I repeat NO user training required) save approx 1.4 million euro on licenses (the number five was still on Office 2003).

    With a working pilot country and a solid business case, the IT-department and purchasing still determined to stay on Office 2007.

    So when these type of no-brainers are a too high threshold, I think the conversion to Unix on the desktop will be a mission impossible the next coming years. No matter how well Unix is or the availability of alternative software. Professionals and average joe people will stay on Windows.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Certainly, UAC could function like SuRun. SuRun is a great example of how it should work.

    It will allow users to install something with administrative rights, without actually changing anything in the administrator account, and that includes registry, etc. It will install the application, only for the current user.

    If I am not mistaken, I believe it was possible to install something only for the current user, with Windows XP.

    Now, why did Microsoft take that away with Windows Vista and now Windows 7?

    Why not keep it, and enhance it with UAC? Meaning, that users wouldn't be able to install something, unless they were given rights (for example, parents controlling what their children could install)? And, if allowed, then whatever they would install, of course considering it is a safe application and from trustworthy sources, the application would only install for the current user, and not globally.

    So, it would allow users to install/run things with elevated rights, without actually using any parts of the administrator account.

    It's actually sad to see that Microsoft took that part away with Windows Vista and 7.
     