UACMe - Defeating Windows User Account Control

Discussion in 'other security issues & news' started by CloneRanger, Dec 19, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    OK, I didn't understand you.
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @Rasheed

We are seeing things from differing points of view here. I'm more interested in preventing exploitation through threat gates like the browser and other internet-facing apps. You seem to be more concerned with what happens after you run some new app. I agree that classical HIPS may be able to do some damage control but I don't like to place my bets on it. Admin rights and no User Interface Privilege Isolation means malware can easily tamper with the HIPS...not saying it's necessarily going to happen but it can. I just think HIPS are better suited to restrict threat gates than to monitor installation.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ safeguy

OK, I see what you mean, we had a bit of a miscommunication. But to clarify, I'm trying to figure out if the current UAC implementation (with alerts) makes sense or not. Basically you're saying that UAC/LUA is mainly meant as protection against exploits. So does that mean that most exploits will fail because of UAC? Don't we need anti-exploit and sandboxing anymore?

    Of course, like I already said, UAC will not help to stop malicious behavior from software that you install/run yourself, because all installers need admin rights anyway. So you need HIPS/sandboxing for protection during install.

The question that comes to mind is, wouldn't it be more logical to give an option (when running as admin) to stay quiet when you run/install software yourself, and to alert only when apps try to make "potentially harmful" system changes? Of course this last part can also be covered by HIPS/behavior blocker. But with this approach you still have all of the advantages of LUA without any annoying UAC alerts. Or am I missing something?
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From many Microsoft security bulletins:
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
Did you try changing this setting in Group Policy: Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options | User Account Control: Detect application installations and prompt for elevation?
    By default it is enabled. You might try to disable it and see if you still get prompts when installing software.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Minimalist

    This is only available on Win 8 Pro. But anyway, I would rather rely on security tools than on UAC, the current approach isn't even good enough. It might give some protection against exploits, which is cool, but UAC does not give you any clear feedback about why some app wants to run or what system changes it wants to make.

    For example, UAC might pop up an alert when your browser gets exploited, but this may even confuse expert users. UAC also does not help if you install some app, because as soon as some app has admin rights, it can do whatever the hell it wants. UAC only makes sense if it could automatically block exploits or give a clear alert about some app being exploited, like EMET does for example.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    UAC is about limiting what access to your filesystem/memory an executable has. Without it, anything can potentially ruin the system as they all run under admin rights. Not all executables or installers need admin privileges in the first place.

    This is not just about security, but the basic computing sense of separation between the user and admin. Except this time, both can coexist in the same environment.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But that's the thing, I understand the basics about UAC, but when I read about it, I come to the conclusion that it hardly gives you any REAL security. It's an extra layer and makes life easier for people who want to run as non-admin. That's about it.

    It's not worth the extra hassle when running as admin. And that's exactly the reason why I was trying to figure out if UAC can be made a bit smarter. Because it's the annoying alerts which will make you turn it off.

    Right now I have turned off UAC in Windows 8 (no alerts), but in Win 8, all apps still run as non-admin (with medium integrity), the only difference is that they can auto elevate, including malware delivered by exploits. Solution: use anti-exploit, HIPS and sandboxing, which is harder to defeat than UAC.
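The two posts above touch on a Group Policy setting (Detect application installations and prompt for elevation) and on what happens to the token when the UAC slider is lowered (medium integrity with silent auto-elevation). The following PowerShell snippet is an added example, not code from the thread or from any of its posters. It assumes a Windows machine and reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, then reports the current token's integrity label and whether it is elevated, so a defender can tell at a glance which of the configurations discussed in the thread a given box is actually in.

```powershell
# Added example (not from the thread): audit the UAC policy values and the
# current token's state. The value names below are the documented
# registry backing for the "User Account Control: ..." security options.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin values (Admin Approval Mode):
    #   0 = elevate without prompting (silent auto-elevation, the "no alerts" case)
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop ("Always notify")
    #   3 = prompt for credentials
    #   4 = prompt for consent
    #   5 = prompt for consent for non-Windows binaries (Windows default)
    $promptMeaning = switch ($p.ConsentPromptBehaviorAdmin) {
        0 { 'elevate silently (no UAC alerts)' }
        1 { 'credentials on secure desktop' }
        2 { 'consent on secure desktop' }
        3 { 'credentials' }
        4 { 'consent' }
        5 { 'consent for non-Windows binaries (default)' }
        default { 'unknown' }
    }

    # Current token: is it the elevated (full) admin token, and what integrity label?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups lists the mandatory label, e.g. "Mandatory Label\Medium Mandatory Level"
    $labelLine = (whoami /groups | Select-String 'Mandatory Label\\').Line
    $integrity = if ($labelLine -match 'Mandatory Label\\(\S+) Mandatory Level') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 0 = Admin Approval Mode off entirely
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptMeaning              = $promptMeaning
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompts are shown on the secure desktop
        EnableInstallerDetection   = $p.EnableInstallerDetection   # the "Detect application installations" policy; 1 = enabled
        TokenElevated              = $elevated
        TokenIntegrity             = $integrity
    }
}

Get-UacPosture | Format-List
```

Reading the output against the thread: EnableLUA = 1 with ConsentPromptBehaviorAdmin = 0 is the "UAC turned off in the slider" state described above, where the interactive token still runs at Medium integrity but anything that requests elevation gets it without a prompt. EnableInstallerDetection = 0 is what the earlier suggestion to disable "Detect application installations" would produce; heuristically detected installers then no longer trigger a prompt on their own, although binaries whose manifest requests administrator rights still do. Note that reading these values needs no special rights, which is also why a defender should not treat them as tamper-evident; they can be set by any process that already runs elevated.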
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Which is completely fine, what I'm not recommending here is turning it off altogether.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That first link is an excellent read. It makes me realize that my use of Standard User Account is worthwhile and I also keep UAC on high as well. Quite simply, when I need to do a significant amount of admin work, I just log into my Admin account. But that is maybe once a month or so. I am able to do most of what I need in my Standard account using the "over the shoulder" prompt when necessary. That first link gave me a better overall understanding of UAC and integrity levels. Thanks for sharing the links.

The thread over at kernelmode.info (link in OP), on which this thread is based, has progressed as well and is quite informative now.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ WildByDesign

As you may already know, I think differently: as an experienced user, you might as well just run as admin. UAC hardly gives any real security, so instead of getting annoyed by UAC alerts which basically only prevent auto elevation (without giving any clear info and fine tuning options) I'd rather rely on my security tools. Of course this is my point of view, most security experts will encourage using LUA, but to me it's not worth it.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes forgot about that, will do some reading. And LOL, I see that Wilders Security is mentioned, but EP_X0FF is not very positive about it.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For sure, over the past few months I have noticed that your way of thinking is not always in line with others. But I don't see that as a problem though because you know what you are doing, and there is certainly nothing wrong with thinking outside the box. I respect your way of thinking and actually I happen to agree with you far more often than other users do. And that's the beauty of choice and free thinking. If we didn't have much choice of software and other security methods and everyone had the same setup, it would be boring indeed. I'm not really for one way or the other when it comes to UAC, I suppose it's either don't use it at all or use it at the highest settings, one way or the other. Since the default settings seem to be what is targeted the most and has been the most vulnerable. Surely the best thing that any of us security conscious users have going for us is common sense and also creativity.
     
  15. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    EP_X0FF seems like a primo example of why I don't hang out with offensive-security people.
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
Same here. That guy may have vast knowledge in his field of interest but the attitude needs some fixing. I don't know why he felt the need to call me "safegay" and all the **** about "masturbating on bloatware security setup"...some kind of ego trip maybe o_O Neither does he know how minimal my setup is nor has he read through my other posts on this forum to throw such immature comments. Regardless of his background, I find it rather silly that he keeps mentioning UAC as a security feature...it is NOT. Alas, that message will never come across to stubborn people. Clear example of False Authority Syndrome.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I agree. And I don't always think differently, but I was trying to get to the bottom of all this UAC stuff, that's why I was pounding on it. Everything I wrote about it in this thread was based on my own user experience, and the fact that I and lots of other people turn it off, must already be a sign to M$, that UAC must be fine tuned even more.

    I agree, the personal attack was kinda childish. And UAC is not (or hardly) a security feature, that's for sure, I'm also not impressed with the current implementation.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For those that believe that UAC isn't a security feature, and also are the only user using the operating system, would it be right to say that the inference is that you should disable UAC?
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
Good question. Maybe it depends on whether or not the user wants to run as a Standard user, even from an Administrator account.

    -http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Right, that was my point :). For what other reasons than security-related reasons would one want to do that on a single user system?
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I don't see any other reason.
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I don't either. For a multi-user system, standard rights may be desired so that your kid can't install games, for example.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    The only reason I can think of for those disabling it is so they don't have to deal with prompts. This means they probably want to run as full time administrators, so they either don't realize the security benefits of running as Standard users or they aren't concerned about the risks of running as full time admins. It seems to me this is what it boils down to.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In order to avoid conflating UAC with standard user accounts, I'll change my question to: For those that believe that UAC isn't a security feature, and also are the only user using the operating system, and also don't use a standard account, would it be right to say that the inference is that you should disable UAC?
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    That is the inference, yes. But if they are advanced users and understand what UAC is for, they won't turn UAC off on client machines. Somewhere Microsoft states UAC should only be disabled on servers or domain controllers for advanced users or server administrators, especially where critical legacy applications that are not UAC-compliant are used.
     