Why do idiots disable UAC & claim it's not a security function?

Discussion in 'other anti-malware software' started by STV0726, Feb 5, 2012.

Thread Status:
Not open for further replies.
  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    I read all the posts here, but since the beginning I had a simple question: why all this concern about UAC if a HIPS can do many more things and much more? :rolleyes:
     
  2. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Irrelevant... HIPS is an additional whitelist-based layer added on top. It really, ideally, should not be used instead of UAC. UAC, while some confuse it with HIPS, is not. It has to do with least user access control.

    Furthermore, UAC and its essential technologies that run with it are parts of Windows, whereas HIPS is a 3rd party installed solution, much like an antivirus.
     
  3. hoosier

    hoosier Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    4
    I take my hat off to you here. A whole lot of argument about a feature that is designed, by intent, to allow easy access to root. It is good, it is evil, blah blah blah.

    The bottom line is that UAC is simply a mechanism to make it easy to get root. In the hands of an experienced user, any level of UAC is helpful because it makes sometimes tedious activities easier. Yet, in the hands of the inexperienced, it is an easy way to say yes to get something done, which can also lead to root that is unwanted.

    For so many bright individuals here, you seem to argue about strange things.
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    I think you don't know what HIPS really is. Never mind.
     
  5. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    x100 :thumb:
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I know exactly what Host-based Intrusion Prevention is. HIPS most often is used to refer to a whitelist-based prevention measure installed on the host computer (i.e. the user's PC in a home scenario) that locks down your OS by asking you for permission when things try to make any changes to your system. Some newer HIPS, such as Comodo's Defense+, have a built-in whitelist which tries to assist with the user having to make so many decisions. Whether the HIPS is like Comodo's, or it is a "true HIPS", this is a good whitelist-based prevention measure because the default is to deny access to anything trying to change critical areas of the system or install anything.

    There will be some overlap with UAC, but UAC is not meant to be a HIPS product in that sense. It strictly relates to administrative privileges and elevation.

    But arguing HIPS over UAC, if you read the rest of this thread, has the same flaw - it requires the user to know what to do. I personally don't mind this drawback as I generally do know what to do, but this sort of security counter measure, as powerful as it is, sadly does very little to nothing for beginner users getting fooled, especially if there is social engineering involved.

    Since this thread is primarily arguing over leaving UAC on or turning it off, let us stay on topic.

    EDIT: The last thing I want for this thread is for it to slowly turn into a "quote x1" thread, a "I know more than you lol" thread; nor do I want it to be locked because the personal attacks are becoming too rampant. Thank you.
     
    Last edited: Feb 19, 2012
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    HIPS is interesting. It's come to mean exactly what you described, some program that alerts you to everything.

    That's just one implementation. As you said, host intrusion prevention system. There's no alerting necessary, the idea is just that it's a mitigating preventative system as opposed to a detection system. IDS can alert you plenty as well, such as someone using NMAP to view your open ports - this is something an IDS will pick up and alert you to.

    Sandboxie is a HIPS but it doesn't really alert you. It just prevents certain things from happening.

    Anyways, the topic has gone a bit away from UAC the last few pages. We've ended up talking about sandboxing and patch management as well.

    @Fabian,

    I agree that sandboxing can let a developer get lazy. But I wouldn't say "Only sandbox if you can keep patching." If you can take advantage of the Windows sandbox you should, even if it means slower patches.
     
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Very true. Wikipedia.org actually has a good article on the different types of "IPS" intrusion prevention systems and their different configurations/approaches.

    My point in explaining it the way I did, I suppose, was to explain it in the context of popular "HIPS" products that are used and commonly talked about on these forums and in the security community. :thumb:
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    The best way I can sum it up into a simple, unbiased sentence is:

    "Absolutely use a sandbox and/or Windows integrity levels to prevent against true exploits (not social engineering) that are not yet discovered by the vendor, but also rigorously release new patches to address known security vulnerabilities as well as to harden your software to make it less prone to attack." :thumb:
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    No wish to flame, be sure. I'll leave the thread, only two details:

    - the only way to use a HIPS (Defense+ too) is to set it to a personal and the highest possible level, not default blacklists and/or internal sandboxes like CIS complete.

    - my first question was only to understand if you all really believe UAC is better than HIPS. That's all. :thumb:

     
  11. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Ah...

    No, UAC is not better than HIPS. HIPS can do a lot more. But then again, just because I install a HIPS doesn't mean I'd disable UAC.

    As for your other comment, I agree completely. HIPS is traditionally a whitelist based prevention measure and companies like ESET are making learning modes which make it more blacklistish and that is not how it's meant to be.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    I always saw it as a mechanism to stop you from running root to begin with, as most of the XP using population did, at all times.
     
  13. hoosier

    hoosier Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    4
    I always thought being logged in as a member of the Users group was the way to achieve security. No admin token around. It forces you to use a "run as" or log in with admin rights to get root. Much safer, but much more likely to push users over to Apple :)
     
  14. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I figured I would update this thread with some information on seeing Virtual Store (UAC related function) in action...

    ZDaemon is a fairly well-known multiplayer DOOM (legacy shooter game by id Software) client based on the ZDoom port. It is regularly updated and thus is technically not legacy, even though unpatched/unmodded DOOM certainly is. In my opinion, ZDaemon is simply awesome; the team that develops it really are on the ball, and it is, I feel, the best multiplayer DOOM port around.

    ZDaemon installs with a "one user mentality". They recommend installing it directly into your C: root directory. I refuse to do this ever, and I installed it in the Program Files (x86) directory instead.

    If you install ZDaemon somewhere else besides Program Files (x86), or if you install it with User Account Control disabled, ZD only has one configuration file created. This means that every user on your computer will have the exact same settings. I talked to the developer, and he said that the only way around this is to have multiple installations of it.

    If you install ZDaemon in Program Files (x86) and have UAC enabled, you do not have to worry. Windows detects that this program was designed without Least User Access in mind, and it creates separate configuration files in the Virtual Store folder of any alternate Windows user accounts you use the software with. :thumb:

    As a side note, I am sorry to admit that when I brought this up on their IRC channel, I was very heavily flamed for being in favor of Windows UAC. Since it is a small team of admins that probably would have no problem banning me forever due to my opinions, I apologized and praised their work. After all, my intent was not at all to start an argument in the public IRC channel; I was more trying to point out what Windows did with their software when UAC was enabled.

    I definitely do like their work; they are brilliant people, but a lot of times programmers design their applications in a mindset where end users should place their software above the integrity of their computer's OS, and I do NOT agree at all with this model. :thumbd:
     
    Last edited: Feb 25, 2012
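    As an added example, not from the thread or from ZDaemon's developers, here is a PowerShell check for the Virtual Store behaviour described above: it walks the current user's VirtualStore folder and maps every redirected file back to the protected path the application actually tried to write to, so an administrator can see which legacy programs are relying on UAC file virtualisation and whether their per-user copies have diverged. The ZDaemon path appears only as an illustration in a comment; the script assumes PowerShell 4 or later (for Get-FileHash) and works on whatever is present.

```powershell
# Added example, not from the thread. Map UAC-virtualised files back to the
# protected location the application tried to write to.
# File virtualisation mirrors the protected path under %LOCALAPPDATA%\VirtualStore,
# e.g. for the thread's ZDaemon install:
#   C:\Program Files (x86)\ZDaemon\<config file>
#     -> C:\Users\<user>\AppData\Local\VirtualStore\Program Files (x86)\ZDaemon\<config file>
$store = Join-Path $env:LOCALAPPDATA 'VirtualStore'
if (-not (Test-Path $store)) {
    Write-Host "No VirtualStore folder for user $env:USERNAME (nothing has been virtualised yet)."
    return
}

Get-ChildItem -Path $store -Recurse -File | ForEach-Object {
    # Path below the store root, e.g. "Program Files (x86)\ZDaemon\zdaemon.ini"
    $relative = $_.FullName.Substring($store.Length).TrimStart('\')
    # Virtualised locations always live on the system drive
    $real = Join-Path "$env:SystemDrive\" $relative

    $state = if (-not (Test-Path $real)) {
        'no counterpart (app created a new file)'
    } elseif ((Get-FileHash $_.FullName).Hash -eq (Get-FileHash $real).Hash) {
        'identical to protected copy'
    } else {
        'diverged from protected copy (per-user settings live here)'
    }

    [pscustomobject]@{
        # Heuristic: second path element is normally the application folder
        Application = ($relative -split '\\')[1]
        Virtualised = $_.FullName
        Protected   = $real
        State       = $state
    }
} | Format-Table -AutoSize

# Registry side of the same mechanism: legacy writes to HKLM\SOFTWARE land here.
$regStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
if (Test-Path $regStore) {
    Write-Host "Virtualised HKLM\SOFTWARE keys for user $env:USERNAME"
    Get-ChildItem $regStore | Select-Object -ExpandProperty PSChildName
}
```

A file listed as "diverged" is exactly the per-user configuration the post describes; if UAC were disabled, that write would instead have landed in the shared Program Files copy.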
  15. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    165
    It's very important in this case to have something like AppLocker running because a keylogger running in user space can grab it!! With AppLocker, the keylogger will be defeated in its very first move of "executing"... Sorry, I mean second move... first move being able to write to a user-allowed path/registry...


    In that case, Sandboxie will protect the user. Here's the scenario: I visit a porn site and a lethal stealth malware hijacks my browser and starts running in the browser's process... After I'm done with the porn site (and this will be a habit) I'll close the browser every time, so everything in that process gets deleted, including the malware... So now with the new browser I can peacefully enter my login credentials when I visit a banking site.

    In the above scenario it's VERY important that I close my browser every time I visit any website which does not ask for login credentials, or to be precise something like porn sites... Do you think this is a good strategy?


    I don't know why but I found your post genuinely hilarious :)


    As far as your relatives are concerned, can you give them one word of advice about UAC, and that is to click "No" when they are surfing... That way when a drive-by attack happens it can't escalate. You can just explain to them in plain words that nothing in this world can ask you to install software "while they are surfing"... I don't think that should be too technical for them... That will take care of one of the BIGGEST vectors of attack. What say?


    How do you USE Windows integrity levels? As Fabian mentioned, it has nothing to do with UAC and is part of the core Windows security features. I mean, there's no UI or frontend to set low, medium, high levels; it runs automatically, right? Which is automatic and runs in the kernel, right?
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You can set programs to use different integrity levels.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :argh: For a moment, I thought someone else started another thread about this very same topic! :D

    Yes, what you mentioned is correct. It still protects the user, because the user can flush the sandbox. But, I was thinking of the opposite situation - someone not flushing it before more important tasks. A careful user would flush it, though. :)

    The shareware version of Sandboxie doesn't allow more than one sandbox at the same time, which could potentially lead to some braveheart loading a few apps in the same sandbox, at the same time. :D Hopefully, no one does it.

    While I agree, I installed Google Chrome in Program Files, so UAC does prompt them while browsing, eventually. Hopefully, they will know the difference... unless some piece of malware uses a Google stolen digital certificate to make it look like it's coming from Google. I know they won't download and manually update Google Chrome, so it's a small risk one has to take. :D

    That's correct. UAC and WMIC aren't related at all. You can change integrity levels, however. Windows Vista+ has a built-in tool called icacls, which you can use from the command line. It's not very useful compared to Mark Minasi's applications chml and regil. You can also work with SDDL (Security Descriptor Definition Language) - http://msdn.microsoft.com/en-us/library/bb625964.aspx
     
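    As an added example, not from the thread, the icacls route mentioned in the reply above: a PowerShell script that labels a scratch folder Low integrity (the kind of location a low-integrity process such as a sandboxed browser is allowed to write to), reads the mandatory label back from icacls, and shows the integrity level of the current shell. The folder path is a constructed temp path; the script assumes Windows Vista or later, where icacls and mandatory labels exist.

```powershell
# Added example, not from the thread. Set and inspect a mandatory integrity
# label with the built-in icacls tool.

# Integrity level of the current process, as reported by whoami: the line reads
# "Mandatory Label\Medium Mandatory Level" in a normal shell, "High" when elevated.
whoami /groups | Select-String 'Mandatory Label'

# Constructed scratch folder used only for this demonstration.
$dir = Join-Path $env:TEMP 'il-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

function Get-MandatoryLabel([string]$Path) {
    # icacls lists an explicit label as e.g.
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    # which is the SDDL ACE S:(ML;OICI;NW;;;LW): Low level, No-Write-Up policy.
    $line = icacls $Path | Select-String 'Mandatory Label\\(\w+) Mandatory Level:(.*)$'
    if (-not $line) { return $null }   # no explicit label: the object is implicitly Medium
    $m = $line.Matches[0]
    return [pscustomobject]@{ Level = $m.Groups[1].Value; Flags = $m.Groups[2].Value.Trim() }
}

$before = Get-MandatoryLabel $dir
"Before: " + $(if ($before) { "$($before.Level) $($before.Flags)" } else { 'no explicit label (Medium)' })

# Apply a Low label that new children inherit. A Low-integrity process may now
# write here; the no-write-up rule still stops it writing to Medium objects.
icacls $dir /setintegritylevel '(OI)(CI)Low' | Out-Null

$after = Get-MandatoryLabel $dir
"After:  $($after.Level) $($after.Flags)"

Remove-Item $dir -Recurse -Force
```

Setting a label at or below the caller's own level on an object the caller fully controls needs no elevation, which is why the demonstration uses a folder under the user's own TEMP.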
  18. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    165
    Originally Posted by xxJackxx
    That, and I love Windows 7 UAC on a standard user account. When the standard users at work need to install something and it prompts for a user name and password, I can enter the admin credentials and not have to log into another account to get something working. Big time saver. It never quite worked that way in Vista.

    In reply to the above:


    And what do you guys think about this?
     
  19. zip

    zip Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    359
    Location:
    Mars
    I use WinPatrol Plus in place of UAC.
     
  20. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    UAC can be bypassed really, really easily by viruses, so don't think of it as a security feature. It was meant to be one but it's a fail, but I still recommend it to novice-mediocre users, but I have disabled it for myself and never had any issues.
    It's no question that when it comes to security you can't put your trust in Microsoft.
     
  21. carat

    carat Guest

    But only if the dummy in front of the computer clicks on "allow"! :D
     
  22. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Link to POCs with proof of malware bypassing UAC on Always Notify "Vista" mode please...

    PS wow who dug up this thread lol
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Nowadays, anything is bypassed. :D All you've got to do is not attack the way it works.

    Ways in which it doesn't work:

    1. It can't stop the user from being ignorant.
    or
    2. It can't stop the user from being stupid.
    or
    3. It can't stop privilege escalation.
    or
    4. It can't prevent apps with stolen digital signatures from looking legit, and therefore fooling the user.

    So, if you attack this, then you bypass it. :blink: :argh: So, a system with UAC isn't any better than a system without it. :rolleyes:

    I think I should disable it... What do you think? :D
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    lol M00n, you're still confused if you think UAC is comparable, but I won't derail this topic.

    I think defining what UAC is 'for' would be difficult as I think even Microsoft has given multiple different statements - though I think the latest is to encourage developers to use lower rights or something.
     
  25. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212