Windows XP turns 20: Microsoft’s rise and fall points to one thing — don’t fix what isn’t broken

I have an even better idea, simply disable UAC instead of having to mess around with scheduled tasks, at least I assume that's what you mean LOL.

 

I've checked it on multiple systems so it is more likely that something is wrong on your system, or you have not disabled UAC properly.

Just because it is the main entry point, doesn't mean their aren't other big entry points. And there are enough other apps that don't implement sandboxes.
And like I said, you're undermining the security on which the browsers sandboxed is based, which is never a good idea. Even if you don't have any processes running with high IL, there is nothing preventing processes with lower IL from requesting admin access.

And I'm sure you know what I mean. First you only care about the main entry point for malware, and then you care about something that is WAY less likely to get exploited. And who says they run with system IL. For example, Firefoxes scheduled update task does not have Run with highest priviliges checked.

Only with a locked down HIPS, which are unable to completely lock down the system due to Patchguard, plus the fact that there are very few good HIPS left. I stopped using them due to that fact and the fact that it made using the system for normal use a lot more user unfriendly than a few UAC pop-ups.

Says who? That is certainly not the main purpose and usefullness.

Which is a non-argument, a kernel exploit can also be used to bypass the anti-malware tools.
And disabling UAC could weaken sandboxes.

Just because UAC is not a panacea does not mean it is useless.
Your antipathy against a few UAC alerts seems out of proportions. Even if they annoy you so much that you'd rather disable them, in spite of the security consequences, does not make them useless for everyone else.

 

Unless you disable UAC... When UAC is disabled Windows gives high IL by default for every process.

 

If UAC is actually disabled then this is correct. Or at least enough.
As anyone can see in this screenshot, I have a VM with Windows 11. UAC disabled. I have Firefox open to Majorgeeks. I have downloaded a file. I have Process Explorer open. You'll see it says Administrator in the title bar. I did nothing to elevate this, UAC is off. It shows Firefox is Low integrity. I downloaded SanDiskSSDDashboardSetup.exe with Firefox from this site, on the internet. You'll see I chose the save location of the file to the Windows directory. You'll see the file in Windows Explorer in the Windows folder. With UAC on, this is not allowed. With no prompts whatsoever it allowed this without complaint. So anyone with a false sense of security that their browser being shown as Low integrity actually means something, here is the proof that it can still write to what would normally be protected OS folders without anything to stop it.

 

Yeah why have good security instead of really ****** one, right?

Here's a fun article, related to UAC and admin rights.
https://www.tomsguide.com/us/standard-accounts-stop-malware,news-18326.html

 

It;s even worse than I thought, thanks for the info.

 

It seems that not only default integrity level is set to high but some checks for integrity level are just not performed at all. I think I read it somewhere long ago, but not verified it yet. Then forgot why exactly I do not disable UAC completely even when I use user account not being part of administrator group.
Thanks for checking it and sharing the info.

 

Yes, it appears the reported integrity level means nothing with no UAC as there is no mechanism to enforce it. I do want to be clear that this is UAC disabled and not just set to don't notify which would have failed but given a save error instead of a UAC prompt.

 

Even with UAC still enabled and set to Never Notify the security is broken. A low IL may not be able to write to protected folders, but it can get high IL without an UAC prompt, thus defeating the whole sandbox.
Using Didier Stevens' info here (https://blog.didierstevens.com/2010/09/07/integrity-levels-and-dll-injection/) I created a copy of cmd.exe and set it to low IL. With UAC set to never notify it can launch high IL processes without an UAC prompt:

 

Good to know. I assumed it was still broken with that setting but I had not tested to what degree. It's not a setting I would ever use, beyond a test like this.

 

Weird, perhaps you guys are on to something. I use Windows 8 and 10 as administrator with UAC set to ''never notify'', isn't this the same as turning UAC off? What this means is that if I run sandboxed applications like Edge and Vivaldi (both Chromium) their sandbox seems to function correctly, this means I only get to see them running with untrusted, low and medium IL processes, I've checked this via Process Explorer.

See above, I don't see how disabling UAC undermines the security of built-in browser sandboxes. Hackers will still need to bypass the sandbox in order to get malware running with high IL. Or are you saying that on all these hacking contests, they actually disable UAC in order to get their exploits working?

Then perhaps I misunderstood, I thought you were talking about running system services for auto-elevation but perhaps scheduled tasks are something different. I would never allow any app that is not related to security and system monitoring to install a system service.

PatchGuard isn't a big deal, only thing that matters is that HIPS like SpyShelter and Comodo can correctly monitor certain behaviors, and this can be done without having full access to the Windows kernel.

Let me explain, you guys see UAC as an important extra lock on the door, right? But when you install trusted software you might as well temporarily disable UAC because all of those alerts are expected. It's only when you ever encounter an unexpected alert, which will normally occur during some exploit attack, that it might be useful.

No it's not an non-argument because anti-malware tools can still monitor malware no matter if they run with high IL as long as they are not targeted directly. So let's say that some keylogger is installed, then tools like KeyScrambler and SpyShelter will still be able to block them for monitoring keystrokes. And most keyloggers don't even need high IL for this, unless they want to gain persistence.

I never said it was useless for all people. I said that I don't see it as an important security measure. There has to be a balance between security and usability and those UAC alerts are way too annoying to me, while gaining little extra security. No thanks, I've already got enough extra locks on the door LOL.

In fact, even Microsoft doesn't see UAC as a security boundary, that's why they don't bother to fix most of the UAC bypasses. Yes I know most of these bypassed can be mitigated by setting UAC to the highest setting, but most people won't bother with this and it will probably make it even more annoying.

 

Isn't setting UAC to ''don't notify'' the same as disabling UAC?

And you probably already figured it out but what I'm saying is that as long as you're able to block malware from either running at all, or block them from performing malicious activities, it really doesn't matter if UAC is enabled or not, while running as admin. But this is of course a no brainer. I never had a problem on Win XP, when UAC didn't even exist. And I don't see UAC or running as a limited user as a crucial part of security, that's the bottom line.

 

UAC is NOT a security boundary and you should never disable it.

 

If it's not a security boundary what would you call it?

 

I already have good security with AV, firewall, HIPS and sandboxing LOL. And yes, we all know that UAC and limited user accounts can be useful to block malware that require admin rights. But malware doesn't neccesarily always need admin rights to do any damage.

If your browser gets exploited, then ransomware can still encrypt your Downloads and Documents folder. And a keylogger can still record keystrokes, stealing your Gmail and Instagram passwords. It can also perform code injection into the browser allowing to bypass your firewall, all without any admin rights.

 

A convenience feature.

https://docs.microsoft.com/en-us/tr...windows-security/disable-user-account-control

https://docs.microsoft.com/pt-br/ar...-user-account-control-and-security-boundaries

Anyway the user should not disable UAC, it is pretty stupid to do so.

Edit: While UAC isnt a security boundary, it actually augments security.

SUA + UAC in a updated Windows OS (10 or 11) is much better than security combos that messes up with usability, stability and performance.

 

Perhaps this is the problem? I always set it to ''Never Notify'' which to me is the same as disabling UAC, since all apps/processes can now automatically get admin rights. Of course in the document you can read that this is not recommened due to ''security concerns'', but like I said, I already got this covered, so I don't have these concerns.

 

Yes, I'm aware of what Microsoft has said about it, but it's hair splitting IMHO. UAC is an imperfect security boundary just like all security. The point is to understand what it does and doesn't do. The only security is an educated user

 

I agree, I think that an updated OS with a Limited User Account in the hands of an educated user is much safer than any security combo (HIPS/Firewall/Sandbox/Anti executable/Antivirus and so on).

This thread is still relevant:

https://www.wilderssecurity.com/thr...uac-claim-its-not-a-security-function.317697/

 

I'll give that a read - thanks!

 

Agree with the others in this thread, I would also not set UAC to "Never notify", but I agree with you that all this security you have keeps you safe from malware anyways, along with, of course, a good dose of common sense too.

Good point!

I know very little about this, but aren't browser exploits quite rare, and rather it's browser addons or plugins that are more vulnerable to exploits? At least that's the way I understand it.

BTW, you might find this informative:

How User Account Control works

This way you would only have to respond to the occasional Consent prompt rather than the Credentials prompt. There would only be one mouse click on "Yes", but you would still be running apps under a more secure Standard User token.

 

Yes, with 'never notify' UAC is still on, it is still active, however everything is automatically approved. That does mean processes run as Medium IL by default. As xxJackxx posted, it looks like when UAC is on never notify, but still enabled, restrictions are still applied on Low and Untrusted IL processes. However, as I posted, while lower IL's may be restricted, there is nothing from stopping them from getting high IL, thus sandboxes are still broken:
https://www.wilderssecurity.com/thr...x-what-isnt-broken.441518/page-4#post-3051683

I don't know the details about the hacking contests, but I think the most popular have UAC on default settings and they exploit or bypass the sandbox as well. But as I said, that wouldn't be necessary when UAC is set to never notify, as you can just get a high IL automatically.

Well, it differs per software. In the VM I checked I have Firefox, Opera and Vivaldi installed which automatically update, however, I don't see any services from them in services.msc
Firefox did have Mozilla Maintenance Service in the past, but it seems to have changed to a scheduled task. Since they don't have any installed services, I can't manually run them to check their IL, but maybe they would run as High IL instead of System. Afaik services can also be configured to run once in every while, so they aren't running all the time, reducing attack surface.

Well because they can't patch the kernel anymore(which is on the other hand a good thing), they do have less control. For example Kaspersky's HIPS which I used for quite a while, had a list of behaviours it was monitoring, and a few items that were on the 32 bit version were missing in the 64 bit version because of Patchguard. And Defensewall was not releasing a 64 bit version because it wouldn't have the same security as the 32 bit version.(Not sure anymore if they did release a 64 bit version later on anyway.)

Installing trusted software should only give 1 alert per installer, not much. It is also useful when just running files that shouldn't need admin rights, or a malicious exe hiding as a Docx file for example. And UAC gives the publisher name from the digital certificate, so if the installer has been replaced with something malicious, that can tip you off. And it is an integral part of the security of the operating system, which is relied upon by other software for security, which might break, for example sandboxes as we now know.
UAC is a bit hard to describe in the door analogy. I would rather say it is a reinforcement of the door, making it harder to bust in. You can put as many advanced locks on it as you like, but if the door is weak, then you can just bust it in. Of course you do still need good locks on it, if it is hard to bust but you can just pick the lock easily and open the door then it doesn't matter that the door is reinforced.

When a kernel exploit is being used they will have system IL, they may not disable anti-malware tools when they don't target them directly, but you can't be sure they still work like they supposed to. And most people who want to infect someone with a keylogger won't want this for just a short time, so they will want persistence.
Of course a keylogger can still log with medium IL, or other malware can do nasty stuff with medium IL. Extra security measures are always strongly advisable.

Well not literally useless, but you said it was stupid and a joke, and a lot of the time you are talking in general, not for your specific situation.

Well, as I said, it is not just another security measure but part of the underlying security, which will weaken other locks when not using it.

Yeah it is a shame they don't fix them. However setting UAC to the highest makes little difference for me. User programs and installers already give alerts on the default settings, for me those are the vast majority of alerts. The few extra alerts on the highest level don't make much difference, but it does give extra security.

 

Interesting, of course UAC itself isn't a security boundary, but I thought it was in combination with the Integrity Levels. I wasn't aware there was still such a difference between using a UAC admin account and limited user account. So it will be harder for Low IL processes to attack High IL processes when using SUA since it then runs in a different 'session'. However for a browser sandbox for example, all processes(medium, low, untrusted) run as the user, so running as SUA will not make it harder to break out of the browser sandbox, from Low to Medium IL for example. Of course if an attacker wants admin rights after breaking out of the sandbox, SUA will make it harder.

 

That pretty much sums it up.

By the way, SUA is a incredible "tool" against exploits, the majority of them is totally ineffective in a non-admin account modern Windows OS.

https://www.ghacks.net/2017/02/23/n...igate-94-of-critical-windows-vulnerabilities/


In combination with UAC it is so painless to use a standard user account nowadays, I dont see a reason to not use SUA.