Limited Rights Account and UAC settings

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Running 3 PCs on Windows 7 Pro 64, and I am attempting to get caught up on security. Have been running on a password protected Admin account using Private Firewall and 360 TS but with UAC turned off. I would like to experiment with a limited rights account with UAC on, so I am looking for input on how to set up the account and UAC for this.

I have many programs already installed. Is this going to be a problem? Also, is this going to be a problem for a-v/firewall programs already installed? Will, for example, a-v or Private Firewall have problems? Also, what about program settings? Can I change them running in a limited rights account?

As far as Windows 7 (specifically compared to 8.1/10) goes, is this a real security punch, so to speak? I particularly want to limit the ability of crypto viruses from being an issue, but I also would like protection for my personal files from alteration/encryption. Curious about whether most malware can get around UAC and limited rights.

Any input valued highly!

Infamous

Level 1
Verified
Dec 20, 2015
34
Using a standard (limited rights) account can improve the security of your system against malware - it really depends on the situation, for example, what the malware on your system is trying to do.

Normally, security software starts up one way or another as the system is booting (usually through a device driver which would come together with a Windows service). They also avoid having User Account Control prompts after the user logs in, whilst keeping administrator (or SYSTEM) rights on their processes. This means, even if you are using a standard account on Windows, the security software should still function correctly without requiring User Account Control consent all the time. Although, I should point out that there are less advanced or less mature security products out there which will not function properly without the required privileges, nor have the ability to work like the bigger security products and sort themselves out without requiring regular User Account Control consent from the user.

If you wish to install or tamper with the installation of existing security software, usually this will require administrator rights. For example, if you wanted to install Avast Antivirus you would require administrator rights (since the installer would wish to do things for which higher rights are required due to Windows security - such as install device drivers, drop into protected directories like Program Files, etc).

In terms of a ransomware infection, I personally believe that having UAC enabled (on an admin account) would help protect the system. The reason for this is because more popular ransomware infections tend to perform little tricks on the system which usually would require additional privileges (such as administrator privileges) to prevent the cancelling of the encryption by the user and help evade detection during the encryption process. These tricks can include process manipulation attacks towards a legitimate Windows process running in the background (examples of this would include csrss.exe), where the purpose would be for the encryption code to execute from the Windows process, so if the user found the ransomware process and terminated it, the encryption process would still continue without the user even being further aware of the situation (and if no current security prevented this attack, I doubt an on-demand scan would usually catch this activity out after it's been done). Such tricks like attacking a Windows process would require the launcher of the ransomware to have the correct rights to do such a thing; these rights can be obtained through using both documented and undocumented APIs in Windows, however I should note that to use these APIs successfully for the intended goal, the program would need to be running as administrator anyway.

As well as this, further apart from "tricks" which ransomware may or may not use (because they are not always used, and the one described above is for more advanced ransomware attacks), administrative privileges would be required to do things such as access protected directories (like Program Files directory), install device drivers on the system, perform auto-run modifications to have a program start for all users on the system (through HKEY_LOCAL_MACHINE), create tasks using the task scheduler and other things. Therefore, you can also be better protected from a wide variety of infections, not just ransomware attacks.

You could set up some tricks of your own against ransomware attacks (or any malware without administrative rights). You could create your own folder in a protected directory and then store some really important personal documents in there instead. Meaning, when ransomware comes along and tries to encrypt, if it doesn't have the correct privileges (administrator or higher), then it won't be able to access the directory to encrypt the files.

If you are careful and double check which programs you allow to run with administrative rights, you can safeguard your system from a wide variety of potential malware attacks. User Account Control is one of the most underrated security features in Windows, I see people rate it negatively all the time, however it's actually very good when used correctly. The aim of it isn't to auto-block malware, it's down to you to decide which programs should be granted "special privileges" if you prefer that term; use it wisely and you will be better protected.

That's not to say that all malware requires administrative privileges. Some malware will not require more privileges than the standard to function - it really depends on the type of malware infection taking place and the goals of the attacker. In fact, targeted and sophisticated malware may even exploit features like UAC silently. But even then, if you are careful with what you download and the websites you visit, you can better protect yourself from malware which only requires the littlest of privileges, no matter the purpose behind the attack.

In my opinion, you may as well just use an Administrator account with UAC enabled and set to Always Notify. This approach is useful, as well as providing more rights to your account as a whole.

I know this post was really long, much longer than you expected. I tried to cut it down but I have some sort of addiction to detail. If you do not understand anything, don't hesitate to ask me to explain it differently. If I misunderstood your questions, then I am really sorry.

Hope this helped. ;)
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Yes, much more than I was expecting, but I feel like it really covers the basics of the issues. I am very grateful for the knowledge, and I really appreciate your "addiction to detail".

Just a question about malware that doesn't require higher privileges. Would this be mostly associated with boots? Is there a short story on what to look for from potential threats that don't require admin privileges...

Also, on bypassing limited rights. With UAC running, basically anything that runs and requests rights will cause an alert, is that correct?

I use PrivateFirewall in a way so that it saves only the bare minimum of settings. Basically, I see all the pop ups for 21 behaviors and then for net access, and, generally I approve only the one time. Some things I allow PF to remember the choice, but most things not. I have managed to keep the number of processes being managed to a minimum, which is helpful. I can relatively easily for example go through them and make sure none are allowed admin privileges. This is something I have already done. UAC could be a good complement to that, although I am concerned about pop ups. Anyway, mainly this PF setup has helped me learn much more about what I require from security, and hopefully I will be better able to use UAC than I would have before.

BTW, should I use the highest UAC setting? I know I am going to get confused with UAC sometimes after 4 years of Private Firewall. The info on the PF pop ups is helpful...
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
In my opinion, you may as well just use an Administrator account with UAC enabled and set to Always Notify. This approach is useful, as well as providing more rights to your account as a whole.

Answered my last question I see. Thanks for that. Post was a lot to take in. I will give this a try today.

One last question. Do I need to somehow reset UAC choices from before, so that I can start over? I will be using the highest setting. I have only used it a small amount, and I can't recall if it saves choices...
 

Infamous

Level 1
Verified
Dec 20, 2015
34
Just a question about malware that doesn't require higher privileges. Would this be mostly associated with boots? Is there a short story on what to look for from potential threats that don't require admin privileges...
I don't really understand the question but it might just be my fault - do you mean "bots"/"botnet"? I think you are asking about hints to a program being malware. I'll try to answer the question but I am not sure what you meant so apologies if I misunderstood.

I'll start with bots - they may or may not require administrator privileges. Which features are incorporated and supported for the attacker to send back instructions on, and when they should be performed, will determine whether it requires administrator rights or not. It's not guaranteed to require admin rights or not.

When you download a program, you can try checking the properties of the application. Such as: File description, Product name, Copyright, Size, Digital Signature. These can provide you hints as to whether the download is trustworthy or not to you. (check the spoiler for some examples and information to explain this further).

Example 1 - If you downloaded a program called "Photoshop.exe" and checked the file properties, it may claim on the Copyright that it's from Adobe. However, if it's not digitally signed by Adobe as the publisher, then you can safely assume it's a fake version of Adobe and may or may not be malicious (since it could just be adware).

Example 2 - you downloaded a program from the internet which may or may not require administrator privileges. You check the file properties and find that it's digitally signed. After checking if it's digitally signed, check the name of the publisher. Do some research on this publisher and the product, even a few searches would be good enough (and better than nothing). If you find anything suspicious, best stick yourself away from running the program.

Example 3 - you download a program from the internet, you check the file properties and find that fields such as the company name have been left out and forgotten. In this case, I would advise you to avoid the download from being run.

Example 4 - you download a program from the internet, it seems a reasonable file size for the type of program it is, it has an icon* which doesn't seem suspicious and important fields such as the company name, file description have been entered and seem valid. You check the digital signature and make sure you trust the publisher. If you're still happy, you run the program.

About the icon note in example 4 - some malware writers will try to trick the people who are downloading the program. One of the oldest tricks in the book would be putting an icon of e.g. an archive, which may trick the user into believing that it's an archive and that opening it won't harm their system. By "suspicious" icon, I am referring to if the program appears to be infringing an icon from another company (for example, is it claiming to be from McAfee by placing the McAfee logo as the icon of the program?) or appears to be trying to trick you.

Another thing to look out for would be double extensions. By double extensions, I am referring to a file name with multiple extensions. For example, let's take the extension "hello_AtlBo.exe" and let's add a double extension to it. Now after adding the double extension, it transformed into "hello_AtlBo.png.exe" or "hello_AtlBo.zip.exe" or "hello_AtlBo.psd.exe". Double extensions are one of the oldest tricks in the book, and they still fool many people today, they may also add suspicious icons to help fool the user. If you find double extensions, then be a bit more awake! Check the spoiler below for some examples.

Example 1 - you download a program from the internet. The file name is "holidayphoto31.jpg.exe". An attacker may do this in an attempt to make the user believe that it's a picture (hence the *.jpg extension), as opposed to an executable (Portable Executable). If you see this, then I recommend staying away from the program. An attacker may even change the icon to the icon a legitimate *.jpg file may have, as an addition to attempting to fool the user even more.

Example 2 - you plug in a USB a friend gave you and find a document called "portfolio.doc.exe". An attacker may do this in an attempt to make you believe it's a Microsoft Word document. They can also change the icon like in example 1. In this case, I recommend staying away from it.

When you download a program (or find a program you don't remember downloading onto your system), you can scan it at VirusTotal. VirusTotal is a scanner owned by Google which incorporates many different Antivirus scanner engines. Even if your existing security solution you are using does not pick anything up, it doesn't mean you shouldn't get a second opinion from other vendors.

To be extra safe, you can even do your browsing in a sandbox or run newly downloaded programs in a sandbox. From the sandbox you can check what happens in the sandboxed environment once the program has been run and thereafter decide if you want to run such a program on your main system. An example of a sandbox which could be used would be Sandboxie; if you're using Comodo, you can use their built-in sandbox.

The above tips can be useful regardless of if the program requires administrator privileges or not. If the program requires administrator privileges, then remember that admin rights being required usually means it will try to do something which shouldn't be done without extra permission!

I hope I didn't misunderstand your question otherwise I'll feel a bit stupid.
Hope this helped. ;)
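The checks described in the post above (version-info fields, publisher signature, double extensions) pulled together into one added PowerShell script. This is an example written for this thread, not code from the thread or from any product mentioned in it; it takes the path of the downloaded file as a parameter and uses the standard Get-AuthenticodeSignature cmdlet and the .NET FileVersionInfo class.

```powershell
# Added example: triage a downloaded executable before running it.
# Usage: .\Check-Download.ps1 -Path 'C:\Users\me\Downloads\setup.exe'  (placeholder path)
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$warnings = @()
$file = Get-Item -LiteralPath $Path

# 1. Double extension: "holidayphoto31.jpg.exe" carries a decoy ".jpg" before the real ".exe".
#    Heuristic only: a name like "tool.v2.exe" also has three parts and would be flagged.
$parts = $file.Name.Split('.')
if ($parts.Count -gt 2) {
    $decoy = $parts[-2]
    $real = $file.Extension.TrimStart('.')
    $warnings += "Double extension: presented as .$decoy but is really a .$real"
}

# 2. Version-info fields that a legitimate vendor normally fills in (Example 3 in the post).
$vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
foreach ($field in 'CompanyName', 'FileDescription', 'ProductName', 'LegalCopyright') {
    if ([string]::IsNullOrWhiteSpace($vi.$field)) {
        $warnings += "Version info field '$field' is empty"
    }
}

# 3. Authenticode signature: Status must be Valid; who the signer is still needs your judgement.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
$signer = $null
if ($sig.Status -ne 'Valid') {
    $warnings += "Signature status is '$($sig.Status)' (unsigned, or the certificate chain does not verify)"
} else {
    $signer = $sig.SignerCertificate.Subject
    # The "Photoshop.exe" case: copyright/company claims one vendor, certificate names another.
    if ($vi.CompanyName -and $signer -notmatch [regex]::Escape($vi.CompanyName)) {
        $warnings += "Signer '$signer' does not mention CompanyName '$($vi.CompanyName)'"
    }
}

# Summary object; the Warnings list is what you read before deciding to run the file.
New-Object PSObject -Property @{
    File        = $file.Name
    SizeKB      = [math]::Round($file.Length / 1KB, 1)
    Company     = $vi.CompanyName
    Description = $vi.FileDescription
    Signature   = $sig.Status
    Signer      = $signer
    Warnings    = $warnings
}
```

An empty Warnings list is not a clean bill of health; it only means the file passed the cosmetic checks the post lists, so a VirusTotal or sandbox check is still worth doing.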

Infamous

Level 1
Verified
Dec 20, 2015
34
Also, on bypassing limited rights. With UAC running, basically anything that runs and requests rights will cause an alert, is that correct?
Yes, exactly. However, if it doesn't have the correct rights and doesn't check and try to elevate itself (which means it tries to obtain them) and tries to proceed with the action which can only be done with the correct rights, then the action will just fail and unless it returns an error you won't even be aware of this.

One last question. Do I need to somehow reset UAC choices from before, so that I can start over? I will be using the highest setting. I have only used it a small amount, and I can't recall if it saves choices...
You can just search for User Account Control on Windows Start, an option should appear called "User Account Control Settings". From there you can change it to the correct setting, then hit OK and you'll have to consent to the UAC settings changes through a UAC prompt. After this, reboot to make sure the changes have taken effect.

Also note, programs which are granted administrator rights will also have the ability to completely disable UAC.
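To confirm where the slider actually landed (and to spot the case the note above warns about, an elevated program having switched UAC off), the policy values the slider writes can be read back from the registry. This is an added example, not from the thread; the key path and value names are the documented UAC policy settings, and the function name is my own.

```powershell
# Added example: report the effective UAC level and whether the current session is already elevated.
function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # EnableLUA = 0 means UAC is off entirely; changing it needs a reboot to take effect.
    $enabled = ($p.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin: 2 = consent on the secure desktop ("Always notify"),
    # 5 = prompt only for non-Windows binaries (the default), 0 = elevate silently.
    $adminBehavior = $p.ConsentPromptBehaviorAdmin
    $secureDesktop = ($p.PromptOnSecureDesktop -eq 1)

    # ConsentPromptBehaviorUser applies to a standard (limited) account:
    # 3 = prompt for an admin password on the secure desktop, 1 = prompt without it, 0 = deny silently.
    $userBehavior = $p.ConsentPromptBehaviorUser

    $level = "Custom (ConsentPromptBehaviorAdmin=$adminBehavior)"
    if (-not $enabled) { $level = 'Off' }
    elseif ($adminBehavior -eq 2 -and $secureDesktop) { $level = 'Always notify' }
    elseif ($adminBehavior -eq 5 -and $secureDesktop) { $level = 'Default (notify for non-Windows changes)' }
    elseif ($adminBehavior -eq 5) { $level = 'Notify without dimming the desktop' }
    elseif ($adminBehavior -eq 0) { $level = 'Never notify (silent elevation)' }

    # If this PowerShell session is already elevated, no prompt stands between it and the system.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        UacEnabled          = $enabled
        Level               = $level
        SecureDesktop       = $secureDesktop
        StandardUserPrompt  = $userBehavior
        SessionIsElevated   = $elevated
    }
}

Get-UacState
```

Running this from a standard account and from the admin account before and after moving the slider shows which value changed; Level should read "Always notify" for the setting recommended earlier in the thread.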
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Mostly I am looking at script monitoring types of programs, so I am basically attempting to learn as much as I can about what to expect from UAC in terms of what could potentially get by it. This way, I can know better what to look for in anti-script security.

I think I have everything you mentioned covered at least fairly well. I am running Firefox in the 360 sandbox, and I use NoScript, Ghostery, and Better Privacy (removes flash cookies), along with Bluhell browser firewall. NoScript and Ghostery were made for each other it seems. NoScript is, yes, sort of all-encompassing, but it does block drive-bys where a page redirects a download from a different link to the current page. I have seen this work with NS several times already. With "safe sites" (only a few for me), I can Allow with NS and then Ghostery still catches all the ad junk. It's a great one-two. NS is super configurable once you get 6 or 8 months of use from it.

You answered all my questions. Thanks I really appreciate you taking the time to break all of this down. If I can get this shored up, maybe I will be better able to focus on other areas of security. This is kind of where I am at and hope for...

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Your configuration step is fine already; as long as UAC is enabled there is no need to worry, because it will vary on the tweaks where the digital signature is unsigned or unknown to prompt for permission.

Putting it in a limited account is not an issue, however you need some things done on administration.

Just don't forget to have a virtualization tool and backup for any sudden changes/incidents.
 

Deleted member 178

Limited Account is safer than admin account, since you have to enter a password to allow privilege elevation; MOST malware will be blocked at this point.

Remember, if you are on Windows 8/10, installing an app will in some cases override the restrictions.
 