Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

jamescv7 · May 26, 2017

Actually it is all about responsibility, no need to sacrifice or limit it.

One of the important aspect is to install the important and necessary updates which will secure from different exploits and holes; then next a reliable antivirus solution to protect in case of any attacks, and lastly have a regular backup.

Here's the point, it's useless when you run a LUA or SUA when the system is unpatched cause some threats may execute on other way.

Again it's all about the responsibility and how maintain it.

ZeroDay · May 26, 2017

There's a REALLY easy solution to this: MS should make SUA the default account like other operating systems.

Deleted member 178 · May 26, 2017

ZeroDay said:
There's a REALLY easy solution to this: MS should make SUA the default account like other operating systems.

i'm still wondering why they still don't do it.

lab34 · May 26, 2017

I was looking for the differences between SUA and Admin+UAC.
And I found an interesting post of Umbra from last year:
Poll - Administrator Account vs Standard/Limited User Account

Umbra said:
From Fixer (ReHIPS dev.)

- Elevated admin: Maximum access rights, can read+write from everywhere across file system and registry.

- Non-elevated admin (LUA): Slightly restricted read rights (some files may be SYSTEM read-only, but elevated admin can take the ownership and grant any access rights to itself and LUA can't do it, but there are few system locations like this+other users' profile folders and registry hives are also inaccessible) and restricted write rights (restricted for the same reason as reading is restricted, but there are significantly more locations, like Program Files, Windows, System32, etc and HKLM registry hive). But this user is vulnerable to LUA elevation and may become elevated admin.

- Non-admin user ( SUA): The same as LUA, but without elevation vulnerability for the cost of usability.

ZeroDay · May 26, 2017

Umbra said:
i'm still wondering why they still don't do it.

Along with all the other built in security in Windows 10 adding SUA as the default would be a massive step forward wouldn't it. Perhaps they will at some point as they're clearly strongly focused on improving Windows default security.

Handsome Recluse · May 26, 2017

ZeroDay said:
Along with all the other built in security in Windows 10 adding SUA as the default would be a massive step forward wouldn't it. Perhaps they will at some point as they're clearly strongly focused on improving Windows default security.

I don't think it's tested for Microsoft's audience though. Linux are nerd people. I think the more likely outcome is Windows 10 S as an option for people who only need just that.
Mitigate here includes both prevent and limit, right?

DJ Panda · May 26, 2017

Been using SAU at max for almost a year. Practically no prompts from UAC even while at max. It really isn't a pain for me to put my password in every once in awhile.

The school I go to makes sure all computers are SUA only. Though they don't update Windows or programs so that might be a problem.

ZeroDay · May 26, 2017

TerrakionSmash said:
I don't think it's tested for Microsoft's audience though. Linux are nerd people. I think the more likely outcome is Windows 10 S as an option for people who only need just that.
Mitigate here includes both prevent and limit, right?

MAC os does it by default too though and most Mac users I know can just about use a computer lol

S3cur1ty 3nthu5145t · May 26, 2017

Umbra said:
i'm still wondering why they still don't do it.

Because it is easier for them to let Umbra continue schooling users on how to utilize built in features with just a few clicks and minutes of their time.

Janl1992l · May 26, 2017

Umbra said:
Amazing the number of people (even here) using admin account for daily usage...

i have always used admin account and got never infected. It not a big deal to use a admin account if u are not a happy clicker. Some people are way to paranoid for my liking. Well, each there own. I will always us admin account. There is no reason to change that and some things are so much easier with a admin account. and when, thats most likly never will happens, i got infected i simply backup the os and done. not much time wasted.

lab34 · May 27, 2017

James Forshaw (Google Project Zero) just post a three parts article on his blog about UAC bypass.
Tyranid's Lair: Reading Your Way Around UAC (Part 1)

(disclaimer: all of this is tricky for me, maybe I don't understand very well, tech+english...)

The conclusion on the part 3 is embarrasing me.

On the mitigation side it's simple:

DON'T USE SPLIT-TOKEN ADMINISTRATOR ACCOUNTS FOR ANYTHING YOU CARE ABOUT.

Or just don't get malware on your machine in the first place ;-) About the safest way of using Windows is to run as a normal user and use Fast User Switching to login to a new session with a separate administrator account. The price of Fast User Switching is the friction of hitting CTRL+ALT-DEL, then selecting Switch User, then typing in a password. Perhaps though that friction has additional benefits.

What I understand here: User Account Control and Split Tokens. is that "split token admin accounts" are the admin account restrained by UAC. OK... But:

What about Over-The-Shoulder elevation, where you need to supply a username and password of a different user, does that suffer from the same problem? Due to the design of UAC those "Other User" processes also have the same Logon Session SID access rights so a normal, non-admin user can access the elevated token in the same way. Admittedly just having the token isn't necessarily exploitable, but attacks only get better, would you be willing to take the bet that it's not exploitable?

Anyway, unless Microsoft change things substantially you should consider UAC to be entirely broken by design, in more fundamental ways than people perhaps realized (except perhaps the CIA).

Malware Man · May 27, 2017

I've used to use a admin account for everyday use up until about only a year ago.

Even though now I know what I am doing I still use a standard user account. Yes I know there are viruses out there that will bypass UAC and all that but it's still safer than using a admin account.

Most times when a ransomware hits a standard account it only encrypts that user account. So you can just log into the admin account and delete the user account and make another and start again. Of course if you got a USB or other hard drives in the computer like me then the ransomware will encrypt those hard drives as well.

I am sure there are viruses out there that bypass UAC and encrypt the whole hard drive, but software isn't perfect and is always going to have holes in it. At least this way you protect yourself against a huge number of vulnerabilities and viruses by using a standard account alone.

It's also nice if I leave my standard account logged in I know that no one can walk by and totally mess up my laptop or delete accounts and install and uninstall software cause they need my password.

Since I use my Microsoft account as my standard account I risk getting my OneDrive files encrypted if I were to ever get hit by ransomware which would be very annoying.

Windows Defender Shill · May 27, 2017

NO!

If you have that little of confidence in your security set up that you have to use a standard account, then you need a new security setup.

Plus if you are the Admin, (which you probably are if it's your computer) you will just type in the admin password for anything that needs it.

Deleted member 178 · May 28, 2017

Windows Defender Shill said:
NO!
If you have that little of confidence in your security set up that you have to use a standard account, then you need a new security setup.

You use SUA first, then a security tool...

Plus if you are the Admin, (which you probably are if it's your computer) you will just type in the admin password for anything that needs it.

and you shouldn't have alerts unless you repeatedly doing admin tasks.

shmu26 · May 28, 2017

lab34 said:
James Forshaw (Google Project Zero) just post a three parts article on his blog about UAC bypass.
Tyranid's Lair: Reading Your Way Around UAC (Part 1)

(disclaimer: all of this is tricky for me, maybe I don't understand very well, tech+english...)

The conclusion on the part 3 is embarrasing me.

What I understand here: User Account Control and Split Tokens. is that "split token admin accounts" are the admin account restrained by UAC. OK... But:

What is "split token" admin account?
What is this article telling us not to do?

ZeroDay · May 28, 2017

shmu26 said:
What is "split token" admin account?
What is this article telling us not to do?

It's when you run an SUA account and still enter your admin password in UAC when performing certain tasks, by doing that you're giving the SUA the Admin token. You're supposed to use the SUA for regular non admin tasks and anything that needs admin credentials you should log out of the SUA and into the admin account. By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.

Deleted member 178 · May 28, 2017

ZeroDay said:
It's when you run an SUA account and still enter your admin password in UAC when performing certain tasks, by doing that you're giving the SUA the Admin token. You're supposed to use the SUA for regular non admin tasks and anything that needs admin credentials you should log out of the SUA and into the admin account. By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.

Exact, it is why i recommend to install softs or do critical admin tasks on admin account , not SUA.

shmu26 · May 28, 2017

ZeroDay said:
By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.

Why is it better to switch to admin account, rather than enter your credentials in the SUA?

lab34 · May 28, 2017

shmu26 said:
Why is it better to switch to admin account, rather than enter your credentials in the SUA?

I think it's under this sentence: "If malware is running in your split-token account you've given it Administrator access. In the worst case all it takes is patience, waiting for you to elevate once for any reason. Once you've done that you're screwed."

If you switch to another account the malware cannot use the elevation (it's another account... I don't know if I'm clear, it's not really clear for me too !)

Help @Umbra !

The problem, is that it's braking the superb usability of the uac

212eta · May 28, 2017

Do you use a Standard User Account for daily usage?

No.

Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

Do you use a Standard User Account for daily usage?

Yes

No

Level 85

Level 30

Deleted member 178

Level 6

Level 30

Level 23

Level 30

Level 30

Level 6

Level 14

Level 6

Level 9

Level 7

Deleted member 178

Level 85

Level 30

Deleted member 178

Level 85

Level 6

Level 9

Similar threads