Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

[shmu26]

I think it's under this sentence: "If malware is running in your split-token account you've given it Administrator access. In the worst case all it takes is patience, waiting for you to elevate once for any reason. Once you've done that you're screwed."

If you switch to another account the malware cannot use the elevation (it's another account... I don't know if I'm clear, it's not really clear for me too !)

Help @Umbra !

The problem, is that it's braking the superb usability of the uac

Thanks. That makes sense, at least to me.
I have UAC set high, and I get a UAC prompt every time I do something as simple as run a Macrium Reflect backup job. So it sounds like UAC is a waste of time for me, because I often need to enter my admin pin.

 

[ZeroDay]

Why is it better to switch to admin account, rather than enter your credentials in the SUA?

Because entering your credentials in an SUA is giving the SUA access to the admin token. It's best to use an SUA for browsing etc and any tasks that require Admin credentials should be carried out in the admin account

 

[Deleted member 178]

I think it's under this sentence: "If malware is running in your split-token account you've given it Administrator access. In the worst case all it takes is patience, waiting for you to elevate once for any reason. Once you've done that you're screwed."
If you switch to another account the malware cannot use the elevation (it's another account... I don't know if I'm clear, it's not really clear for me too !)

Exact

The problem, is that it's braking the superb usability of the uac

Usability is why UAC was created in the first place (imo big mistake) to avoid the need to sign in into admin account...it was strong on WinVista but whiners made it weak on Win7. Now there is rumor that MS will lock it to "max" setting without possibility of changes.

 

[Deleted member 178]

Why is it better to switch to admin account, rather than enter your credentials in the SUA?

Yes

 

[DJ Panda]

Sorry, I still don't understand why its better to switch to admin account rather than typing it in a SUA. Someone try to explain it again please.

 

[Andy Ful]

I tested the autor's powershell script, and it can run elevated cmd.exe without elevation prompt on LUA, but it fails on SUA. The autor's bypass can be implemented into executable, too.

 

[tonibalas]

For about 6 months i am running SUA after the suggestion of @Umbra and other staff members.
At the 1st week i had a little trouble to get accustomed to the SUA.
But after that all is good.
When i want to install or try new software i switch to my admin account and proceed with my work.
I think anyone at least should try for a few days using a SUA.

 

[Arequire]

I've tried multiple times in the past to use a SUA for daily computing but I always end up going back to purely admin. A good number of programs I use frequently require admin access and having to keep entering credentials or to keep switching back and forth between two accounts just to do simple tasks just irritates me.

 

[Andy Ful]

What is "split token" admin account?
What is this article telling us not to do?

From: Difference Between UAC and Admin Approval mode

UAC includes several features and security improvements.

Admin Approval Mode
Admin Approval Mode (AAM) is a UAC configuration in which a split user access token is created for an administrator. When an administrator logs on to a Windows Server 2008-based computer, the administrator is assigned two separate access tokens. Without AAM, an administrator account receives only one access token, which grants that administrator access to all Windows resources.

Why is this functionality important?
AAM helps prevent malicious programs from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.

I have an impression, that SPLIT-TOKEN ADMINISTRATOR ACCOUNT from the article: Tyranid's Lair: Reading Your Way Around UAC (Part 3)
can be normal (not built-in) Administrator account with UAC.

Edit
That would be also consistent with the results of my test (see post #46).

 

[AtlBo]

Exact, it is why i recommend to install softs or do critical admin tasks on admin account , not SUA.

I've come to think of the p/w prompt in the SUA as a security warning, and a request to change the system. There are only 4 or 5 applications installed that require the use of admin credentials, so I feel like I know that I can take the rest of them seriously if that makes sense. For this reason, I don't feel as though I need to change accounts to run these programs at least.

 

[shmu26]

Sorry, I still don't understand why its better to switch to admin account rather than typing it in a SUA. Someone try to explain it again please.

Problem is this: there might be malware lurking in the background, just waiting for admin permission to come along. So if you type in the admin password in your SUA, you just granted permission to that lurking malware.
But if you switch to your admin account, that is not where the malware is running in the first place. So it won't receive permission.

 

[roger_m]

You're supposed to use the SUA for regular non admin tasks and anything that needs admin credentials you should log out of the SUA and into the admin account. By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.

I did not know that. With that in mind, I'm staying with an Admin account, rather than changing to SUA. I'm constanty installing new software and it would just be too much of an annoyance to switch to a SUA account everytime I did this. In the past month, I've installed about 40 programs.

 

[Deleted member 178]

I did not know that. With that in mind, I'm staying with an Admin account, rather than changing to SUA. I'm constanty installing new software and it would just be too much of an annoyance to switch to a SUA account everytime I did this. In the past month, I've installed about 40 programs.

40 in the same day is sure annoying to switch, but 2 a day isn't so hard. A switch take 10sec.

 

[shmu26]

40 in the same day is sure annoying to switch, but 2 a day isn't so hard. A switch take 10sec.

What happens if you leave your admin account running in the background, so you can switch back and forth quicker? Is that a security risk?

 

[Deleted member 178]

I can't tell for sure because i never do that

 

[roger_m]

40 in the same day is sure annoying to switch, but 2 a day isn't so hard. A switch take 10sec.

It's 40 this month, not in one day, but sometimes I do install a number of programs in one day.

For the moment, I'm going to stick with just using an Admin account, for the sake of convenience. I'm not click happy (it doesn't matter if I'm emailed ransomware, if I know better than to open the infected attachment) and I keep Windows and vulnerable software updated. In my experience, that is enough to keep me safe. If I'm ever proven wrong, I have backups. Because of this, I don't feel that my system isn't secure enough, or that I need to do every possible thing to secure it as much as possible.

If I rarely made changes to my system, then I most likely would use both Admin and SUA accounts, as it would not be much of an inconvenince in that situation.

 

[Deleted member 178]

It's 40 this month, not in one day, but sometimes I do install a number of programs in one day.

i know, i meant if i would do 40 a day, i would run on admin account all the time

 

[Ink]

+1 Ditto

Can default Admin account be hidden from Login screen? Hate the idea of having 2 accounts on a single-user PC.

 

[_CyberGhosT_]

Can default Admin account be hidden from Login screen? Hate the idea of having 2 accounts on a single-user PC.

I think there is a tweak for that Spawn, I too hate it, I will do some digging I remember reading something about it.
If I find it I will PM you the Info, if that's ok ?

 

[Ink]

I think there is a tweak for that Spawn, I too hate it, I will do some digging I remember reading something about it.
If I find it I will PM you the Info, if that's ok ?

Here would be fine.