Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities

Do you use a Standard User Account for daily usage?


  • Total voters
    61

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Actually it is all about responsibility, no need to sacrifice or limit it.

One of the important aspect is to install the important and necessary updates which will secure from different exploits and holes; then next a reliable antivirus solution to protect in case of any attacks, and lastly have a regular backup.

Here's the point, it's useless when you run a LUA or SUA when the system is unpatched cause some threats may execute on other way.

Again it's all about the responsibility and how maintain it.
 

lab34

Level 6
Verified
Well-known
Mar 28, 2017
263
I was looking for the differences between SUA and Admin+UAC.
And I found an interesting post of Umbra from last year:
Poll - Administrator Account vs Standard/Limited User Account
From Fixer (ReHIPS dev.)

- Elevated admin: Maximum access rights, can read+write from everywhere across file system and registry.

- Non-elevated admin (LUA): Slightly restricted read rights (some files may be SYSTEM read-only, but elevated admin can take the ownership and grant any access rights to itself and LUA can't do it, but there are few system locations like this+other users' profile folders and registry hives are also inaccessible) and restricted write rights (restricted for the same reason as reading is restricted, but there are significantly more locations, like Program Files, Windows, System32, etc and HKLM registry hive). But this user is vulnerable to LUA elevation and may become elevated admin.

- Non-admin user ( SUA): The same as LUA, but without elevation vulnerability for the cost of usability.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
i'm still wondering why they still don't do it.
Along with all the other built in security in Windows 10 adding SUA as the default would be a massive step forward wouldn't it. Perhaps they will at some point as they're clearly strongly focused on improving Windows default security.
 
  • Like
Reactions: AtlBo

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
Along with all the other built in security in Windows 10 adding SUA as the default would be a massive step forward wouldn't it. Perhaps they will at some point as they're clearly strongly focused on improving Windows default security.
I don't think it's tested for Microsoft's audience though. Linux are nerd people. I think the more likely outcome is Windows 10 S as an option for people who only need just that.
Mitigate here includes both prevent and limit, right?
 
  • Like
Reactions: AtlBo and ZeroDay

DJ Panda

Level 30
Verified
Top Poster
Well-known
Aug 30, 2015
1,928
Been using SAU at max for almost a year. Practically no prompts from UAC even while at max. It really isn't a pain for me to put my password in every once in awhile. :) The school I go to makes sure all computers are SUA only. Though they don't update Windows or programs so that might be a problem. :p
 
Last edited:
  • Like
Reactions: AtlBo and frogboy

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
I don't think it's tested for Microsoft's audience though. Linux are nerd people. I think the more likely outcome is Windows 10 S as an option for people who only need just that.
Mitigate here includes both prevent and limit, right?
MAC os does it by default too though and most Mac users I know can just about use a computer lol
 
  • Like
Reactions: AtlBo

Janl1992l

Level 14
Verified
Well-known
Feb 14, 2016
648
Amazing the number of people (even here) using admin account for daily usage...
i have always used admin account and got never infected. It not a big deal to use a admin account if u are not a happy clicker. Some people are way to paranoid for my liking. Well, each there own. I will always us admin account. There is no reason to change that and some things are so much easier with a admin account. and when, thats most likly never will happens, i got infected i simply backup the os and done. not much time wasted.
 

lab34

Level 6
Verified
Well-known
Mar 28, 2017
263
James Forshaw (Google Project Zero) just post a three parts article on his blog about UAC bypass.
Tyranid's Lair: Reading Your Way Around UAC (Part 1)

(disclaimer: all of this is tricky for me, maybe I don't understand very well, tech+english...)

The conclusion on the part 3 is embarrasing me.

On the mitigation side it's simple:

DON'T USE SPLIT-TOKEN ADMINISTRATOR ACCOUNTS FOR ANYTHING YOU CARE ABOUT.

Or just don't get malware on your machine in the first place ;-) About the safest way of using Windows is to run as a normal user and use Fast User Switching to login to a new session with a separate administrator account. The price of Fast User Switching is the friction of hitting CTRL+ALT-DEL, then selecting Switch User, then typing in a password. Perhaps though that friction has additional benefits.
What I understand here: User Account Control and Split Tokens. is that "split token admin accounts" are the admin account restrained by UAC. OK... But:
What about Over-The-Shoulder elevation, where you need to supply a username and password of a different user, does that suffer from the same problem? Due to the design of UAC those "Other User" processes also have the same Logon Session SID access rights so a normal, non-admin user can access the elevated token in the same way. Admittedly just having the token isn't necessarily exploitable, but attacks only get better, would you be willing to take the bet that it's not exploitable?
:(
Anyway, unless Microsoft change things substantially you should consider UAC to be entirely broken by design, in more fundamental ways than people perhaps realized (except perhaps the CIA).
:(
 

Malware Man

Level 9
Verified
Well-known
Feb 2, 2013
440
I've used to use a admin account for everyday use up until about only a year ago.

Even though now I know what I am doing I still use a standard user account. Yes I know there are viruses out there that will bypass UAC and all that but it's still safer than using a admin account.

Most times when a ransomware hits a standard account it only encrypts that user account. So you can just log into the admin account and delete the user account and make another and start again. Of course if you got a USB or other hard drives in the computer like me then the ransomware will encrypt those hard drives as well.

I am sure there are viruses out there that bypass UAC and encrypt the whole hard drive, but software isn't perfect and is always going to have holes in it. At least this way you protect yourself against a huge number of vulnerabilities and viruses by using a standard account alone.

It's also nice if I leave my standard account logged in I know that no one can walk by and totally mess up my laptop or delete accounts and install and uninstall software cause they need my password.

Since I use my Microsoft account as my standard account I risk getting my OneDrive files encrypted if I were to ever get hit by ransomware which would be very annoying.
 

Windows Defender Shill

Level 7
Verified
Well-known
Apr 28, 2017
326
NO!

If you have that little of confidence in your security set up that you have to use a standard account, then you need a new security setup.

Plus if you are the Admin, (which you probably are if it's your computer) you will just type in the admin password for anything that needs it.
 
  • Like
Reactions: AtlBo
D

Deleted member 178

Thread author
NO!
If you have that little of confidence in your security set up that you have to use a standard account, then you need a new security setup.
You use SUA first, then a security tool...

Plus if you are the Admin, (which you probably are if it's your computer) you will just type in the admin password for anything that needs it.
and you shouldn't have alerts unless you repeatedly doing admin tasks.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
James Forshaw (Google Project Zero) just post a three parts article on his blog about UAC bypass.
Tyranid's Lair: Reading Your Way Around UAC (Part 1)

(disclaimer: all of this is tricky for me, maybe I don't understand very well, tech+english...)

The conclusion on the part 3 is embarrasing me.


What I understand here: User Account Control and Split Tokens. is that "split token admin accounts" are the admin account restrained by UAC. OK... But:

:(

:(
What is "split token" admin account?
What is this article telling us not to do?
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
What is "split token" admin account?
What is this article telling us not to do?
It's when you run an SUA account and still enter your admin password in UAC when performing certain tasks, by doing that you're giving the SUA the Admin token. You're supposed to use the SUA for regular non admin tasks and anything that needs admin credentials you should log out of the SUA and into the admin account. By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.
 
D

Deleted member 178

Thread author
It's when you run an SUA account and still enter your admin password in UAC when performing certain tasks, by doing that you're giving the SUA the Admin token. You're supposed to use the SUA for regular non admin tasks and anything that needs admin credentials you should log out of the SUA and into the admin account. By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.
Exact, it is why i recommend to install softs or do critical admin tasks on admin account , not SUA.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
By using an SUA and still entering your admin credentials at the UAC prompt you're defeating the purpose of using the SUA in the first place.
Why is it better to switch to admin account, rather than enter your credentials in the SUA?
 
  • Like
Reactions: AtlBo

lab34

Level 6
Verified
Well-known
Mar 28, 2017
263
Why is it better to switch to admin account, rather than enter your credentials in the SUA?
I think it's under this sentence: "If malware is running in your split-token account you've given it Administrator access. In the worst case all it takes is patience, waiting for you to elevate once for any reason. Once you've done that you're screwed."

If you switch to another account the malware cannot use the elevation (it's another account... I don't know if I'm clear, it's not really clear for me too !)

Help @Umbra ! :confused:

The problem, is that it's braking the superb usability of the uac :(
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top