Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Security Apps
Other security for Windows, Mac, Linux
Understanding UAC prompt/ alert usefulness
Message
<blockquote data-quote="Andy Ful" data-source="post: 973684" data-attributes="member: 32260"><p>There is a nice article about UAC on the Microsoft website:</p><p>[URL unfurl="true"]https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works[/URL]</p><p></p><p>The authors use the term "built-in UAC elevation component" which is present both on Admin and SUA.</p><p></p><p></p><p></p><p>As I noted in my first post, this component can do different things on Admin and SUA:</p><ul> <li data-xf-list-type="ul">On SUA, it cannot show the UAC <strong><span style="color: rgb(184, 49, 47)">consent prompt</span></strong> and shows the UAC <strong><span style="color: rgb(0, 168, 133)">credential prompt</span></strong> instead. The user has to insert the valid credentials of any valid Administrator (there can be several different Administrator accounts on one computer). If approved, then the elevated process will run in the context of the Administrator account (the process changes the user context from SUA to this Administrator).</li> <li data-xf-list-type="ul">On the Administrator account, the UAC consent prompt is shown and the elevated process will run without changing the user context. This behavior can be changed by UAC policy and the credential prompt can be shown also on the Administrator account.</li> </ul><p>So, it is possible to set UAC settings to show the same UAC prompt on SUA and Admin. But still, there will be a difference in security. <span style="color: rgb(184, 49, 47)"><strong>On the Administrator account, the standard and elevated processes can run on the same user account</strong></span> and <span style="color: rgb(0, 168, 133)"><strong>this is not possible on SUA</strong></span>.</p><p></p><p><strong>When people use the term "UAC bypass", they usually think about process elevation without changing the user context and without showing the UAC prompt. This is possible only on Admin and not possible on SUA.</strong></p><p>Such bypasses are not considered by Microsoft as serious threats because UAC on Admin is not considered by Microsoft as a security boundary (whatever it means).</p><p>When elevating from SUA to Admin, we have not only the UAC bypass but also account-separation bypass. This is a much more dangerous thing.</p></blockquote><p></p>
[QUOTE="Andy Ful, post: 973684, member: 32260"] There is a nice article about UAC on the Microsoft website: [URL unfurl="true"]https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works[/URL] The authors use the term "built-in UAC elevation component" which is present both on Admin and SUA. As I noted in my first post, this component can do different things on Admin and SUA: [LIST] [*]On SUA, it cannot show the UAC [B][COLOR=rgb(184, 49, 47)]consent prompt[/COLOR][/B] and shows the UAC [B][COLOR=rgb(0, 168, 133)]credential prompt[/COLOR][/B] instead. The user has to insert the valid credentials of any valid Administrator (there can be several different Administrator accounts on one computer). If approved, then the elevated process will run in the context of the Administrator account (the process changes the user context from SUA to this Administrator). [*]On the Administrator account, the UAC consent prompt is shown and the elevated process will run without changing the user context. This behavior can be changed by UAC policy and the credential prompt can be shown also on the Administrator account. [/LIST] So, it is possible to set UAC settings to show the same UAC prompt on SUA and Admin. But still, there will be a difference in security. [COLOR=rgb(184, 49, 47)][B]On the Administrator account, the standard and elevated processes can run on the same user account[/B][/COLOR] and [COLOR=rgb(0, 168, 133)][B]this is not possible on SUA[/B][/COLOR]. [B]When people use the term "UAC bypass", they usually think about process elevation without changing the user context and without showing the UAC prompt. This is possible only on Admin and not possible on SUA.[/B] Such bypasses are not considered by Microsoft as serious threats because UAC on Admin is not considered by Microsoft as a security boundary (whatever it means). When elevating from SUA to Admin, we have not only the UAC bypass but also account-separation bypass. This is a much more dangerous thing. [/QUOTE]
Insert quotes…
Verification
Post reply
Top