User Account like a Castle

Discussion in 'General Security Discussions' started by Andy Ful, Jul 17, 2017 at 6:15 AM.

  1. Andy Ful

    Andy Ful Level 11

    Dec 23, 2014
    538
    1,880
    Male
    business
    Poland
    Windows 10
    Microsoft
    #1 Andy Ful, Jul 17, 2017 at 6:15 AM
    Last edited: Jul 17, 2017 at 6:53 AM
    What is a User Account with UAC? It is like a castle.
    Is a castle a security boundary? It was in the medieval ages.
    What is a Standard User Account (SUA) with UAC? It is a castle in the medieval ages.
    What is an Administrator Account (AA) with UAC? What a stupid question. It is a castle in the 21st century!

    Why is AA with UAC not a security boundary?
    1. Microsoft says that UAC is not a security boundary, but only a security component.
    2. Microsoft is telling the truth: AA with UAC can be easily bypassed in many ways.

    Remark.
    Microsoft officially says that UAC is not a security boundary. I understand this official statement as a statement about default UAC usage, which is mostly AA with UAC.

    Example.
    Run the command prompt on AA as a standard user and copy/execute the commands below:
    reg add HKCU\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM"
    schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

    You can see the second command prompt window running as administrator without a UAC prompt!
    You can repeat this on SUA, and you will see that the second command prompt will be run as a standard user!

    Can you make UAC more secure on AA? Yes.
    1. You can choose 'Always notify' UAC setting.
    2. You can use the hidden UAC setting to elevate only executables that are signed and validated:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001

    But even those secure settings will not prevent some UAC bypasses, like the one from our Example.
    Those bypasses can be blocked by using some other methods like Software Restriction Policies, whitelisting, or blocking some system executables (see the Excubits Bouncer blacklist). For example, blocking 'reg.exe' will stop the bypass from our Example.

    Let's come back to the medieval ages.
    Why is SUA (with UAC as an integral security component) a security boundary?
    1. It is recommended by Microsoft.
    2. It is a security boundary from the administrator's standpoint (the user does not know the administrator password).
    3. It is a security boundary when preventing malware infections. Over 80% of 0-day malware samples (including exploits) fail on SUA.

    Can you make SUA even more secure? Yes.
    You can use the same hardening settings as on AA, or disable elevation of privilege as a standard user with the registry tweak:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorUser"=dword:00000001

    See also the excellent articles about user accounts & UAC:
    Tyranid's Lair: Reading Your Way Around UAC (Part 1)
    Tyranid's Lair: Reading Your Way Around UAC (Part 2)
    Tyranid's Lair: Reading Your Way Around UAC (Part 3)
     
    roger_m, shmu26, LanDude and 6 others like this.
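    As an added defender-side check (example code written for this thread, not from the original post or from Microsoft), the PowerShell script below reads the UAC policy values discussed above, reports whether the current account is AA or SUA, and flags a 'windir' value in HKCU\Environment, which the Example plants and which no ordinary account sets. It assumes Windows 10 with PowerShell 5.1 or later (for Get-LocalGroupMember).

```powershell
# Added UAC audit example (not code from the original post).
# Assumes Windows 10 with PowerShell 5.1+, where Get-LocalGroupMember exists.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value meanings as documented in the "User Account Control" Group Policy settings.
$adminBehavior = @{ 0 = 'Elevate without prompting'; 1 = 'Credentials on secure desktop'
    2 = 'Consent on secure desktop (Always notify)'; 3 = 'Prompt for credentials'
    4 = 'Prompt for consent'; 5 = 'Consent for non-Windows binaries (default)' }
$userBehavior  = @{ 0 = 'Automatically deny'; 1 = 'Credentials on secure desktop'
    3 = 'Prompt for credentials (default)' }

function Get-UacAudit {
    $p  = Get-ItemProperty -Path $policyKey
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    # A filtered (non-elevated) admin token does not report the Administrator role,
    # so decide AA vs. SUA by membership of the local Administrators group instead.
    $inAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $id.User.Value }
    # The thread's Example writes a "windir" value here; normal accounts have none.
    $envWindir = Get-ItemProperty -Path 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue

    $findings = @()
    if ($p.EnableLUA -ne 1) { $findings += 'UAC is disabled (EnableLUA != 1)' }
    if ($inAdmins) {
        $findings += 'Account is in Administrators (AA): UAC is not a security boundary here'
        if ($p.ConsentPromptBehaviorAdmin -ne 2 -or $p.PromptOnSecureDesktop -ne 1) {
            $findings += 'UAC is not set to Always notify (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1)'
        }
        if ($p.ValidateAdminCodeSignatures -ne 1) {
            $findings += 'Unsigned executables can be elevated (ValidateAdminCodeSignatures != 1)'
        }
    }
    if ($envWindir) { $findings += "HKCU\Environment\windir is set to '$($envWindir.windir)': investigate" }

    [pscustomobject]@{
        User                        = $id.Name
        AccountType                 = if ($inAdmins) { 'Administrator (AA)' } else { 'Standard user (SUA)' }
        EnableLUA                   = $p.EnableLUA
        ConsentPromptBehaviorAdmin  = "$($p.ConsentPromptBehaviorAdmin) = $($adminBehavior[[int]$p.ConsentPromptBehaviorAdmin])"
        ConsentPromptBehaviorUser   = "$($p.ConsentPromptBehaviorUser) = $($userBehavior[[int]$p.ConsentPromptBehaviorUser])"
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures
        Findings                    = $findings
    }
}

Get-UacAudit | Format-List
```

    Run it from the account you want to assess; an empty Findings list on an SUA with EnableLUA=1 is the state the post describes as a security boundary.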
  2. Andy Ful

    Andy Ful Level 11

    #2 Andy Ful, Jul 17, 2017 at 6:24 AM
    Last edited: Jul 17, 2017 at 6:40 AM
    Something is wrong with my thread. I cannot post the full text because of an error. Please do not reply, because 75% of the text still has to be added! The original text has some examples of commands, and this is probably the issue.

    Edit
    It is OK now. I had to add and then edit the commands in parts.
     
    shmu26 likes this.
  3. Daniel Keller

    Daniel Keller Level 2

    Dec 28, 2016
    60
    176
    Male
    Germany
    Thank you very much for this post. It is very educating, as usual! :)
     
    shmu26 and Andy Ful like this.
  4. Andy Ful

    Andy Ful Level 11

    Thanks for reading it, and for the kind comment. :)
    This thread may be controversial for some forum members.
     
    shmu26 likes this.
  5. Windows_Security

    Mar 13, 2016
    312
    1,394
    Male
    Holland
    Windows 7
  6. Andy Ful

    Andy Ful Level 11

    Yes, I know it, too. ;)
     