Thread: Security Benefit of Standard User Account with UAC

  1. #1
    jim

    Security Benefit of Standard User Account with UAC

    When I got my Windows 7 machine, first thing I did was stick an Admin account on there with a long password, and gave myself a standard user account with a slightly simpler password.

    So whenever I want to do something that requires UAC elevation, like clicking the start button or making some toast, I have to type my Admin password into the UAC prompt. Which is a bit of a pain in the arse.

    A couple of days back, I had some buggy software that needed Admin rights, but if I ran it as an Admin it defaulted to the Admin user share and therefore wouldn't patch my specific database, so I put myself as an Admin temporarily. Forgetting to put it back, I've only just realised how much more seamless everything is. Instead of stopping every 10 minutes to type in the password, I just click continue. The prompts still appear, they just don't require the password.

    So what security benefit does the standard/admin mix setup actually provide?

  2. #2
    Splash
    Guest

    Re: Security Benefit of Standard User Account with UAC

    Would you want your standard users to be able to just click continue?

  3. #3
    jim

    Re: Security Benefit of Standard User Account with UAC

    It's only me and my girlfriend, so that's not a big deal.

    If I had a kid, or let my mum onto my network, then I'd be right along with you but nobody else ever touches these machines. And they couldn't login anyway, guest account is disabled and everything is passworded.

    I just started thinking earlier on that I'm not sure what benefit it actually provides - just have this ingrained idea that it's how you're "meant" to do things. The only thing I thought of was VNC-style remote desktop hacks - presumably a passworded UAC would provide a bit more of a restriction to activities of that ilk?

  4. #4
    Splash
    Guest

    Re: Security Benefit of Standard User Account with UAC

    I guess it depends on how often you're seeing the UAC prompts. If it's so often that it's an actual nuisance I'd be tempted to question why you're seeing the prompts...

    If I'm running software that's so badly written that it requires local admin rights (and believe me, I've seen my share!) then I'd be seriously questioning how vital that software was. I can honestly say that beyond setting up and installing new stuff (which I would expect to see a UAC prompt for) I very rarely see any popups. And I'm a tinkerer, so I'd expect that I'm seeing more than Joe Public.


    EDIT: The danger with UAC, as with anything else that pops up asking for confirmation before implementing an action is that people get blasé about it. A company that I used to work with had a desktop tech who selected an OU in AD rather than a user account and pressed "delete". As soon as he saw the "are you sure" prompt he immediately clicked yes. You don't want to be that guy.

  5. #5
    scaryjim

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by snootyjim
        ... just have this ingrained idea that it's how you're "meant" to do things. ...

    In the bad old days, when either you were an admin and so were all your programs, or you weren't, that was the way to do things, as it prevented malicious attackers gaining admin-level privs to your system. As I understand UAC, the whole point is that even admin-level accounts run in a reduced privs mode until they need admin privs to do something, mitigating some of the dangers from malicious software.

    One option, since you're on Windows 7, is to turn the UAC prompting down a little. Vista only gave you "on" or "off" options, while 7 gives you several levels to choose from: perhaps you just have a particularly high level set?

    That said, my kids have a standard account on our HTPC, and the only time they ever come and get me to type in an admin password is when they download a new game from BigFish. And I run Server 2k8 at work and only ever see UAC prompts when I'm deliberately performing administrative tasks. So I'd echo Splash in questioning why you're seeing so many UAC prompts...

  6. #6
    jim

    Re: Security Benefit of Standard User Account with UAC

    I would say that 90% of the prompts come from writing to the C:\ directory, which I seem to do fairly regularly. Usually it's for installing game mods, fan-made patches, or editing files directly within the file structure to either change graphical settings or alter the way the game works.

    And then certain programs, like I just installed MediaMonkey recently, which requires it to be started in administrator mode in order to install add-ons. I presume that's a case of C:\ access again.

    Maybe I'm overblowing a bit, but it feels like I have to do it fairly regularly.

  7. #7
    dangel

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by snootyjim
        I just started thinking earlier on that I'm not sure what benefit it actually provides - just have this ingrained idea that it's how you're "meant" to do things. The only thing I thought of was VNC-style remote desktop hacks - presumably a passworded UAC would provide a bit more of a restriction to activities of that ilk?

    Nope, most remote solutions allow you to configure them so you can remotely press the UAC dialogs just like any other


  8. #8
    peterb

    Re: Security Benefit of Standard User Account with UAC

    It is good practice to only use admin privileges when necessary. If you download malicious software as an admin, that software potentially executes with admin privileges - with all that that implies. But the advice given by other posters (who have more Win7 experience than I do) is good and worth looking at.

    If there are only two of you using the machine and you are prepared to accept the risks involved, then running as admin all the time is fine - but not something I would do.

    (What would be useful would be to escalate privileges for a pre-set period of time - ideally user configurable - so you enter the password once and then don't need to for, say, 15 minutes while you do admin type tasks.)
    Last edited by peterb; 20-04-2010 at 09:51 AM.

  9. #9
    jim

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by dangel
        Nope, most remote solutions allow you to configure them so you can remotely press the UAC dialogs just like any other

    Sorry, you've lost me a bit there? What I was saying is that presumably if somebody hacks into your PC and gains remote access, if they don't know the admin password they won't be able to run activities that require UAC elevation?

    Judging by what you've said, that's roughly right then - if you're logged in as an admin, somebody who's hacked in and has remote access can just click the continue button? I had in my head that UAC wasn't meant to appear remotely, but having said that, Alt-Ctrl-Del was meant to prove you were at your workstation...

    Quote: Originally Posted by peterb
        It is good practice to only use admin privileges when necessary. If you download malicious software as an admin, that software potentially executes with admin privileges - with all that that implies. But the advice given by other posters (who have more Win7 experience than I do) is good and worth looking at.

    See as far as I can gather, if an application requires admin privileges, it will ask you for those rights via UAC whether you're logged in as an admin or not. The only difference is that one requires a password, the other requires you to click continue. I might be wrong, but if that's right then it doesn't seem a particularly big difference - the remote access scenario is the only one I can think of where it makes a difference at the moment.

  10. #10
    dangel

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by snootyjim
        Sorry, you've lost me a bit there? What I was saying is that presumably if somebody hacks into your PC and gains remote access, if they don't know the admin password they won't be able to run activities that require UAC elevation?

    Correct, but that's assuming the physical access wouldn't allow them to deduce that anyway - better to assume your highly secure remote control solution would keep them at bay in the first place. NT passwords can be hacked - I do it all the time for people who forget them.

    Quote: Originally Posted by snootyjim
        Judging by what you've said, that's roughly right then - if you're logged in as an admin, somebody who's hacked in and has remote access can just click the continue button? I had in my head that UAC wasn't meant to appear remotely, but having said that, Alt-Ctrl-Del was meant to prove you were at your workstation...

    If you've configured your remote control solution to allow access to the secure desktop then yes that'd be true. I have a build machine here that I do that with but it's on a ring-fenced network and set up only to allow local-based connections. Nothing's 100% n'all that but reasonable precautions etc. E.g. by default my build machine running UltraVNC wouldn't let me see the Windows Logon screen - this had to be manually configured to allow it. Of course that still means a remote login has to have a domain account/pw to login/unlock the PC.


  11. #11
    CrazyMonkey

    Re: Security Benefit of Standard User Account with UAC

    I immediately disable UAC, I find it more a nuisance than anything worthwhile.

    Seeing as UAC can be bypassed I believe that largely negates its use. Most public crypters now circumvent UAC so now even old malware can not only be masked from detection but also bypass UAC.

    I believe it has its uses for kids and the like but when you are very tech savvy I don't think there is any point, at least in my mind.

  12. #12
    dangel

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by CrazyMonkey
        I immediately disable UAC, I find it more a nuisance than anything worthwhile.

        Seeing as UAC can be bypassed I believe that largely negates its use. Most public crypters now circumvent UAC so now even old malware can not only be masked from detection but also bypass UAC.

        I believe it has its uses for kids and the like but when you are very tech savvy I don't think there is any point, at least in my mind.

    Oh, where to begin?

    Ok, first off - please fill me in on how a 'public crypter' circumvents UAC? How is this 'masking' done? How does it 'bypass' it? Really - I'm interested, and don't hold back, I'm tech savvy too. We'll set the bar as a non-admin account running with UAC at default level in W7, all admin accounts are passworded.

    Disabling it arbitrarily on the basis it 'might' be circumvented smacks of the kind of thinking we get from those who think virus checkers are also a bad idea (and why not, because they 'can' be circumvented, and they 'might' not work), or worse by those who don't really understand how something works and yet disable it.
    Last edited by dangel; 20-04-2010 at 04:03 PM.


  13. #13
    Paul Adams

    Re: Security Benefit of Standard User Account with UAC

    UAC is a "user awareness" feature rather than a security feature - to make you aware that a process is trying to initiate an action considered "administrative".

    Without UAC, a standard user gets access denied and an administrator gets no warning or error - so it can be argued that UAC has most benefit for admins more than standard users.

    UAC uses split tokens to allow administrators to use their standard token for normal program use, but they can launch a process elevated with one OK press to use their admin token in the same session.

    However, if UAC were to be disabled/bypassed by something then the real security is provided by not being an administrator running that "something".


    I run as a standard user with UAC left at its default level - the most frequent "unexpected" UAC prompts I get are from Steam games running for the first time that fire off DirectX installations.

    Other prompts I get tend to be predictable - installing software, changing items in the Public user profile, clicking a Control Panel icon with the yellow & blue shield, launching FRAPS or Asus notification area tools, etc.


    The only environments I tend to disable UAC and be logged in as an admin are isolated virtual machine environments I set up for testing, setting up repros & debugging - I would never recommend this for personal or regular use in a corporate environment.
    Last edited by Paul Adams; 21-04-2010 at 06:09 AM.
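
The settings argued over in the posts above (password versus "continue", the secure desktop, split tokens) can be read back from a machine. The following read-only PowerShell report is an added example, not part of any post in this thread; the function names `Get-UacPosture` and `Get-Label` are hypothetical, and it assumes Windows PowerShell 3.0 or later with the standard UAC policy values under `HKLM`.

```powershell
# Added example (read-only): report the UAC settings and token state
# that the posts above discuss. Function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin: what an administrator sees on elevation
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# ConsentPromptBehaviorUser: what a standard user sees on elevation
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-Label($Map, $Value) {
    if ($null -eq $Value) { return 'Not set (Windows default applies)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unrecognised value $Value"
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $PolicyKey

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # True only when the Administrators group is enabled in this token
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # A non-elevated admin still carries the Administrators SID
    # (S-1-5-32-544), flagged deny-only; a standard user does not carry it.
    $hasAdminSid = [bool](whoami /groups /fo csv /nh |
        Where-Object { $_ -match '"S-1-5-32-544"' })

    if ($elevated)        { $token = 'Administrator, elevated (full token)' }
    elseif ($hasAdminSid) { $token = 'Administrator, filtered (split) token' }
    else                  { $token = 'Standard user' }

    $notes = @()
    if ($p.EnableLUA -eq 0) {
        $notes += 'UAC is off: administrators always run with the full token.'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $notes += 'Administrators elevate silently, with no prompt to notice.'
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $notes += 'Prompts appear on the normal desktop, not the secure desktop.'
    }
    $consentOnly = @(2, 4, 5) -contains $p.ConsentPromptBehaviorAdmin
    if ($hasAdminSid -and $consentOnly) {
        $notes += 'This account elevates by clicking consent; no password is asked for.'
    }

    [pscustomobject]@{
        User           = $identity.Name
        Token          = $token
        UacEnabled     = ($p.EnableLUA -ne 0)
        AdminPrompt    = Get-Label $AdminPrompt $p.ConsentPromptBehaviorAdmin
        StandardPrompt = Get-Label $UserPrompt  $p.ConsentPromptBehaviorUser
        SecureDesktop  = ($p.PromptOnSecureDesktop -ne 0)
        Notes          = $notes
    }
}

Get-UacPosture | Format-List
```

Run from a normal (non-elevated) prompt, the `Token` field shows which of the three cases discussed in the thread applies to the logged-on account.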

  14. #14
    badass

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by dangel
        passwords can be hacked - I do it all the time for people who forget them.

    If the NTLM hashes are created, you can rip through the passwords at a pretty high rate due to the way the hashes are created. Have you tried password cracking with the NTLM hashes disabled?
    Just curious as I'd imagine it's still pretty quick for simple passwords.

  15. #15
    CrazyMonkey

    Re: Security Benefit of Standard User Account with UAC

    Quote: Originally Posted by dangel
        Oh, where to begin?

        Ok, first off - please fill me in on how a 'public crypter' circumvents UAC? How is this 'masking' done? How does it 'bypass' it? Really - I'm interested, and don't hold back, I'm tech savvy too. We'll set the bar as a non-admin account running with UAC at default level in W7, all admin accounts are passworded.

    Perhaps you forget that nothing is secure, nothing foolproof - UAC & DEP obey these rules.

    First off, do you know what I mean by a crypter? If you did you should know what I mean by masking against detection, essentially I just mean bypassing detection, becoming undetected as ultimately the malware underneath is the same in the operation it carries out (obfuscating the original program by means of encryption, entry point alteration, changing signature detected bytes are a few examples of avoiding detection). However this is a different discussion to the topic at hand.

    Check the forum in my sig (registration may have gone private), some public crypters there offer UAC circumvention and most if not all private ones have it as standard.

    For instance on a 32-bit system you could use a RunPE (like t0fx's on the forum) and inject your file into a system process like "svchost.exe", however these RunPEs do not work on 64-bit.

    I know back in Vista you could drop your file to user/temp, write that to HKCU startup (Software\Microsoft\Windows\CurrentVersion\Run\) and then create/call the key via RegWrite.

    The easiest way would be to use something that already has the highest level of execution privileges (svchost) for example.

    Bypassing is a bit of a loose term here, more like dodging it but still.

    I found a VB6 routine that successfully bypasses it, it's by "smokin" created recently if you wish to compile and test it yourself. I'm not sure exactly how it does it as there are too many encryption routines in it. I won't post the source directly here, but if you wish to have it I can PM you it. Posting malware is surely prohibited.

    So before you insinuate that I 'don't really understand', simply googling reveals discussions on various techniques.

    A quick google links to results of a 10 sample malware test (primarily against the ability to run under Windows 7), have a read if you like. http://blogs.zdnet.com/security/?p=4...=trunk;content

    Oh and I don't believe virus scanners are a bad idea (hell, I'm hoping to work for an anti-virus company in the near future) but I do believe they should not by any means whatsoever be relied upon.

    I have more information on the subject and malware in general, feel free to PM.
    Last edited by CrazyMonkey; 21-04-2010 at 01:13 AM.

  16. #16
    Splash
    Guest

    Re: Security Benefit of Standard User Account with UAC

    I hate to use analogies, but this calls for one I'm afraid.

    So - Fort Knox is pretty secure, right? In that case it's probably not worth them employing a guy at the gates to check ID as people come and go, as it's simply more hassle for the genuine visitors and he could probably be bought by a criminal with the right connections.

    UAC is a small part of a layered security model - each layer no matter how thin makes it more difficult for the system in question to be compromised. Given how rarely UAC fires when people are following guidelines (not writing to system directories, not running software that requires admin privileges etc) I think it's well worth having turned on and anyone on respected technical forums such as these where Joe Public often looks for advice who is advocating removing a layer needs to seriously think about their audience.

    For sure, debate its merits but a blanket "just switch it off, it's rubbish" is dangerous in my opinion.
