Implementing User Account Control (UAC) Best Practices… | BeyondTrust

What is User Account Control (UAC)?

User Account Control (UAC) is a security feature in the Windows Operating System designed to mitigate the impact of malware. All users have triggered a UAC prompt at some point. Tasks that may trigger a UAC prompt include trying to install an application or change a setting that requires administrator privileges. A UAC prompt is the pop up that appears and requests the user to confirm they indeed want the install or other change to happen.

Windows Vista introduced the UAC prompt to improve on the security challenges experienced in Windows XP. The UAC prompt has not significantly changed since then, except for some visual improvements in Windows 10.

Why the Need for UAC?

When an application launches in Windows, it is assigned an access token. This token defines the privileges and access for the application. The principle behind Windows UAC is to give local administrators two tokens, one standard token and one admin token.

Initially, only a standard token is issued. However, when an application specifically requests an admin token, by default, it triggers a UAC prompt message to appear. If the user clicks “yes” on the UAC prompt to proceed with execution of their request, then an admin token is issued. The admin token then enables the application to run with a high level of privilege.

An admin token is like an ‘access all areas’ pass that allows the application to do almost anything on the system. So, when an application with an admin token is compromised, an attacker can inflict considerable damage.

Insertion of the UAC step helps minimize the number of applications running with admin tokens that an attacker can exploit. In addition, user account control reduces the risk of an attacker acquiring an admin token without triggering a message to the user for approval.

Since the majority of applications don’t need an admin token to function, users aren’t bombarded with pop ups. Thus, we seem to have an effective security feature in place. But wait, this isn’t the end of the story.

UAC Problem #1 – The user is still a local admin

Before you scroll to the top of the article to check if I am contradicting myself, I said earlier that Windows User Account Control is a security feature not a boundary. In fact, Microsoft describes UAC as “a fundamental component of Microsoft’s overall security vision”. While many folks continue to portray UAC as a security boundary, technically, it isn’t.

Over the years, numerous security researchers and threat actors have successfully explored ways to run their tools without triggering UAC. When these tactics have been reported to Microsoft’s bug bounty program, the Microsoft response has been “UAC is not a security boundary”.

Microsoft doesn’t want their own applications triggering lots of pop-up UAC prompts. Thus, Microsoft created a mechanism so that applications they trust will avoid triggering the UAC prompt. The security downside to this is that trusted applications can then be exploited, or piggy-backed off, to bypass UAC.

Because UAC isn’t considered a security boundary, these bypasses are not viewed as bugs and are not patched. At the time of writing this blog, the UACME project (https://github.com/hfiref0x/UACME – note, some network filters will block this page) lists 76 different UAC bypass techniques. Many of these bypass techniques are actively used in malware to silently elevate privilege on a Windows endpoint. Far more bypasses exist in the wild—those 76 just represent the most popular ones.

UAC Problem #2 – User Account Control is not actually a security boundary

Before you scroll to the top of the article to check if I am contradicting myself, I said earlier that UAC is a security feature not a boundary. In fact, Microsoft describes UAC as “a fundamental component of Microsoft’s overall security vision”. While many folks continue to portray UAC as a security boundary, technically, it isn’t.

Over the years, numerous security researchers and threat actors have successfully explored ways to run their tools without triggering UAC. When these tactics have been reported to Microsoft’s bug bounty program, the Microsoft response has been “UAC is not a security boundary”.

Microsoft doesn’t want their own applications triggering lots of pop-up UAC prompts. Thus, Microsoft created a mechanism so that applications they trust will avoid triggering the UAC prompt. The security downside to this is that trusted applications can then be exploited, or piggy-backed off, to bypass UAC.

Because UAC isn’t considered a security boundary, these bypasses are not viewed as bugs and are not patched. At the time of writing this blog, the UACME project (https://github.com/hfiref0x/UACME – note, some network filters will block this page) lists 76 different UAC bypass techniques. Many of these bypass techniques are actively used in malware to silently elevate privilege on a Windows endpoint. Far more bypasses exist in the wild—those 76 just represent the most popular ones.

Solving UAC challenges with Endpoint Privilege Management

UAC problems 1 and 2 above seem to create a terrible situation, as end users need admin tokens to perform common activities, like install software, install printers, and change settings. If you remove local admin privileges, the end users are secure, albeit less productive. Moreover, users might spend all day raising help desk tickets. Alternatively, if you provision local admin privileges to them, then a threat actor may bypass the operating system’s UAC security mechanism and wield the admin privileges against you.

Fortunately, modern Endpoint Privilege Management tools like BeyondTrust’s Privilege Management for Windows effectively address this challenge, and more. The BeyondTrust solution allows you to immediately remove local admin privileges from all users, which substantially reduces your attack surface. Privilege Management for Windows intercepts UAC and elevation requests and seamlessly elevates just the applications your users need for their role, based on policy.

For known and trusted applications, you can use simple policy rules or out-of-the-box policy templates to seamlessly launch these applications without having to prompt the user. Then, for unknown applications or tasks, you can ask the user to justify why they need a specific application, perform reputational checks, verify the application publisher, or trigger step-up authentication via MFA to ensure both the application and user are who they say they are.

Privilege Management for Windows provides Quick Start templates that make it practical for organizations to tackle common least privilege policy use cases from Day 1, enabling rapid leaps in risk reduction. In addition, custom access tokens allow you to assign privileges at a granular level to ensure no user or application is over-privileged

Don’t fall into the pitfalls of either exposing your organization to the risk of over-privileged local admin users or hampering productivity by under-privileging users. Find the balance between security and productivity, follow security best practices, and, most importantly, build a secure foundation that prevents attackers from gaining privileged access to systems.

“BeyondTrust continues to provide the best solution for enabling that fine balance between security and usability in Windows”

Russell Smith, Editorial Director, Petri IT Knowledgebase, Microsoft Vulnerabilities Report 2022

Learn more about BeyondTrust Endpoint Privilege Management, or contact us today.

This post was first first published on BeyondTrust (en) website by . You can view it by clicking here