The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Uac

    Discussion in 'Security and Anti-Virus Software' started by zakazak, Mar 29, 2011.

  1. zakazak

    zakazak www.whymacsucks.com

    So after that discussion about UAC in the other thread I now used it for some days too and for me it kinda feels "annoying". Some people said that UAC, when being at maximum protection, can't be disabled/bypassed by any malware/trojan/... is it true? I know that it is possible to bypass/disable UAC at the default protection.. but never tried it on the maximum protection. Also it looks more annoying than useful/secure since it's just a simple "yes" popup and not something like root pw on linux.

    Anyway I used it for 1-2 days and found a lot of programs asking for UAC access:
    Teamviewer
    Secunia PSI
    Filezilla setup
    AutoIt setup

    When UAC is alerting, it doesn't really give any info about what is going on? It just said that this file wants to make changes / needs admin access. But there is no information of what this program actually wants to do. So how do you know if you should allow a file/setup or not (besides trustworthy stuff, which still could be bound with malware when someone found an exploit on the site and modified the download file.. but ye.. nvm that :D)


    thx
     
  2. Hungry Man

    Hungry Man Notebook Virtuoso

    UAC at the default Windows 7 can be disabled by malware. At max settings it can not be.

    UAC is very helpful for preventing against malware because it essentially doesn't allow the malware to elevate to administrative level and therefore it doesn't allow it to mess with system files.

    I found the linux popup more annoying because I couldn't hit "yes." lol I know I'll get for that.

    Basically, UAC is asking "Is this program supposed to be running as admin?" and you look at the program and if you don't recognize it you can go ahead and say "No." Otherwise just let it run as admin. More and more programs are being coded to install to areas that don't require admin access because it's a security issue.

    How are you supposed to know? Well as I said, if something is trying to get admin access randomly you probably don't want it to. If something is asking for UAC after you opened up a program it's probably that program but always check. When in doubt, google.
     
  3. Christoph.krn

    Christoph.krn Notebook Evangelist

    It can be bypassed. Have a look at [1], which has /some/ links to further information about this. Also, have a look at http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx#id0560012.

    Take out the password prompt, put in a graphical consent prompt on a separate, secure desktop - that's basically UAC (be aware that for various reasons this description is simplified, wrong, and does not correctly reflect what kind of security improvement you can get by using UAC [1]).

    It can't tell you what to do at all.

    However, UAC dialogs will show you the "Verified publisher" of a file. This information is verified by looking at the digital signature of the file. So if the file gets modified, the UAC dialog normally doesn't show that original publisher anymore, but instead says that the publisher is "Unknown". Be aware that this technique is not foolproof either. For instance, there are various problems with it that are inherent to the design of a PKI (Public Key Infrastructure), which is being used to verify the signature of a file. For instance, if you (or a malicious software) succeed(s) to install a malicious root certificate on your system, the "Verified publisher" of any file on your system can be faked. Furthermore, another big PKI problem is that the certificates which are already installed on your system must not necessarily have certificate chains following them that are absolutely trustworthy. The good news is that this is rather irrelevant given the fact that for various reasons, UAC is not really secure in the first place...


    ------

    Yeah, that's indeed a reproduction standard.

    On an unrelated side note, why not give using proper English a try? ;)


    ------
    [1] Security is not a solution, it's a concept
     
  4. Pirx

    Pirx Notebook Virtuoso

    Excellent source. If you look at the details, you'll see that the examples are not really ones of malware bypassing UAC in the strict sense of the word, but rather tricking the user into giving permission to execute stuff that should not be executed. Ultimately there is no protection against this kind of thing, independently of what technology you use.

    That is really because you don't understand what it is you are doing.

    Essentially yes, with some caveats as pointed out above. There is no such thing as absolute security.

    That's because you did not configure your user correctly: You are supposed to run your day-to-day work as a standard user, not as an admin. If you do that, you'll have to provide a password, just as in Linux, or Unix, etc.

    Obviously, all setup programs require admin privileges. On the other hand, no standard user-mode application should require it, unless it was coded by incompetents. Or is really not what it pretends to be... TeamViewer is a cr@ppy program. It should not require admin access for its functionality.

    That would be asking a bit much. It's an operating system, not a mind reader. There is no realistic way the OS could tell you what some random executable will be about to do, not without completely sacrificing performance, and even then there's limits.

    Bottom line: It is your responsibility to make sure the code you are about to give full access to your computer is trustworthy. There is no system in the world that could relieve you of that burden. Well, unless you want to consider whitelisting approaches, which are really not practical for an OS for the general public. This has been considered, but was dropped, for a whole host of reasons.
     
  5. zakazak

    zakazak www.whymacsucks.com

    .. true that :p in the end I guess it would be more disturbing when having to enter a pw all the time :S

    Couldn't read that article yet (just woke up, had an espresso and now got to go :S) but if malware could disable/bypass UAC (without the user clicking on yes) or fake the publisher (is Windows looking for its digital signature on the internet or just reading the publisher from the file itself.. second could be faked so easily :S), why should I even use it? Probably some really badly written / old malware won't be able to bypass UAC but then there are still too many trojans out there which can.



    Sorry but I was writing this from my HTC Desire HD while I should have cleaned weapons at army ;D + I'm not a native american so English is just a 2nd language for me :p
     
  6. Hungry Man

    Hungry Man Notebook Virtuoso

    Generic malware doesn't have to bypass it most of the time because most people don't realize how useful UAC is lol
     
  7. Falco152

    Falco152 Notebook Demon

    Just logging in as root is pretty much the same as running as admin with no UAC.

    An admin with UAC is kind of like using a sudoer with the no-password attribute on it.


    Anyways UAC is pretty useless when most people just hit OK anyway when they have no clue what it does. Goes pretty much the same on all Linux OSes. Luckily, most Linux users are classed as technically proficient after they figure out the installation process, graphical or terminal.

    In the end, it really all comes down to whether you trust them, their code, their compiler that made their binaries ... etc etc
     
  8. Pirx

    Pirx Notebook Virtuoso

    It can't. You should have read the article... ;)
     
  9. weinter

    weinter /dev/null

    Anyway this link shows you how to enable Highest Security UAC on Windows 7 Home Editions.

    Hope it helps Home Administrators to lock down systems from pesky "download and run anything" Users. :D

    Irresponsible and silly home users NEED to have their rights taken away.

    This also helps in preventing people who "borrow" your computer with Windows 7 Home Edition from messing with it when your account is created as Administrator.
     
  10. Christoph.krn

    Christoph.krn Notebook Evangelist

    You might already know that Microsoft has two basic terms when talking about security:
    • Security feature:
      A "security feature" does enhance security but can't necessarily be relied upon. Taking W-LAN as an example, security features would be using a MAC-filter, disabling SSID broadcast ("hiding" the wireless network) or using WEP - in some way, these do enhance security, but they are easy to bypass.
    • Security boundary:
      A "security boundary" is a strict security feature with no obvious easy ways to crack it. Taking W-LAN as an example, using WPA2 encryption would be a security boundary - for now, WPA2 can be called reasonably secure.

    The default of Windows Vista as well as Windows 7 with UAC on highest setting is that your user account is an "Administrator in Admin Approval Mode" (AAM). This means that you have the rights of a standard user unless you allow some process to run with elevated privileges (through a UAC dialog), which will automatically give them administrative rights. These UAC consent prompts for AAMs are NOT a security boundary, they can "easily" be bypassed [1].


    So yes, UAC /may/ sometimes lead to higher security, but basically it's insecure because it's not meant to be relied upon. In any case, this doesn't mean that it's a good idea to disable UAC because it's not absolutely secure anyway. First of all, there is no such thing as "absolutely secure", and second, disabling security features makes you a potentially more lucrative victim (see also: " 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy").

    zakazak, to somewhat increase the security of UAC (have a look at [1] for more information about what kind of security this would give you), you can create another password-protected user with administrative rights in the control panel of your system and make your own user account a standard account. Be aware that this will also cause UAC to ask for the password of the other account instead of asking you to click yes or no, which is another convenience tradeoff. I already linked to this information at Security is not a solution, it's a concept, where you can also find quite a lot more information on how to increase the security of your system.


    ------

    Is there a need to rush?

    Not really either of both. Digital signatures can be verified using specific cryptographic algorithms. Wikipedia: Digital signature.

    This.

    Please read before asking. If you can't be bothered to look for information yourself before asking, people can't be bothered to answer you. (No offense intended, I'm not trying to imply that you don't care.)


    ------
    [1] UAC: Desert Topping, or Floor Wax?
     
  11. zakazak

    zakazak www.whymacsucks.com

    hmm I read it yesterday and if I got it right, one article describes that UAC is only 100% secure (can't be disabled/bypassed by malware without the user clicking yes) when using it with a normal account where you have to enter a password.

    So for me, an admin account user, it isn't that secure?

    All in all UAC gives a little more security.. I'm not sure if it is useful with Comodo. I get asked by Comodo about every software which has a digital signature that isn't known (sandbox it? block it? send it to Comodo? no internet access for that file?).

    Thanks
     
  12. davepermen

    davepermen Notebook Nobel Laureate

    setups needing admin access? who'd have thought THAT??
    other than that, teamviewer, if installed fully, never needs uac anymore except at installation time. quicksupport needs it at start time, of course (else, you can not install/uninstall anything on that client, as you would not be able to get admin rights)
    secunia i don't know, nor would i ever use it.

    after installing a pc, i see uac maybe once, twice a month. very, very very annoying indeed /sarcasmtag-all-the-way

    guess what, that's the reason uac exists in the first place: because no one knows what a file does when it wants to access your system and needs admin for it. not windows, not the user, sometimes not even the app itself. so it can't inform you. it can just say "something's wanna mess with your system, wanna allow it?".


     
  13. zakazak

    zakazak www.whymacsucks.com

    teamviewer asks me every time I run it for admin access.
     
  14. weinter

    weinter /dev/null

    Only 2 types of Applications require Admin Permission.
    1)Setup Installers
    2)Hardware diagnostics

    Setup Installers need Admin Permissions to install into Protected Folders

    Hardware diagnostics need Low Level System Calls to Access their own Hardware directly (Since there is no universal API standard for hardware design).

    All other Applications should use proper Operating Systems API to perform their corresponding functions.
    Any Application NOT doing that is a poorly coded application.
     
  15. zakazak

    zakazak www.whymacsucks.com

    okay so all in all I only have to worry about setup files being modified (bound with malware) and make sure those setup files are from a trustworthy source. Most other programs shouldn't need admin access (except poorly coded stuff.. although it's hard for me to believe that teamviewer is so bad :S).

    Now how to be 100% sure that malware can't bypass UAC? Admin account with UAC at maximum level (win7) could still get disabled / bypassed by malware without having the user click "yes" in the uac prompt? So I would have to create a second user (non admin) and work with that all the time and when uac asks me for permission, I would have to enter the admin pw?

    thanks
     
  16. weinter

    weinter /dev/null

    No need to create extra users.
    I posted this link on how to activate Secure Desktop Admin Mode on Windows 7 Home Edition(It is the same backend registry key for all Windows 7 Editions).

    This will force credential requirements on all admin accounts with Secure Desktop Mode (unless there is a vulnerability hole in the OS).
    It is very useful when you lend your computers to others for a while and they will not be able to mess with your system even in your Admin Account or install rubbish on it.
     
  17. davepermen

    davepermen Notebook Nobel Laureate

    as said, if you have it installed, it doesn't. doesn't here at least. of course, the quicksupport.exe you have on clients is never installed, so has to re-elevate each time.


    about the security: don't browse on non-legit pages and you'll be fine. uac + mse + notbrowsingforcracksandpr0n == good enough security to not have to bother.
     
  18. zakazak

    zakazak www.whymacsucks.com

    I have teamviewer installed.. still it asks every time I run it.

    thanks weinter, I did this. Hopefully no malware can disable/bypass UAC anymore now (without me clicking "yes").
     
  19. weinter

    weinter /dev/null

    If you elevate the mode set to 1, it will not only need a "yes", it will ask for the admin password in secure desktop mode which is the highest security level. :)
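
    Added example, not part of the posts above and not from the linked guide: a read-only PowerShell report on the UAC prompt settings discussed in this thread (consent prompt vs. credential prompt, secure desktop). The registry path and value names are the standard Windows ones, which the thread never spells out; the sample hashtable is constructed, and the function names are hypothetical.

```powershell
# Read-only audit of the UAC prompt policy; it changes nothing on the system.
# Assumption: these are the standard UAC policy values under this key.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin.
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Read-UacPolicy {
    # Collect only the values that are actually present in the registry.
    $props  = Get-ItemProperty -Path $UacKey
    $policy = @{}
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        if ($null -ne $props.$name) { $policy[$name] = [int]$props.$name }
    }
    $policy
}

function Get-UacFinding {
    param([hashtable]$Policy)

    # Absent values fall back to the Windows defaults.
    $lua    = if ($Policy.ContainsKey('EnableLUA')) { $Policy['EnableLUA'] } else { 1 }
    $admin  = if ($Policy.ContainsKey('ConsentPromptBehaviorAdmin')) { $Policy['ConsentPromptBehaviorAdmin'] } else { 5 }
    $secure = if ($Policy.ContainsKey('PromptOnSecureDesktop')) { $Policy['PromptOnSecureDesktop'] } else { 1 }

    $notes = @()
    if ($lua -eq 0) {
        $notes += 'UAC is off: administrators always run with the full token.'
    }
    switch ($admin) {
        0 { $notes += 'Administrators elevate silently; no prompt is shown.' }
        { (1, 3) -contains $_ } {
            $notes += 'Administrators must type a password to elevate (credential prompt).'
        }
        { (2, 4, 5) -contains $_ } {
            $notes += 'Administrators elevate with a Yes/No click (consent prompt).'
        }
    }

    # Behaviours 1 and 2 name the secure desktop themselves; otherwise the
    # PromptOnSecureDesktop value decides where the dialog is shown.
    $onSecure = ($secure -eq 1) -or ((1, 2) -contains $admin)
    if (-not $onSecure) {
        $notes += 'Prompts appear on the normal desktop, next to other running programs.'
    }
    # The point made in the thread holds for every prompt setting.
    $notes += 'An Admin Approval Mode prompt is not a security boundary; a separate standard account is.'

    $meaning = $AdminPrompt[[int]$admin]
    if (-not $meaning) { $meaning = 'Unknown value' }

    New-Object PSObject -Property @{
        UacEnabled    = ($lua -ne 0)
        AdminPrompt   = "$admin ($meaning)"
        SecureDesktop = $onSecure
        Notes         = $notes
    }
}

# Constructed sample: the "mode set to 1" configuration described above.
$sample = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; PromptOnSecureDesktop = 1 }

# On Windows, report the live settings; elsewhere, fall back to the sample.
$policy = if ($env:OS -eq 'Windows_NT') { Read-UacPolicy } else { $sample }
Get-UacFinding -Policy $policy | Format-List
```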
     
  20. zakazak

    zakazak www.whymacsucks.com

    also windows live messenger 2009 (with messenger plus installed) needs admin rights when starting it.
     
  21. Pirx

    Pirx Notebook Virtuoso

    No, it doesn't, on a healthy system. If yours does, then something is fishy here. Are you sure that what you are starting really is what you think it is?

    Other than that, the rule since time untold is to use a standard user account, not an administrative account, for your day-to-day work. This was true back in the good old Unix days, and it's just as true today, on any serious OS (Windows' new least-privileged philosophy notwithstanding).
     
  22. zakazak

    zakazak www.whymacsucks.com

    yes, it does.

    yes, it is Windows Live Messenger 2009. Otherwise Comodo Internet Security (or Kaspersky Internet Security, which I used in the past) would tell me that there is something wrong with it (e.g. checking the digital signature online)
     
  23. Pirx

    Pirx Notebook Virtuoso

    Sure, on your system. All I can say is that I have never seen it requiring administrative privileges on any system I have seen it run on. There is no reason for such an application to require administrative privileges. If it does on your computer, then something is seriously wrong with it, or with the installation of Live Messenger you have.

    Oh, and there are many ways in which starting messenger could do more than you think it does without any of those anti-virus packages noticing anything. Like I said before, the protection that anti-virus software provides is minimal.
     
  24. zakazak

    zakazak www.whymacsucks.com

    do you also have it installed with messenger plus?

    I think this is what makes it need admin privileges..

    another thing I just found out: if I right-click a program and set it to "run as administrator" I still get the pop-up every time I run it. Isn't there a way to tell a program to run as admin (and when doing so I enter the admin password) and then it gets saved and the program starts itself every time without a prompt?
     
  25. Christoph.krn

    Christoph.krn Notebook Evangelist

    The problem we are talking about here stems from using an "Administrator in Admin Approval Mode" ("AAM" Administrator) user account, not from "Yes or No" (the so-called "UAC consent prompt") vs. "Password" (the so-called "UAC credential prompt"). The access token with full admin rights lies in userspace when using an account as "Administrator in Admin Approval Mode", which by default all Administrator accounts in Windows Vista as well as Windows 7 are.


    This does increase security somewhat because attackers that have physical access to your machine won't be able to do anything that requires administrative rights by just clicking "yes". Instead, these attackers would be asked to enter the account's password.

    However, it's important to note that this does not solve the several other potentially security related problems and considerations that exist with UAC, in particular not the one that we're currently talking about here (AAM Administrators and access tokens). Furthermore, attackers with physical access to your machine most likely have a myriad of other options to break into your system, often including, but not limited to, directly accessing the boot device; manipulating the machine via Firewire, Expresscard, Cardbus, PCMCIA; or booting up from an external boot device, thereby dumping the not-yet-cleared RAM contents in order to e.g. gain full access to the machine from remote locations.


    • The most secure thing would be to create a separate "standard" user which you use for everyday tasks, and actually switch between users (like with Windows XP, except that in Windows XP this would NOT be secure), neither using a UAC consent prompt ("Yes" or "No") nor UAC credential prompt ("Enter password for user X").
    • Creating a "standard" user which you use for everyday tasks and using UAC credential prompts is a bit less secure (this is where, instead of having to switch users, a UAC dialog will ask you for the password of a /separate/ administrator account that you would have to set up first).

    Remember that there is no such thing as perfect security. YOU have to decide which of these possibilities is the one that's better suited for you. If you want "full" security, it would be best to "lock" UAC and switch between users whenever you need admin rights. Then, you could find other ways to handle programs that need administrative rights, such as using them in a virtual machine (which I also wrote about in Security is not a solution, it's a concept, but be aware that virtual machines are not armor-plated either [1]) or using alternative software that's compatible with whatever you need the software to do.

    After all, if your messenger runs with administrative rights all the time, a potential attacker exploiting that messenger would then already have full access to your machine, no matter what UAC settings. Software should not run with administrative rights for day-to-day tasks. This is especially important for software which interprets data that's not necessarily coming from a trustful source or might have been altered in transit (no matter what data that is - websites, audio files and radio streams, instant messages, Windows Homegroup related data, PDFs, downloaded slideshows, pictures, fonts - everything you can imagine). Every software that surpasses a certain level of complexity has errors in it. In most software, these kinds of errors frequently lead to various kinds of security related problems that are not yet publicly known, but which may enable attackers to execute commands on your machine by sending specially crafted data or altering legit data that the software is receiving.


    As stated above, every software that interprets data can be a potential security problem.

    If you're not sure about a file, you can also use online anti-virus scanning services such as https://www.virustotal.com/ , which will check uploaded files for known malware using several anti-virus products (they can also look up file records from their database of already analyzed files, based on a hash that you give them - see below). However, of course this can't guarantee that the file you uploaded is NOT compromised/malicious as these scanners will only find malicious code that is already publicly known or very poorly written. Be aware that there are some evil online antivirus scanners out there which you should avoid.

    You could then examine those files in a "disposable" virtual machine (but be aware that virtual machines are not armor-plated either [1]).

    Furthermore, in case a file does not have a digital signature you can use checksums (also called "hashes", they are the base for digital signatures) to verify that it hasn't been modified. Have a look at Wikipedia:File_verification#Authenticity_verification. Currently, secure hash functions that are often used for this purpose are SHA1 as well as SHA256. MD5 is also used very often, but can no longer be called secure.

    Microsoft has a command line tool available that's called "fciv" (File Checksum Integrity Verifier) which can be used to compute hashes.


    That's not possible, there is no such thing as "100% secure". Just as an example, your whole operating system might be controlled by a malicious hypervisor, which would be undetectable by any software on the operating system level or higher (the operating system itself, UAC, Antivirus etc.). One of the most popular proof-of-concepts of this is Joanna Rutkowska's Blue Pill.


    ------

    I disagree with this. While there is still truth to it, malicious activities have expanded to legit sites as well. Many cracks sites, pr0n sites and similar questionable offers are very dangerous, but legit sites should no longer be handled as being secure per se either. A recent example for this is the giant lizamoon mass injection (just in case you didn't know: do not open the text-only (i.e. non-clickable) links that are listed in that report - it's safe to open the report itself however).


    ------------------------------------------------------------------------
    [1] post7291485 and subsequent posts in "How paranoid are you about security?"
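
    Added example, not part of the post above: the two file checks discussed in this thread, the Authenticode signature behind the "Verified publisher" line and a SHA-256 comparison against a published checksum, done with PowerShell's built-in `Get-AuthenticodeSignature` and `Get-FileHash` (PowerShell 4 or later) rather than the fciv tool the post mentions. `Test-Download`, its parameter names and the sample file are assumptions made for the illustration.

```powershell
function Test-Download {
    param(
        [string]$Path,            # file to check before running it
        [string]$ExpectedSha256   # checksum published by the vendor
    )

    # SHA-256 rather than MD5, which the post notes can no longer be called secure.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = ($actual -eq $ExpectedSha256.Trim())   # -eq ignores case for strings

    # Signature state as Windows sees it; a file modified after signing no
    # longer reports 'Valid'. The cmdlet only exists on Windows.
    $status = 'NotChecked'
    $signer = $null
    if (Get-Command Get-AuthenticodeSignature -ErrorAction SilentlyContinue) {
        $sig    = Get-AuthenticodeSignature -FilePath $Path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        File            = $Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $status
        Signer          = $signer
    }
}

# Constructed sample: an unsigned dummy file and the checksum "published" for it.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'uac-thread-sample.bin'
[IO.File]::WriteAllBytes($tmp, [Text.Encoding]::ASCII.GetBytes('constructed sample installer'))
$published = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash

Test-Download -Path $tmp -ExpectedSha256 $published   # unmodified file

# Simulate a download altered after the checksum was published.
Add-Content -Path $tmp -Value 'extra bytes'
Test-Download -Path $tmp -ExpectedSha256 $published   # modified file

Remove-Item -Path $tmp
```

    A matching checksum only shows that the file equals the one the checksum was computed for, so the published value has to come from a source you trust more than the download itself.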
     
  26. zakazak

    zakazak www.whymacsucks.com

    Thanks for so much help Christoph.krn :)


    I can't really switch between users all the time. There is just too much to do for me which requires admin rights (it starts with my own work writing some programs and ends with some programs which simply need admin rights).
    I wonder if a standard user with UAC prompt is more secure than an admin account with UAC password prompt?
    Running VMware all the time in the background isn't really an option for me either.

    The only thing I'm really "scared" about is that some malware simply disables UAC. I know that this is possible but I have no idea if the maximum level of UAC in win7 and/or the password prompt and/or a standard user will prevent malware from doing so.

    I know, and I also normally check files before running them on jotti/virustotal or check their md5 hashes (although those can be manipulated too :p).

    I know that running MSN could cause a big security risk. However, I have been running my Windows without UAC for a year already. Also I believe that it only needs admin privileges because I installed it while UAC was disabled. I recently re-installed a program which always asked for admin access and now it's working fine :)

    Thanks
     
  27. Christoph.krn

    Christoph.krn Notebook Evangelist

    You're welcome.


    Yes. That's not really a "security boundary" but it's the most secure way to use UAC - the only thing that would be more secure would be to switch users (which would be a security boundary).


    Ultimately, only switching users will prevent malware from bypassing (or disabling) UAC. However, using a separate standard account / administrator account combination with UAC credential prompt that asks for the password of a separate administrator account comes pretty close, in particular since this combination is not very common (i.e. there are easier ways to attack the average user). Since you seem to be using brain 1.0, I think you should be "reasonably safe" (which is not a reason to stop being careful).


    Yes, that's possible. UAC virtualizes access to certain HDD and registry locations in order to enable some programs that would normally need administrative rights to run with limited rights. So if you installed the software while UAC was disabled, the software may have written something somewhere where administrative rights are needed, which is why you get a prompt every time you start the software if you re-enable UAC.
     
  28. zakazak

    zakazak www.whymacsucks.com

    Fine, I will create a standard user then and use that one. Any way to simply copy an already existing user to a new standard user (all settings, etc)?

    Probably I'm better off completely re-installing win7 :S

    @edit: I could simply create a new admin account and make my current account a standard user? So I wouldn't lose any of my settings/need to copy something to a new user?
     
  29. surfasb

    surfasb Titles Shmm-itles

    Use Windows Easy Transfer to transfer settings to a new account.
     
  30. Hungry Man

    Hungry Man Notebook Virtuoso

    Bah, LUA isn't worth it. UAC is plenty.