The finer points of User Account Control (UAC) in Windows Vista

User Account Control (UAC) has received plenty of scrutiny since Vista's release, but since you no longer need to give out administrator rights to allow users to make changes, it is definitely making life harder for clever hackers. Find out how in this excerpt from Hacking Exposed Windows.

Hacking Exposed Windows
By Joel Scambray

Have a look inside the third edition of Hacking Exposed Windows : Microsoft Windows Security Secrets and Solutions by Joel Scambray, with this excerpt from chapter 12, "Windows security features and tools."

User Account Control (UAC) is one of the most discussed and visible aspects of the Windows Vista operating system. This is probably because, unless you've disabled it, it requires your attention more often than any other Windows security feature. On that note, Microsoft publicly states that UAC is not a security boundary, but merely an opportunity for the user to make a decision on whether an action should take place or not. Given that many attacks these days require some form of user intervention, UAC does raise the proverbial bar for attackers. As such, we will discuss some of the finer points of UAC in this section.

The "principle of least privilege" is by no means a new concept. In fact, if you've been in the security realm long you've heard the phrase more times than you'd care to count. Then why, for such a simple concept, is it so difficult to implement? In the software world, two primary factors exist: usability and compatibility. Users and enterprises want a solution that they can use straight out of the box and have it play nice with older or

Windows Vista security
Vista BitLocker Drive Encryption tips

Microsoft Windows Vista: A review of UAC

The ultimate Microsoft Vista tutorial on security

disparate systems. Typically, the application of security controls hinders one, or both, of these, so the user (or enterprise) disables the security feature and we're back at square one. Who's to blame them though? In previous versions of Windows, if you wanted to change your time zone, power settings, install a printer driver or connect to a wireless network that required a shared secret, you couldn't do it as a regular user. So you, as a user or person responsible for an enterprise full of complaining users, decide that bumping things up to local administrator sounds great. Now the security folks are unhappy because users are unknowingly installing evil on their machines.

The challenge here is to create a solution that makes everyone, including the security folks, sleep better at night. That solution involves adding a notch or two between no access and full access. This is exactly what Microsoft did when considering how to secure the Windows Vista operating systems.

Tokens and processes

When a Windows process is created, its access token is populated with the Security Identifier (SID) of the invoking user, the SID of the groups to which the user belongs, the SID of the logon session and a list of system-wide privileges possessed by the user. When a process attempts to interact with another securable object, such as a file, the contents of the process's access token are used in conjunction with the object's security descriptor to determine how the process can interact with the object, such as reading or modifying it. Due to such things as the time zone/printer scenario, users are often surfing the Web and reading emails under the context of the local administrator. As such, exploiting a vulnerability in a mail client and Web browser provides remote attackers with full control of the operating system -- a less than desirable situation, depending on who you are. What if we could simply remove the privileges associated with administrators and other powerful groups from these processes? Wouldn't we be better off?

UnAdmin

User Account Control is the compromise between users with administrator privileges and the shortleashing security folks; it's not quite warm porridge or the perfect bed, but it's closer. It allows non-IT users to feel empowered by granting them the ability to change WEP keys, install printers and set the clock without dishing out administrative privileges. To accomplish this, during an interactive logon, UAC leans on the Local Security Authority (LSA) to detect whether the user's token contains any elevated privileges. If it does, the original fully privileged token is stashed away and the LSA performs a second logon with the filtered token. The primary advantage of this is allowing elevated accounts to operate unprivileged until they attempt to perform an action that requires additional privileges.

User Account Control considers the following privileges elevated, and they will therefore be stripped from user tokens upon logon:

  • SeCreateTokenPrivilege

  • bPrivilege

  • SeTakeOwnershipPrivilege

  • SeBackupPrivilege

  • SeRestorePrivilege

  • SeDebugPrivilege

  • SeImpersonatePrivilege

  • SeRelabelPrivilege

By default, this affects the following groups:

  • Built-in administrators

  • Power Users

  • Account Operators

  • Server Operators

  • Printer Operators

  • Backup Operators

  • RAS Servers Group

  • Windows NT 4.0 Application Compatibility Group

  • Network Configuration Operators

  • Domain administrators

  • Domain Controllers

  • Certificate Publishers

  • Schema administrators

  • Enterprise administrators

  • Group Policy administrators

Additionally, if the user is a member of the administrators group, the filtered token will contain a deny-only version of this SID. This will cause Windows to consider the administrator's SID only when evaluating deny Access Control Entries (ACEs) in a object. The user will not be able to access the object unless he has been explicitly granted access or by membership of another group. This can be observed by logging in to Vista as a member of the administrators group and running whomai /all from the command prompt. The following listing is an example of executing this command:

USER INFORMATION
----------------
User Name SID
=============== ============================================
forilldohmikej S-1-5-21-1726311756-936665386-659771895-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
======================= ======== ====== ========================
BUILTINAdministrators Alias S-1-5-32-544 Group used for deny only

It's also worth noting that UAC does not affect service, network or batch logons. Once the user is logged on with the restricted token, subsequent attempts to perform potentially sensitive actions, such as installing software or interacting with portions of the Control Panel, will cause a dialog box to appear, requesting confirmation that you indeed intend to take this action. Herein lies the greatest challenge to UAC -- convincing users to leave it enabled. Left enabled, UAC plugs a fairly large hole in most organizations' and users' security model: running as administrator.

This was first published in May 2008

Dig deeper on Microsoft Windows Vista operating system

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close