Disabling UAC Because It Doesn't Provide Real Security

Yeah, you can (well, it’s a root around as it is enforced with group policy but yeah). But that’s like removing the safety guard on your circular saw, not wearing your seatbelt, or riding your motorcycle without a helmet.

Sure, things will be fine, so long as you don’t fuck up. That’s not how you do security though - you assume everybody, ESPECIALLY those with high-value admin accounts (likely targeted) will eventually fuck up. Because humans aren’t perfect.

I think that’s the biggest security lesson to learn personally. DON’T assume you’re better than everybody else, assume YOU will fuck up, and pro-actively defend yourself from yourself.

How we use it is that end users don’t get admin. Neither to IT admin “desktop” accounts. We elevate when using remote assistance for specific tasks (using our workstation admin account - e.g., username-wsadm). Or on our own workstations, we elevate when doing something that requires it.

Get some random elevation prompt for day to day task unexpectedly? No, we don’t elevate.

you can configure which apps will get elevation when needed or set permissions to a user or group so its not required, which is the correct way of dealing with things.

Its not really much different than setting permissions on files on linux so you dont have to run sudo to get your bash script to run.

also yikes on the win 7 at work.

Yes exactly, which is why it should be left up to the user, and who adequately understands their circumstances, to determine how they configure their computer. It is the user who understands their tech level the best and should be left to configure their system as they see fit, including disabling or enabling UAC as they see fit.

Essentially, I have been saying that UAC should not be enabled in every-single-instance of Windows since there are better ways of providing real security and isolation.

The original prompt from @thro implied that it was inappropriate to disable UAC even during initial setup when consecutive admin actions are common and then just enable it later after the initial setup is complete. That implication is there because that was the context in which the original post was in: in a thread for how to solve/troubleshoot small windows issues, and quoted from a post for how to do the initial setup to help users avoid small windows issues later. The post did not comment on the final “day-to-day” configuration of the system.

This is somewhat of a different topic than UAC, more comparable to file permissions in linux. UAC is more about elevating permissions and when/how it should be done.

However, the C:\file.txt is one example of how UAC creates “small windows problems” by breaking even notepad when running in Admin Approval Mode (AAM), while having no security benefits in that mode. Other examples are limiting/breaking Steam voice chat functionality and renaming start menu entries. Since there are no real security benefits while configured enabled in AAM, it might as well just be left disabled: it breaks things without any benefit.

The advice here, except for @thro 's, has been to run as standard user and then use the “run as” functionality after initial setup. @thro has been implying that UAC should always be left enabled, even during initial setup, even when troubleshooting “small windows issues”.

This is incorrect because the “Run as” functionality was already present in Windows XP which did not have UAC at all. UAC was added with Vista.

Therefore the “whole point” of UAC is not elevation because Windows already had an elevation system before UAC, which many sys admins used to great effect. The point of UAC in Vista was “something else”. What is that “something else”? Why did Microsoft implement UAC when the “run as” or “elevation” functionality was already present in their OS? What did they hope to change from the Windows XP days to when engineering UAC and as they implemented it in Vista? What would happen if a user tried to run their Vista OS the same as XP? What was Microsoft hoping to change in that experience?

Maybe a link back from when Vista was first published can tell us part of the real reason why UAC was designed and part of why it was implemented the way it was? Do you get why I went out of my way to find a link from that era now and why information like that is so valuable, especially because it is from 2007?

The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts

It’s important to be aware that UAC elevations are conveniences and not security boundaries. A security boundary requires that security policy dictates what can pass through the boundary. User accounts are an example of a security boundary in Windows because one user can’t access the data belonging to another user without having that user’s permission.
Because elevations aren’t security boundaries, there’s no guarantee that malware running on a system with standard user rights can’t compromise an elevated process to gain administrative rights […]

• Mark Russinovich on Windows Vista User Account Control
  https://web.archive.org/web/20140402171410/http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

• Note that, OS security here is not provided by UAC, but rather by the use of a normal use account.
• “Forgoing security” means using an administrative account the same way it was used in the Win XP days which was to run any piece of software that needed some form of admin credentials.

I could give a history lesson as to the exact “convenience” provided by UAC, however UAC being a convenience and explicitly not a security boundary is part of why I recommend disabling it in some environments. It already contradicts @thro 's core claim that it should always be enabled because it does not provide any tangible benefit in environments where actual security boundaries already exist (including data-level boundaries, not just OS ones) or where elevations an inappropriate (AAM mode for example or kiosks).

If UAC provided real OS security, then it should be able to provide some security benefit solely by being enabled. However, that is not the case, when it is run in AAM, where it only produces small windows issues without any increase in OS security. There is also no reason not to use an admin account in some environments (disposable VMs), and what end-users mean by “security” means “data security” not “os security”. The OS is trash. It can just be reinstalled again if needed. What users care about securing is their data, which UAC cannot protect. Telling people to always run UAC without respecting their technical level or environment or context that UAC is disabled/enabled under is what is wrong.

For example, if someone points out different environments or conditions, it would make sense to gain a new understanding that there are numerous ways to configure the system to provide both maximum OS and data security. That would be in contrast to the blind “I drank the marketing coolaid” approach of always leaving UAC even during initial system setup.

You’re forgetting that 90% of Windows users are computer illiterates that click on everything and do silly things. In such instances, this person IS the sysadmin. If you serviced computers during the years that 98/ME/2K/XP was the norm you would know all too well how 99% of the time the issue was the user had installed some malware like Bonzi Buddy or similar that had hooked/replaced system files or altered registry entries.

Don’t forget the BHO (Browser Helper Object) infestation because an unprivileged process could install them without any user interaction. Malware/Virii was known to alter/cripple AV software to avoid detection and would hook/alter core parts of Windows to prevent their detection and removal. All without ANY opportunity for the user to see the process is trying to do something dangerous.

I mean you could even load a kernel driver (.sys file) from a userspace process with little more than the default Administrator group level access that everyone was/is given by default.

On the topic of how YOU use your computer. While you may want to do things that IMO is silly such as storing your documents in C:\ there are very good reasons for not doing so. Let’s say you need to migrate a profile/user to another PC due to say a company enforced upgrade of equipment. If the user is storing their documents in a stupid location, how is the sysadmin supposed to know to copy these potentially mission-critical files to the new PC?

Outside of the enterprise world also, you are re-installing a computer for a non-technical customer/friend, etc… and they have also stored documents in non-standard locations. How are you to know where they have put things? Way back then I used to regulally see people store literally thousands of files inC:\ simply because it’s easy to find them.

If you are the person servicing your PC, sure, turn UAC off knowing full well the ramifications of doing so. It’s on you to fix/manage the problems it might cause and as a computer literrate person you likely can fix these issues. At the end of the day, most people know little more then how to use a web browser and change their desktop background.

Once thing you may not have considered, lets say you work for a company that sells PCs and you are installing Windows on them. You like most service agents store commonly used things like drivers, programs, etc on a shared network resource or even a USB stick. You know durig the installation of various parts of the process what will ask for UAC access.

One day you’re company hires a new employee, or one becomes digruntled and decides to alter/modify one of these deployment files with something malicious, or your network is compromised and this is done by a criminal. A UAC prompt might save you as something might be asking for UAC that it didn’t prior. Futher to that, if your deployment files are signed (most are), the attacker would have to remove/resign the file after the alteration which would also cause the UAC dialog to change.

If OTOH you had UAC disabled by default, this would go completely undetected and you would be deploying infected PCs to your customers. Turning UAC back on after system setup would be too late.

Note that UAC also enables the Secure Desktop which is used to collect user input when secure programs (ie BitLocker, etc) wish to prompt the user for things such as passwords. This is to prevent any potential malicious software already on the PC from being able to keylog/screencatpure, etc the details. UAC is more then just file/admin protection.

Most of what you are referencing refers to enterprise environments.

I have never claimed that UAC cannot be effective when the user of the system (the enterprise) decides to set up their computers for their end users. Such environments, the user responsible for maintain the system is different than the one actually having to use it. What “security” means in that context is protecting the computers and the network as whole from the end-users. The goal there is not to help them, but to deliberately hinder them if they “accidentally” run unsigned software or w/e.

Deliberately hindering users in their use of the computer system is not an explicit goal for every computer, just in domain environments. Exactly the reverse is true for typical personal systems security means protecting user data, which UAC cannot protect.

UAC in admin approval mode is still pointless, however. Why would a “malicious” employee that has credentials to deployment files craft their malware in such a way especially designed to be defeated by UAC? Shouldn’t they take UAC into account and instead hook into the auto-elevation of an existing program? Then the malware would have 100% the same signature as the original, trigger UAC, auto-elevate and infect everything.

For example, elevation dialogs only identify the executable that will be elevated; they say nothing about what it will do when it executes. The executable will process command-line arguments, load DLLs, open data files, and communicate with other processes. Any of those operations could conceivably allow malware to compromise the elevated process and thus gain administrative rights.

Hooking previously elevated processes allows malware to infect the system without triggering a UAC prompt because doing so does not require changing the signatures of the executables already elevated.

Most people think that UAC itself provides security but that is a misconception because it itself is not a security boundary. What can provide actual security of the OS is running as a limited user and such discussions are distinct from UAC.

It is because the two (UAC and standard accounts) are usually paired together in articles that people tend to incorrectly associate UAC with OS security.

Managed computers are not directly comparable to end-user managed computers because what “security” means is different between those two scenarios (protecting the OS vs protecting data). With respect to those two scenarios, using UAC is what is silly because it cannot provide security to a user’s data, which is what users care about. It cannot protect against ransomware. Therefore, in that context, UAC can only create issues with no tangible benefit.

Context matters.

Manually selecting “run-as” is not the same has having Windows elevate you when required without just crapping out and then having to do run-as.

You said to disable it because it provides no security. You didn’t put any disclaimers in there, you said flat out - it provides no security and then backed it up with a 13 year old blog.

Others, including those responsible for the security policy of five-eyes allies, disagree.

They are directly comparable and exactly the same when discussing crossing between one security boundary and another.

I also said that context matters and accused you of quoting me out of context numerous times. Want to try to quote me in context at some point?

Actually, as posted by @gnif above, they aren’t, as UAC enables the secure desktop for password entry… which is an extra layer of security to stop your password being sniffed from malware running in your non-elevated user context (speaking of context…).

Speaking of running Windows as non-admin with UAC on, I tried doing that but Ubisoft’s uplay launcher, needed for their games, wouldn’t work on my system except in an admin account. Have any of you solved that problem? If you have, I’ll log in as non-admin in Windows in a heartbeat. I currently do have it in a passthrough VM though, and of course don’t log in as root in Linux…

Yeah, uplay is malware and i don’t run it (actually serious, fuck that software).

Look… i will concede that if you are just gaming on a machine then security maybe gets in the way. But to just suggest everybody turn it off during install without even seeing what (if anything) breaks (and trying to solve that) is simply bad security advice.

as to a possible solution - try right-click run-as administrator (and putting in admin creds) - that may work. UAC doesn’t automatically elevate properly in 100% of instances. But it does help.

Game launchers often try to do stuff like write to OS filesystem locations (e.g., program files) - i believe steam actually uses the user profile these days and thus doesn’t have this problem any more. But haven’t run steam on windows for quite some time now…

edit:
Windows security has plenty of problems to be sure. But UAC is one of the attempts Microsoft has made to help run windows with lower privileges in a less inconvenient manner. As above it enables the secure desktop for password entry. It attempts to elevate automatically when required rather than just let the app die with permissions problems.

UAC is a net win for security in my view, and also the view of the aussie DSD and others. It’s not perfect but turning it on as general rule is better than turning it off.

Yeah, Steam and Gog Galaxy (GOG Galaxy being optional) are fine, I think even Origin was fine… uplay wasn’t. I haven’t tried the Epic launcher because of not being able to get uplay to work, but I didn’t try that run as administrator stuff.

If anyone is running Uplay with run-as-adminstrator or some other technique in a non-admin account, let me know, as it’s a pain to redo my windows installation as a user account configuration and I don’t feel like doing it “for science” at the moment.

Really?

That is, home computers, not enterprise.

Explicitly stated non-enterprise, right there.

Those PCs go to the end home user, how is this enterprise?

You do realize to hook an already elevated process requires elevated access already? A process that has auto elevation has to do it via the manifest file and as such windows does the elevation BEFORE the program is launched and as such you have no opportunity to hook the target application outside of patching.

If the executable is properly signed any binary alteration at all to the executable will invalidate the signature and it will need to be re-signed. Re-signage is only possible with a valid code signing certificate (I know, I have one), and even then the application signer changes which is a dead giveaway of tampering, AND the person that signed it gives away their identity as they have to purchase and prove their identity to get a code signing cert, which is NOT easy.

I heard application signing was cracked or something, could be wrong though… if it is, all that goes out the window. Not that I disagree with using UAC, I have UAC active on my Windows installation…

Yes, there are ways to hack around it by patching windows DLLs, etc. It’s great if you need to run unsigned code and don’t have a signing cert. However to patch windows first you need to have full access to the PC already as SFP gets in the way. If you have this level of access who cares about UAC

There was (also) a stolen/forged windows certificate a few years ago that could be used for code-signing. I think stuxnet used it.

It has since been revoked.

Is the system completely 100% flawless? No. But its better than no code signing at all.

edit:
e.g., if someone was to (somehow) steal @gnif’s (or HP’s, Dell’s, etc.) cert/private key and he didn’t notice, someone could sign code with his cert and have it run. Until it was revoked.

Well, I decided to spin up another VM just to test Uplay in a non-admin account to see if I can get it running… Sigh…

Also a bad bug in a third party signed windows driver IIRC that could be abused to elevate. Again though, a bug that was promptly fixed. The fix was simple on MS’s part, the certificate was revoked.

@Peanut253 Do you have any experience or background in Cyber Security or secure computing contexts? I am just asking because, the people here are giving some good insight and advice.

As with all code, you cannot code for all user’s use cases and you create software for the lowest common denominator of user that will use that software. In variably, there will be a user that is going to break your software in ways that you could only imagine.

My recommendation is that if you feel like you know best of what you need in a computation environment, then you should start to build your own. No seriously, you should. You will start to discover things that you did not know/understand. Then you will see why over 50 years of computing has created the norms that we now take for granted. There was a lot of stumbling and fumbling along the way.

I understand that you feel a certain way. That is okay. All opinions are welcomed here. Just realize that on a public forvm, you will get some feedback about those feelings and opinions.

No.

UAC is kind of like apparmor triggered sudo

Without UAC you’re basically root all the time.

It’s not a silver bullet, it’s meant to add to security (defense in depth).

In general, nothing that a typical (99.99%-ile) user does on a daily basis should require it to be disabled.

For example: installing software is not something done daily, updating software should be done automatically in the background and not be done by user. (Yes much software is buggy in that regard).

It may not be (rhetorically strictly) harmful to disable it, but it’s not recommended; in fact it’s negligent to disable it for others or if one doesn’t understand how it works.