
Vista UAC: A security manager's perspective


Microsoft’s User Account Control (UAC) in Windows Vista has come under intense fire. The consensus among security researchers appears to be that UAC is not an effective security control. An example of the argument against relying on it as a workstation access control is an eWeek article by Lisa Vaas (“Microsoft: UAC Can Be Hijacked by Social Engineering”, 26 Feb 2007).

From the perspective of a security director, I tend to agree that UAC is problematic. This is not only because social engineering, a serious weakness in many organizations, can easily be used to bypass it. UAC also has the potential to lull less security-aware organizations into the proverbial false sense of security.

Limiting local administrator rights on workstations to a small group of support and engineering staff is a basic security control. A review of Microsoft’s monthly security bulletins quickly shows that most of the vulnerabilities listed there do far less damage when the logged-on user is not a local administrator, because code that exploits them runs with that user’s rights. UAC attempts to address this issue, but I don’t believe it goes far enough.

Users today are frequently tricked into running malicious applications on their workstations. This usually requires some affirmative action by the user, such as clicking OK. If the user still holds local administrator rights, all UAC adds is one more prompt in that sequence of clicks, and with the Vista default for administrators that prompt asks only for consent, not for a password.
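As an added example (not part of the original post, and not Microsoft tooling), the following PowerShell script audits a workstation for the two controls discussed above: membership of the local Administrators group against an approved list, and the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, including the value that restricts elevation to signed executables. The CONTOSO group names are hypothetical placeholders for your own, and the script assumes PowerShell 5.1 or later (for Get-LocalGroupMember) run from an elevated session.

```powershell
# Added example, not code from the original post. Audits a Windows workstation for
# the two controls discussed above: who holds local administrator rights, and
# whether UAC is switched on and configured to prompt meaningfully.
# Assumptions: PowerShell 5.1 or later (Get-LocalGroupMember), an elevated session,
# and the CONTOSO group names below are hypothetical placeholders for your own.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; normally disabled or vaulted
    'CONTOSO\Domain Admins',             # hypothetical domain group
    'CONTOSO\Workstation-Support'        # hypothetical support/engineering group
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# --- 1. Who is in the local Administrators group? ---------------------------
# Anything outside the approved list is a finding: that account gets a consent
# prompt rather than a credential prompt, and one click grants it full control.
foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop) {
    if ($ApprovedAdmins -notcontains $m.Name) {
        $findings.Add("Unexpected local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]")
    }
}

# --- 2. How is UAC configured? ----------------------------------------------
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key

# Returns the DWORD policy value, or -1 when it is not set (the OS default applies).
function Get-UacValue([string]$Name) {
    $v = $policy.$Name
    if ($null -eq $v) { -1 } else { [int]$v }
}

# EnableLUA = 0 turns UAC off entirely.
if ((Get-UacValue 'EnableLUA') -eq 0) {
    $findings.Add('UAC is disabled (EnableLUA=0); no elevation prompts at all')
}

# ConsentPromptBehaviorAdmin: 0 = elevate silently, 1/3 = prompt for credentials,
# 2/4 = prompt for consent, 5 = prompt for consent only for non-Windows binaries.
if ((Get-UacValue 'ConsentPromptBehaviorAdmin') -eq 0) {
    $findings.Add('Administrators elevate with no prompt (ConsentPromptBehaviorAdmin=0)')
}

# ConsentPromptBehaviorUser: 0 = deny elevation requests from standard users outright;
# any other value (or unset) lets a standard user be prompted for admin credentials.
if ((Get-UacValue 'ConsentPromptBehaviorUser') -ne 0) {
    $findings.Add('Standard users can request elevation (ConsentPromptBehaviorUser is not 0)')
}

# ValidateAdminCodeSignatures = 1 restricts elevation to signed, validated executables:
# the "only elevate signed code from trusted sources" configuration.
if ((Get-UacValue 'ValidateAdminCodeSignatures') -ne 1) {
    $findings.Add('Unsigned executables can be elevated (ValidateAdminCodeSignatures is not 1)')
}

# PromptOnSecureDesktop = 0 shows the prompt on the normal desktop, where another
# process running as the user can interact with it.
if ((Get-UacValue 'PromptOnSecureDesktop') -eq 0) {
    $findings.Add('UAC prompt is not shown on the secure desktop (PromptOnSecureDesktop=0)')
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no findings"
} else {
    $findings | ForEach-Object { Write-Output "$($env:COMPUTERNAME): $_" }
}
```

A workstation that reports an unexpected local administrator has already lost most of what UAC can offer, since that account elevates with a consent click rather than a password; treat findings from the first section as the priority and the UAC values as the second line.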

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

4 comments
georgeou

"Users today are frequently tricked into running malicious applications on their workstations." Users can be tricked on any OS platform, hence the saying: if I can get you to run my code, it's not your computer any more. The point of UAC (which it's already been successful at) is to force companies like Intuit to write cleaner code that doesn't require admin privileges. The point of UAC is to give you a warning on potential malware, whereas you got no warning before on drive-by attacks that used to silently infect Windows XP and before. When you understand this, you'll see how important UAC is.

Tom Olzak

George, I don't think writing cleaner code is going to fix the problem of allowing end users to have local admin access to their systems, whether through UAC or not. And it isn't Intuit we have to worry about. I also don't believe that throwing up an extra message warning a user that they're about to install an application is going to stop the vast majority of them from installing malware. I'm not saying that UAC isn't important. It's a significant step forward. However, I fear that a good number of organizations will treat it as a panacea for preventing unwanted software from getting installed on workstations. Tom.

georgeou

"I also don't believe that throwing up an extra message warning a user that they're about to install an application is going to stop the vast majority of them from installing malware." If you're just surfing the web or opening some document and minding your own business and the desktop dims and presents you with a warning message that something is trying to change your system, that had better set off some warning bells. If that doesn't give you a clue, then nothing in the world is going to protect you from yourself. UAC can be tweaked by a system administrator to ONLY allow users to escalate digitally signed code from trusted sources. This is very similar to only running your users as standard users with zero install privileges, but it's a bit more flexible because you're letting them install only good software. While that isn't a "panacea", it is the most effective way to prevent 99% of generic malware infections and is vastly superior to anything else you can use.

mib.2945

Well, there's another side to the story. Oftentimes users are tricked by malicious code purporting to be something else. When a user is presented with a prompt "Click OK to visit the webpage", it's a little different from UAC prompting "the file trojaninstaller.exe is attempting to run". It's a lot easier to see when a program is trying to run/install than to see when a dialogue box just pops up. Further, via ActiveX controls, pre-UAC users could have content installed on their PC without ANYTHING prompting them. Now, UAC prompts again and says "hey, this is installing, is that ok?"