How do you configure your Windows system to prompt for additional credentials

Securing Windows 7

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

User Account Control Settings

Unlike Windows Vista, Windows 7 offers a range of UAC settings instead of a simple on/off switch. Setting UAC to a level lower than the default disables the secure desktop. Turning off UAC is not recommended: doing so disables many security settings in Windows 7, including some in IE 8.

UAC settings may be accessed in different ways:

Go to Control Panel | Action Center and click Change User Account Control Settings on the left pane.

Control Panel | User Accounts | Change User Account Control Settings

Type uac in the Start menu Search

There are four options in the UAC Settings (Figure 8.9):

Always notify me when:
    Programs try to install software or make changes to my computer.
    I make changes to Windows settings.

Default – Notify me only when programs try to make changes to my computer.
    Don't notify me when I make changes to Windows settings.

Notify me only when programs try to make changes to my computer (does not dim the desktop).
    Don't notify me when I make changes to Windows settings.

Never notify me when:
    Programs try to install software or make changes to my computer.
    I make changes to Windows settings.

FIGURE 8.9. User Account Control Settings

UAC settings may also be managed through Group Policy in the Local Security Policy console or Local Group Policy editor as shown in Figure 8.10 by expanding Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options:

UAC: Admin Approval Mode for the Built-in Administrator account – Enabled by default, this setting places the built-in Administrator account (which is itself disabled by default) under Admin Approval Mode so that it receives elevation prompts.

UAC: Allow UIAccess applications to prompt for elevation without using the secure desktop – Disabled by default, this allows User Interface Accessibility (UIAccess) programs to disable the secure desktop automatically for elevation prompts shown to standard users.

UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode – This option sets how the elevation prompt receives consent from the administrator. The options are:

Elevate without prompting

Prompt for credentials on the secure desktop

Prompt for consent on the secure desktop

Prompt for credentials

Prompt for consent

Prompt for consent from non-Windows binaries

UAC: Behavior of the elevation prompt for standard users – This option sets how the elevation prompt receives consent from the standard user. The options are:

Automatically deny elevation requests

Prompt for credentials on the secure desktop

Prompt for credentials

UAC: Detect application installations and prompt for elevation – Enabled by default, this controls whether an application installation triggers Admin Approval Mode and an elevation prompt.

UAC: Only elevate executables that are signed and validated – Disabled by default; when enabled, only executables and DLLs that are signed and validated against the Trusted Publisher store are elevated.

UAC: Only elevate UIAccess applications that are installed in secure locations – Enabled by default, this setting will only elevate UIAccess applications located in %SystemRoot%\%ProgramFiles%\ or %WindowsDirectory%\system32\.

UAC: Run all administrators in Admin Approval Mode – Enabled by default, this requires all administrators to use elevation prompts and Admin Approval Mode.

UAC: Switch to the secure desktop when prompting for elevation – Enabled by default, this setting controls whether the secure desktop (dimmed display) is used for elevation prompts.

UAC: Virtualize file and registry write failures to per-user locations – Enabled by default, this should remain enabled for software compatibility.

FIGURE 8.10. Local Group Policy Editor – UAC

Thankfully, Microsoft included a range of UAC settings that administrators can tweak for each environment. Because every environment is different, especially with respect to applications, it is difficult to recommend specific settings. We recommend enabling as many of the UAC settings as possible without interfering with user productivity.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495615000085

Microsoft Vista: Securing User Access

In Microsoft Vista for IT Security Professionals, 2007

User Access Control

UAC is used to secure access to administrative privileges by running accounts as standard accounts with limited functionality.

Administrator accounts will run in Administrator Approval Mode by default, as will UAC. If changes need to be made, the “shield” icon will appear, marking the use of or need for administrative action. Unless turned off, UAC will be invoked when needed.

User accounts should not be able to do things they do not need to do. All that does is leave the door wide open for malware (or other forms of attack) that could compromise these accounts and allow access to system resources. Users should have only the privileges they need, and nothing more. With Windows Vista, UAC is used to separate user privileges from those that would require administrative rights and access.

UAC defines access security by first limiting the surface area for attack. Accounts have been redefined so that if they are compromised, they will pose no security threat, but at the same time will allow for nonthreatening tasks to be functional. When administrative privileges are needed (such as when installing an application), the user will be prompted for an administrator password. UAC makes user accounts safer by prompting the user for approval before allowing him to perform any administrative tasks.

UAC is also easier to understand. Now, when users are prompted for credentials, UAC more clearly defines what process is invoking it.

UAC will also help shield users from malware and other exploits by allowing each user to be defined so that an administrative password is required before content on the Web can be seen and used. With UAC and parental controls, users can now enjoy a safer Web surfing experience, and children will not so easily be duped into doing things that compromised security in the past.

URL: https://www.sciencedirect.com/science/article/pii/B9781597491396500078

Introduction to Windows 7

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

User Account Control (UAC)

As most administrators know, one of the largest issues with Microsoft Vista was the lack of acceptance by end users. This is mainly attributed to the UAC feature introduced in Windows Vista. Microsoft understood the issues with UAC in Vista and has improved the feature for Windows 7. UAC is now an even better security feature and should never be disabled.

The UAC level may be modified through the Action Center, a new feature found in the Control Panel and introduced in the next section. Unlike Vista, where UAC could only be enabled or disabled with no finer setting, Windows 7 offers four options for UAC, as shown in Figure 1.4:

Always notify me when:
    Programs try to install software or make changes to my computer
    I make changes to Windows settings

Default – Notify me only when programs try to make changes to my computer
    Don't notify me when I make changes to Windows settings

Notify me only when programs try to make changes to my computer (does not dim the desktop)
    Don't notify me when I make changes to Windows settings

Never notify me when:
    Programs try to install software or make changes to my computer
    I make changes to Windows settings

FIGURE 1.4. Windows 7 User Account Control Settings

Warning

Many security features in Windows 7 depend on these UAC settings. The lower the UAC setting, the more susceptible you or your end users are to running malware without your knowledge or permission. It is recommended to use the highest UAC setting, which always notifies users of changes, and to educate users on how UAC works. Even if the highest UAC setting is selected, if the user gets in the habit of accepting every prompt, the machine will be insecure. This security feature relies on user training and proper configuration.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495615000012

Securing User Access

In How to Cheat at Microsoft Vista Administration, 2007

Group Policy Settings for UAC

UAC settings can be configured using local or Active Directory Group Policies by going to the Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options node, as shown in Figure 9.13.

Figure 9.13. UAC Group Policies

The following UAC settings can be configured with Group Policies:

User Account Control: Admin Approval Mode for the Built-in Administrator account – Applies only to the built-in Administrator account, enabling UAC Admin Approval Mode for it just like other administrator accounts. When this setting is disabled, the built-in Administrator account in Vista acts like the Administrator account from XP, so all processes run with Administrator privileges.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode – Set to Prompt for consent by default, this setting causes UAC to prompt any time a process needs more than standard user privilege. Prompt for credentials causes Admin Approval Mode UAC prompts to behave like those a standard user would see, whereby the user must enter the administrative password to move forward. Elevate without prompting reduces the security protection of UAC by automatically giving processes administrative privileges.

User Account Control: Behavior of the elevation prompt for standard users – In workgroup environments, this is set to Prompt for credentials, which causes UAC to prompt the user for the administrative username and password. In Active Directory domain environments, this setting defaults to Automatically deny elevation requests, which disables the UAC prompt because standard users aren't expected to know the administrative username and password, so there is no point in prompting them for it.

User Account Control: Detect application installations and prompt for elevation – Enabled for workgroup environments and disabled in domain environments. When enabled, UAC prompts for administrator credentials any time the user tries to install an application that attempts to make changes to protected parts of the system. Domain environments that make use of Group Policy Software Install (GPSI) or Systems Management Server (SMS) should not need this setting enabled.

User Account Control: Only elevate executables that are signed and validated – Useful for environments that require all applications, including in-house programs, to be signed and validated with a trusted certificate, which increases security. This setting is disabled by default, so users may run any application whether it is signed or not.

User Account Control: Only elevate UIAccess applications that are installed in secure locations – Enabled by default, this setting causes Windows Vista to grant user interface access only to applications executed from Program Files, the \Windows\System32 directory, or one of its subdirectories. This setting prevents any non-administrator from downloading and running an application, because non-administrators will not have the necessary privileges to copy an executable file to one of those locations.

User Account Control: Run all administrators in Admin Approval Mode – Enabled by default, this setting causes all administrator accounts, with the exception of the built-in account, to use Admin Approval Mode.

User Account Control: Switch to the secure desktop when prompting for elevation – Enabled by default, this setting causes the screen to darken in the background when the UAC prompt appears. This darkening makes it difficult for malware to emulate the UAC prompt.

User Account Control: Virtualize file and Registry write failures to per-user locations – Enabled by default, this setting improves compatibility with older applications that weren't developed for UAC by redirecting requests for protected resources.

URL: https://www.sciencedirect.com/science/article/pii/B9781597491747500100

Managing Security Essentials

In How to Cheat at Microsoft Vista Administration, 2007

Managing User Account Controls

UAC is used to secure access to administrative privileges by running accounts as standard accounts with limited functionality.

Administrator accounts will run in Administrator Approval Mode by default, as will UAC. If changes need to be made, the "shield" icon will appear, marking the use of, or need for, administrative action. Unless turned off, UAC will be invoked when needed.

User accounts should not be able to do things they do not need to do. All that does is leave the door wide open for malware (or other forms of attack) that could compromise these accounts and allow access to system resources. Users should have only the privileges they need, and nothing more. With Windows Vista, UAC is used to separate user privileges from those that would require administrative rights and access.

UAC defines access security by first limiting the surface area for attack. Accounts have been redefined so that if they are compromised, they will pose no security threat, but at the same time will allow for nonthreatening tasks to be functional. When administrative privileges are needed (such as when installing an application), the user will be prompted for an administrator password. UAC makes user accounts safer by prompting the user for approval before allowing her to perform any administrative tasks.

UAC is also easier to understand. Now, when users are prompted for credentials, UAC more clearly defines what process is invoking it.

UAC will also help shield users from malware and other exploits by allowing each user to be defined so that an administrative password is required before content on the Web can be seen and used. With UAC and parental controls, users can now enjoy a safer Web surfing experience, and children will not so easily be duped into doing things that compromised security in the past.

URL: https://www.sciencedirect.com/science/article/pii/B9781597491747500094

System Security

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

User Account Control

Many viruses and different types of malware attempt to make system-level changes to your operating system. You can help prevent this by using User Account Control. User Account Control is used to control when programs can make changes to your system. User Account Control Settings are available through the User Accounts applet in the Control Panel. Inside the applet, just select the option for Change User Account Control Settings. This will bring up the User Account Control Settings window, as shown in Figure 4.8.

Figure 4.8. User Account Control Settings window.

User Account Control Settings has four options:

Always notify: The user will always be notified when either the user or a program attempts to make changes to the system.

Notify me only when programs attempt to make changes to my desktop: The desktop will be dimmed when these attempts are made. This is the default option.

Notify me only when programs attempt to make changes to my desktop (do not dim my desktop): The desktop will not be dimmed when these attempts are made.

Never notify: The user is never notified when either the user or programs attempt to make changes to the system.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495943000041

Managing the Windows 7 Desktop Environment

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

Action Center

The Action Center helps you solve basic system issues. It can help troubleshoot security, maintenance, and performance issues. In the Action Center section of the Control Panel, you have four options: Review your computer's status and solve issues, Change User Account Control settings, Troubleshoot common computer problems, and Restore your computer to an earlier time.

If you choose Review your computer's status and solve issues, the Action Center will open. It will display any issues that your system has detected. These could be issues with security, Windows Update, Windows Backup, or a host of other issues.

If you choose Change User Account Control settings, the User Account Control Settings window, as seen in Figure 5.1, will open. User Account Control (UAC) is used to control whether programs can make changes to your system. This is important because you don't want malicious programs to be able to make system changes.

FIGURE 5.1. User Account Control Settings Window

The User Account Control Settings window includes four options:

Always notify – The user will always be notified when either the user or a program attempts to make changes to the system.

Notify me only when programs attempt to make changes to my desktop – The desktop will be dimmed when these attempts are made. This is the default option.

Notify me only when programs attempt to make changes to my desktop (do not dim my desktop) – The desktop will not be dimmed when these attempts are made.

Never notify – The user is never notified when either the user or programs attempt to make changes to the system.

If you choose Troubleshoot common computer problems, the troubleshooting applet will open. The troubleshooting applet, as seen in Figure 5.2, will allow you to troubleshoot issues with programs, hardware, internet connections, appearance, personalization, and security.

FIGURE 5.2. Troubleshooting Applet

Choosing the option named Restore your computer to an earlier time will open the Recovery window. In the Recovery window, you can open the System Restore wizard. The System Restore wizard will allow you to restore system files and settings without losing your personal files and data. The System Restore wizard will allow you to select a restore point, as seen in Figure 5.3. Windows 7 will restore your system to the state it was when the restore point was created.

FIGURE 5.3. Restore Point Selection Window

The Recovery window also includes an option for Advanced Recovery Methods. These Advanced Recovery Methods will restore your system, but everything will be replaced, including your personal files and data. You can restore your system using a previously created image. You can also choose to reinstall Windows 7, using the installation media. If you choose either of these methods, you are given the option to back up your important files and data.

URL: https://www.sciencedirect.com/science/article/pii/B978159749561500005X

USB Switchblade

Brian Anderson, Barbara Anderson, in Seven Deadliest USB Attacks, 2010

Why Should I Care?

It has never been easier to obtain vital information about any Windows system. While administrator access is required for these tools to run successfully, this context is a given more often than not. Typical system users, administrators, and even some businesses consider running in a less-privileged context a burden due to the tasks that require elevated permissions.

The introduction of UAC in Vista created enormous chatter amongst the user community, who deemed it unnecessary and even intrusive. This feature forces user accounts, even those belonging to the administrative group, to run as a standard less-privileged account until elevated permissions are required. When an elevation event occurs, UAC interrupts the current task to ask for the user's permission before allowing it to proceed. Many users have disabled this critical security function for various reasons. Typical users often fail to realize the fundamental security aspects behind these enhancements, rendering their systems more vulnerable to the USB Switchblade and many other types of attacks. A few types of information an attacker can obtain from an unguarded system are summarized below.

General system information can be used to determine connectivity-related data that can be used for an alternate network attack strategy.

All network services and ports that are listening for remote connection can be used for determining remote-connection protocols and methods to further expose the compromised computer or network.

All product keys for Microsoft products on the computer can be used to establish illegal copies of programs or sold for profit.

Passwords for accounts on the local system can be compromised, providing an intruder with administrative access to do anything he or she wishes on the target system.

Wireless network keys and passwords can be gathered for later use in establishing a remote connection with the respective network. Once this is obtained, the attacker no longer has to have physical access and can perform a suite of attacks using this connection remotely.

Passwords from saved network connections pertaining to the currently logged-on user are vulnerable. If these are domain-based or just for an alternate system, they can lead to further system or entire network compromise.

Internet Explorer, Messenger, Firefox, and e-mail passwords can expose a broad range of systems and remote applications the local user is using. While most of these credentials won't provide administrator access on the connecting target, they will provide the intruder with stepping stones or the ability to manipulate functions under the victim's context.

LSA secrets can be exposed. These can contain all service account and dial-up passwords, recoverable as clear text. Some of these services run as SYSTEM and others with explicitly elevated privilege levels, which can be used for anything an attacker might desire.

A list of installed patches can provide attackers with information pertaining to known system vulnerabilities, giving them an alternate method of gaining elevated control in the target or surrounding systems and applications.

A recent browsing history can point the attacker to internal or external Web sites and applications. This list can be used to select a potential target for man-in-the-middle (MITM) attacks, which could be used to intercept communication and gather credentials and related information about the particular site.

These are just a small sampling of jeopardizing actions that could be accomplished if a tool such as the USB Switchblade was successfully deployed. The data provided by this suite of tools not only reveals local system data but also uncovers perimeter and local area network (LAN) related information. If an intruder is able to acquire this level of information from a system, your computer and network can be considered as good as owned.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495530000020

Case Studies

Harlan Carvey, in Windows Registry Forensics, 2011

UAC

While we're on the subject of users and user profiles, Microsoft introduced something called User Account Control (or UAC) with Windows Vista. In short, this was something of a security measure, intended to prompt the user whenever something that might be considered untoward was going to happen; basically, there was a pop-up whenever something was going to make a change to the computer. This was intended to be a warning to the user, to alert them, but it quickly became something of an annoyance to most users and was disabled.

The behavior of UAC is controlled by several settings (value/data combinations [58]) within the following key within the Software hive on Vista, Windows 2008, and Windows 7:

Microsoft\Windows\CurrentVersion\Policies\System

Of specific interest is the EnableLUA value; setting this value to 0 (or adding the DWORD value and then making the value 0) disables the prompt that appears each time a user attempts to do something that will make a change to the system.

Interestingly, there are several locations on the Internet that refer to this particular value as being related to malware or spyware, in particular Troj_Renos.SCMP, which (according to Trend Micro) disables Windows Defender, as well.
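The Group Policy settings listed in the Windows 7 section above and the EnableLUA value described here are both backed by values under the same Policies\System key. The following PowerShell audit script is an added example, not code from either book: it reads those values from the live registry (HKLM\SOFTWARE\..., the same key Carvey gives relative to the Software hive root) and reports configurations that weaken or disable UAC. The value names, their numeric codes, the -BasePath parameter and the finding objects are this script's own; to examine an offline Software hive from an image, load it first with reg load and point -BasePath at the loaded hive.

```powershell
# Added audit script (not from either book): report the registry values behind the
# UAC Group Policy settings and flag weakened configurations.
# Assumes a live Windows host. For a forensic image, run something like
#   reg load HKLM\OfflineSoftware <mount>\Windows\System32\config\SOFTWARE
# and pass -BasePath 'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\Policies\System'.
param(
    [string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Numeric codes used by the two "Behavior of the elevation prompt" policies.
$adminCodes = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userCodes = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacValue {
    param([string]$Name)
    # Returns $null when the value is absent; Windows then applies its built-in default.
    $item = Get-ItemProperty -Path $BasePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-UacPolicy {
    # Returns finding objects. Severity 'High' means UAC is effectively off;
    # 'Medium' means prompts are shown where other windows could imitate them.
    $findings = @()

    if ((Get-UacValue 'EnableLUA') -eq 0) {
        $findings += [pscustomobject]@{ Severity = 'High'; Value = 'EnableLUA'
            Detail = 'UAC disabled: Admin Approval Mode is off for all administrators' }
    }

    $admin = Get-UacValue 'ConsentPromptBehaviorAdmin'
    if ($admin -eq 0) {
        $findings += [pscustomobject]@{ Severity = 'High'; Value = 'ConsentPromptBehaviorAdmin'
            Detail = 'Administrators elevate without prompting' }
    } elseif ($admin -in 3, 4) {
        $findings += [pscustomobject]@{ Severity = 'Medium'; Value = 'ConsentPromptBehaviorAdmin'
            Detail = "$($adminCodes[$admin]) on the normal (undimmed) desktop" }
    }

    if ((Get-UacValue 'ConsentPromptBehaviorUser') -eq 3) {
        $findings += [pscustomobject]@{ Severity = 'Medium'; Value = 'ConsentPromptBehaviorUser'
            Detail = 'Standard users are prompted for credentials on the normal desktop' }
    }

    if ((Get-UacValue 'PromptOnSecureDesktop') -eq 0) {
        $findings += [pscustomobject]@{ Severity = 'Medium'; Value = 'PromptOnSecureDesktop'
            Detail = 'Secure desktop off: elevation prompts can be imitated by other windows' }
    }
    return $findings
}

# Print the raw state of each value alongside its meaning.
'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop' |
    ForEach-Object {
        $v = Get-UacValue $_
        $desc = if ($null -eq $v) { 'not set (Windows default applies)' }
                elseif ($_ -eq 'ConsentPromptBehaviorAdmin') { $adminCodes[$v] }
                elseif ($_ -eq 'ConsentPromptBehaviorUser') { $userCodes[$v] }
                elseif ($v -eq 0) { 'Disabled' }
                else { 'Enabled' }
        '{0,-28} {1,-6} {2}' -f $_, $v, $desc
    }

$findings = Test-UacPolicy
if ($findings.Count -eq 0) { 'No weakened UAC settings found.' }
else { $findings | Format-Table -AutoSize }
```

Reading HKLM\SOFTWARE needs no elevation, so the audit can run from a standard account; a value set to a weak code by Group Policy shows up here just as a manual change would.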

URL: https://www.sciencedirect.com/science/article/pii/B9781597495806000036

Covert Listening Devices

Thomas Wilhelm, Jason Andress, in Ninja Hacking, 2011

Windows UAC

On more recent versions of Windows operating systems, Vista and newer, we will likely encounter the Windows user account control (UAC) mechanism.6 UAC will prompt the user, to the irritation of many, whenever an application makes a request to do something that would require administrative privileges. Activities that may set off a UAC alert message include the following:

Installing or removing applications

Installing device drivers

Installing updates

Configuring remote access

Installing ActiveX controls

Many other similar tasks will set off such an alert as well. Although UAC prompts have been toned down a bit in newer Microsoft operating systems, such as Windows 7, the capability remains in place.

In order to ensure that UAC alerts to the user do not become an issue, we can take three primary approaches: we can stay below the clipping level for UAC, we can disable UAC, or we can disguise our activities as something else. Each method will have its advantages and disadvantages, but we will need to develop workarounds when targeting these operating systems.

In order to stay below the UAC clipping level, we really cannot perform any of the tasks that will set off a UAC alert. This will severely cripple our efforts and will restrict us to the most basic of attacks. On the plus side, if we can manage to carry out an attack in such restricted circumstances, it will be very lightweight and will not leave much evidence behind.

Note

Although we may find security measures such as the UAC in most any Microsoft operating system newer than Vista, they do not all work in exactly the same way. Some methods will work on Vista, but not on Windows 7, and so forth. This is definitely something that bears testing on the same operating system and version as the target before we try to use it.

Disabling the UAC can be done by a variety of methods, but the simplest is to use the command line, as shown in Figure 13.2. While this does need to be done from a command prompt run as administrator, it is a very quick and simple method.

Figure 13.2. Disabling UAC via Command Line.

The main issue that we need to work around using this method is the prompt that we will get when attempting to open a command prompt with administrator permissions, as shown in Figure 13.3. In order to work around this, we can either social engineer the user into clicking Yes by disguising the prompt as part of a software update or depend on the reflex of the user to automatically click Yes on any prompts that appear, although this may be a somewhat less reliable method.

Figure 13.3. Dialog Presented When Opening a Command Prompt as Administrator.

Once we have disabled the UAC, we have relatively free rein on the computer without alerting the user. We can change policies, disable the privilege escalation prompt, or make any of a number of other changes to help hide our activities and clean up any trails that we have left behind.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495882000135

What is a UAC prompt?

With UAC enabled, Windows prompts for consent or prompts for credentials of a valid local administrator account before starting a program or task that requires a full administrator access token. This prompt ensures that no malicious software can be silently installed. The consent prompt.

What causes UAC prompt?

There are many types of activities that may trigger a UAC prompt:

Running a desktop application as an administrator.

Making changes to settings and files in the Windows and Program Files folders.

Installing or removing drivers and desktop applications.

Which of the four UAC settings explains that the user is always prompted when changes are made to the computer and the desktop is dimmed?

The Always notify option at the top causes Windows always to ask you to verify whenever you install a program that makes changes to your PC or when you make changes to Windows settings. The UAC dialog box will always display on a dimmed desktop.

Which feature prompts the user for an administrative user's credentials if the task requires administrative permissions?

Prompt for credentials causes the user to be prompted to enter an administrative user name and password when an operation requires privilege elevation.