What is the use of UAC
User Account Control (UAC) serves as a security feature in Windows, aiming to safeguard the operating system from unauthorized modifications. Whenever alterations demand administrator-level permissions, UAC prompts the user, allowing them to either authorize or reject the requested change.
Today we’ll be delving into the CIS Benchmark
2.3.17.5 Ensure ‘User Account Control: Only elevate UIAccess applications that are installed in secure locations’ is set to ‘Enabled’ (Automated)
How does UAC work?
UAC operates by establishing two distinct user account categories: standard user accounts and administrator accounts. Standard user accounts possess restricted system access, allowing only fundamental tasks like web browsing, email checking, or app usage.
What is user UI access?
The user interface serves as a bridge between human and computer processes, facilitating smooth communication through the visual representation of any application, website, or device. It encompasses components such as text, colors, menus, buttons, and videos-everything visible and accessible to users.
How to allow UIAccess applications to prompt for elevation without using the secure desktop?
To allow UIAccess applications to prompt for elevation without using the secure you need to set “Security Settings\Local Policies\Security Options\Allow UIAccess applications to prompt for elevation without using the secure desktop” property to “Enabled” to allow applications with ‘UIAccess’ permission to make the ‘UAC prompt’ to be displayed on user interactive desktop instead of secure desktop.
User Account Control: Only elevate UIAccess applications that are installed in secure locations
When an application requests privileges and presents a UIAccess attribute, it indicates a need to bypass UIPI restrictions for cross-privilege level message transmission. Prior to launching an application with UIAccess privilege, devices implement the following policy checks:
- The application must possess a verifiable digital signature through a digital certificate associated with the Trusted Root Certification Authorities store on the local device.
- The application must be installed in a local folder writable exclusively by administrators, such as the Program Files directory. Allowed directories for UI automation applications include:
a. %ProgramFiles% and its subdirectories.
b. %WinDir% and its subdirectories, with some exclusions for subdirectories where standard users have write access.
Possible values for this policy:
- Enabled: Requires the application to have UIAccess integrity only if it resides in a secure location in the file system.
- Disabled: Allows an application to have UIAccess integrity even if it doesn’t reside in a secure location in the file system.
Vulnerability
UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:
– To set the foreground window.
– To drive any application window using SendInput function.
– To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.
– To set journal hooks.
– To uses AttachThreadInput to attach a thread to a higher integrity input queue.
How to mitigate certain techniques from the MITRE ATT&CK framework?
Mitigating vulnerabilities related to “User Account Control: Only elevate UIAccess applications” involves implementing security best practices and configuring relevant settings to enhance overall system security. Below are some techniques based on the MITRE ATT&CK framework along with their corresponding security setting codes:
Use Alternate Authentication Material: Pass the Hash (T1550.002 – Subvert Trust Controls):
Mitigation:
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy.
Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons
Least Privilege (T1548.002 – Abuse Elevation Control Mechanism):
Mitigation:
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.
Hijack Execution Flow (T1574 – Modify Registry):
Mitigation:
Turn off UAC’s privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000. Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.
Potential impact of enabling User Account Control: UIAccess applications?
If the application that requests UIAccess meets the UIAccess setting requirements, Windows Vista starts the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application will be started without UIAccess rights and can interact only with applications at the same or lower privilege level.
Hardening User Account Control
Manual hardening is prone to human error and inconsistencies, leaving gaps in your defenses. Many regulations and industry standards require specific security configurations and manual configuration changes can introduce accidental vulnerabilities.
Automation ensures every system receives the same level of hardening consistently, saving time and reducing the risk of missed configurations. The efficiency of automation becomes evident in its ability to swiftly apply security measures across all systems, making it highly scalable and adaptable to the growing demands of network and system expansion.
Automated hardening tools like CalCom’s Hardening Suite (CHS) play a crucial role in maintaining consistent compliance with industry regulations, mitigating the risk of fines and penalties associated with non-compliance. The use of automated scripts not only makes the hardening process repeatable but also facilitates easy auditing.
