User Account Control (UAC) plays a crucial role in Windows security by mitigating the risk of malware. It accomplishes this by restricting the capacity of malicious code to run with administrator privileges.

We will discuss in this blog CIS benchmarks for:

User Accounts and how to control them

The User Account Control settings are designed to deter potentially harmful programs and software from modifying your device. If you have been asked to change these controls on an enrolled work or school device, it means your organization requires increased protection for that device.

Adjust protection level to meet your organization’s requirements:

  1. Go to Start and open Control Panel.
  2. Select System and Security.
  3. Under Security and Maintenance, select Change User Account Control settings.
  4. Move the slider to one of the following levels:
    • Notify me only when apps try to make changes to my computer (default)
    • Always notify
  5. Select OK to save your changes.
  6. Select Yes when prompted to confirm the changes.

Upon adjusting the User Account Control settings, revisit the Company Portal and perform a device check to ensure that the app registers the modifications.

To adjust UAC settings:

  1. In the search bar, type “UAC” and click on “Change User Account Control settings”.
  2. Use the slider to select the desired level of notification/alert. Moving the slider to the top will notify you whenever apps try to make changes, while moving it to the bottom will disable notifications.
  3. Click “OK” to save the changes.

User Account Types in Windows

The following outlines the three types of accounts on Windows-based computers and helps you identify your own account type.

  1. Standard User accounts are designed for routine computing tasks.
  2. Administrator accounts offer the highest level of control over a computer and should be utilized only when essential.
  3. Guest accounts are primarily intended for individuals requiring temporary access to a computer.

Change User Account Control settings in GPO

Whenever alterations are made to Windows settings or an application attempts to install software or modify a user’s computer, prior notification to the user is necessary. If the User Account Control is configured to the “always notify” level, a prompt will be displayed requesting the user’s permission to authorize the changes to the computer.

Force UAC enabled for Windows

Enables User Account Control (UAC), if it is not enabled.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SOFTWARE\FastTrack Software\Admin By Request\Policies
Value Name: EnableUAC
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

UAC Settings for Security

The CIS benchmark 2.3.17 for User Account Control (UAC) specifically addresses the security configuration settings related to UAC on Windows operating systems.

While UAC is enabled by default, the specific policy settings determine the resulting security level. Examining each core UAC setting individually shows how a hardened configuration strengthens both the level of protection and the enforcement actions taken.

The CIS User Account Control section assesses each key UAC policy control individually and gives best-practice recommendations for hardening this foundational Windows security mechanism against common attack vectors. The settings are:

2.3.17.1 Ensure ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.

The options are:

– Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.

– Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.

2.3.17.2 Ensure ‘User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode’ is set to ‘Prompt for consent on the secure desktop’ (Automated)

Security setting: This policy setting controls the behavior of the elevation prompt for administrators.

The options are:

– Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.

– Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user’s highest available privilege.

– Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user’s highest available privilege.

– Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

– Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user’s highest available privilege.

– Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user’s highest available privilege.

2.3.17.3 Ensure ‘User Account Control: Behavior of the elevation prompt for standard users’ is set to ‘Automatically deny elevation requests’ (Automated)

Security setting: This policy setting controls the behavior of the elevation prompt for standard users.

The options are:

– Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

– Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.

– Prompt for credentials on the secure desktop: (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. Note that this option was introduced in Windows 7 and it is not applicable to computers running Windows Vista or Windows Server 2008.

2.3.17.4 Ensure ‘User Account Control: Detect application installations and prompt for elevation’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting controls the behavior of application installation detection for the computer.

The options are:

– Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

– Disabled: (Default for enterprise) Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.

2.3.17.5 Ensure ‘User Account Control: Only elevate UIAccess applications that are installed in secure locations’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:

– …\Program Files\, including subfolders

– …\Windows\system32\

– …\Program Files (x86)\, including subfolders for 64-bit versions of Windows

Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.

The options are:

– Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.

– Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

2.3.17.6 Ensure ‘User Account Control: Run all administrators in Admin Approval Mode’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.

The options are:

– Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.

– Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

2.3.17.7 Ensure ‘User Account Control: Switch to the secure desktop when prompting for elevation’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting controls whether the elevation request prompt is displayed on the interactive user’s desktop or the secure desktop.

The options are:

– Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.

– Disabled: All elevation requests go to the interactive user’s desktop. Prompt behavior policy settings for administrators and standard users are used.

2.3.17.8 Ensure ‘User Account Control: Virtualize file and registry write failures to per-user locations’ is set to ‘Enabled’ (Automated)

Security setting: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.

The options are:

– Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.

– Disabled: Applications that write data to protected locations fail.
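
The eight settings above can be audited on a host by reading the registry values that Group Policy writes for them. The script below is an added example, not code from the original post or from CIS; the value names and expected data it uses are the well-known policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and are not listed on the page.

```powershell
# Added example: audit the CIS 2.3.17 UAC settings from the backing registry values.
# Run in an elevated PowerShell session so the policy key is readable in full.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# CIS item -> backing registry value and the data CIS recommends
$Baseline = @(
    @{ Id='2.3.17.1'; Name='FilterAdministratorToken';   Expected=1; Title='Admin Approval Mode for built-in Administrator' }
    @{ Id='2.3.17.2'; Name='ConsentPromptBehaviorAdmin'; Expected=2; Title='Admin prompt: consent on the secure desktop' }
    @{ Id='2.3.17.3'; Name='ConsentPromptBehaviorUser';  Expected=0; Title='Standard user prompt: automatically deny' }
    @{ Id='2.3.17.4'; Name='EnableInstallerDetection';   Expected=1; Title='Detect application installations' }
    @{ Id='2.3.17.5'; Name='EnableSecureUIAPaths';       Expected=1; Title='UIAccess only from secure locations' }
    @{ Id='2.3.17.6'; Name='EnableLUA';                  Expected=1; Title='Run all administrators in Admin Approval Mode' }
    @{ Id='2.3.17.7'; Name='PromptOnSecureDesktop';      Expected=1; Title='Switch to the secure desktop for elevation' }
    @{ Id='2.3.17.8'; Name='EnableVirtualization';       Expected=1; Title='Virtualize file and registry write failures' }
)

function Test-UacBaseline {
    # A missing value is reported as 'not set' and counted as a failure rather
    # than assumed compliant: the OS default can differ from the CIS value
    # (2.3.17.1, for example, defaults to Disabled when the value is absent).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    foreach ($item in $Baseline) {
        $actual = $props.PSObject.Properties[$item.Name].Value
        [pscustomobject]@{
            CisId    = $item.Id
            Setting  = $item.Title
            Value    = $item.Name
            Expected = $item.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Pass     = ($actual -eq $item.Expected)
        }
    }
}

$results = Test-UacBaseline
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} of {1} CIS 2.3.17 checks failed' -f $failed.Count, $results.Count)
}
```

A change to EnableLUA (2.3.17.6) only takes effect after a restart, so a freshly remediated host can still report the old value until it reboots.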

Vulnerability in the UAC settings

When configured with inadequate security, the UAC system contains weaknesses that can enable malicious software and unauthorized users to bypass intended restrictions. Flaws within default UAC settings allow adversaries to silently evade prompts, manipulate executions through hijacked elevated processes, and gain administrative control without consent actions. Below we will discuss UAC setting vulnerabilities.

CVE-2020-1509 Elevation of privilege vulnerability exists in the Local Security Authority Subsystem Service (LSASS):

This CVE is linked to a security vulnerability in User Account Control (UAC) in certain versions of Windows that could allow an attacker to bypass UAC restrictions and execute arbitrary code with elevated privileges.

CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability:

This vulnerability could potentially be used to bypass UAC prompts altogether, as attackers would have elevated privileges to manipulate the system.

CVE-2021-41526 Windows Installer Elevation of Privilege:

A security flaw has been identified in Windows Installer (MSI) packages that incorporate an InstallScript custom action. This vulnerability could lead to privilege escalation when the ‘repair’ function of an MSI containing an InstallScript custom action is executed. It could allow an attacker to bypass UAC controls during the installation process, granting them unauthorized access to make system changes.

Hardening User Account Control

Hardening UAC is imperative: minimize the number of user accounts in the Administrators group, enable detection of all privilege elevation events, require consent for application installations, log detailed activity trails, and patch policy gaps.
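
Detecting privilege elevation events in practice means reviewing which processes were started with a full administrator token. The script below is an added example, not code from the original post; it assumes "Audit Process Creation" is enabled so that Security event 4688 is logged, that the session can read the Security log, and it relies on the 4688 event schema (ParentProcessName is present on Windows 10 and later).

```powershell
# Added example: list recent process launches that ran with a full (elevated)
# token, from Security event 4688 "A new process has been created".
function Get-ElevatedProcessEvents {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TokenElevationType %%1937 = TokenElevationTypeFull: the new process holds an
        # unfiltered administrator token. With UAC enabled this is what a process gets
        # after the user approves an elevation prompt; the built-in Administrator and
        # service accounts also run with full tokens, so review the User column.
        if ($data['TokenElevationType'] -eq '%%1937') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']
            }
        }
    }
}

Get-ElevatedProcessEvents | Format-Table -AutoSize
```

Elevated launches whose parent is not a known management tool, or that come from a user who should not be in the Administrators group, are the entries worth investigating first.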

Aligning UAC principles with least privilege access methodologies establishes checks and balances against exploitation. Undertaking UAC security hardening measures allows organizations to obstruct attack vectors targeting Windows environments through defense-in-depth.
