What is the use of User Account Control?
User Account Control (UAC) serves as a security feature in Windows, aiming to safeguard the operating system from unauthorized modifications. Whenever alterations demand administrator-level permissions, UAC prompts the user, allowing them to either authorize or reject the requested change.
UAC Benefits
User Account Control (UAC) provides several benefits, especially in maintaining security and minimizing risks associated with administrative privilege. UAC enhances security by preventing unauthorized changes to the system, ensuring that tasks that require administrative privilege are executed only when necessary. When a user selects an action involving such tasks, UAC intervenes by requesting elevation.
If a task requires administrator rights, the system will prompt for credentials, ensuring that only someone who enters valid credentials can proceed. Running applications in a standard user security context minimizes the risk of malware executing with full system privileges.
How does UAC work?
UAC operates by establishing two distinct user account categories: standard user accounts and administrator accounts. Standard user accounts possess restricted system access, allowing only fundamental tasks like web browsing, email checking, or app usage.
User Accounts and how to control them
The User Access Control settings are designed to deter potentially harmful programs and software from modifying your device. If you’ve been notified to modify these controls on a work or school device under enrollment, it indicates that your organization mandates increased protection for your device.
Adjust protection level to meet your organization’s requirements:
- Go to Startand open Control Panel.
- Select System and Security.
- Under Security and Maintenance, select Change User Account Control settings.
- Move the slider to one of the following levels:
- Notify me only when apps try to make changes to my computer (default)
- Always notify
- Select OKto save your changes.
- Select Yeswhen prompted to confirm the changes.
Upon adjusting the UAC settings, revisit the Company Portal and perform a device check to ensure that the app registers the modifications.
To adjust UAC settings:
- In the search bar, type “UAC”and click on “Change User Account Control settings”.
- Use the slider to select the desired level of notification/alert. Moving the slider to the top will notify you whenever apps try to make changes, while moving it to the bottom will disable notifications.
- Click “OK”to save the changes.
User Account Types in Windows
The following outlines the three types of accounts on Windows based computers and assists in identifying your user account type.
- Standard User accounts are designed for routine computing tasks.
- Administrator accounts offer the highest level of control over a computer and should be utilized only when essential.
- Guest accounts are primarily intended for individuals requiring temporary access to a computer.
Change User Account Control settings in GPO
Whenever alterations are made to Windows settings or an application attempts to install software or modify a user’s computer, prior notification to the user is necessary. If the User Account Control is configured to the “always notify” level, a prompt will be displayed requesting the user’s permission to authorize the changes to the computer.
Force UAC enabled for Windows
Enables User Account Control (UAC), if it is not enabled.
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\FastTrack Software\Admin By Request\Policies |
| Value Name | EnableUAC |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
UAC Settings for Security
The CIS benchmark 2.3.17 for User Account Control (UAC) specifically addresses the security configuration settings related to UAC on Windows operating systems.
While UAC is enabled by default, specific policy configurations govern resulting security levels. Examining core UAC components individually reveals how customized settings strengthen protection grades and enforcement actions.
User Account Control Settings focus on individually assessing key UAC policy controls to cultivate best practice recommendations for hardening this foundational Windows security paradigm against prevalent attack vectors. The following settings are:
2.3.17.1 Ensure ‘User Account Control: Admin Approval Mode for the Built-in Administrator account’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.
2.3.17.2 Ensure ‘User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode’ is set to ‘Prompt for consent on the secure desktop’ (Automated)
Security setting: This policy setting controls the behavior of the elevation prompt for administrators.
2.3.17.3 Ensure ‘User Account Control: Behavior of the elevation prompt for standard users’ is set to ‘Automatically deny elevation requests’ (Automated)
Security setting: This policy setting controls the behavior of the elevation prompt for standard users.
2.3.17.4 Ensure ‘User Account Control: Detect application installations and prompt for elevation’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting controls the behavior of application installation detection for the computer.
2.3.17.5 Ensure ‘User Account Control: Only elevate UIAccess applications that are installed in secure locations’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:
2.3.17.6 Ensure ‘User Account Control: Run all administrators in Admin Approval Mode’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
2.3.17.7 Ensure ‘User Account Control: Switch to the secure desktop when prompting for elevation’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting controls whether the elevation request prompt is displayed on the interactive user’s desktop or the secure desktop.
2.3.17.8 Ensure ‘User Account Control: Virtualize file and registry write failures to per-user locations’ is set to ‘Enabled’ (Automated)
Security setting: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
Vulnerability in the UAC settings
When configured with inadequate security, the UAC system contains weaknesses that can enable malicious software and unauthorized users to bypass intended restrictions. Flaws within default UAC settings allow adversaries to silently evade prompts, manipulate executions through hijacked elevated processes, and gain administrative control without consent actions. Below we will discuss UAC setting vulnerabilities.
CVE-2020-1509 Elevation of privilege vulnerability exists in the Local Security Authority Subsystem Service (LSASS):
This CVE is linked to a security vulnerability in User Account Control (UAC) in certain versions of Windows that could allow an attacker to bypass UAC restrictions and execute arbitrary code with elevated privileges.
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability:
This vulnerability could potentially be used to bypass UAC prompts altogether, as attackers would have elevated privileges to manipulate the system.
CVE-2021-41526 Windows Installer Elevation of Privilege:
A security flaw has been identified in the Windows Installer (MSI) that incorporates an InstallScript custom action. This vulnerability could potentially lead to privilege escalation when the ‘repair’ function of the MSI, containing an InstallScript custom action, is executed.This vulnerability could allow an attacker to bypass UAC controls during the installation process, granting them unauthorized access to make system changes.
Hardening User Account Control
Hardening UAC is imperative by minimizing user accounts in the Administrators group, enabling detection for all privilege elevation events, requiring consent to application installations, logging detailed activity trails, and patching policy gaps.
Aligning UAC principles with least privilege access methodologies establishes checks and balances against exploitation. Undertaking UAC security hardening measures allows organizations to obstruct attack vectors targeting Windows environments through defense-in-depth.
