11

I'm currently thinking about increasing security on my Windows machine.

As part of this harderning I considered the least-privilege principle and want to apply this on Windows using two different user accounts: An administrator account and a normal user account (for everyday usage).

Now I asked myself:

Does using two different accounts actually increase security as opposed to running a (single admin) user account + UAC?

SEJPM
  • 9,500
  • 5
  • 35
  • 66
  • Certain malware executes at the maximum privilege level of the current (infected) user account. So, using a low privilege account will help limit the damage done (consider case of ransomwares ) – Nikhil_CV Oct 03 '15 at 01:50

1 Answers1

8

Short Answer
Use a limited account for performing the day to day activities and have a separate account with administrative privileges for performing tasks that require elevated privileges.

Long Answer
User Access Control is not considered a security boundary by Microsoft. The reason is that due to the design of Microsoft Vista and later, processes hold only a limited privilege token when launched and explicitly require elevated privileges which are protected by the UAC in a default state. As you can see, as long as the process don't request elevated privileges, UAC won't come into play. It means a malware will have access to everything the user account has access to without requiring any elevated privileges. The data of the user is much more important than getting NT AUTHORITY\SYSTEM privileges.

Another thing which needs clarification is the Always Notify setting of the UAC. It is generally understood that UAC in the default state i.e. "Notify only when programs try to make changes to my computer" can be bypassed in a lot of ways. Exploitation frameworks such as Metasploit has dedicated modules to achieve the UAC bypass in the default state where the process is silently elevated without any UAC consent dialogue. However, the same is true for the Always Notify setting as well. For example, take a look at technique outlined here. A brief summary of the technique is instead of asking for elevation interactively, register the process to the Task Scheduler with the logged in user. In Microsoft terminology, it is called S4U (service for user). The task when executed will have elevated privileges without requiring any consent from the user of privilege elevation and this is true even if the UAC is set to the highest security setting which is Always Notify.

Conclusion
UAC is beneficial in a lot of ways if the user don't have administrative privileges. Have a separate limited user account where every time elevated privileges are required, the user will be asked by the UAC prompt for the administrator user's password. If the user already have administrative privileges, UAC is of little use.

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
void_in
  • 5,541
  • 1
  • 20
  • 28