Does enabling UAC and setting the Admin approval behavior to Elevate without prompting provide any form of extra security to the Administrator account? Note that my use case is for a Kiosk application where user interaction in Admin mode is very limited.
UAC is not a security boundary under the best of scenarios, so it provides no significant enhancements to security. – Steve Nov 15 '17 at 18:30
+1 @Steve UAC is more a big-red "warning you are about to f*ck with this" button. It doesn't technically prevent any attack, except the social/phishing aspect. However, given that UAC in high mode can be quite irritating, like all 'irritating security warnings' it may very well just be clicked through, especially given the user will likely already have downloaded/interacted beforehand. So it can provide extra security, but it could weaken it by becoming an annoyance and removing consequence from action (de-sensitising your users). As Steve said, it's merely a warning - sweet f/a more. – Reality Jul 20 '19 at 00:47
6 Answers
UAC was implemented as a way to control who installed software on a device and not really as a security measure. It's more of a management solution than a security solution.
WRT the Administrator account: that should be used only sparingly. A more secure solution to that would be to rename the account and then disable it, then create other Administrator-level accounts for specific users.
I agree. And its usage should be done depending on specific situations. – Overmind Dec 06 '19 at 06:29
It is a bad idea, if you check out the documentation here:
Elevate without prompting. Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials.
note: Use this option only in the most constrained environments.
This just notifies the administrator of execution attempts; it doesn't stop the program from executing. It is worse than the basic UAC that prompts for user consent.
I would recommend setting the UAC setting to maximum despite the fact that Microsoft does not treat it as a security boundary as this can often prevent privilege escalation from administrator to system privileges. However, if this isn't a concern, I can't imagine why you would ask an infosec forum this question at all.
This does not really answer the question. What do you mean by setting to maximum? That would mean maximum annoyance for experienced people. – Overmind Dec 06 '19 at 06:30
User Account Control is disabled on the built-in Administrator account (this is not the same as elevate without prompt) by default. As such, it would not provide its features.
If you turn on Admin Approval Mode for the built-in Administrator account, then it will provide its features.
Please remember, User Account Control is not a security boundary, and one should not solely rely on it.
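An added example, not part of any answer above or of Microsoft's documentation: a read-only PowerShell audit of the settings these answers discuss (the admin elevation prompt behaviour, Admin Approval Mode for the built-in Administrator, and whether that account is enabled). It assumes the standard policy registry values `EnableLUA`, `ConsentPromptBehaviorAdmin` and `FilterAdministratorToken` with their documented defaults when unset; the helper name `Get-UacPolicyValue` is hypothetical.

```powershell
# Added example: read-only audit of the UAC policy values discussed on this page.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of ConsentPromptBehaviorAdmin (admin elevation prompt behaviour)
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

# Hypothetical helper: return the policy value, or the assumed default if unset
function Get-UacPolicyValue {
    param([string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$enableLua   = Get-UacPolicyValue -Name 'EnableLUA' -Default 1
$behavior    = Get-UacPolicyValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
$filterAdmin = Get-UacPolicyValue -Name 'FilterAdministratorToken' -Default 0

# Find the built-in Administrator by its well-known RID 500, so a rename does not hide it
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$findings = @()
if ($enableLua -eq 0) {
    $findings += 'EnableLUA=0: UAC is off; administrators always run with a full token.'
}
if ($behavior -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin=0: elevation requests succeed with no consent or credentials.'
}
if ($builtin.Enabled -and $filterAdmin -eq 0) {
    $findings += "Built-in Administrator '$($builtin.Name)' is enabled and not in Admin Approval Mode."
}

[pscustomobject]@{
    UacEnabled           = [bool]$enableLua
    AdminPromptBehavior  = $adminPrompt[$behavior]
    BuiltinAdminApproval = [bool]$filterAdmin
    BuiltinAdminName     = $builtin.Name
    BuiltinAdminEnabled  = $builtin.Enabled
    Findings             = $findings
} | Format-List
```

The script changes nothing; on a kiosk image it can be run from a management session to confirm which of the configurations described above is actually in effect.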
UAC is not security. UAC is a protection against user misuse.
For an administrator, UAC is just the 1st thing that is being turned off after installing a recent Windows OS. That is why some prefer to use the built-in Administrator account, as it has no such restrictions.
For the normal average non-IT users, it can help protect them from doing wrong things, but in a pretty limited manner.
So it should be left on for normal users and turned off for experienced admins.
As for the additional protection it may offer against malware, it does not help much, because unaware users who clicked on something will most of the time click to continue as well. It does indeed help against some automated deployment of malware.
Microsoft does not consider UAC a security boundary, does not service most reported bugs/bypasses, and does not pay bug bounties. Source: Official Windows Servicing Criteria.
There are blogs and repos (e.g. here) that document and implement UAC bypasses, some that eventually get fixed, but some of which are old and may never be fixed.
This is all to say that UAC is nothing but a small hiccup for all but the weakest attackers. Automated malware may be partially mitigated if it doesn't account for UAC or use a bypass that is well documented and can be watched for or signatured.
The primary risk that UAC addresses is admins executing unintended system changes without realizing it, because it makes them take an extra step. If you consider that a valid risk, then deploy it. (I'm assuming here that the normal kiosk user is a non-admin account, which of course is the right answer if you care at all about security).