The standard role-separation mechanism in Windows for a local administrator is to have a single account, but protect it using UAC, and configure it for Always Notify if increased security is desired. Unfortunately, this mechanism is perpetually vulnerable to bypasses. See "Microsoft said UAC is not a security barrier. But in what cases?"
To prevent the bypasses, a more secure strategy is to have two separate user accounts, one admin and one non-admin, for the user. Then there's no UAC bypass, except for occasional privilege escalation vulnerabilities (much more rare than intra-account UAC bypasses) found in Windows.
Unfortunately, that more secure strategy is also more of a hassle, because the user must enter a password every time he gets an elevation prompt, instead of just clicking a button. So my idea is this: have both the admin and the non-admin account share the same password. When the admin account password-entry prompt is displayed, if the user just clicks OK with a blank password, Windows should first try using the (already logged in, of course) non-admin account's password by default.
Of course, you can already create two accounts with the same password. The change I'm proposing is an enhancement to the elevation mechanism, to optimistically assume that you did use the same password for both accounts.
It seems this would combine the UX convenience of a single account (just click a button to elevate) with the security of separate accounts. My question is: is that actually true? If not, what did I miss? E.g. the kind of answer I'm looking for is: Your idea is broken because... (insert my logic error here).
As an additional benefit over the standard strategy of separate accounts with separate passwords, my idea would prevent password phishing by non-elevated malware, since the user is conditioned to just click a button, not enter his password in elevation prompts.