
I'm the admin for a Windows 10 machine with a few local users. While I understand there are other ways to bypass security with access to the physical machine, I'd like to protect against hacks that bypass the UAC by running some trick of RunAsInvoker, regedit, or folder renaming.

I've changed the User Notify session to Always notify from Notify me only when programs try to make changes to my computer, but I don't think this is enough.

I'm a bit surprised that local non-admin users can bypass the UAC so easily. The intent is to prevent users from installing additional software on the machine that would normally require UAC access (maybe I'm misunderstanding the point of a local user?).

Hooked
  • What are you trying to achieve? Stop users from running other software than the provided set? – vidarlo Jul 30 '21 at 20:21
  • @vidarlo yes, that's the intention. Sorry for not being clear. – Hooked Jul 30 '21 at 20:22
  • They're not bypassing UAC to run software as privileged user. They're simply running applications with the privileges of their own user. See my answer for the solution to your problem. – vidarlo Jul 30 '21 at 20:29

1 Answer

You can run and install software without being admin. UAC doesn't enter into the equation. What you're looking for is AppLocker or WDAC.

You will have to combine this with appropriate file system permissions, to ensure that users can't overwrite resources used by legitimate software to run their own code.

If you have malicious users who actively try to bypass your protections, you're in for a rough ride; local privilege escalation attacks are quite frequent and notoriously hard to protect against. One approach is not likely to be enough; you have to combine fine tuned file system permissions with whitelisting techniques such as WDAC or AppLocker, and in addition ensure rapid patching and extensive group policies to limit users.

UAC is not intended to stop people from running software with their own privileges. It's intended to make people aware that they're running software with elevated privileges, and potentially require re-authentication for that act.

Your users are not bypassing UAC; they're simply running software with the privileges of their own user, not administrative rights.

vidarlo
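One way to set up what the answer recommends, as an added example that is not part of the answer or of any Microsoft documentation: a path-based AppLocker allow-list applied in audit mode, a check that the same binary is only allowed from a protected location, and a scan for folders under Program Files that standard users can write to. The policy path and the temporary probe file are assumptions of this example; it is meant to be run from an elevated PowerShell on a Windows 10 edition that enforces AppLocker.

```powershell
# Added example (not the answer's own code). Assumed placeholder path:
$policyPath = 'C:\Policies\applocker-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

function New-RuleSet {
  # One allow rule per line; each call generates fresh rule GUIDs so the
  # same set can be reused in more than one rule collection.
  $rule = { param($Name, $Path, $Sid)
    "    <FilePathRule Id='$([guid]::NewGuid())' Name='$Name' Description='' UserOrGroupSid='$Sid' Action='Allow'><Conditions><FilePathCondition Path='$Path' /></Conditions></FilePathRule>" }
  @(
    & $rule 'Program Files'  '%PROGRAMFILES%\*' 'S-1-1-0'       # Everyone
    & $rule 'Windows'        '%WINDIR%\*'       'S-1-1-0'       # Everyone
    & $rule 'Administrators' '*'                'S-1-5-32-544'  # BUILTIN\Administrators
  ) -join "`n"
}

# Once a rule collection contains rules, anything not matched is denied, so
# user-writable locations (Downloads, AppData, TEMP) are simply left out.
# AuditOnly logs what would be blocked; switch to Enabled after reviewing.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-RuleSet)
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
$(New-RuleSet)
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8

Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc   # rules only apply while this service runs

# Same binary, two locations: allowed from %WINDIR%, denied from a folder
# the user controls, which is the distinction the answer draws.
$probe = Join-Path $env:TEMP 'notepad-copy.exe'   # constructed probe file
Copy-Item "$env:WINDIR\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path "$env:WINDIR\notepad.exe", $probe |
  Format-Table FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# Path rules are only as strong as the ACLs on those paths: list folders
# under Program Files where standard users could drop or replace a file.
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' -Directory -Recurse -ErrorAction SilentlyContinue |
  Where-Object {
    (Get-Acl $_.FullName -ErrorAction SilentlyContinue).Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      $_.IdentityReference -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
      $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles'
    }
  } | Select-Object -ExpandProperty FullName
```

Any folder the last command prints should have its ACL tightened before the policy is switched from AuditOnly to Enabled, since a path rule allows whatever is placed there.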