What is User Account Control (UAC)?
User Account Control (UAC) is a security feature in the Windows Operating System designed to mitigate the impact of malware. All users have triggered a UAC prompt at some point. Tasks that may trigger a UAC prompt include trying to install an application or change a setting that requires administrator privileges. A UAC prompt is the pop up that appears and requests the user to confirm they indeed want the install or other change to happen.
Windows Vista introduced the UAC prompt to improve on the security challenges experienced in Windows XP. The UAC prompt has not significantly changed since then, except for some visual improvements in Windows 10.
Why the Need for UAC?
When an application launches in Windows, it is assigned an access token. This token defines the privileges and access for the application. The principle behind Windows UAC is to give local administrators two tokens, one standard token and one admin token.
Initially, only a standard token is issued. However, when an application specifically requests an admin token, by default, it triggers a UAC prompt message to appear. If the user clicks “yes” on the UAC prompt to proceed with execution of their request, then an admin token is issued. The admin token then enables the application to run with a high level of privilege.
An admin token is like an ‘access all areas’ pass that allows the application to do almost anything on the system. So, when an application with an admin token is compromised, an attacker can inflict considerable damage.
Insertion of the UAC step helps minimize the number of applications running with admin tokens that an attacker can exploit. In addition, user account control reduces the risk of an attacker acquiring an admin token without triggering a message to the user for approval.
Since the majority of applications don’t need an admin token to function, users aren’t bombarded with pop ups. Thus, we seem to have an effective security feature in place. But wait, this isn’t the end of the story.
UAC Problem #1 – The user is still a local admin
When a user is a local admin, they control what gets assigned admin tokens simply by clicking ’Yes‘. This means an attacker must simply convince the user to run the malware via a social engineering attack, creating fake software or using innocent sounding file names like “Windows Updater.exe”.
Users are also ‘click blind’, having likely approved hundreds of such messages over the years. When a prompt pops up, muscle memory clicks in and the user hits ‘yes’ to get rid of the pop up. If the user clicks ‘No’, prompts may continue to relaunch until the user finally acquiesces and clicks ‘Yes’. MFA fatigue attacks over the past year, such as from the Lapsus$ group, have effectively used a similar strategy to breach at least several high-profile company networks.
In the worst case, a user with local admin privileges might decide to disable UAC by changing the default setting from ‘notify me’ to ‘never notify’. While this is a way to turn-off UAC prompts, it is dangerous because it removes any user warning or control over what task is being granted privileges.
Finally, some UAC prompts may seem ambiguous to the end user. Consider the prompt below as an example. What changes is the Microsoft Management Console trying to make and why? The user might not know what an application does or what a verified publisher is, let alone what level of privilege is appropriate. Likely the user is just trying to complete a task, and the UAC prompt just gets in the way.
UAC Problem #2 – User Account Control is not actually a security boundary
Before you scroll to the top of the article to check if I am contradicting myself, I said earlier that UAC is a security feature not a boundary. In fact, Microsoft describes UAC as “a fundamental component of Microsoft's overall security vision”. While many folks continue to portray UAC as a security boundary, technically, it isn’t.
Over the years, numerous security researchers and threat actors have successfully explored ways to run their tools without triggering UAC. When these tactics have been reported to Microsoft’s bug bounty program, the Microsoft response has been “UAC is not a security boundary”.
Microsoft doesn’t want their own applications triggering lots of pop-up UAC prompts. Thus, Microsoft created a mechanism so that applications they trust will avoid triggering the UAC prompt. The security downside to this is that trusted applications can then be exploited, or piggy-backed off, to bypass UAC.
Because UAC isn’t considered a security boundary, these bypasses are not viewed as bugs and are not patched. At the time of writing this blog, the UACME project (https://github.com/hfiref0x/UACME - note, some network filters will block this page) lists 76 different UAC bypass techniques. Many of these bypass techniques are actively used in malware to silently elevate privilege on a Windows endpoint. Far more bypasses exist in the wild—those 76 just represent the most popular ones.
Solving UAC challenges with Endpoint Privilege Management
UAC problems 1 and 2 above seem to create a terrible situation, as end users need admin tokens to perform common activities, like install software, install printers, and change settings. If you remove local admin privileges, the end users are secure, albeit less productive. Moreover, users might spend all day raising help desk tickets. Alternatively, if you provision local admin privileges to them, then a threat actor may bypass the operating system’s UAC security mechanism and wield the admin privileges against you.
Fortunately, modern Endpoint Privilege Management tools like BeyondTrust’s Privilege Management for Windows effectively address this challenge, and more. The BeyondTrust solution allows you to immediately remove local admin privileges from all users, which substantially reduces your attack surface. Privilege Management for Windows intercepts UAC and elevation requests and seamlessly elevates just the applications your users need for their role, based on policy.
For known and trusted applications, you can use simple policy rules or out-of-the-box policy templates to seamlessly launch these applications without having to prompt the user. Then, for unknown applications or tasks, you can ask the user to justify why they need a specific application, perform reputational checks, verify the application publisher, or trigger step-up authentication via MFA to ensure both the application and user are who they say they are.
Privilege Management for Windows provides Quick Start templates that make it practical for organizations to tackle common least privilege policy use cases from Day 1, enabling rapid leaps in risk reduction. In addition, custom access tokens allow you to assign privileges at a granular level to ensure no user or application is over-privileged
Don’t fall into the pitfalls of either exposing your organization to the risk of over-privileged local admin users or hampering productivity by under-privileging users. Find the balance between security and productivity, follow security best practices, and, most importantly, build a secure foundation that prevents attackers from gaining privileged access to systems.
Related Endpoint Management Resources
James Maude, Director of Research
James Maude is the Director of Research at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.