Vista's account protection: one click and it's gone


James Bannan, 09 September 2006, 4:35 AM

If TweakVista can turn off Vista's User Account Protection with one click of a checkbox, just how much security does this major new feature of Vista really offer?


Recently we’ve been discovering some of the downsides of User Account Control (UAC) in Windows Vista. One of the things we found was how easy it is to turn off completely.

David Flynn mentioned in a previous article a tool called TweakVista, and one of its features is to modify the behaviour of UAC, or turn it off completely.

These tweaking tools generally just leverage off the system registry, changing strings and DWORDs on the fly. Most of these are, in turn, set by options in local group and security system policies. So in other words, if you know where to look you can just get under the hood and tweak whatever you please.

What worried us with TweakVista was the tickbox to turn UAC off entirely. There was no protected desktop popping up to ask whether we REALLY wanted to do this - it was simply gone. End of story, goodbye.

So the question I asked Microsoft was: if UAC is supposed to help protect people from malicious programs and their own bad choices, how effective can it really be if a benign app like TweakVista can jump straight in there and make whatever changes it likes while Vista slumbers, blissfully unaware of what’s happening?

What’s stopping a malicious app ... say, a downloaded "freeware game" ... from prompting the user for UAC authorisation during the install process and then getting into the registry and disabling UAC?

The response from Microsoft was thus:

"If an application requires administrative privilege, such as Tweak Vista, a prompt is generated through User Access Control (UAC). If consent is given by the user, this then elevates the application to a higher (administrative) integrity level and allows privileged access to occur within the context of that application only. Note that for this to occur, the UAC prompt requires that a user must provide consent before the application will be allowed to run. UAC is only one component of the defence in depth security capabilities of Vista. It is the sum of all Vista's security capabilities - UAC, IE7, Firewall, Defender, MIC, SID and CI - that protect users from inadvertently obtaining and then allowing malicious software to run. Microsoft recommends that users run with standard user privileges, and that they be very careful when running applications with administrative privileges."

This isn’t too surprising really. It confirms what we have come to suspect about UAC - it’s very useful for standard users and totally useless for power users/administrators. If you have to grant admin privileges to a setup process to allow installation, and from there it can do whatever it wants, UAC hasn’t actually protected you at all.

Standard users are in a different position, as when UAC prompts them for action approval, they have to enter an administrative username and password. In this case (assuming they don’t know the password), users ARE protected.

The only downside is that to get full admin rights (particularly at the filesystem level), UAC has to be disabled. This means that standard users aren’t protected. For home users this probably won’t ever be an issue, but for business machines with both admin and normal user accounts on each machine, it’s probably going to mean a bit more work to get things working properly. Hopefully the user benefits of UAC will outweigh this cost.
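As an added example (not from the original article and not TweakVista's code), the Python sketch below audits `reg query` output for the registry values behind the UAC security policies, which is the state a tweaking tool changes once it has been elevated. The value names under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` are real Windows settings that the article does not name; the sample output is constructed.

```python
import re

# Registry key holding the UAC policy values (Vista and later); not named in the article.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (local security policy it backs, DWORD data that weakens UAC)
CHECKS = {
    "EnableLUA": ("Run all administrators in Admin Approval Mode", {0}),
    "ConsentPromptBehaviorAdmin": ("Behavior of the elevation prompt for administrators", {0}),
    "PromptOnSecureDesktop": ("Switch to the secure desktop when prompting for elevation", {0}),
}

# A value line in `reg query` output: indented name, type, hex data.
LINE = re.compile(r"^\s+(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit_uac(text):
    """Return sorted (value_name, finding) pairs for weakened or unreported settings."""
    values = parse_reg_query(text)
    findings = []
    for name, (policy, weak) in CHECKS.items():
        if name not in values:
            findings.append((name, "not reported: " + policy))
        elif values[name] in weak:
            findings.append((name, "weakened: " + policy))
    return sorted(findings)

# Constructed sample: `reg query "<UAC_KEY>"` output on a machine with UAC switched off.
SAMPLE_DISABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for name, finding in audit_uac(SAMPLE_DISABLED):
        print(f"{name}: {finding}")
```

Run periodically against real `reg query` output, this reports a silent change to these values without relying on the user noticing that prompts have stopped.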





Comments


Tin:

I like how they listed IE7 as one of the security features in Vista....

29 February 2008, 8:28 PM (8 months ago)

JAMES:

Maybe if you knew more about IE7, especially the Vista version and how it runs, you wouldn't make such an uninformed post.

IE7 in Vista IS a security feature of Vista - but one would only know that if they bothered to actually read up on it. Don't confuse IE7 in Vista with any other version of IE that ever existed.

Try to know what you're talking about before you talk about it.

29 February 2008, 8:28 PM (8 months ago)

Dan Warne:

To me it's pretty simple: disabling UAP should trigger a SPECIAL authentication process. e.g. it shouldn't just be part of having elevated privileges overall -- once a program has been authenticated for administrative privileges, it shouldn't automatically be able to disable UAP.

If ANY program tries to disable UAP, Windows should pop up an alert warning the user that something is trying to disable a critical part of Windows' security.

Frankly it's arguable that the security layer is worth nothing if a user can disable it so easily.

Windows' lack of 'front of house' security has been its fundamental weakness from the beginning. If you make it so easy for users to disable the prompts, people are obviously going to do it... because they're annoying. Then viruses are just going to propagate as they always have before.

I must say Mac OS X seems to have the user authentication process right. There is no way of disabling it, but it doesn't have as many alerts as Windows does, so it doesn't get annoying. You really only need to authenticate when changing really important system settings, or installing software. Plus it doesn't go the whole "greyed out screen" thing (that's one of the things I find the most annoying). It just pops up a dialogue.

29 February 2008, 8:28 PM (8 months ago)

Samuel:

Actually, if UAC is disabled the system prompts the user with a critical alert at the Security Center, so the tray shows the red shield.

Nobody told us that UAC would be the perfect user security feature, it is just another step.

I agree with Dan that UAC prompts should be less than they are at present, and disabling UAC should be harder to do as installing an application and changing a registry value that defines a system security item is actually very easy.

29 February 2008, 8:28 PM (8 months ago)

Xepol:

streamlines the process of turning off UAC, which 99.9% of people will probably do within an hour of running vista. 5 minutes to get annoyed, 54:59 minutes of googling about it and a second to turn it off...

29 February 2008, 8:28 PM (8 months ago)

Chris:

You don't even need TweakVista to disable UAC. All you have to do is go to user accounts and unclick the UAC check box. But it seems like most people just see a different looking GUI and then stop at that....

29 February 2008, 8:28 PM (8 months ago)

mjh:

UAC can be turned off in Vista's own Control Panel -- no extra software required. Though the consequences are as Samuel described.

29 February 2008, 8:28 PM (8 months ago)

Ruel Smith:

Another step? It's getting left behind. Linux has been secure for a long time now.

29 February 2008, 8:28 PM (8 months ago)

Jan304:

Quote from Samuel:
Actually, if UAC is disabled the system prompts the user with a critical alert at the Security Center, so the tray shows the red shield.

I know programs that disable the default windows firewall (with confirmation of the user of course) and then automatically change something in the registry so windows no longer nags about "no firewall". With this in mind, Microsoft probably has built the same feature for UAC...

So what is stopping virus/trojan writers from preventing that warning from popping up?

Can somebody confirm this btw? I don't have vista so...

29 February 2008, 8:28 PM (8 months ago)

dh:

Jan304, Windows offers a way to do it in the Firewall Options. Is one of those programs called Windows XP?

And it no longer nags about no firewall.

29 February 2008, 8:28 PM (8 months ago)

Ovi:

Once the application has got the rights of an Administrator it can perform anything an Administrator is allowed. If you approve an untrusted application to gain complete access to your system, the result is completely your responsibility. Sorry but the whole story is missing the point. Application GOT explicit approval to do whatever it wants so you should not wonder that it can turn off UAC. Some users SHOULD by any means be able to turn off UAC. This is the administrator. Any application running under Administrator credentials can do anything (as a control panel applet). Please inform yourself on security principles before publishing inflammatory stories.

29 February 2008, 8:28 PM (8 months ago)

Nemo:

Something was not clear to me. I'll try to write down what I have understood:

1. UAC exists
2. I can disable UAC through TweakVista
3. To disable UAC, TweakVista asks me for my account password
4. I provide my password to it and so I give the TweakVista process the privileges to disable UAC.
5. TweakVista disables UAC.

Ok, now I'll write what I didn't understand:

After step 5, is a user totally unprotected, or totally protected without the possibility to obtain admin privileges anymore? More precisely, were the user account privileges turned into admin for all processes which will be executed in the same session? Or was the account locked down to its non-admin privileges during all the time the session remains active?

In the first case, UAC is useless, because any application can ask for admin privileges and then disable UAC.

I hope I was clear.

29 February 2008, 8:28 PM (8 months ago)

Marc:

In a linux/unix environment, if I know the root password I can do the same thing. So why is everyone whining about this "feature" in vista? If the user doesn't have admin rights (or know the admin password), they can't turn off UAC.

29 February 2008, 8:28 PM (8 months ago)

Jack Cox:

Are you simple Marc? What this "feature" amounts to is removing the requirement for root access. You can't login to a *nix terminal and instruct the operating system to ignore the requirement for root access to perform certain functions, because it's a fundamental part of the way the environment works.

Yes, you can use the root password to stuff up your system. What this does is make it so that you can stuff Vista up just as badly WITHOUT the root password, as long as you disable UAC.

The implications are huge - for one thing UAC is clearly implemented poorly. If user X is tricked into disabling UAC protection by a bit of social engineering, their PC is all of a sudden able to be compromised without needing admin rights - exactly the thing that UAC was designed to prevent.