Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user's access token from the parent process. Both the parent and child processes, however, must have the same integrity level. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.
Integrity levels are measurements of trust. A "high" integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a "low" integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy.
Policy setting "User Account Control: Admin Approval Mode for the Built-in Administrator account" controls the behavior of Admin Approval Mode for the built-in Administrator account.
- Enabled The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.
- Disabled (Default) The built-in Administrator account runs all applications with full administrative privilege.
The UAC User Experience
When UAC is enabled, the user experience for standard users is different from that of administrators in Admin Approval Mode. The recommended and more secure method of running Windows 10 is to make your primary user account a standard user account. Running as a standard user helps to maximize security for a managed environment. With the built-in UAC elevation component, standard users can easily perform an administrative task by entering valid credentials for a local administrator account. The default, built-in UAC elevation component for standard users is the credential prompt.
Is UAC secure?
UAC is not a security feature. It’s a convenience feature that acts as a forcing function to get software developers to get their act together [4].
There’s a control panel that lets you specify how often you want to be prompted by UAC. You can set any of four levels:
- Always notify
- Notify only when apps try to change settings, use the secure desktop
- Notify only when apps try to change settings, don’t use the secure desktop
- Never notify
Although it looks like there are four settings, in a theoretical sense, there really are only two settings.
- Always notify
- Never notify
UACMe [3]
Reference:
[1] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
[2] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings
[3] https://github.com/hfiref0x/UACME
[4] https://channel9.msdn.com/
[5] https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94105
0 comments:
Post a Comment