31.01.2025

Manage, disable UAC in Windows

Windows has a set of mechanisms that keep it in a protected state at different stages of operation. WFP handles network packet filtering, identification and authentication are performed by lsass.exe or Active Directory, and EventLog is responsible for the auditing subsystem. But one of the most important components in this chain is UAC, User Account Control.

In this article we will look at how to configure and apply it, separately on a local device and on a domain node, as well as the tools and methods attackers use to bypass it and how to mitigate them.

What is UAC?

The UAC (User Account Control) security mechanism is designed to control privilege escalation in the operating system by tracking running processes. This lets it catch unauthorised actions and protect the device from executing malicious files. Classically, the prompt looks like this:

Screenshot № 1 — Confirmation

Here the user is told that the application being launched carries the required signatures and where the file sits on the disc. The notification has several variants, depending on the policies set on the device: a prompt in a secure window, a prompt that requires a password, or a plain consent window.

Configuration on the local device

To configure this security mechanism we will use the UAC settings, which set the basic policy, and Group Policy, which specifies the details and finer settings. Press the Win key, type UAC in the search box and choose Change User Account Control settings. A window opens with a slider offering 4 levels of policy:

Screenshot № 2 — Default settings

The fourth, topmost level is labelled Always Notify: the user is notified of every action that needs elevation, including changes to Windows system settings. The request is checked in a secure window.

The third level, which is less strict, notifies of changes made to the device by applications other than system settings, but still opens the prompt in a secure window.

The second level offers the same as the third, except that the confirmation prompt opens on the normal desktop rather than in a secure window, where an intruder's process can confirm it.

The first level disables any influence of UAC on running processes. There are tasks where this mechanism can conflict with other software and get in the way of the device's operation, so the answer to the question 'How to disable Windows UAC?' is the following PowerShell command:

Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0; Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorUser -Value 0

After running this command, UAC drops to the first level, Never Notify. The finer verification and notification settings are discussed below in the section on domain hosts; they also work on local machines.
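As an added example that is not part of the original article, the read-only PowerShell audit below reads the same registry values the command above writes (plus EnableLUA and PromptOnSecureDesktop) and maps them onto the four slider levels described above; the function name and the level mapping are my own approximation of those descriptions, and the value meanings assumed are ConsentPromptBehaviorAdmin 0 = elevate silently, 2 = always prompt, 5 = prompt for non-Windows binaries, ConsentPromptBehaviorUser 0 = deny, 3 = ask for credentials.

```powershell
# Added example, not from the original article. Read-only audit of the registry
# values behind the UAC slider; the function name and level mapping are assumptions.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # Absent values mean the OS default of a stock install.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $admin     = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $user      = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { 3 }
    $secure    = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    # Map onto the article's four slider levels (4 = Always Notify, 1 = Never Notify).
    if     ($enableLua -eq 0)                { $level = 0 }   # UAC switched off entirely, below the slider
    elseif ($admin -eq 0)                    { $level = 1 }
    elseif ($admin -eq 2 -and $secure -eq 1) { $level = 4 }
    elseif ($secure -eq 1)                   { $level = 3 }
    else                                     { $level = 2 }

    # Findings a defender would want to see, worded after the level descriptions above.
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($enableLua -eq 0) {
        $findings.Add('EnableLUA=0: UAC is disabled entirely; no elevation prompts at all')
    }
    if ($admin -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: administrators elevate silently (Never Notify)')
    }
    if ($secure -eq 0) {
        $findings.Add('PromptOnSecureDesktop=0: prompt opens on the normal desktop, where another process can interact with it')
    }
    if ($user -eq 0) {
        $findings.Add('ConsentPromptBehaviorUser=0: elevation requests from standard users are denied automatically (informational)')
    }

    [PSCustomObject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $admin
        ConsentPromptBehaviorUser  = $user
        PromptOnSecureDesktop      = $secure
        SliderLevel                = $level
        Findings                   = $findings
    }
}

Get-UacPosture | Format-List
```

Run it before and after changing the slider or the GPO to confirm that the values on the node actually match the level you intended.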

Configuration on a domain device

This configuration option has more flexible parameters: you can define the behaviour separately for each user group and choose which verification method is used. Open the Run window with Win+R and type the command:

gpmc.msc

Go to your domain policy configuration and a window will open in front of you:

Screenshot № 3 — GPO

Let's go to the folder with local domain policies at the path Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:

Screenshot № 4 — GPO with security options of UAC

In fact, this is the same set of parameters that made up the policy in the UI, only here they can also be configured in detail and distributed to nodes. Let's consider each policy separately:

Screenshot № 5 — List of parameters

The key settings here are ConsentPromptBehaviorAdmin/User, which define how UAC behaves when a user's privileges are escalated and what data is requested. The settings differ for each infrastructure, but there are common practices where the field settings matter:

After the policy is applied, wait until a node in the domain receives the new rules, or force them on the required node with the command:

gpupdate /force

Screenshot № 6 — Update GPO

This mechanism gave us an additional layer of protection that controls privilege escalation whenever a change of rights is requested. Its main tools are requesting account credentials and requesting consent in a secure window, which adds a check that the subject really has rights to the object!