Confusion about Vista Features: What UAC Really Is

As you may know I am just putting the finishing touches on a new book. Roger Grimes and I teamed up to write Windows Vista Security. In the course of doing the research for the book, and just keeping up with the popular press lately, it has become obvious that there is a lot of confusion about User Account Control (UAC) in Vista. The chapter on UAC in the book goes into detail on exactly what UAC is and what it is supposed to do, and I thought I would give a little preview here.

There seems to be a fairly consistent consensus that the purpose of UAC is to block malicious code on your system from horking your system completely. It is not entirely clear where this consensus comes from though. To see whether Microsoft had stated that this was the case I did a brief survey of some of the 1000 or so pages on Microsoft.com that mention "UAC" and one or more of "security feature" and "malware". I was looking for something that claimed that UAC will stop malware that is executing on your system from elevating to an administrator and taking over your system.

I did not look at all of the pages, but the only place I found that meaningfully combined "UAC" and "security feature" was in an IT Showcase white paper that claims:
 "UAC helps reduce the impact of malicious software" (http://www.microsoft.com/technet/itshowcase/content/vistasecurity_twp.mspx)

Almost exactly the same claim is made in the Windows Vista Security Guide:
"This helps reduce the affect[sic] of malware" (http://www.microsoft.com/technet/windowsvista/security/defend_against_malware.mspx)

That's a bit tenous as a claim, but it also stops just short of saying that UAC stops malware, even though it could certainly be interpreted as such by anyone who wanted to. I had more luck combining "UAC with "Malware". The "Defend againsta malware" chapter in the guide features UAC as the primary technology that does this. It recommends running with UAC turned on - for the most part - and it lists a number of mitigation considerations when using UAC to mitigate against malware. One consideration, however, is glaringly missing:

 UAC does not, nor is it intended to, stop malware.

UAC's purpose is to enable more users to run as a standard user. Microsoft may have hinted that its purpose was to stop malware - even more than hinted, in the case of the Vista Security Guide - but this is really incorrect. Of course, one cannot but claim that an attendant goal was to provide some level of protection for apps running as an admin from those that were not, but that was not by any means the primary purpose of UAC. The primary purpose was to start us on a path where more users run as standard user. This in turn will force ISVs to write more programs that work as a standard user, which reduced further the number of situations where users need to elevate. As ISVs write better apps, the number of prompts the user gets goes down, and the user experience is better. In the process we ideally end up in a situation where most people do not run as administrators and, hopefully, start questioning some of the elevation prompts they do get. The fewer they get, the more likely they are to consider them carefully before allowing them, or so the theory goes. By extension, yes, there may be less malware, but it all depends on (a) whether users keep UAC one, (b) which is dependent on whether ISVs will write software that works with it, and (c) users stop considering prompts to be fast-clicking exercises and actually consider whether an elevation request is legitimate or not.

Some of the brightest thinkers in the world regarding Windows security today, such as Joanna Rutkowska, did understand that this was the purpose. As she put it in a blog post on February 4: "User Account Control (UAC) is a new security mechanism introduced in Vista, whose primary goal is to force users to work using restricted accounts, instead working as administrators." (http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html). She has it mostly right in that one, except I would use the term "enable" rather than "force."

This, unfortunately, is also a bit scary for Microsoft. Local privilege escalation vulnerabilities, where a user can escalate from a local standard user to a local administrator, have never been particularly interesting on the Windows platform. Since somewhere around 95% of users on Windows run as administrators, what's the point of escalating? What are you going to escalate to? Another admin?

Well, with Vista the idea is that users will run as standard user instead, and suddenly, local privilege escalation issues become very interesting. Unfortunately, this is also where we run into some of the limitations of UAC. An elevated application runs on the same desktop as a low (non-elevated) application. Windows, just like other operating systems, do not implement complete process isolation between applications on the same desktop. This means that there are certainly ways for a low application to impact what an elevated application can do. There is no security boundary that isolates processes on the same desktop. The OS does include some protective measures to keep the obvious, and unnecessary, avenues of communication blocked, but it would be impossible, and undesirable, to block all. Therefore, Microsoft does not want to consider breaches of that - nonexistent - boundary as security breaches. If they were considered security breaches, it would look horrible for Vista security. Mark Russinovich, a Technical Fellow (extremely exalted engineering deity) at Microsoft pointed out as much in a blog post (http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx). And so the war of the blogs started.

Joanna responded with "And now we hear what? That this flagship security technology (UAC) is in fact… not a security technology!" (http://theinvisiblethings.blogspot.com/2007/02/vista-security-model-big-joke.html).

The first observation to draw from this is that we now apparently fight it out in blogs. The other is that, well, both are really correct. Let's sort it out.

Mark is totally correct. Microsoft is well aware of the fact that there is no security boundary between a low process and an elevated one on the same desktop. As there was never intended to be one, there really cannot be a security vulnerability when it is discovered that a particular mechanism allows communication between two processes of different integrity or running with different tokens. Obviously, that diminishes the value of UAC as a first-order way to fight malware, but we already accepted the fact that it was not designed to be a first-order way to fight malware anyway. One might only wish that Microsoft had been (a) a little more upfront about this fact and not lead people into believing that UAC provided protection; and (b) a bit more coordinated and not point to UAC as the primary way in which Windows Vista fights malware in the Windows Security Guide. It really is no wonder that people believed that UAC was making promises the product group never designed it to keep.

Does this fact diminish the stated value of UAC (the goal of which, recall, was to enable more people to run as standard user)? No. It does not have any impact on the ability of UAC to achieve that goal at all. The existence or lack of an impervious security boundary between a malicious low app and an elevated application does not change the fact that more users can effectively use UAC and run their Vista computers as a standard user. In fact, contrary to what some in the industry would have you believe, I wrote this entire blog post (and the entire book for that matter) as a standard user on Windows Vista, and not once did I get a UAC prompt asking me to accept anything that I wrote!

Is Joanna correct in taking Mark's statement to mean that UAC is not a security technology? No. It is a security technology, and she already stated, largely correctly, in a previous post, what the goal of this security technology is. The fact that UAC does not mitigate all security problems, or that it does not possess a property that many of us, myself included, would dearly like to have - first-order protection against malware - does not mean it is not a security technology. The ability to identify users by use of separate user accounts, by itself, also does not stop malware from infecting your system, but nobody would stretch that fact into meaning that user accounts, therefore, are not a security technology.

UAC leaves it up to technologies like the vastly improved Windows Firewall, Windows Defender, and other anti-malware programs, to keep malicious code off the box, and to keep it from executing if it gets there. Neither of those is 100% successful at those missions either, but that also does not mean that none of them are security technologies either. All these technologies have their place. But, as I have said many times before, even if all the technical avenues of attack are shut down, it all comes down to the user. If the person behind the keyboard choses to allow malicious code to run, no technical mitigation in the world will help.

What does that mean for UAC though? Should we not use it? No, we really should, especially if we log on as an administrator (which I am happy to say I no longer do on any of my Vista systems). However, how do we mitigate the risk of privilege escalation between processes? It depends on our risk management philosophy. In the book, I laid out the increasing order of security of different ways to become an administrator:

  • Good: Run in admin-approval mode
  • Better: Run as standard user and elevate to separate admin account
  • Best: Run as standard user and switch user to a separate admin account instead of using UAC to elevate

 Pick whichever one of these works best for you and provides you a level of protection you are comfortable with.
 

Published 01 March 2007 09:45 PM by jesper
Filed under:

Comments

# Larry Osterman said on 02 March, 2007 08:30 AM

Don't forget that even in "Best" mode, you're STILL not immune from malware.

It is perfectly possible to write malware (adware or a botnet client) that will install and run all the time on a standard user account without a single elevation prompt.  It's just not worth the effort usually.

As long as there are dancing pigs or cool icons for your email, people will still install this stuff.

# jesper said on 02 March, 2007 10:29 AM

So true Larry. You would be mostly impervious to things that compromise your system. That does not of course mean that you would be immune against things that steal your private data, or anything that tries to trick users into giving up information.

I firmly believe that as operating systems and applications get harder to attack we will see more and more attacks on people and the data they have access to.

# Chris Quirke said on 03 March, 2007 02:55 PM

It should be up to the user, but often malware works either by spoofing the user (e.g. exploiting the OS's poor file type discipline and risk UI information) or bypassing the user completely (e.g. exploiting edge-facing code such as RPC, LSASS etc.)

That, IMO, is the problem UAC attempts to address.  If it "encourages" sware vendors to write code that also works in non-admin accounts, that's nice - but IMO, account-based rights are in any case the wrong safety model for consumerland.  

Even the most limited account has the right to edit, and thus steal or destroy, user data.  Sure, it's nice for Microsoft support that they don't have to handle getting the system back from malware ownership, but if the user's data is most important, the battle's lost.

# Mark Burnett said on 03 March, 2007 07:05 PM

Jesper, I disagree, I think that UAC, as a whole, is very much a security feature. It's a first attempt that's bound to need some work, it isn't a sandbox, it isn't an anti-virus or anti-spyware feature, it isn't a firewall, and it can never be a perfect solution without seriously inconveniencing users, but it certainly is a security feature:

1. It makes it very difficult for malware to do admin-level stuff without the user knowing somewhere along the way.

2. It includes features like UIPI and MIC

3. It provides a mechanism for processes to run in a restricted mode

4. It provides file and registry virtualization

5. It facilitates protected mode IE7

Even Symantec, who has been so quick to attack Vista's security found that Vista blocked 96% or more of all malware they tested. Of course they said it the other way--that it still lets 4% through--but that's really not bad for what everyone is now claiming as a non-security feature.

# jesper said on 03 March, 2007 07:13 PM

Mark, I agree with you. I think UAC is a security feature. However, I also think it is dangerous to believe that it will stop future malware. It stops current malware, and does so well as you point out. However, future malware will certainly find a way around it. Does that make it not be a security feature? No. Does that mean UAC is not useful? No.

BTW, I am just putting the finishing touches on a tool for the new Vista Security book that might make testing UAC easier. It allows you to launch any process elevated from a command line, or to launch any process with a low integrity token. For instance, if you want to launch Firefox low (it currently won't work - firefox that is - but let's pretend it does) you would run "elevate -l firefox.exe". I'm doing final testing on the tool now.

# Alun Jones said on 03 March, 2007 07:37 PM

Even a re-worded dialog can be a security feature - changing the text, so that the user can more easily tell which is the most secure option to choose.

What's key here is that UAC isn't a security _boundary_. It's not designed to keep processes "inside" - it doesn't even have an "inside" in which it could keep processes.

Sessions are an example of a security boundary, because it provides a delineation between processes. NTFS permissions are an example of a security boundary, because it provides for a delineation between users who can have access, and users who can't.

UAC is a way for users to choose not to be administrator all the time. It's on by default, because it's the right choice for most users.

I've been a restricted user on Windows XP, and I've been a restricted user on Windows Vista, and I like it better on Vista, because I don't have to figure out how to do "runas" on an admin task whenever I need to do one.

# jinishans said on 21 March, 2007 01:10 PM

I'm using vista for the last few days. I feel, it's more of annoying feature, but, alerts the users before something goes wrong, atleast for time being.

# Dusan Drndarevic said on 01 April, 2007 05:06 AM

Short and logical post about UAC and Vista security you can find here : http://www.drdrksa.info/windows-xp-is-safer-then-vista/

# pieter said on 06 April, 2007 03:57 PM

"UAC's purpose is to enable more users to run as a standard user."

so you admit uac is a nagging tool. i tend to agree, and the result will be that users will disable it and gain standard administrator right, which will become the de facto default vista installation.

Leave a Comment

(required) 
(required) 
(optional)
(required)