The press has been having a field day with headlines like this one because of a recent post by Mark Russinovich that explains, among other things, how UAC and its integrity levels (user rights separation) work. The part of the post that people grabbed onto was his statement that "It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries." He goes on to say, "Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs."
What does all this mean? Honestly, it can be really confusing. Mark has a wonderfully detailed post that you can get lost in the details of, and Microsoft's press materials don't make this any clearer, since they variously describe UAC as increasing security or as helping with trust. So let's take this down a notch to understand it better.
UAC, or User Account Control, is an umbrella of technologies designed to help achieve the goal of running as a "Standard User" (non-admin). Running as an administrator by default is a problem that has plagued Windows for a very long time. UAC includes many features: file and registry virtualization, legacy installer detection, the ActiveX Installer Service, user rights separation/elevation, and more. All of these features are designed to help you run with fewer privileges, which in turn makes Windows more secure, but they are not themselves security features, and none of them is a security boundary. That, I think, was the point Mark was making.
Within these features, some fundamental design choices were made to keep Windows easy to use, and those trade-offs tend to come at the cost of security. For example, the default account created in a clean Windows Vista install is a Protected Admin (PA). A PA account is a great example of trading security for convenience. Because of Windows' long history of granting admin rights by default, many apps were written assuming that level of rights would exist, so as a compromise the PA account became the new default. It offers a reasonable increase in security by running Explorer and IE, and everything launched from them, with a filtered (standard-user) token, which prevents the spread of much of today's malware, and it offers easy access to the full token through a consent prompt rather than an ID and password. A trade-off of security for convenience.
A true standard user account offers an additional incremental increase in protection by requiring an ID and password to elevate. Simply requiring a password on a PA account doesn't buy much in the way of additional protection, because the filtered token and the full token belong to the same account and therefore share the same user profile and the same HKCU hive. That leaves you exposed to attacks that plant something in a per-user location the elevated process will honour, such as the command prompt's AutoRun value (HKCU\Software\Microsoft\Command Processor\AutoRun), which an elevated cmd.exe executes when it starts. These attacks don't work when elevation requires switching to a different user account, because the elevated process then runs under that account's profile, with a different HKCU.
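The Protected Admin token and the shared-HKCU AutoRun problem described above, as an added example that is not from the original post: a PowerShell script that reports whether the current shell holds a standard-user token, a PA filtered token, or a full administrator token, and then audits the cmd.exe AutoRun values in HKCU and HKLM, flagging which of the two keys the current token could write. It assumes PowerShell 3 or later on Windows Vista or newer with UAC enabled and whoami.exe present; the function names and the simplified ACL check are mine, not anything shipped with Windows.

```powershell
# Added example, not from the original post. Assumes PowerShell 3+, Windows with UAC on,
# and whoami.exe. The "writable" test is a simplified ACL walk written for this example:
# it honours Allow ACEs only and ignores Deny ACEs, inheritance and owner rights.

function Get-TokenGroupSids {
    # Group SIDs that can actually grant access. Deny-only groups are skipped, since they
    # never match an Allow ACE; that is exactly what makes a PA's filtered token "filtered".
    whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes |
        Where-Object { $_.Attributes -notmatch 'deny only' } |
        ForEach-Object { New-Object Security.Principal.SecurityIdentifier $_.Sid }
}

function Get-UacTokenState {
    # whoami /groups prints every group SID in the token with its attributes.
    # Unelevated PA: BUILTIN\Administrators present but "Group used for deny only".
    # Elevated PA / real admin: BUILTIN\Administrators enabled. Standard user: absent.
    $groups = @(whoami /groups)
    $isAdminMember = [bool]($groups -match 'S-1-5-32-544')
    $adminDenyOnly = [bool]($groups -match 'S-1-5-32-544.*deny only')

    # The integrity level is carried as a group SID of the form S-1-16-<level>.
    $integrity = 'Unknown'
    switch -Regex ($groups -join "`n") {
        'S-1-16-16384' { $integrity = 'System' }
        'S-1-16-12288' { $integrity = 'High' }
        'S-1-16-8192'  { $integrity = 'Medium' }
        'S-1-16-4096'  { $integrity = 'Low' }
    }

    $state = if ($adminDenyOnly)     { 'ProtectedAdmin (filtered token, not elevated)' }
             elseif ($isAdminMember) { 'Administrator (full token)' }
             else                    { 'StandardUser' }

    [pscustomobject]@{ Account = (whoami); Integrity = $integrity; State = $state }
}

function Test-RegistryKeyWritable {
    # Does any Allow ACE for one of the caller's usable SIDs grant SetValue on the key,
    # or CreateSubKey on the parent when the key does not exist yet?
    param([string]$Key)
    $target = $Key
    $right  = [Security.AccessControl.RegistryRights]::SetValue
    if (-not (Test-Path -Path $Key)) {
        $target = Split-Path -Path $Key -Parent
        $right  = [Security.AccessControl.RegistryRights]::CreateSubKey
    }
    $sids = @([Security.Principal.WindowsIdentity]::GetCurrent().User) + @(Get-TokenGroupSids)
    try { $acl = Get-Acl -Path $target -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable account, cannot be one of ours
        if ($ace.AccessControlType -eq 'Allow' -and ($sids -contains $sid) -and
            (($ace.RegistryRights -band $right) -eq $right)) { return $true }
    }
    return $false
}

function Get-CmdAutoRun {
    # cmd.exe executes the AutoRun value from both hives every time it starts, elevated or not.
    # For a PA account HKCU is the same hive under the filtered and the full token, so a
    # medium-integrity process can plant a command that the next elevated prompt runs.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key   = "${hive}:\Software\Microsoft\Command Processor"
        $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        [pscustomobject]@{
            Key      = $key
            AutoRun  = $value
            Writable = Test-RegistryKeyWritable -Key $key
        }
    }
}

Get-UacTokenState
Get-CmdAutoRun | Format-Table -AutoSize
```

Run it unelevated on a PA account and it should report the filtered token at Medium integrity with the HKCU key writable and the HKLM key not. Run it again from an elevated prompt on the same account and the HKCU key it reads is the same one, which is the whole point. On a true standard-user account the elevated prompt belongs to the administrator account, so the HKCU key it reads is a different hive that the standard user never had write access to.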
The bottom line is that malware will continue to evolve, and as Windows Vista's adoption rate increases, so will the sophistication of the malware written for it. To help protect yourself and to get the most long-term benefit out of UAC, you should consider running as a standard user.
Posted Feb 20 2007, 05:01 PM by Josh Phillips