Wednesday, February 19, 2014

The User Access Control (UAC) Prompts

This article/blog discusses the behavior of the prompts presented by UAC when an application is requiring administrative access.



The UAC prompt is an important component UAC security control set introduced with Windows Vista to protect users from accidental misconfiguration and from intentional actions being performed by malware.



The UAC prompt shows up in case if actions similar to the following take place
       a.       Installing applications
       b.      System settings are being changed
       c.       The application has requested a privilege escalation in its application manifest. (To read more about application manifests visit this page: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html )


Controlling the UAC prompting behavior
The prompts can be controlled from Control panel -> User Account -> User Account -> Change User Accountr Control Settings and they can also be changed via the Group Policy editor, as shown below in figure Fig1
 Fig1: The Control panel app to control behavior of the UAC prompts

Types of UAC prompts
There are different UAC prompts depending on the type of activity being carried out and by who i.e. the trust level of the application being run or the application requesting elevated access.

The credentials prompt
1 - In the user is not signed in with administrative account the prompt will ask him for a username and password for an account that has administrative credentials on the system as shown in Fig2.

Fig2: The UAC prompt when the signed in user is not an administrator
Click image to enlarge

The consent prompts

When an application executes under the explorer.exe shell the following sequence takes place
a. The shell calls 'ShellExecute' to execute the application.
b. The shell checks with the Application Information Service (AIS) to see what conditions are needed for the application to execute.
c. The AIC checks the application's manifest to see if the application requires elevation. For more information about manifests go to the article on manifests: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html
d. If the application requires elevation consent.exe (C:\Windows\System32\consent.exe) is called.
e. consent.exe prompts the user for their consent.
f. If the consent is provided the AIS creates a process with an elevated token and 'reparents' the the newly created process, making it a child of the explorer.exe process that launched it in the first place.
g. If consent.exe does not provide the cosent then the application will not run.

The above sequence is illustrated in the image Fig3 below:




Fig3: Role of consent.exe in the UAC command prompt
Click to enlarge image


2 - If a Windows Signed component needs to carry out an administrative action the shield with blue and yellow quarters will come up. This is the case where the user has an administrative account. The prompt is shown in Fig4


Fig4: The UAC prompt when a Windows Signed application requires administrative access
Click image to enlarge
 



3 - If the application is not Windows native signed by known publisher then the prompt is as shown in Fig4. The non-Windows publisher can be Microsoft, Adobe or Oracle. Also to emphasize Microsoft signed applications are not trusted like Windows signed applications.

Fig4: The UAC prompt when an application by a non-Windows but known
publisher requires administrative access
Click image to enlarge

4 - If the publisher is unidentified then the prompt is as shown in the the figure Fig5.

Fig5: The UAC prompt when an application signed by an unidentified publisher
requires administrative access
Click image to enlarge

5 - If the application requiring administrative access is from an explicity blocked or untrusted publisher then the prompt is as shown in the figure Fig6.
Fig6: The UAC propmt when an application signed by an explicitly blocked
or unknown publisher is requiring administrative access
Click image to enlarge


About the Author: Saquib Farooq Malik, is a senior Information Security Specialist . Saquib Specializes in Vulnerability Assessment and Penetration Testing, implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.


No comments:

Post a Comment