The UAC prompt is an important component of the User Account Control (UAC) security control set introduced with Windows Vista to protect users from accidental misconfiguration and from actions performed deliberately by malware.
The UAC prompt shows up when actions similar to the following take place:
a. Installing applications
b. Changing system settings
c. Running an application that has requested elevated privileges in its application manifest. (To read more about application manifests visit this page: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html )
Controlling the UAC prompting behavior
The prompts can be controlled from Control Panel -> User Accounts -> User Accounts -> Change User Account Control settings, and they can also be changed via the Group Policy editor (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, the policies whose names start with "User Account Control:"), as shown below in Fig1. Both paths end up writing values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is where an auditor or an attacker reads the effective configuration.
Fig1: The Control panel app to control behavior of the UAC prompts
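The following PowerShell is an added example and not part of the original article. It reads the registry values that the Control Panel slider and the Group Policy settings write, translates them into the prompting behavior they produce, and flags the two configurations that matter most in an assessment. Reading the values needs no administrator rights; the commented `Set-ItemProperty` lines at the end do. The value meanings are Microsoft's documented ones; the warning text is my own.

```powershell
# Added example: decode the UAC settings behind the Control Panel slider / Group Policy.
# Assumes Windows 7 or later. Reading the key does not require elevation.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$v   = Get-ItemProperty -Path $key

# Meaning of ConsentPromptBehaviorAdmin ("Behavior of the elevation prompt for administrators")
$adminBehavior = @{
    0 = 'Elevate without prompting (UAC gives administrators nothing)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Meaning of ConsentPromptBehaviorUser ("Behavior of the elevation prompt for standard users")
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Describe($value, [hashtable]$map) {
    if ($null -eq $value) { return '(value not present)' }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return '(undocumented value)'
}

"EnableLUA                  : $($v.EnableLUA)  (0 = UAC completely off; changing it needs a reboot)"
"ConsentPromptBehaviorAdmin : $($v.ConsentPromptBehaviorAdmin)  -> $(Describe $v.ConsentPromptBehaviorAdmin $adminBehavior)"
"ConsentPromptBehaviorUser  : $($v.ConsentPromptBehaviorUser)  -> $(Describe $v.ConsentPromptBehaviorUser $userBehavior)"
"PromptOnSecureDesktop      : $($v.PromptOnSecureDesktop)  (1 = prompt is drawn on the secure desktop)"

# How the four positions of the Control Panel slider map onto these values:
#   Always notify                                   : ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1
#   Notify me only when apps try to make changes    : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1 (default)
#   ... (do not dim my desktop)                     : ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=0
#   Never notify                                    : ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0

# The findings a pentester or auditor looks for first.
if ($v.EnableLUA -eq 0) {
    Write-Warning 'UAC is disabled: every process of an administrator already runs with the full token.'
} elseif ($v.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Administrators are elevated silently: code running as the user gets admin with no prompt.'
}
if ($v.PromptOnSecureDesktop -eq 0) {
    Write-Warning 'Prompts are drawn on the normal desktop, where other user-mode processes can interact with them.'
}

# To restore the default behavior from an elevated prompt (administrator rights required):
# Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 5
# Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1
```

The same four values are what Group Policy sets; if a domain policy is applied, the Control Panel slider is greyed out but the registry still shows the effective configuration.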
Types of UAC prompts
There are different UAC prompts depending on the type of activity being carried out and by whom, i.e. the trust level of the application being run or of the application requesting elevated access.
The credentials prompt
1 - If the user is not signed in with an administrative account, the prompt asks for the username and password of an account that has administrative rights on the system, as shown in Fig2.
Fig2: The UAC prompt when the signed in user is not an administrator
The consent prompts
When an application is started from the explorer.exe shell the following sequence takes place:
a. The shell calls 'ShellExecute' to execute the application.
b. The shell checks with the Application Information Service (AIS, service name appinfo) to see what conditions are needed for the application to execute.
c. The AIS checks the application's manifest to see if the application requires elevation. For more information about manifests go to the article on manifests: http://securityinternals.blogspot.ae/2014/01/application-manifests-and-assemblies.html
d. If the application requires elevation, consent.exe (C:\Windows\System32\consent.exe) is started by the AIS.
e. consent.exe prompts the user for their consent. By default the prompt is drawn on the secure desktop (the PromptOnSecureDesktop setting), so other processes running as the user cannot read it or click it.
f. If consent is given, the AIS creates a process with an elevated token and 'reparents' the newly created process, making it a child of the explorer.exe process that launched it in the first place.
g. If consent is not given, the AIS does not create the process and the application does not run.
The above sequence is illustrated in the image Fig3 below:
Fig3: Role of consent.exe in the UAC consent prompt
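The sequence above can be driven from PowerShell instead of Explorer, since `Start-Process -Verb RunAs` is the 'runas' ShellExecute verb. The script below is an added example, not from the original article: it launches an elevated child, has the child record its own integrity level and parent PID, and then shows from the unelevated launcher that the child carries a High integrity token and that its parent is the launcher (step f), or that no process was created when the prompt is refused (step g). It assumes Windows 7 or later with PowerShell 3.0 or newer; the file name `uac-demo.txt` is chosen for the demo.

```powershell
# Added example: trigger ShellExecute -> AIS -> consent.exe from PowerShell and observe the result.
# Assumes PowerShell 3.0+ (Get-CimInstance) and a user who can pass the UAC prompt.

function Test-IsElevated {
    # True when the current token has the Administrators group enabled, i.e. it is the full
    # token, not the filtered token that UAC hands an administrator at logon.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Launcher PID $PID, elevated: $(Test-IsElevated)"   # False in a normal console, even for an admin

$out = Join-Path $env:TEMP 'uac-demo.txt'           # demo file name, an assumption
Remove-Item $out -ErrorAction SilentlyContinue

# The child writes the Mandatory Label of its token (whoami /groups) and its parent PID to
# the file. `$PID is escaped so it is expanded inside the child, not here.
$childCmd = "whoami /groups | Select-String 'Mandatory Level' | Out-File -FilePath '$out'; " +
            "(Get-CimInstance Win32_Process -Filter ('ProcessId=' + `$PID)).ParentProcessId | Out-File -Append -FilePath '$out'"

try {
    # -Verb RunAs: the shell asks the Application Information service to elevate; appinfo starts
    # consent.exe and only creates the process, with the full administrator token, after consent.
    Start-Process -FilePath 'powershell.exe' `
        -ArgumentList '-NoProfile', '-Command', $childCmd `
        -Verb RunAs -Wait -ErrorAction Stop
} catch {
    # Clicking No in consent.exe makes Start-Process throw: this is step g, no process exists.
    "Elevation refused or cancelled: $($_.Exception.Message)"
    return
}

$lines = Get-Content $out
"Child token integrity : $($lines[0].Trim())"          # expect 'Mandatory Label\High Mandatory Level ...'
"Child's parent PID    : $($lines[-1].Trim())"          # equals the launcher's PID: AIS reparented it
if ([int]$lines[-1].Trim() -eq $PID) {
    'The elevated process was created by appinfo but reparented to this launcher.'
}
```

The parent PID is the detail worth noticing: a process tree shows the elevated child under the unelevated launcher, not under svchost.exe hosting appinfo, which is why tools that attribute children to their parent's token can be misled by elevated processes.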
2 - If a Windows signed component needs to carry out an administrative action, the prompt with the blue-and-yellow quartered shield comes up. This is the case where the user has an administrative account. The prompt is shown in Fig4.
Fig4: The UAC prompt when a Windows Signed application requires administrative access
3 - If the application is not Windows signed but is signed by a known (verified) publisher, the prompt is as shown in Fig5. The non-Windows publisher can be Microsoft itself, Adobe or Oracle. To emphasize: applications signed by Microsoft as a publisher (Office, SQL Server and so on) are not trusted in the same way as Windows signed components; only binaries signed with the Windows publisher certificate get the Windows prompt.
Fig5: The UAC prompt when an application by a non-Windows but known publisher requires administrative access
4 - If the publisher is unidentified (the binary is unsigned, or its signature does not chain to a trusted root), the prompt is as shown in Fig6.
Fig6: The UAC prompt when an application from an unidentified publisher requires administrative access
5 - If the application requiring administrative access is from an explicitly blocked or untrusted publisher (a certificate placed in the Untrusted Certificates store), the prompt is as shown in Fig7 and elevation is refused.
Fig7: The UAC prompt when an application signed by an explicitly blocked or untrusted publisher requires administrative access
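To see in advance which of the four consent prompts a binary will receive, the publisher classification can be approximated from the Authenticode signature. The function below is an added example and not from the original article; the real decision is made by the Application Information service, and the subject-name test for the Windows publisher certificate is my own heuristic, not Microsoft's documented check. It assumes PowerShell 5.0 or later on Windows 8.1 or later, where `Get-AuthenticodeSignature` also resolves catalog-signed system files (on Windows 7 those report as NotSigned).

```powershell
# Added example: approximate the publisher check behind the four UAC consent prompts.
# Heuristic, not the AIS algorithm. Assumes PowerShell 5.0+ on Windows 8.1+.

function Get-UacPublisherClass {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return 'Unidentified publisher (unsigned)'
    }
    $cert = $sig.SignerCertificate

    # A publisher the user or an administrator has explicitly distrusted lives in the
    # Disallowed (Untrusted Certificates) store, per user or per machine.
    $blocked = @(Get-ChildItem Cert:\CurrentUser\Disallowed, Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
                 Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    if ($blocked.Count -gt 0) {
        return 'Explicitly blocked publisher (elevation refused)'
    }

    if ($sig.Status -ne 'Valid') {
        # Signed, but the chain does not end in a trusted root or the hash no longer matches:
        # treated like an unsigned binary.
        return "Unidentified publisher (signature status: $($sig.Status))"
    }

    # Windows components and their catalogs are signed with the 'Microsoft Windows' publisher
    # certificate. Other Microsoft products are signed as 'Microsoft Corporation' and are
    # handled like any other verified third-party publisher.
    if ($cert.Subject -match '^CN=Microsoft Windows(,|$)') {
        return 'Windows publisher'
    }
    $name = $cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    return "Verified publisher: $name"
}

# Constructed samples: a Windows component, a third-party signed tool (path is an assumption,
# adjust to something installed), and a freshly created unsigned file.
$samples = @(
    (Join-Path $env:SystemRoot 'System32\regedit.exe'),
    (Join-Path $env:ProgramFiles '7-Zip\7z.exe'),
    (New-TemporaryFile).FullName
)
foreach ($s in $samples) {
    if (Test-Path $s) { '{0,-55} {1}' -f $s, (Get-UacPublisherClass -Path $s) }
}
```

Note that this only tells you which prompt the user will see; it says nothing about whether the user will click through it, which is the assumption UAC ultimately rests on.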
About the Author: Saquib Farooq Malik is a senior Information Security Specialist.
Saquib specializes in Vulnerability Assessment and Penetration Testing and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, an ISO 27001 Lead Auditor, a Tenable Certified Nessus Auditor and a Lumension Certified Engineer.