It’s true that our friends at Microsoft have come a long way toward implementing good security. No, really. Adobe and Oracle/Java have become the big targets of cyberthieves. MS operating systems no longer regularly cause the Blue Screen of Death. And, ta-da, we have User Account Controls to protect us.
UAC, as it is called, is that annoying feature that asks whether you are really sure you want to perform an action as an Administrator, like changing your settings or installing new programs. It is best epitomized by the great Apple commercial, where the dumpy PC guy and the cool Apple dude are trying to talk and a Secret Service-looking guy pesters the PC to death. Please watch the video before proceeding:
So, why annoy the customer base? It’s an attempt to run with least privileges, an important aspect of security. The theory is that if you are compromised running as the Administrator or root accounts, the scope of damage is endless. On the other hand, if you are warned before running a dangerous program or are a lowly unprivileged user, then the damage will be limited. UAC can stop an attacker from some pillaging and plundering.
Let’s say UAC is enabled. You get warned when really important things are happening, like administrative actions or an attack that is escalating privileges. But does that mean attackers are out of luck when they compromise your system? Absolutely not. Consider this analogy. If robbers enter a bank and find the vault locked, should they apologize and go home empty-handed? No. There are still teller drawers full of loot.
We can classify the stuff stored on a PC in a few ways. Let’s review three categories and then rate their loss or compromise on the scream-scale.
A rating of 1 Scream is what you’d let out, if you stubbed your toe. The 5-scream level is achieved by surgery without anesthesia.
Perhaps the title of this blog article makes more sense now. User Account Controls are not bad. They do offer some protection to your files. But it would be wrong to believe they effectively safeguard your most important assets: user data. That is up to you. More on defenses and some UAC bypass techniques are coming later.
If you are interested in this antivirus testing and hacking, the course Penetration Testing: Tools and Techniques includes this topic.