Leveraging User Account Control to restrict administrative privileges
Administrative privileges are a key target for attackers. Once they have landed within your environment, one of their first courses of action will be to locate and compromise an administrative (“privileged”) account, as these have the technical capabilities necessary to perform the desired malicious tasks. Although not all attacks require administrative privileges, these privileges essentially grant an attacker “god mode”: they can make any change they want, down to the configuration of the operating system itself. There are two primary courses of action that I recommend you consider implementing to mitigate this risk:
- Stop running full-time on administrative accounts and pivot to standard user accounts
- Fully engage Windows User Account Control
It is a big risk to run an administrator account full-time, since everything done during the session is also executed as admin. Clicked on a phishing link with some embedded malware? That malware runs as admin. That is far too easy for the adversary, and the victim pays the price. For many of the small businesses I have worked with, all of their users run as administrators full-time, and they are not even aware of it. The solution is to get far, far away from administrator accounts: create a standard (non-admin) user account and sign into that on a full-time basis. For Windows users, you can do that in Control Panel:
On my local machine pictured above, I have a standard non-admin account (username omitted), which is the account that I sign into and run on a regular basis. I created this after I set up my machine for the first time, since the first account created out of the box is an administrator by default. I also have my privileged account, which is indicated by the name “Administrator” underneath Local Account.
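The same split between a day-to-day standard account and a separate admin account can be set up and audited from PowerShell. The script below is an added example, not code from the original post; it assumes it is run from an elevated PowerShell session, and the account name `nathan.daily` is a constructed placeholder. It first reports whether the current session is elevated, then lists who is in the local Administrators group (the list that the Control Panel screen summarises), and finally creates a standard user that belongs only to the built-in Users group.

```powershell
# Added example (not from the post): audit local admin rights and create a
# day-to-day standard user. Run from an elevated PowerShell session.
# "nathan.daily" is a constructed placeholder account name.

function Test-RunningAsAdmin {
    # True only when the current token is elevated. An admin account running
    # under UAC's filtered token reports $false until it elevates.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Every member of the built-in Administrators group; unexpected entries
    # (day-to-day users, stale accounts) stand out here.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function New-StandardUser {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # New-LocalUser does not put the account into any group. Adding it to
    # Users (and only Users) is what makes it a standard, non-admin account.
    $user = New-LocalUser -Name $Name -Password $Password
    Add-LocalGroupMember -Group 'Users' -Member $user
    return $user
}

if (Test-RunningAsAdmin) {
    Write-Host 'This session is elevated: this is the account you should not use day to day.'
} else {
    Write-Host 'This session is a standard user: admin tasks will trigger a UAC prompt.'
}

Write-Host "`nLocal Administrators group membership:"
Get-LocalAdminMembers | Format-Table -AutoSize

# Prompt for the password so it never appears in the script or in history.
$pw = Read-Host -AsSecureString -Prompt 'Password for the new standard account'
New-StandardUser -Name 'nathan.daily' -Password $pw | Out-Null

# Confirm the new account landed in Users and not in Administrators.
Get-LocalGroupMember -Group 'Users'          | Where-Object Name -like '*\nathan.daily'
Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like '*\nathan.daily'
```

The last two lines are the check worth keeping: the first should print the new account, the second should print nothing. Re-run `Get-LocalAdminMembers` periodically; an account that reappears in Administrators without a change ticket behind it is worth investigating.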
The fun does not stop here. I still need to ensure that administrative privileges are being adequately controlled. To do this, we will leverage User Account Control (UAC), a security feature built into Windows. Sign into your administrator account and search for “UAC” in the Windows Search bar:
Launch UAC, and you should see the following:
Once inside, you will want to fully enable UAC, so move the dial up to “Always notify” and click OK. Then sign out and return to your local non-admin account. Back in your non-admin account, attempt to perform any task as administrator. In this case, I attempted to run Command Prompt:
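The slider in the UAC dialog is a front end for a handful of registry values under the Policies\System key, which is what you want to check when auditing a machine rather than clicking through it. The script below is an added example, not code from the original post; it assumes it is run from an elevated session on the administrator account and only writes values when the machine is not already at “Always notify”.

```powershell
# Added example (not from the post): audit and, if needed, set the registry
# values behind the "Always notify" UAC slider position. Run elevated.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values written by the top ("Always notify") slider position:
#   EnableLUA                  = 1   UAC is enabled at all
#   ConsentPromptBehaviorAdmin = 2   admins get a consent prompt on the secure desktop
#   PromptOnSecureDesktop      = 1   the prompt is shown on the dimmed secure desktop
$alwaysNotify = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

function Get-UacState {
    # Current value of each setting; $null means the value is absent (Windows default applies)
    $props = Get-ItemProperty -Path $uacKey
    $state = [ordered]@{}
    foreach ($name in $alwaysNotify.Keys) { $state[$name] = $props.$name }
    # Standard-user prompt behaviour: 0 means "automatically deny", which would
    # suppress the credential prompt described in the post instead of showing it.
    $state['ConsentPromptBehaviorUser'] = $props.ConsentPromptBehaviorUser
    return $state
}

function Test-UacAlwaysNotify {
    # True only when every slider value matches and standard users are not auto-denied
    $state = Get-UacState
    foreach ($name in $alwaysNotify.Keys) {
        if ($state[$name] -ne $alwaysNotify[$name]) { return $false }
    }
    if ($state['ConsentPromptBehaviorUser'] -eq 0) { return $false }
    return $true
}

function Set-UacAlwaysNotify {
    # Writes the slider values. A change to EnableLUA only takes effect after a reboot.
    foreach ($name in $alwaysNotify.Keys) {
        Set-ItemProperty -Path $uacKey -Name $name -Value $alwaysNotify[$name] -Type DWord
    }
}

Write-Host 'Current UAC settings:'
(Get-UacState).GetEnumerator() | Format-Table Name, Value -AutoSize

if (Test-UacAlwaysNotify) {
    Write-Host 'UAC is already at "Always notify".'
} else {
    Set-UacAlwaysNotify
    Write-Host 'UAC set to "Always notify". Reboot if EnableLUA was changed.'
}
```

`Test-UacAlwaysNotify` is the piece to reuse on its own: it gives a single true/false answer you can run across a fleet, and it flags the one standard-user setting (`ConsentPromptBehaviorUser = 0`) that would silently block the credential prompt rather than show it.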
You *should* be presented with this window when you try to run the task as admin. This is User Account Control asking for my administrator credentials, which are completely different from my non-admin credentials. I store these under lock and key, and I ensure that they go above and beyond the recommended password requirements. If I were to enter my non-admin credentials, they would not be accepted and the task would not run. If you are a security freak like me, you may even consider pairing UAC with an MFA solution such as a YubiKey or, my personal preference, Windows Unlock (free on Windows).
Perhaps the greatest implication of this feature is that I can still perform my day-to-day tasks, and when I need to perform an administrative task, I simply authenticate through UAC without having to sign in full-time to an administrator account. Furthermore, if I accidentally click a phishing link while running my standard user account, there is a greater chance of preventing any malware from being installed, since doing so would likely require administrative privileges. If an adversary somehow managed to gain remote access to my machine, there isn’t much they would be able to do in terms of changing the configuration, since that also requires administrative privileges. This additional layer of defense may be just what is needed to make the bad guys give up.
I should also note that these changes are not limited to a single local machine. If you want to enable UAC across an entire domain, you can do this using Windows Group Policy Management, or whichever network infrastructure you use.
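For the domain case, the same three registry values can be delivered through a Group Policy Object so that every workstation in scope is held at “Always notify” regardless of what a local admin sets. The script below is an added example, not code from the original post; it assumes the GroupPolicy module (part of RSAT) is installed, that you have rights to create and link GPOs, and that the GPO name `UAC - Always Notify` and the OU `OU=Workstations,DC=example,DC=com` are placeholders to replace with your own.

```powershell
# Added example (not from the post): deliver the "Always notify" UAC values to
# domain workstations through a GPO. Requires the GroupPolicy (RSAT) module.
# The GPO name and OU distinguished name below are constructed placeholders.
Import-Module GroupPolicy

$gpoName  = 'UAC - Always Notify'
$targetOu = 'OU=Workstations,DC=example,DC=com'
$key      = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Same values the local "Always notify" slider writes.
$settings = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}

# Create the GPO only if it does not already exist, so the script is safe to re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Write each value as a registry policy; clients apply it on their next policy refresh.
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name `
                        -Type DWord -Value $settings[$name] | Out-Null
}

# Link the GPO to the workstation OU (ignore the error if the link already exists).
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read back what the GPO will deliver, so the change can be reviewed before rollout.
foreach ($name in $settings.Keys) {
    Get-GPRegistryValue -Name $gpoName -Key $key -ValueName $name |
        Select-Object ValueName, Type, Value
}
```

Start by linking the GPO to a small pilot OU rather than the whole domain, and confirm on a pilot machine with `gpresult /r` (or `Get-GPResultantSetOfPolicy`) that the policy applies before widening the link.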
Are you running as administrator right now? If so, I recommend you halt immediately, and you pivot to a standard user account. If you use Windows, consider leveraging User Account Control. It’s quite easy to enable, and the additional control over your environment will go a long way.
Thanks for reading!
— Nathan