The Windows Security Journey — UAC (User Account Control)

Shlomi Boutnaru, Ph.D.
Sep 22, 2023

The goal of UAC (User Account Control) is to reduce the risk of malware by limiting the ability of malicious code to run with administrator permissions. When UAC is enabled, an application that requests an access token (https://medium.com/@boutnaru/windows-security-access-token-81cd00000c64) with administrator permissions must prompt the user for consent (https://medium.com/@boutnaru/the-windows-process-journey-consent-exe-consent-ui-for-administrative-applications-d8e6976e8e40), as shown in the screenshot below.

UAC (User Account Control) provides MAC (Mandatory Access Control) and was introduced as part of Windows Vista/Server 2008. Together with UIPI (https://medium.com/@boutnaru/windows-security-user-interface-privilege-isolation-uipi-db790ad173eb), UAC is used to isolate applications running as the same user in the same session from one another. When a user tries to perform an operation that requires admin access it will trigger UAC (if it’s enabled). Examples of such operations (not an exhaustive list) are: executing an application as an administrator, changing system-wide settings, installing a device driver, changing UAC settings, configuring Windows Update, opening the registry editor, changing power settings and turning Windows features on/off (https://en.wikipedia.org/wiki/User_Account_Control).

Moreover, when UAC is enabled and an administrator logs on to a system, two separate access tokens are created (a standard access token and an administrator access token). The difference between them is that the administrative privileges and SIDs are removed from the standard one (https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works).
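The filtered token described above can be observed from an interactive session. The following PowerShell script is an added example (not code from the original post): it assumes the built-in whoami tool and the standard UAC policy key under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (values EnableLUA and ConsentPromptBehaviorAdmin), and reports whether the current process holds the filtered token or the full administrator token.

```powershell
# Added example (not from the original post): inspect whether the current
# session holds the filtered (standard) token or the full administrator
# token that UAC creates at logon, and whether UAC is enabled on the host.

function Get-UacTokenState {
    # Parse the group list of the current token. On a filtered token the
    # BUILTIN\Administrators SID (S-1-5-32-544) is still present but marked
    # "Group used for deny only"; on the full token it is an enabled group.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminSid   = 'S-1-5-32-544'
    $adminEntry = $groups | Where-Object { $_.SID -eq $adminSid }

    $tokenKind = if (-not $adminEntry) {
        'standard user (not a member of Administrators)'
    } elseif ($adminEntry.Attributes -match 'deny only') {
        'filtered token (admin privileges and SIDs removed by UAC)'
    } else {
        'full administrator token (elevated)'
    }

    # The integrity level is carried as a "Mandatory Label" group: the
    # filtered token runs at Medium, the elevated token at High.
    $label = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'

    # .NET's IsInRole ignores deny-only SIDs, so it is $false on the filtered token.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # UAC policy lives under the System policy key; EnableLUA = 0 disables UAC entirely.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy     = Get-ItemProperty -Path $policyPath

    [pscustomobject]@{
        User                       = $identity.Name
        TokenKind                  = $tokenKind
        IntegrityLevel             = $label
        IsElevated                 = $isElevated
        UacEnabled                 = ($policy.EnableLUA -eq 1)
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    }
}

Get-UacTokenState | Format-List
```

Running it from a normal console and again from a console started with "Run as administrator" shows the same user with TokenKind and IntegrityLevel switching between the filtered and elevated token.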

Lastly, UAC is composed of several technologies that together provide its capabilities, among them: file and registry virtualization, same-desktop elevation, the filtered token, UIPI, Protected Mode Internet Explorer and installer detection (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-user-account-control). I am going to detail, in future writeups, all of those that have not been covered yet. See you next time ;-) You can also follow me on Twitter: @boutnaru (https://twitter.com/boutnaru).
