User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks. This mitigation can be implemented through the following measures:
Enable UAC Globally:
User Account Control: Run all administrators in Admin Approval Mode
to Enabled
.Require Credential Prompt:
User Account Control: Behavior of the elevation prompt
).Restrict Built-in Administrator Account:
Set Admin Approval Mode
for the built-in Administrator account to Enabled
in Group Policy.
Secure the UAC Prompt:
User Account Control: Switch to the secure desktop when prompting for elevation
).Prevent UAC Bypass:
User Account Control: Only elevate executables that are signed and validated
.Monitor UAC-Related Events:
Tools for Implementation
Built-in Windows Tools:
EnableLUA
and ConsentPromptBehaviorAdmin
.Endpoint Security Solutions:
Third-Party Security Tools:
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL. |
|
.002 | Bypass User Account Control |
Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL. |
||
Enterprise | T1546 | .011 | Event Triggered Execution: Application Shimming |
Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions. |
Enterprise | T1574 | Hijack Execution Flow |
Turn off UAC's privilege elevation for standard users |
|
.005 | Executable Installer File Permissions Weakness |
Turn off UAC's privilege elevation for standard users |
||
.010 | Services File Permissions Weakness |
Turn off UAC's privilege elevation for standard users |
||
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons.[2] |