The three big problems with User Account Control (UAC)

User Account Control (UAC) is an essential part of your security. It has an important role to play in how we eliminate unnecessary privileges for our users and, in turn, secure our organisations.

Without exception, you should be using UAC everywhere you can.

But using User Account Control alone presents some very real challenges – pitfalls that could be the difference between productive users and a serious data breach.


#1 It can be bypassed

For Microsoft, Windows 10 represented another leap forward in terms of security. For the average home user, the operating system’s built in firewall and anti-malware technologies are a surprisingly good choice.

But when it comes to the world of business, no User Account Control is bulletproof. Using DLL hijacking and mock directories, Windows 10 UAC can be bypassed to run elevated commands without alerting anyone.

It’s an important layer in your security stack, but it’s still just a layer.


#2 It’s not exhaustive

User Account Control does a good job of mitigating some types of drive-by attack, but it doesn’t account for all the ways that user privileges can be escalated, or all the applications that may be interacting with a given workstation.

At best, UAC is one part of a much bigger picture. Too often, UAC is adopted and left to handle every type of privilege abuse by itself.


#3 It’s in the hands of your users

Finally, User Account Control keeps productivity high by letting your users enter administrative credentials and get back to whatever they were doing. But this creates a significant risk if we only account for human error.

As UAC becomes more integrated with the way we use Windows, people find themselves dealing with prompts and login screens throughout the day. In the midst of a busy schedule and our notification-intense routines, it’s too easy just to agree, hit yes, and not really think about what you’re doing.

It’s in this understandable drive to make life easier that attackers find a way in.

That’s why the answer is removing them from the process.

Next: Don’t offload privilege elevation to your help desk


Missed parts one or two of this four-part blog series. Catch up now.


Written by