Windows defender??

zebal said:

system security for windows consists of so many components, windows defender alone is just a tiny fraction.

for example firewall is also part of system security, but just having it turned on doesn't mean you're done with firewall, you will need a bunch of rules for firewall to be well set.

Then, UAC is as important as AV and Firewall, you do not want to use administrative account at all, local user instead where UAC is a gateway to administrative tasks.

next, there is browser security which in turns consists of multiple sub components, then also password security, just having strong password isn't all the part of it.

Then also encryption/signing is another component, email security is another one..

The list can be pretty much long! and configuring each component requires some time and research.

UAC is superficial. I thought it was a good layer of protection until I started learning about it. Among the security community it's a bit of a joke from what I could see. It's more to protect the user from themselves as opposed to being a superior layer of protection. All you need to do is run malware from a process that user thinks is trusted. That could be a fake update executable for example which runs code with administrator priveleges once the user runs through the UAC process. You can also get malware to run with priveleges without even triggering the UAC process. There are simple commands you can fire off in Powershell which get the job done and we're not talking endless amounts of code, we are talking a one liner. AV does tend to pick up on Powershell scripts these days as it's often used to compromise a system but that's when you run scripts through trusted programs which have their own certificates that Windows trusts.

Also you have to remember most users want to be an administrator on their own computer because this gives them all the control they need. Sounds good but all that power and control is what is often exploited by bad guys. Linux for example saw this as a security threat waiting to happen and so you'll find upon running a Linux distro administration priveleges are compartmentalized as best as possible. You can be a user with sudo priveleges (the same as being an admin on Windows) but not have full reign over the system ALL OF THE TIME without confirming your identity each and every time. After a while you have to provide your password to sudo. The admin account (root) is seperate to everything else and is rarely logged into unless specific admin tasks need to be performed. You will usually find the root account is used sparingly. With Windows the root account is active 24/7 if you are an administrator. There is no 'on' and 'off' switch. You're either admin and running full priveleges, or you're not. This presents a serious security threat in and of itself because you leave the door wide open if the account is secured, and so it's recommended your main account on Windows is a normal user. Whenever you need to do a task which requires administrative priveleges you can authorise it as and when necessary using a seperate admin account by providing the credentials on demand. This means that malware, if it's on your computer (before being executed), has to get admin priveleges. And when you're not an admin account by default, it has to go about adapting to the user environment and trying to sneak in. Malware can't migrate to a higher level process if at first it cannot even get admin priveleges to begin with. As a standard user there isn't much malware can do. If it can't get these priveleges it cannot gain control over the system as easily.

So the whole UAC thing is flawed to begin with because if you're always in an administrator account, UAC is merely a very small and insignificant wall to climb over if you are malware because the environment is ready to be exploited.

I agree on some points with you but not with all points, UAC is not as bad as you are seeing it:

All you need to do is run malware from a process that user thinks is trusted.

That depends on who is that user, me as a user for example, in addition to checking UAC is telling me that software is signed, I will also check who the actual publisher is, is it Microsoft, a well known developer or some person/company I never heard of..

AV does tend to pick up on Powershell scripts these days as it's often used to compromise a system but that's when you run scripts through trusted programs which have their own certificates that Windows trusts.

That's interesting because any software can modify powershell execution settings, but I think you can see this even in event viewer.
It again boils down to first point above, which is what software did you install that could do this? do you really trust the publisher or do you rely on that software is signed?

Also you have to remember most users want to be an administrator on their own computer because this gives them all the control they need.

These users are their own fault, because UAC purpose isn't to defend stupid user actions but to have control over administrative tasks, and to let user decide whether something is allowed or not.
Without UAC default is "allow do not notify", and if user is administrator that means he's compromised as soon as he installed the OS.

Malware can't migrate to a higher level process if at first it cannot even get admin priveleges to begin with. As a standard user there isn't much malware can do. If it can't get these priveleges it cannot gain control over the system as easily.

That's the main feature of UAC, user should delete it's own account from time to time, and create a new one, in any case it must not be administrator to reduce pollution.

In general it boils down to user, UAC is just a helper not an ultimate protection against user stupidity.

Malware can and does run through trusted programs, that's my point. When you have, say, Adobe Flash, which will use it's own validated trusted certificate, the malware can execute code through the trusted application. When you hit UAC it can show up as being a genuine certificate because all Windows is doing is validating the certificate, it's not verifying the contents of the program are free from malware. The publisher will be Adobe. The malware gets through based on implicit trust. The rest is history.

I never said UAC was bad but it's a joke to security experts. It is duped so often it's not even funny.

As for Powershell, this is the greatest tool in the arsenal of a pen tester, as far as I could make out after learning about security. It's often not the big technical movie script attacks that get through like you see in movies. It's one liners that get through. Again they get through when and if they can run through trusted programs which have their own certificates and are owned by Microsoft themselves. Use Windows against itself. Connect out using a trusted program and you are in business.

And Event Viewer. From what I could see it was very easy to remove event viewer logs with a simple Powershell command. Makes no sense to attack a computer but then leave traces. Removing event logs is basic stuff.

I agree with UAC not being ultimate protection. But so many people think it is. They see all these protective layers and believe they amount to something but they really don't. It also doesn't notify you of EVERY change being made otherwise it would be pinging you with requests, much like HIPS in paranoid mode. Therefore lots of things get through it, many of them system tasks but attacks happen at this level because these processes running have the highest priveleges ie NT AUTHORITY etc. If you can hitch a ride on these processes you have full access to the system. Again, if you are admin the attack is already far likely to be more successful as you only then need to migrate into a system process in order to steal tokens and then escalate priveleges even further to be at the top of the pile. When you're at the bottom you start with nothing and so it requires more work.

And I'm not sure if you're promoting running as an admin account on Windows or not. The bottom line is you shouldn't. You should really be running Windows a little like Linux in the way that you can call upon admin priveleges as and when you need them instead of having them at your disposal all of the time, even when you don't need them. You don't need complete control over the system all the time, only when you need it. And then you can lower your priveleges in order to reduce the attack surface.

When you hit UAC it can show up as being a genuine certificate because all Windows is doing is validating the certificate, it's not verifying the contents of the program are free from malware.

That's too much to expect from UAC, that's why system makes use of NX and implements DEP, virtualization based security etc.

And I'm not sure if you're promoting running as an admin account on Windows or not. The bottom line is you shouldn't. You should really be running Windows a little like Linux in the way that you can call upon admin priveleges as and when you need them instead of having them at your disposal all of the time, even when you don't need them.

Absolutely yes, I'm promoting to never use admin account, not even for administrative tasks.
standard user account is enough for basically everything. and if not you get UAC, which we can think of as of sudo in linux.

But why be so sceptic about UAC being "easy" to hack, aren't hacks trough browser more common and easy? just saying

UAC is great tool if one knows it's limitations, but there are many other holes that are more likely to expose system.

zebal said:

That's too much to expect from UAC, that's why system makes use of NX and implements DEP, virtualization based security etc.



Absolutely yes, I'm promoting to never use admin account, not even for administrative tasks.
standard user account is enough for basically everything. and if not you get UAC, which we can think of as of sudo in linux.

But why be so sceptic about UAC being "easy" to hack, aren't hacks trough browser more common and easy? just saying

UAC is great tool if one knows it's limitations, but there are many other holes that are more likely to expose system.

Expect nothing from UAC. It's just a flimsy superficial layer of protection. It's more cosmetic than an actual layer of security, as stated above.

UAC is not sudo for Linux. Sudo requires both a username and password depending on the permissions granted for the then current account. If you're a standard user you'll have to either login as root or login as someone with sudo permissions and who has been added to the sudo group and/or given root through visudo. Pretty much all average users login with an administrator account as they see themselves as the owner and therefore admin of the computer, which is all true however, they do not understand the implications of effectively logging in as root all of the time. Many protective layers are obsolete if you cannot isolate root. The best practice furthermore is to disable root in the first place, at least on Linux. This same approach can be applied to Windows in similiar ways. Learning the basics of system administration teaches you this. You want VERY LITTLE opportunities for permissions to be higher than what is absolutely necessary which creates an environment where only a very few limited and restricted accounts have permissions higher. We can't all be kings of the castle. If you're running a server the king is hidden away in a vault, not out on display where he can get attacked. With Windows it's actually the opposite. Everything is flaunted and very poorly protected, at least before being properly configured.

It depends what you mean by hack. Hack is a very general and broad term. Most sophisticated attacks are done using 0 day exploits which use publicly undeclared vulnerabilities. You never knew they even existed until a security researcher pops up and discovers something mysterious and alarming. All known browsers have less vulnerabilities than Windows though. Other less sophisticated attacks prey more on the user than the browser itself as the user plays into the attack and gives the attacker the power he needs ie XSS attacks. These just take advantage of browser sessions by stealing session data and use scripts to manipulate the data.These can be mitigated however using script blocking and ideally using third party tools like NoScript and uMatrix which offer granular protection. You can also harden your browser manually to deal with websites in a much more restricted way. You can block unknown or untrusted domains straight off the bat when connecting to any website. This renders their deployment of scripts invalidated. You may have just shut down an attack by closing a connection to a C2 server running the browser hook.

Even less sophisticated are downloads which have some form of backdoor/trojan accompanying them. You run the rogue program, it starts a connection initiating a reverse shell, or bind shell, depending on attack preferences. Reverse shell simply means it connects out as opposed to you connecting in. It will usually do this on very high port numbers because I believe these are often used by priveleged processes? The traffic can be analysed though and most frameworks hackers use can be detected fairly easily on the network. Now the attack begins. It will usually start with privelege escalation (something our conversation revolves around with UAC, which will get wrecked without fail) followed by gaining persistence ie through registry, services, startup etc. This will usually be an executable to runs at startup with highest permissions (usually NT AUTHORITY) and so it runs as the landlord of the computer.

I would say the most compromises come from emails these days. That is the biggest threat from what I can see. Depending on the attack quite a lot can be done to harden a browser and lock it down. Disabling all but a few cipher suites will ensure you're not running compromised and out dated encryption suites. Firefox for example ships with quite a few outdated and insecure cipher suites enabled. It also comes with default rollback to earlier versions of TLS which is a major concern considering earlier versions are broken. It also gives out lots of personal information upon simple probing (something a website can and is permitted to do). WebGL is a security flaw but this is enabled in a few guises by default. Another good example is blocking mixed content which can help to mitigate MiTM attacks. These are just a few examples.

UAC is not sudo for Linux. Sudo requires both a username and password depending on the permissions granted for the then current account.

That's unfair comparison with 2 different contexts:
UAC also requires username and password if you configure your system that way, using GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: don't display username at sign in

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
Enumerate administrator accounts on elevation

by default system is not configured that way, but if you use defaults on your system and then complain how defaults suck compared to unix defaults its unfair as you are comparing defaults not actual features.

If you're a standard user you'll have to either login as root or login as someone with sudo permissions and who has been added to the sudo group and/or given root through visudo.

Again you are comparing defaults not actual features, Windows Administrator can deny standard users from having access to UAC by configuring a policy in GPO:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
User Account Control: Behavior of the elevation prompt for standard users

After this administrator can create a new group and call it "sudoers" if you like just like in unix system, and add users to this group which will be allowed UAC access.

Knowing that, sudo isn't really supperior to UAC, it only takes to configure few settings.
Just because some linux defaults are more restrictive than windows defaults that doesn't make any difference for comparing security features.

And if you are referring to sudo as a command line tool that allows user from sudoers group to log in as root and do root stuff, then all this can be configured on windows machine as well.

Pretty much all average users login with an administrator account as they see themselves as the owner and therefore admin of the computer

Lack of user education does not make UAC or system features less useful or less secure, since that very same "average user" will do twice as much damage to unix system if you add him to sudoers group.

zebal said:

That's unfair comparison with 2 different contexts:
UAC also requires username and password if you configure your system that way, using GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Interactive logon: don't display username at sign in

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
Enumerate administrator accounts on elevation

by default system is not configured that way, but if you use defaults on your system and then complain how defaults suck compared to unix defaults its unfair as you are comparing defaults not actual features.


Again you are comparing defaults not actual features, Windows Administrator can deny standard users from having access to UAC by configuring a policy in GPO:

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
User Account Control: Behavior of the elevation prompt for standard users

After this administrator can create a new group and call it "sudoers" if you like just like in unix system, and add users to this group which will be allowed UAC access.

Knowing that, sudo isn't really supperior to UAC, it only takes to configure few settings.
Just because some linux defaults are more restrictive than windows defaults that doesn't make any difference for comparing security features.

And if you are referring to sudo as a command line tool that allows user from sudoers group to log in as root and do root stuff, then all this can be configured on windows machine as well.


Lack of user education does not make UAC or system features less useful or less secure, since that very same "average user" will do twice as much damage to unix system if you add him to sudoers group.

Some points I agree with. Some are speculative at best. Others are just completely wrong. The reason much of the infrastructure running our modern digital world is running on Linux based distributions comes down to the fact that Windows isn't secure enough for most tasks. It's barely secure enough for average users who just browse the internet and check email. This is just a fact. Most security professionals recommend avoiding Windows if possible. UAC doesn't take these problems away. You're getting compromised if you use Windows all day everyday. This is just a fact.

Look at this page:
CVSS Score Distribution For Top 50 Vendors By Total Number Of Distinct Vulnerabilities

Microsoft is at the top with a weighted average of severity for vulnerability at 7.5. Do you think anything that you say counteracts decades of security research into vulnerabilities across mulitple operating systems? In comparison Debian is currently ranked at number 10 with only 148 mission critical vulnerabilities. Much of their disclosures come from the fact that Debian is free and open source meaning contributions come from the community and elsewhere. This is also why Linux more secure because it's not an OS locked up in a vault that requires extensive vulnerability testing. Debian has been since time began in terms of the operating system market. Windows has... wait for it... 2240. Most disclosures for vulnerabilities in Microsoft products, especially Windows, are 9+ on a scale from 0 to 10. So let's not beat around the bush and continue to pass pleasantries about an operating system just because it's a Windows forum. The point isn't to attack Windows but to speak the truth.

When it comes down to integrated security features, this is PRECISELY what Windows lacks. If we want to cut straight to the truth security is and never will be Windows best suit. It sucks at security. There are still bugs being found in the latest versions of Windows that can be traced back to Windows 95. These bugs 9 times of 10 represent security flaws. It's a hackers paradise. Always has been. Always will be. You really need to spend time on a security forum or read a few books, study a few courses, to wake yourself up from being a blind consumer of products like Windows.

All the while I use Windows 10 and don't dislike Windows operating systems. It's the best OS for compatability and until something else comes along it's likely Windows will be king in many domains. But when you're talking about security Windows is at the bottom. UAC in any context you better know that you're only lying to yourself by telling yourself it's worth anything. It's essentially worthless in the grand scheme of things. It offers cosmetic protection. It's handy to be able to accept or deny execution of programs in whatever context but when that medium is not built into the security model of the operating system it's worthless. An operating system is only as secure as it's founding security model. Microsoft never designed Windows to be secure. Microsoft mission was to bring an operating system to the world as fast as possible in order to starch the competition at a time when the personal computer market was anyones game who could come and offer a product that would transform the environment for computer users from hobbyist projects to everyday desktop environments like we have today. They did it very effectively in a time when OS like BSD and Linux were beginning to become dominant. Their mission was to throw out what they could. If you look at the beginning of Microsoft they actually took other people's software and put their name on it. Their first OS was based on PC DOS and was in fact someone else's project they bought and then sold as their own. Both Apple and Microsoft arguably stole the idea of a desktop GUI from Xerox. Nothing you see in these operating systems are original, not in terms of foundations.

And so you're looking at an amalgamation of work that originated from all over the place and is now the operating system you use. Nowhere at this point was security the fundamental priority. But with other operating systems, this was far more important. Hence why you'll have more difficulty getting a Linux based distro to hand over keys to the castle in comparison to Windows.

I'm not hating on Windows. I thought I'd make that clear. I'm writing this message from Firefox on Windows 10. I just don't expect many things you expect to protect you to protect me but I guess that comes from education and experience.