Of course you should be careful inserting random USB devices. Apart from USB HID attacks, they could perform other attacks like DMA ones.
To help preventing automated UAC elevation, you can make it harder to activate UAC by requiring a password. I think the below registry trick and policy is supported as of Windows 7, but it could be more recent (i.e. Windows 8.1).
The video below shows the trick, but does not document it in text. So here we go [WayBack] Windows doesn’t ask for your password when changing settings – Windows 10 Forums
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f
(A more elaborate batch file with lots more hardening is at [WayBack] Win 10 edits · GitHub)
The registry trick is especially useful for Home editions of Windows which do not allow you to run the Security Policy control panel applet secpol.msc.
The first two values explained at [WayBack] How to configure Windows UAC prompt behavior for admins and users – gHacks Tech News:
ConsentPromptBehaviorAdmin
This key defines the User Account Control behavior for system administrators. The default value is set to prompt but do not require credentials to be entered. Here are all possible values:
- 0: A value of 0 allows administrators to perform operations that require elevation without consent (meaning prompts) or credentials (meaning authentication).
- 1: A value of 1 requires the admin to enter username and password when operations require elevated privileges on a secure desktop.
- 2: The value of 2 displays the UAC prompt that needs to be permitted or denied on a secure desktop. No authentication is required.
- 3: A value of 3 prompts for credentials.
- 4: A value of 4 prompts for consent by displaying the UAC prompt.
- 5: The default value of 5 prompts for consent for non-Windows binaries.
ConsentPromptBehaviorUser
- 0: A value of 0 will automatically deny any operation that requires elevated privileges if executed by standard users.
- 1: The value of 1 will display a prompt to enter the username and password of an administrator to run the operation with elevated privileges on the secure desktop.
- 3: The default value of 3 prompts for credentials on a secure desktop.
The changes should take effect immediately. You can for instance set the admin behavior to 0 so that no prompts are displayed, and user behavior to 0 as well to prevent them from running operations that require elevated privileges.
Related:
Read the rest of this entry »
Like this:
Like Loading...
The Wiert Corner - irregular stream of stuff 