Not using the Secure Desktop?
Using Local Security Policy settings (specifically the one called "User Account Control: Switch to the secure desktop when prompting for elevation"), I can modify Vista’s behaviour when showing elevation prompts, so that the elevation dialog is simply shown as a normal window on the current desktop. I like this behaviour much better, but I’m wondering if there’s any security related reason why the so-called secure desktop is actually more secure. If you know, please tell me!
As I understand it, nothing can send messages to windows an a secure desktop (and so cannot click the buttons for you, thereby circumventing the UAC prompt), and cannot otherwise communicate with it.
It’s also one of the reasons that screensavers run in a secure desktop - so when the mouse is moved and the user is asked to log on, the login entries cannot be intercepted (and an alternative login screen cannot be shown instead of the standard GINA one)
From the point of view of this being an attack vector though, although the above will now be possible, it may probably never be used by malicious software, because 99.9% of UAC-enabled Vista machines will use the secure desktop (i.e. there is a very limited number of exposed machines - and they will likely be run by savvy people who are unlikely to run the malicious software anyway)
Personally I won’t do it though - just in case something slips through
Comment by Chris — 25/4/2008 @ 11:42 am - 3 months ago