A security proposal to Microsoft, something like UAC, but for the network

Remember UAC (User Account Control)? It has been a part of Windows since Vista, but when it was first introduced, it caused quite a stir.

People did not like it because it was way too annoying. It kept pestering users for everything that required system access and elevation of privileges.

Anyway, the now refined UAC is a part of Windows and everyone seems to be fine with it, although its defaults can be changed from the Control Panel, if we so wish.

OK, here is my proposal. Lots of hacking tools and attacks are based on the fact that Windows computers automatically send their credentials (computername, username, Kerberos ticket, password hash, what have you) to servers, in order to seemingly access their services.

So, these hacking tools and attacks gather these credentials and then use them as they are or try to further crack them.

This problem gets worse because this behavior does not occur only inside the LAN.

To understand this last statement, please refer to:
Researchers show how to steal Windows Active Directory credentials from the Internet

Here is what I propose to Microsoft: stop the automatic behavior of credential sending. Or, rather, when Windows is about to send credentials, warn the user and pause the process until the user accepts.

This is exactly how UAC behaves for things that mostly pertain to the computer. And, just as UAC permits the alteration of its behavior from the Control Panel, the same can happen to this “network UAC” that I propose.

And of course, as UAC became less annoying as time went by, the same will happen to the “network UAC”. For example, when a user logs in, Windows will know that the user has just input her credentials, so she knows she is about to access her logon server, so there is no need to block the process with a “network UAC” here.
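
The gate proposed above, sketched as an added example (not the author's code and not a Windows API): the class, level names and host names are hypothetical, and `ask_user` stands in for the consent dialog. It models the pause-until-accepted behavior, the adjustable level and the logon-server exemption.

```python
# Added illustration: a toy model of the proposed "network UAC" gate.
# Every name here is hypothetical; nothing below is a real Windows interface.
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):          # plays the role of the UAC slider in Control Panel
    ALWAYS_PROMPT = 2       # ask before every send, except to the logon server
    PROMPT_UNKNOWN = 1      # ask only for servers the user has not approved yet
    NEVER_PROMPT = 0        # current behaviour: credentials are sent silently


def _norm(server: str) -> str:
    # Host names are case-insensitive and may carry a trailing root dot.
    return server.lower().rstrip(".")


@dataclass
class NetworkUac:
    level: Level
    logon_server: str                       # server the user just logged on to
    approved: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def needs_prompt(self, server: str) -> bool:
        if self.level is Level.NEVER_PROMPT:
            return False
        # The user has just typed her credentials for the logon server,
        # so the exemption described in the post applies.
        if _norm(server) == _norm(self.logon_server):
            return False
        if self.level is Level.ALWAYS_PROMPT:
            return True
        return _norm(server) not in self.approved

    def send_credentials(self, server: str, ask_user) -> bool:
        """Hold the send until ask_user(server) answers True or False."""
        key = _norm(server)
        if self.needs_prompt(server):
            if not ask_user(server):
                self.audit.append(("blocked", key))
                return False                # nothing leaves the machine
            self.approved.add(key)          # remembered for PROMPT_UNKNOWN
        self.audit.append(("sent", key))
        return True
```
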

About Dimitrios Kalemis

I am a systems engineer specializing in Microsoft products and technologies. I am also an author. Please visit my blog to see the blog posts I have written, the books I have written and the applications I have created. I definitely recommend my blog posts under the category "Management", all my books and all my applications. I believe that you will find them interesting and useful. I am in the process of writing more blog posts and books, so please visit my blog from time to time to see what I come up with next. I am also active on other sites; links to those you can find in the "About me" page of my blog.