• Secure Attention Sequence


    #94719

    OK, in previous Windows versions I always activated the Secure Attention Sequence on OTS elevation, to have users press CTRL-ALT-DEL at the admin prompt for security reasons. I would like to bring a problem to everyone’s attention, and if some of you think it is a bad idea to use SAS, well, speak up.

    ; Secure Attention Sequence on OTS elevation in gpedit
    ; Computer Configuration
    ;   Administrative Templates
    ;     Windows Components
    ;       Credential User Interface
    ;         Require trusted path for credential entry
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI]
    "EnableSecureCredentialPrompting"=dword:00000001 ; replace 1 with 0 to deactivate

    However, with Windows 10 AU (don’t know about previous versions), if you do that, the prompt often stays hidden behind other windows instead of coming to the front, so it leaves the impression that the computer froze. You need to press ALT-TAB or do something else like a CTRL-ALT-DEL to make it appear. Anybody else experienced that issue? Maybe it does the same thing in Windows 8 if the prompt is presented with the new style of Windows too, but I don’t know. One thing for sure, it doesn’t do that in Windows 7.

    • #94721

      Good question. I’ll defer to my more learned colleagues…

    • #94733

      the prompt often stays hidden behind other windows instead of coming to the front

      Though I haven’t done what you’re doing, specifically, I’ve seen a number of pop-ups not come to the front in Windows (example: File Explorer’s own “do you want to overwrite” type prompts).

      I don’t use UAC at all on my Win 10 test system, so I’m not in an easy position to test this issue for you.

      That being said, there is a setting in the registry that you can tweak that might affect your systems failing to pop things to the front. If you don’t get specific input you might try an experiment with this:

      [HKEY_CURRENT_USER\Control Panel\Desktop]
      "ForegroundLockTimeout"=dword (REG_DWORD)

      Setting the value to 0 is supposed to thwart the prevention of things popping to the top while the user is typing or otherwise using the system.

      It’s something to try…

      -Noel

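      An added audit script (not code from either poster) that reports the two settings discussed so far, the CredUI policy from the opening post and Noel’s ForegroundLockTimeout tweak, against the desired values, and applies them only with the script’s own -Apply switch. It also prints the UAC policy values the thread later mentions (EnableLUA and friends) without changing them, since SAS on elevation is meaningless when UAC is off.

      ```powershell
      # Added example, not from the thread. Run elevated; HKLM values need admin to change.
      # Registry paths and value names are the ones named in the thread; -Apply is this script's own switch.
      [CmdletBinding(SupportsShouldProcess)]
      param(
          [switch]$Apply   # without -Apply the script only reports
      )

      # Desired state: SAS required on credential prompts, and no foreground lock delay (Noel's tweak).
      $desired = @(
          @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
             Name = 'EnableSecureCredentialPrompting'; Value = 1; Type = 'DWord' },
          @{ Path = 'HKCU:\Control Panel\Desktop'
             Name = 'ForegroundLockTimeout'; Value = 0; Type = 'DWord' }
      )

      # UAC values the thread mentions, reported only, never changed here. With EnableLUA=0
      # (Noel's setup) there is no UAC elevation prompt left for SAS to guard.
      $uacPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
      $uacValues = 'EnableLUA', 'PromptOnSecureDesktop', 'ConsentPromptBehaviorAdmin', 'FilterAdministratorToken'

      function Get-RegValue([string]$Path, [string]$Name) {
          # Returns $null when the key or value is absent (policy not configured)
          $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
          if ($null -eq $item) { return $null }
          return $item.$Name
      }

      function Show-Value($v) { if ($null -eq $v) { '(not set)' } else { $v } }

      'UAC state:'
      foreach ($v in $uacValues) {
          '  {0,-30} {1}' -f $v, (Show-Value (Get-RegValue $uacPath $v))
      }

      'SAS / foreground settings:'
      foreach ($d in $desired) {
          $cur   = Get-RegValue $d.Path $d.Name
          $state = if ($cur -eq $d.Value) { 'OK' } elseif ($null -eq $cur) { 'MISSING' } else { 'DIFFERS' }
          '  {0,-30} current={1} desired={2} [{3}]' -f $d.Name, (Show-Value $cur), $d.Value, $state

          if ($Apply -and $state -ne 'OK' -and
              $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "set to $($d.Value)")) {
              if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
              New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType $d.Type -Force | Out-Null
          }
      }
      ```

      Because the script declares SupportsShouldProcess, `-Apply -WhatIf` shows which values would be written without touching the registry.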
      • #94844

        I am curious as to why you don’t use the UAC. Do you run admin or the theoretical best practice way of running limited and never allowing an in-place elevation? I would find that horribly annoying to have to disconnect and log back as admin on Windows each time I want to do something that requires more rights.

        I really enjoy reading your opinions here. You have an interesting perspective, one I would not always have for practical considerations but that I understand and respect, and that I probably would tend to in an ideal world. I find it interesting you use IE. I didn’t like IE for some specific reasons a long time ago and that made me ignore all the good reasons. I think it didn’t show the link you were going to click in the status bar or something like that.

        I find it funny you like that it starts faster and understand it is an important requirement for you how fast you get online, but to me that was due to a big annoyance: it is baked into the OS, so that sometimes it meant having to restart the OS to reinitialize IE when I could just close Firefox. When I wasn’t running on SSD, I didn’t find that so great. I think I also hated IE for lots of issues it was responsible for, although it wasn’t mandatory, like the awful ActiveX idea that gave birth to horrible banking software that would break each time IE got an upgrade. I hated the proprietary technology push, the VBScript and all those things that made lots of web sites say you need IE to see our pages. I will always be thankful to Apple for having destroyed Flash by doing exactly the opposite of the early IE, which was not supporting this proprietary technology at all on mobile, and having so much adoption that the companies had to move to more open technologies like HTML5 to address this market. I think that Edge is born of Apple too. MS realized they wouldn’t be able to rule the web and make it play by their rules, so they tried to do what they should have done much earlier.

        • #94863

          @AlexEiffel
          I tend not to use UAC too, but it is on and off.
          The reason for me is that I do a lot of tests and I don’t make any distinction between my normal machine and another machine to use for testing. When testing, I find it annoying not to have access to specific protected folders, owned in most cases by TrustedInstaller. Instead of taking ownership and modifying ACLs, I find it cleaner to leave the ACLs as they were designed by Microsoft and use an admin account without UAC, or even use the built-in Administrator, in which case UAC would no longer be relevant. For UAC to be disabled effectively starting with Windows 8, Admin Approval Mode should be disabled in policy too.
          I don’t recommend anyone to do the same, this depends on the level of confidence and specific circumstances.

        • #94864

          I cannot even imagine to use any other browser for the Catalog than IE with the required ActiveX control.
          Using another browser is just a workaround/hack built on top of the regular functionality which is based on the ActiveX control.
          And IE is not my preferred browser, but I claim to understand even the tiniest setting and Group Policy which can be configured, including the ones under each Security Zone.

        • #94865

          @AlexEiffel

          I think that Edge is born of Apple too.

          Edge is built on the same Microsoft Trident engine as IE11.

          Safari and Chrome both use the WebKit engine if I know well.

          • #94991

            Oh I didn’t mean technically, but philosophically. Apple pushed the world to drop proprietary plugins in favor of the newer open web standards.

            I meant the idea of supporting web standards better, less proprietary or platform specific features and other things that made lots of IE web sites not working on later versions of IE because they were stuck with features from the older versions. I meant the idea that sometimes you can design a website that works better and will be more future-proof than using the easy way of ActiveX or Java. I can’t count how many times we had issues after an update of Java that wasn’t properly supported by the bank or another entity having their website requiring that technology. Same with ActiveX and different versions of IE.

            I understand these things might still work better today in some instances, but maybe it is because things like the catalog wasn’t optimally designed in the first place or they couldn’t have done it better at the time, I don’t know because I don’t use it. Maybe they should have made a software to access some things instead of a website if they required a deeper connection to the OS than what a website provides, too.

            Anyway, I also understand that someone who gets really familiar with IE might like it better because of its great customization and for many other valid reasons.

    • #95009

      I am curious as to why you don’t use the UAC. Do you run admin or the theoretical best practice way of running limited and never allowing an in-place elevation? I would find that horribly annoying to have to disconnect and log back as admin on Windows each time I want to do something that requires more rights.

      I don’t use it because I’m adept enough a power user not to need it. It just gets in the way. I am at a level where I don’t need my system to protect itself from me. I need it to do what I say, when I say it – and that’s best accomplished by running with full privileges all the time.

      I disable it by setting EnableLUA to 0 in the registry. And yes, that even works with Windows 10 as long as you have no interest in Apps.

      I haven’t used UAC since the start, with Vista x64. And I haven’t destroyed anything accidentally from the start. My systems simply don’t need protection from me.

      I find it interesting you use IE. I didn’t like IE for some specific reasons a long time ago and that made me ignore all the good reasons. I think it didn’t show the link you were going to click in the status bar or something like that.

      I find it funny you like it starts faster and understands it is an important requirement for you how fast you get online, but to me that was due to a big annoyance: it is baked in the OS so that sometimes it meant having to restart the OS to reinitialize IE when I could just close Firefox.

      When I wasn’t running on SSD, I didn’t find that so great. I think I also hated IE for lots of issues it was responsible for, although it wasn’t mandatory, like the awful ActiveX idea that gave birth to horrible banking software that would break each time IE got an upgrade. I hated the proprietary technology push, the VBScript and all those things that made lots of web sites say you need IE to see our pages. I will always be thankful to Apple for having destroyed Flash by doing exactly the opposite of the early IE, which was not supporting this proprietary technology at all on mobile, and having so much adoption that the companies had to move to more open technologies like HTML5 to address this market. I think that Edge is born of Apple too. MS realized they wouldn’t be able to rule the web and make it play by their rules, so they tried to do what they should have done much earlier.

      1. I have never had a situation where I have to reboot because of something a browser did. I’ve shown various screen grabs exhibiting my months-long uptimes.

      2. I DO have alternate browsers installed because no one browser seems to get everything exactly right. However, days go by between times I have to start one of the others. I still find most things are compatible with Internet Explorer.

      3. One thing I find with IE is that the out-of-box configuration is WAY too permissive. I shut almost everything off in the Internet Zone. ActiveX is not allowed to run at all. Very nearly all of the options are shifted to more secure / more restrictive settings. I do allow scripting, though, but in its most restrictive sense.

      4. I have almost no enabled Add-ons. I don’t allow Flash, for example. Add-ons are virtually unnecessary in a practical sense (yes, thanks to the other browsers) and in fact complicate the operation of IE horrendously. Most web sites can operate with basic scripting enabled. I suspect this is a strongest reason why I find IE stable and non-intrusive.

      5. I have implemented a security environment in which I blacklist many tens of thousands of sites at the DNS level (I run a DNS proxy server in my network). And I am conscientious about what I run. As a result, most sites don’t even try to load anything in iFrames. No malware, no tracking, no ads. Great performance and stability. Livin’ the dream, baby!

      6. IE has a quite good, controllable security model. I can do things like whitelist certain sites (via the Trusted Sites zone) to allow more functionality, should the need arise. As it turns out it’s not necessary much – I have VERY few entries in that list.

      My suggestion: Don’t judge IE based on how badly it can be screwed up. Judge it on what it can be if it’s not screwed up. 🙂

      Note my entire list of add-ons (and note that most are disabled):

      [screenshot: ScreenGrab_NoelC4_2017_02_17_120438]

      [screenshot: Win81CurrentUptime]

      -Noel

      • #95020

        I missed some points above about the utility of IE…

        I think it didn’t show the link you were going to click in the status bar or something like that.

        Even though I block most, there actually ARE some Add-ons that are useful…

        Note the title bar, status bar, and search box I show in this screen grab. Those are Classic Shell and the Quero toolbar at work.

        [screenshot: ScreenGrab_NoelC4_2017_02_17_121549]

        -Noel

        • #95260

          Noel, I hope you don’t have employees, especially the creative types, as this would certainly generate a conflict… 🙂
          You are locking down way too much for my taste… and it probably is not only me…

          • #95388

            Noel, I hope you don’t have employees, especially the creative types, as this would certainly generate a conflict…
            You are locking down way too much for my taste… and it probably is not only me…

            First, I’m not sure what you mean by “locking down”. The restrictions I place, e.g., on web sites, serve to improve the odds of getting the data one is after, not “lock it down”.

            Second, I wouldn’t presume to restrict what ANYONE does. I’m not some ridiculous IT manager who feels things need to be “locked down”. I’ve worked with too many “Mordacs” in my career. My people, who are geographically diverse, have an entire book I’ve written on how to configure and augment their own Windows for productivity. Ultimately they can set up their own systems entirely the way they like. Not surprisingly, they’ve followed my lead for a lot of the setup because it really works and it improves their productivity. Some are still running Win 7 because that’s their preference.

            -Noel

      • #95071

        Very interesting. From your description I feel it is a bit like Windows in the good ol’ days. You take lots of time to figure out how to configure it to your liking instead of having a usable (or almost) product out of the box like Firefox, but then you can surf on those tweaks for a very long time as a happy user. As with Windows, a lot of the defaults are quite bad.

        You don’t have websites that don’t load because you block some domains and the ads can’t be loaded?

        It would be interesting if you published your security settings. If I could push them automatically, it would be a good thing to have as a secure alternate browser.

        As for UAC, I understand your point of view, but for me, I prefer not to run as administrator because, however careful I am, a buffer overflow could always happen if I was unlucky, and I’d rather have it in user space if there is more chance it will stay there. I kind of like UAC. It warns me when a program needs more rights than a normal user.

    • #95232

      Very interesting. From your description I feel it is a bit like Windows in the good ol’ days. You take lots of time to figure out how to configure it to your liking instead of having a usable (or almost) product out of the box like Firefox, but then you can surf on those tweaks for a very long time as a happy user. As with Windows, a lot of the defaults are quite bad.

      Exactly. For years. Couldn’t have said it better myself. I’m a tweaker at heart (look up online some time what I’ve done to improve my Corvette).

      I’ve actually been working on a “Windows 10 re-tweaker” script that gets a lot of the job done for Win 10 very quickly. That’s needed since Win 10 is re-released altogether too often.

      You don’t have websites that don’t load because you block some domains and the ads can’t be loaded?

      Surprisingly rarely. In a few cases, for example forbes.com that puts up a message saying “enable ads or you can’t see our site”, I just surf elsewhere. In actuality, with a little knowledge of how web sites work, that particular restriction can be worked around.

      I have set up, in the process that gathers the blacklist data, the ability to avoid blacklisting certain selected sites. In running this process for years I’ve only ever had to avoid blacklisting this small list of sites, for the reasons given:

      #130.211.230.53=0.0.0.0 # An invalid name entry from one of the list sites
      #a1284.g.akamai.net=0.0.0.0 # Needed to self-update Photoshop Elements
      #cdn.overclock.net=0.0.0.0 # needed to see user icons on overclock.net forum
      #hwcdn.net=0.0.0.0 # needed for PBS, FXX, and FOXNOW video access via Apple TV
      #maxcdn.bootstrapcdn.com=0.0.0.0 # needed to get page formatting on globaltuners.com
      #oimg.nbcuni.com=0.0.0.0 # Needed to watch NBC on Apple TV
      #server.iad.liveperson.net=0.0.0.0 # Needed to live chat with Comodo/InstantSSL support

      What I normally see for almost all sites is the content without the ads, tracking, malware threats.

      It would be interesting you publish your security settings. If I could push them automatically, it would be a good thing to have as a secure alternate browser.

      I’d be happy to do so… I could go through and capture my choices screen by screen I suppose. Do you know a way to share an IE configuration more easily than that?

      You might find this entire thread interesting, though make sure you read Reply #12, because that represents my current setup:

      http://win10epicfail.proboards.com/post/2284/thread

      I’ve been dabbling with the idea of turning it into a product, something like “Web Sanitizer”.

      -Noel

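      An added example (not Noel’s script) of the exception handling he describes: build a name=0.0.0.0 blacklist from gathered source lines while honouring an exception file in the commented form shown above, where a leading “#” means “do not blacklist this name” and the trailing “# reason” is ignored. The source-line format, the hostname validity rule (which also discards entries like the IP-literal one in his first line) and the function names are this example’s assumptions; the sample input is constructed.

      ```powershell
      # Added example, not from the thread. Formats and function names are assumptions.
      function Test-HostName([string]$Name) {
          # Reject IP literals and anything that is not a plausible DNS name; the
          # thread's first exception entry is exactly such an invalid name from a list site.
          if ($Name -match '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
          return $Name -match '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$'
      }

      function Build-Blacklist {
          param(
              [string[]]$SourceLines,     # raw lines: "name" or "name=0.0.0.0", '#' starts a comment
              [string[]]$ExceptionLines   # lines like "#cdn.overclock.net=0.0.0.0 # reason"
          )
          # Exception names: strip the leading '#', keep the part before '=' or a trailing comment
          $skip = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
          foreach ($line in $ExceptionLines) {
              if ($line -match '^\s*#\s*([^=\s#]+)') { [void]$skip.Add($Matches[1]) }
          }
          $seen    = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
          $out     = New-Object System.Collections.Generic.List[string]
          $dropped = 0
          foreach ($line in $SourceLines) {
              $t = ($line -split '#', 2)[0].Trim()          # drop trailing comments and blanks
              if (-not $t) { continue }
              $name = ($t -split '=', 2)[0].Trim().ToLowerInvariant()
              if (-not (Test-HostName $name)) { $dropped++; continue }
              if ($skip.Contains($name) -or -not $seen.Add($name)) { continue }   # excepted or duplicate
              $out.Add("$name=0.0.0.0")
          }
          [pscustomobject]@{ Lines = $out.ToArray(); Excepted = $skip.Count; Dropped = $dropped }
      }

      # Constructed sample input (not real list data)
      $source = @(
          '# gathered list, constructed sample',
          'ads.example.net',
          'tracker.example.org=0.0.0.0',
          'CDN.overclock.net',          # on the exception list, must not be blacklisted
          '130.211.230.53',             # not a name, dropped
          'ads.example.net'             # duplicate, emitted once
      )
      $exceptions = @('#cdn.overclock.net=0.0.0.0 # needed to see user icons on overclock.net forum')

      $result = Build-Blacklist -SourceLines $source -ExceptionLines $exceptions
      $result.Lines     # ads.example.net=0.0.0.0 and tracker.example.org=0.0.0.0
      'excepted={0} dropped={1}' -f $result.Excepted, $result.Dropped
      ```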
      • #95567

        It would be interesting you publish your security settings. If I could push them automatically, it would be a good thing to have as a secure alternate browser.

        I’d be happy to do so… I could go through and capture my choices screen by screen I suppose. Do you know a way to share an IE configuration more easily than that?

        Here’s a go at showing all the IE config options I’ve chosen for the Internet Zone…

        [screenshot: ScreenGrab_NoelC4_2017_02_18_221639]
        [screenshot: IEConfig1]
        [screenshot: IEConfig2]

        It’s important to note that these settings do not stand alone, but are part of a larger security strategy that also involves DNS-based blacklisting and the use of a firewall.

        -Noel

    • #95233

      Consider this DNS log output for a highly ad-ridden and tracking-rich site (www.cnn.com). Note all the “not found” entries – those are the blacklisted ones.

      [screenshot: ScreenGrab_NoelC4_2017_02_17_192958]

      Yet I seem to be able to see the content just fine…

      [screenshot: ScreenGrab_NoelC4_2017_02_17_193209]

      -Noel
