
Blocking UAC Bypass attacks


digip


So I lost my USB Rubber Ducky (bought at Derbycon 1, not sure where I put it after moving a few times), but I was wondering, with all these UAC bypass attacks these days, can it be blocked? I don't have a ducky to test, but even just manually typing common ducky scripts for testing, I haven't been able to bypass UAC after making some changes to beef it up a bit. Most of the time, the bypass seems to work because admin-level accounts are not, by default, required to enter a password for UAC and instead only click OK on the pop-up. However, you can change this in the Local Security Policy settings.

What I'd like to see (and maybe someone already posted this, so I could be making a duplicate point already given, and I apologize) is for someone to test this and show me that you can bypass the following settings.


Hit the Windows key, and in search type "Local Security Policy".

Now drill down to "Local Policies" > "Security Options" > UAC: Behavior of the prompt (for both admin & normal users) > change to "Prompt for credentials" on both. Now try your Rubber Ducky. Does it still bypass UAC? (It shouldn't be able to, but I haven't tested this extensively.)


Post your thoughts, and any ducky script if you find a way to bypass UAC with the above settings turned on. These are things I am going to start turning on for all machines I own and set up for others in the future. Since I can't see a way to bypass it short of remote/elevated attack channels, this should stop all HID-based UAC bypass attacks that don't run executables and work solely on keystrokes.
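The two Local Security Policy settings described above are stored as registry values under the Policies\System key, so the same hardening can be audited and applied from PowerShell. The script below is an added example and is not code from the original post or from Hak5; the value meanings come from Microsoft's documentation of the ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser settings, and PromptOnSecureDesktop is an extra setting (not mentioned in the post) that keeps the prompt on the isolated secure desktop. The function and variable names are my own.

```powershell
# Added example: audit (and optionally enforce) the UAC elevation-prompt policy
# described in the post. Registry values are the backing store for the
# "User Account Control: Behavior of the elevation prompt ..." policies.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (admins in Admin Approval Mode)
$AdminBehavior = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
# Documented meanings of ConsentPromptBehaviorUser (standard users)
$UserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-PolicyValue([string]$Name, [int]$Default) {
    # A missing value means "not configured", which behaves as the OS default.
    $v = (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Get-UacPromptPolicy {
    $admin = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5
    $user  = Get-PolicyValue 'ConsentPromptBehaviorUser'  3
    [pscustomobject]@{
        EnableLUA             = Get-PolicyValue 'EnableLUA' 1
        PromptOnSecureDesktop = Get-PolicyValue 'PromptOnSecureDesktop' 1
        AdminPrompt           = $admin
        AdminPromptText       = $AdminBehavior[$admin]
        UserPrompt            = $user
        UserPromptText        = $UserBehavior[$user]
    }
}

function Test-UacRequiresCredentials {
    # True only when UAC is on and both admins and standard users must type a
    # password: a consent-only prompt (values 2, 4, 5) can be approved by a
    # single keystroke, a credential prompt (1 or 3) cannot.
    $pol = Get-UacPromptPolicy
    return ($pol.EnableLUA -eq 1) -and
           ($pol.AdminPrompt -in 1, 3) -and
           ($pol.UserPrompt  -in 1, 3)
}

function Set-UacRequireCredentials {
    # Equivalent to the Local Security Policy change in the post, plus keeping
    # the prompt on the secure desktop. Needs an elevated session; on a domain
    # member a GPO that sets these values will override local changes.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord
}

Get-UacPromptPolicy | Format-List
if (Test-UacRequiresCredentials) {
    'UAC prompts require a password for both admins and standard users.'
} else {
    'UAC can be approved without a password; run Set-UacRequireCredentials from an elevated shell.'
}
```

Run the script as-is to audit a machine; the audit part works from a non-elevated shell because the key is world-readable. A sign-out or reboot is not needed for the prompt behaviour to change, but the new setting is only meaningful while EnableLUA stays 1, which is why the setter writes it explicitly.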


I got the same results as you. There are, of course, plenty of payloads that can be run at a non-administrator level of PowerShell/CMD, and certain privilege escalation attacks that can be done, but this does provide a very big deterrent to many of the ducky payloads you see out there right now.
