I turned off UAC

Justin

Jack said:
I am going to try to explain this again. The out of the box admin
account on Vista that is given to a user or any subsequent admin account
that is created on Vista with UAC enabled is NOT a full-rights-admin
account. It's only a Standard user account, which must be escalated to
use the full-admin-rights token to do anything requiring
admin-full-rights as an administrator.


I get it.
I don't need any escalation to admin. The problem is, what if there's
some malware. Some malware named "winenhancer." The user sees the UAC
prompt "Winenhancer must access the internet!" and the user clicks on yes.
So UAC only works when the user knows everything about the PC, which is
unrealistic for a standard dumb user whose job is to type out proposals
and reports.
 
Jack the Ripper

Justin said:
I get it.
I don't need any escalation to admin. The problem is, what if there's
some malware. Some malware named "winenhancer." The user sees the UAC
prompt "Winenhancer must access the internet!" and the user clicks on yes.
So UAC only works when the user knows everything about the PC, which is
unrealistic for a standard dumb user whose job is to type out proposals
and reports.

Oh, I get it. It's not the responsibility of the dumb user to know what
he or she is dumbly clicking on as they point and click. It's their
responsibility to know the situation, but they don't and most never will.

However, network admins take that responsibility for this type of worker
by using a network proxy that only allows the users to go to approved
sites closing the attack vector and mitigating such damage, as it's their
responsibility to protect company's interest and not some office clerk,
lock them down.

Just like with Linux which has the same kind of an approval process
within its O/S, they point, click, approve and all bets are off.
But with UAC enabled when one does this, the damages are mitigated to a
certain degree as UAC protects critical areas and also not allowing the
malware to continuously run under the context of the user-admin
full-rights access token, to spread damage.

But rather with UAC enabled, the compromise runs under the context of
the admin's Standard user token, because admin user on Vista is returned
to using that token upon privileged escalation completion, and it's a
limited-rights token, which mitigates/limits damage.

Like I said, nothing is bulletproof not even god's O/S Linux, but UAC on
the MS platform is better than having nothing at all, which is the case in
fact with the previous versions of the NT based O/S platform, open by
default O/S(s), to help protect the O/S.
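
As an added example (not part of any poster's message), this PowerShell function reports which of the token states described in the post above the current process is running under. The function name `Get-UacTokenState` is hypothetical; `EnableLUA` and the SIDs are standard Windows identifiers.

```powershell
# Added example: report whether this process holds the filtered (standard-user)
# token or the full admin token. Get-UacTokenState is a hypothetical name.
function Get-UacTokenState {
    # UAC master switch: EnableLUA = 1 means admins log on with a split token.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableLUA

    # whoami lists every group SID in the token, including deny-only ones.
    # /nh plus explicit headers keeps column names stable on localized systems.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    # S-1-5-32-544 is BUILTIN\Administrators.
    $inAdmins = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    # IsInRole is true only when the Administrators SID is enabled in the token;
    # in the filtered token it is present but deny-only, so this returns false.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminLive = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Mandatory integrity label SIDs (S-1-16-<level>).
    $levels = @{ 'S-1-16-4096' = 'Low'; 'S-1-16-8192' = 'Medium'
                 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
    $labelSid = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } |
                 Select-Object -First 1).SID
    $integrity = 'Unknown'
    if ($labelSid -and $levels.ContainsKey($labelSid)) { $integrity = $levels[$labelSid] }

    if (-not $inAdmins) {
        $state = 'Standard user (not in Administrators)'
    } elseif ($adminLive) {
        $state = 'Full admin token (elevated, or UAC disabled)'
    } else {
        $state = 'Filtered token (admin account, not elevated)'
    }

    New-Object PSObject -Property @{
        User       = $id.Name
        UacEnabled = ($enableLua -eq 1)
        Integrity  = $integrity
        TokenState = $state
    }
}

Get-UacTokenState | Format-List
```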
 
Not Even Me

I run scans weekly and don't find myself infected.
Malwarebytes, Spybot Search & Destroy, Spyware Doctor, Superantispyware, and
rootkit unhooker all report no infections.
Even Trend Micro's RUBotted shows clean.
I repair computers and I have seen machines with hundreds of spyware
programs, virus, root kits, bots, you name it.
But I clean them all up or format/reinstall as necessary.
It's amazing what you can find on a machine (and successfully remove) when
you boot from a CD and scan without allowing the OS to be active.
 
Not Even Me

Jack the Ripper said:
Oh, I get it. It's not the responsibility of the dumb user to know what he
or she is dumbly clicking on as they point and click. It's their
responsibility to know the situation, but they don't and most never will.

However, network admins take that responsibility for this type of worker by
using a network proxy that only allows the users to go to approved sites
closing the attack vector and mitigating such damage, as it's their
responsibility to protect company's interest and not some office clerk,
lock them down.

Just like with Linux which has the same kind of an approval process within
its O/S, they point, click, approve and all bets are off. But with
UAC enabled when one does this, the damages are mitigated to a certain
degree as UAC protects critical areas and also not allowing the malware to
continuously run under the context of the user-admin full-rights access
token, to spread damage.

But rather with UAC enabled, the compromise runs under the context of the
admin's Standard user token, because admin user on Vista is returned to
using that token upon privileged escalation completion, and it's a
limited-rights token, which mitigates/limits damage.

Like I said, nothing is bulletproof not even god's O/S Linux, but UAC on
the MS platform is better than having nothing at all, which is the case in
fact with the previous versions of the NT based O/S platform, open by
default O/S(s), to help protect the O/S.

Real time scanning by (even free) third party programs provides (in many
cases) superior protection with less annoyance.
So why put something in the OS that just pisses many people off and is (by
MS admission) made irritating on purpose?
 
Saucy

Not Even Me said:
Real time scanning by (even free) third party programs provides (in many
cases) superior protection with less annoyance.
So why put something in the OS that just pisses many people off and is (by
MS admission) made irritating on purpose?


Didn't he just explain it to you? Re-read his post:

"But rather with UAC enabled, the compromise runs under the context of the
admin's Standard user token, because admin user on Vista is returned to
using that token upon privileged escalation completion, and it's a
limited-rights token, which mitigates/limits damage."

Combining security features such as UAC and real time scanning makes systems
more difficult to compromise both directly and indirectly [say, by social
engineering].

Saucy
 
The poster formerly known as 'The Poster Formerly

Not said:
I run scans weekly and don't find myself infected.
Malwarebytes, Spybot Search & Destroy, Spyware Doctor, Superantispyware, and
rootkit unhooker all report no infections.
Even Trend Micro's RUBotted shows clean.
I repair computers and I have seen machines with hundreds of spyware
programs, virus, root kits, bots, you name it.
But I clean them all up or format/reinstall as necessary.
It's amazing what you can find on a machine (and successfully remove) when
you boot from a CD and scan without allowing the OS to be active.

How do you get anything else done on your computer if you have to spend
so much time running all those scans?!


--
"Software is like sex, it's better when it's free."
- Linus Torvalds

DRM and unintended consequences:
http://blogs.techrepublic.com.com/security/?p=435&tag=nl.e101
 
Dave-UK

lilgto64 said:
I have turned off UAC - because I had to.

I have a couple of systems which must access a website that must
download a TIF image of a map to the local drive. I tried a number of
things to get this to work - but so far the only thing that has worked
is turning off UAC.

I can download files and save images from other websites - but for some
reason this one particular website does not work with UAC on.

Not that I am convinced that UAC is the panacea that some claim - and I
know from direct experience what a hassle virus infection can be - but
in my case - unless there is a way to get that website to work properly
with UAC on - I will have to leave it off.

I'd give you the URL - but it is a subscription only - real estate
website - so you would not be able to access the site.

I tried saving to other locations - and checked folder permissions -
etc - tried it on a Vista 64 bit and a Vista 32 bit system - no luck on
either until UAC was turned off - on XP it works fine.

How about trying the problematic website with UAC back on but with
IE in non-protected mode.
In IE, Tools > Internet Options > Security.
Clear the 'Enable Protected Mode' box.
If it works you could just disable it when you visit this one website.
(With UAC turned off you are running IE in non-protected mode permanently.)
 
kristlebawl

lilgto64 said:
I have turned off UAC - because I had to.

I have a couple of systems which must access a website that must
download a TIF image of a map to the local drive. I tried a number of
things to get this to work - but so far the only thing that has worked
is turning off UAC.

I can download files and save images from other websites - but for some
reason this one particular website does not work with UAC on.
I'd give you the URL - but it is a subscription only - real estate
website - so you would not be able to access the site.

The weird thing is that the site saves the file - or so it claims - and
even asks if you want to overwrite it if you save again - and a browser
can see the file but then errors when trying to open it - but windows
explorer and even command line simply do not see the file even with
hidden files turned on.

I tried saving to other locations - and checked folder permissions -
etc - tried it on a Vista 64 bit and a Vista 32 bit system - no luck on
either until UAC was turned off - on XP it works fine.
<snip>

As you stated, obviously, the problem isn't with UAC but with that
private website. You need to take it up with them. Simply downloading
an image does not require UAC action!

Under normal circumstances, UAC works just fine, but most die-hard
old-schoolers resist change and are put off by a little extra click for
security. If the UAC is being triggered, and you can't find the saved
file, something more is going on than just an image.
 
Saucy

Right - or if the website is trusted, put it in the Trusted Zone which does
not run in Protected Mode (at least not by default).

Saucy
 
Dave-UK

lilgto64 said:
With the site added to the trusted one and with protected mode off - the
site will not even load to the point where I can try the image download.

Perhaps you need to contact the website, see what they say about it.
 
kristlebawl

who said:
The problem is that there are too many "non-normal" circumstances in
Vista. This was one of those "good intentions, bad implementation"
things.

I agree, normal and real life are not always compatible. I prefer the
added security, but I haven't had any problems at the particular sites I
frequent. The real issue is compatibility and security. You have a
right to choose on your own computer.

Why would they change it in Win 7 if it worked well?

Because too many people complained so much that it was too hard to use
or too hard to get used to or too annoying, etc. Real power users do
not need it, but many regular home users do.

Why is it that when I am in the _admin_ acct I get asked to approve
something that takes admin permission?

Is it a custom full admin account you created yourself, or the default
limited admin account that is preset?

I'm the only user of my computer and my network is limited to shared
DSL, so I never bothered to setup either a user account or a real admin,
and I never have to login. It works for me because I'm not enough of a
power user to need higher powers.

The UAC prevents hidden malware from installing itself while we download
images, video clips, email and other innocent files, even before such
things are identified and included in the next AV update. On that
basis, it's a success, but at the cost of annoying visuals and extra clicks.

Personally, I like the added security, flaws included. :)
 
Bill Sharpe

lilgto64 said:
I have turned off UAC - because I had to.

I have a couple of systems which must access a website that must
download a TIF image of a map to the local drive. I tried a number of
things to get this to work - but so far the only thing that has worked
is turning off UAC.

I can download files and save images from other websites - but for some
reason this one particular website does not work with UAC on.

Not that I am convinced that UAC is the panacea that some claim - and I
know from direct experience what a hassle virus infection can be - but
in my case - unless there is a way to get that website to work properly
with UAC on - I will have to leave it off.

I'd give you the URL - but it is a subscription only - real estate
website - so you would not be able to access the site.

The weird thing is that the site saves the file - or so it claims - and
even asks if you want to overwrite it if you save again - and a browser
can see the file but then errors when trying to open it - but windows
explorer and even command line simply do not see the file even with
hidden files turned on.

I tried saving to other locations - and checked folder permissions -
etc - tried it on a Vista 64 bit and a Vista 32 bit system - no luck on
either until UAC was turned off - on XP it works fine.

I do think the biggest problem with UAC is the boy who cried wolf
syndrome - along with no real information in the warning - if the
warning at least included the file name that was being modified or
something that might make it more useful. But for most users it seems to
me that the habit of simply ignoring that message will lead to ignoring
the one time a year that a real problem arises (maybe more often for
some users).

I turned off UAC almost immediately after I bought my Vista computer a
year ago. With a decent firewall and anti-virus program it's not needed.

Bill
 
+Bob+

I turned off UAC almost immediately after I bought my Vista computer a
year ago. With a decent firewall and anti-virus program it's not needed.

Agreed.

It's a poorly designed band-aid solution designed to mask major
architectural security flaws in MS-Windows. It's beyond annoying and
makes it difficult for anyone but a novice to get any work done. It's
akin to their moronic file protection scheme of "bar the user from
everything except c:\users\account". More band-aids.
 
Gordon

+Bob+ said:
Agreed.

It's a poorly designed band-aid solution designed to mask major
architectural security flaws in MS-Windows. It's beyond annoying and
makes it difficult for anyone but a novice to get any work done. It's
akin to their moronic file protection scheme of "bar the user from
everything except c:\users\account". More band-aids.

But even in Linux, which is far more secure than Windows by design, the User
STILL has to provide credentials to perform system tasks....and no-one
complains about THAT...
 
Saucy

Right - UNIX and clones (which includes Linux and Mac OS X) are to all
intents and purposes the very same, i.e. they have accounts with user level
privileges and administrator level privileges. To make configuration changes
on a computer running Linux, one has to log in as "root".

UAC, especially as implemented by Windows 7, is a very good solution (perhaps
so far the best solution) to the major problem of desktop computing where
the user needs admin rights occasionally.

Saucy
 
KristleBawl

lilgto64 said:
In my case - I am the sys admin - so when I "mess with it" that is work
- installing updates - patches - new apps - routine maintenance - break
fix - etc. The posts that I made to this particular thread though are
related to a specific web app that simply does not work with UAC on -
the exported file becomes a ghost which cannot be seen. It does appear
to me that the app - or rather the browser plugin - that is doing the
file export - is likely very old code - written before Vista and UAC and
64bit etc - just occurred to me that so far I have only tried this with
IE8 - I might give it a try with Safari or other browser to see what
happens. I prefer Safari for most things that I do myself - but many of
my users and some of the sites that I need to use simply don't work as
well in other browsers as they do in IE.

There really should be an easier way for SysAdmins to toggle the UAC off
when they need to and back on for the user. Right now, you'd have to
navigate through the Control Panel to the almost hidden checkbox.

In this way, too, UAC is definitely *not* designed for knowledgeable
power users and admins. The only people that really need UAC are the
*average* home and office users, less experienced and more likely to
click "ok" on the wrong popups.
 
Gordon

KristleBawl said:
There really should be an easier way for SysAdmins to toggle the UAC off
when they need to and back on for the user. Right now, you'd have to
navigate through the Control Panel to the almost hidden checkbox.

In this way, too, UAC is definitely *not* designed for knowledgeable power
users and admins. The only people that really need UAC are the *average*
home and office users, less experienced and more likely to click "ok" on
the wrong popups.

I'm sorry, HOW much "admin" does one workstation take? In my humble
experience as a Systems Accountant in fairly large organisations - very
little! Once the machine is set up, there's not a lot to do.
 
