Permissios

[Guest]

Apparently a ton of s are having "issues" with permissions, and I too, have
grown weary already of trying to get things to work properly. I cannot change
my OWN permissions, and I on't have write access, and it denies me the right
to change permissions. A lot of my online related programs won't work due to
failure to open or write to the files. mIrc being a good example......
Lets go ms, we have a issue here.....................

 

[Tony Hoyle]

Apparently a ton of s are having "issues" with permissions, and I too, have
grown weary already of trying to get things to work properly. I cannot change
my OWN permissions, and I on't have write access, and it denies me the right
to change permissions. A lot of my online related programs won't work due to
failure to open or write to the files. mIrc being a good example......
Lets go ms, we have a issue here.....................

UAC is a bit clunky (I believe there are plans to improve that though)
but an IRC application that requires admin privileges is just plain
broken. That is *not* a problem with vista.. in fact it's one of the
things that is good about it, because it'll force people to think about
security when they write code.

Complain to mIrc authors not Microsoft.

Tony

 

[Guest]

UAC is a bit clunky (I believe there are plans to improve that though)
but an IRC application that requires admin privileges is just plain
broken. That is *not* a problem with vista.. in fact it's one of the
things that is good about it, because it'll force people to think about
security when they write code.

Complain to mIrc authors not Microsoft.

Tony

Tony,
Thanks for the response, however, that was mearly and example, with the
real issue being, why can't I change my own permissions, and why don't I have
full access to everything ?

 

[Jimmy Brush]

Hello,

It is helpful to remember that in Windows Vista, even though you are running
as an administrator account, every program you run is running under a
*standard user* account, and does not have administrator-level permission.
The only way a program can get administrator-level permission is if the
application automatically prompts you for permission, or if you explicitly
give that application permission.

So ... what are the actual ramifications of this when dealing with the
filesystem? Let's take a look at the default access permissions for most
folders in windows:

- A user has read access to just about everything
- A user generally cannot write to anything outside of his profile directory
- Any user can create a folder almost anywhere in the filesystem
- The owner of a folder has full control over it and its contents
- Administrators have almost full control over just about everything

So... this means, that even though you are an running in an admin account,
all your explorer windows and programs you run (having normal user
credentials) will be able to read almost any file, but will not be able to
write anything unless it is in your profile directory, or a directory that
you created or took ownership of.

So, here's the major problem:

- Folders and files from a different windows installation probably won't
allow you to write to them, even if they're YOUR files you created from a
different version of windows.

- You will need to modify their permissions to give either Everyone full
access or your user account in Vista full access. Taking ownership of them
is NOT RECOMMENDED as you may have trouble accessing them from the other
windows installation.

- Managing your files and folders are going to be a real pain ... which
brings me to

HOW DO I MANAGE MY FILES AND FOLDERS if explorer run as a standard user ?!?!

Here's how:

- Click Start
- Type: explorer.exe
- When it shows up under Applications, right-click it and click Run As
Administrator

You now have an "administrator" explorer, kind of like a root shell in that
other operating system, that will allow you to change permissions and access
files as admin, just like in the good 'ol days.

Hope this helps!

- JB

 

[Peter M]

Not that it's any help but I have zero problems with Mirc.

 

[Fuzzy John]

Wouldn't turning off the UAC be easier to do? That will do away with just
about all annoyances for now.

 

[Jimmy Brush]

You are correct, this would work.

However, I think it's important that people understand why they are having
problems before they go about disabling things

- JB

 

[Guest]

Yes but at the same time MS should understand that if I am a user with Admin
rights then I should have 'admin rights' and not a restricted set of rights.
If we want to restrict users we set them up as standard users..we set up
admin users precisely because we want them to be able to do anything..so the
next logical step for almost everyone in here is to turn off UAC - kinda
defeats whatever anal purpose MS thoguht they were giving the world..You just
didn't think about it enough and used Security brainstroming as it's
rationale for this ..sometimes you need a bit of common sense....

 

[Larry]

UAC must be meant for people unfamiliar with using a computer. For me it was
a real pain untill I got to the section which told me what it did and how to
disable it. It did take me two days. UAC makes using ones computer very
frustrating.
LA

 

[Tony Hoyle]

Yes but at the same time MS should understand that if I am a user with Admin
rights then I should have 'admin rights' and not a restricted set of rights.

The problem is users *don't* have common sense and programmers are lazy.

XP SP2 supports the model you suggest.. and we still have everyone
running as admin all the time and lots of software not working as an
ordninary user becauase it tries to do things like write temp files into
random areas of the disk.

Initially I hated UAC, but then I've come to realize that it's the only
way - the only way to get people to work securely is going to be to
force them.

I'd go further TBH.. have the admin users have no interactive login
rights by default so UAC is the only way to do an admin task.. and I'd
remove 'run as administrator' too - apps that need admin rights should
be marked as such and preferably signed.

MS didn't decide to go that far but the halfway will make a huge
difference over the next couple of years while software producers
finally fix the security problems that they've ignored.

One thing I *do* hate is the virtualisation hack... it makes things look
like they work when they don't really, and just makes it harder to find
issues.

Tony

 

[Jimmy Brush]

Yes but at the same time MS should understand that if I am a user with

Admin
rights then I should have 'admin rights' and not a restricted set of
rights.

Absolutely. That is why you can turn this behavior off.

If we want to restrict users we set them up as standard users..we set up
admin users precisely because we want them to be able to do anything..

UAC doesn't stop you from doing anything, as long as you know what you're
doing. If it DOES stop you from doing something, then that is a bug and
should be reported.

so the
next logical step for almost everyone in here is to turn off UAC - kinda
defeats whatever anal purpose MS thoguht they were giving the world..

Most users aren't the people in this forum, and MS is doing a huge favor to
the world security-wise. I believe this is absolutely the best solution
microsoft could come up with.

Best security practice: standard user for everything, elevate when you need
admin to accomplish system administration stuff, full "root"-type admin user
should never be used.

(Most common) Windows security practice: All users run as full, unrestricted
admin

What microsoft is doing is giving us an environment that is exactly the same
as in other operating systems, following best security practice ... we
elevate when we need to do something admin, the rest of the time we run as
normal user.

And ... if you want to run as full root, it's only one checkbox you have to
uncheck! Best of both worlds...

Sure, this isn't the normal windows way of doing things ... and because this
is new to everyone that makes software, there will be ALOT of compatability
issues.

But now the most common windows user, the home user, is automatically, out
of the box, using BEST SECURITY PRACTICE instead of WORST SECURITY PRACTICE.

And most administrators I think will prefer using the elevation system once
it gets tweaked and they get comfortable with it. Most non-windows admins do
this type of administration already.

The only major drawback, besides application compatability, is working with
the filesystem.

Most people aren't familiar with the security offered by NTFS (and how much
more secure [read: complex] it is than just about any other file system),
and this will make system administration difficult. I can only hope
Microsoft changes the tools used to administer NTFS permissions to be easier
to use, because I think that would make this transition 60% better.

You just
didn't think about it enough and used Security brainstroming as it's
rationale for this ..sometimes you need a bit of common sense....

I have thought about this extensively.

I am not rationalizing anything. Lots of people here do not understand how
Windows Vista does security. I am explaining how this feature works and why
things don't work the way they did in XP.

- JB

 

[Fernando]

I totally agree with you, but there are a few things which I want to
talk about. I'm a Linux user from years and I love the security model. I
can run applications as normal user and only do admin tasks as root when
needed, so I love the new model Microsoft has implemented on Vista (read
UAC or now LUA). But, normal Windows users never take care of security
implications, mainly because the way Microsoft and software developers
had implemented the easy way to do things, where the only way to run
most software was as administrator. So in my opinion this new security
model will be hard to understand by old windows users, but it's the only
way to go. Also, I hope Microsoft doesn't allow to disable UAC, and
force software developers to write proper code, Who need to run a game
as administrator anyway? Why a user wants to get full access to system
folders? A lot of viruses, trojans horses and malware were written to
take full advantage of users running whith admin privileges, and this in
part is because the default user account after setup was created with
admin rights. So I think Microsoft is going the right way about
security, and old windows users need to change their mind too.

Fernando


Jimmy Brush escribió:

Yes but at the same time MS should understand that if I am a user with
Admin
rights then I should have 'admin rights' and not a restricted set of
rights.

Absolutely. That is why you can turn this behavior off.

If we want to restrict users we set them up as standard users..we set up
admin users precisely because we want them to be able to do anything..

UAC doesn't stop you from doing anything, as long as you know what
you're doing. If it DOES stop you from doing something, then that is a
bug and should be reported.

so the
next logical step for almost everyone in here is to turn off UAC - kinda
defeats whatever anal purpose MS thoguht they were giving the world..

Most users aren't the people in this forum, and MS is doing a huge favor
to the world security-wise. I believe this is absolutely the best
solution microsoft could come up with.

Best security practice: standard user for everything, elevate when you
need admin to accomplish system administration stuff, full "root"-type
admin user should never be used.

(Most common) Windows security practice: All users run as full,
unrestricted admin

What microsoft is doing is giving us an environment that is exactly the
same as in other operating systems, following best security practice ...
we elevate when we need to do something admin, the rest of the time we
run as normal user.

And ... if you want to run as full root, it's only one checkbox you have
to uncheck! Best of both worlds...

Sure, this isn't the normal windows way of doing things ... and because
this is new to everyone that makes software, there will be ALOT of
compatability issues.

But now the most common windows user, the home user, is automatically,
out of the box, using BEST SECURITY PRACTICE instead of WORST SECURITY
PRACTICE.

And most administrators I think will prefer using the elevation system
once it gets tweaked and they get comfortable with it. Most non-windows
admins do this type of administration already.

The only major drawback, besides application compatability, is working
with the filesystem.

Most people aren't familiar with the security offered by NTFS (and how
much more secure [read: complex] it is than just about any other file
system), and this will make system administration difficult. I can only
hope Microsoft changes the tools used to administer NTFS permissions to
be easier to use, because I think that would make this transition 60%
better.

You just
didn't think about it enough and used Security brainstroming as it's
rationale for this ..sometimes you need a bit of common sense....

I have thought about this extensively.

I am not rationalizing anything. Lots of people here do not understand
how Windows Vista does security. I am explaining how this feature works
and why things don't work the way they did in XP.

- JB

 

[Guest]

Ha ha ok...maybe I am generalising but admin rights should ONLY be given to
people who know what they are doing or at least understand the consequences
and are pretty switched on about ( like I think I am). I think your vision is
a bit more draconian than I could ever subscribe to but fair do's. I don't
think it's lazy programmers either just bad programmers......

Common sense is still a wonderful thing to have and work to...

 

[Larry]

UAC must be meant for people unfamiliar with using a computer. For me it
was a real pain untill I got to the section which told me what it did and
how to disable it. It did take me two days. UAC makes using ones computer
very frustrating.
LA