proposed changes to UAC mechanism, RunAs, and documentation

  • Thread starter Thread starter stumppc
  • Start date Start date
S

stumppc

Hello -

Someone please forward the comments below to people working on Vista Service
Pack 2:

The "Run as Administrator" option that appears when you right-click on a
shortcut or program should be changed in Vista to say "Run Elevated as
Current User". The Run As Administrator doesn't prompt for credentials in
instances where a Local Admin is already logged in, breaking the
functionality of "Run As" as it was previously created and used in XP/2000.
If anything, Vista should have "Run Elevated as Current User", "Run Elevated
as Different User", and "Run Standard as Different User" options instead of
the current Run as Administrator. What if you are a power user - the "Run as
Administrator" option may need to be used by that user - that is very
confusing to the user since they are not an administrator.

Vista's UAC implementation does not take into account or allow
administrative scripts to operate as they have in the past. I do not like any
of the current options for getting around UAC controls/prompts that stop or
break administrative scripts based on batch/vbs/wsh/AutoIT/KiXtart/etc. There
needs to be a straightforward method for people to execute administrative
scripts without turning off UAC. These scripts need to be able to run
administrative functions with elevated privileges without UAC prompts. Most
SMB organizations will not buy add-on (think MS SMS) or third party tools to
repackage, rewrite, sign, or execute their current administrative automation
under Vista. Only allowing signed content to run/install is not a fix of any
sort - malware writers will just start digitally signing their stuff. Also,
for most organizations only allowing installs/scripts to happen from certain
locations is just not possible.

How about a new default user group in Windows like this: Local group with
automatic, silent UAC elevation? This way UAC is left intact and
administrators can choose which accounts can silently elevate their
privileges. This group should also have some security event log auditing
turned on by default.

We need two classes of accounts - those that silently elevate their
privileges and those that do not. Accounts with the silent elevation
privilege may not even be Local Admins or Domain Admins, but with special,
custom privileges instead. Just silently elevating all Local Admins is a bad
practice that diminishes the usefulness of UAC greatly. Unfortunately that is
the best option for most admins right now.

I notice several deficincies in Microsoft documentation about UAC posted
online:

There appears to be no differentiation between Local Administrator and
Domain Administrator. There is clearly different behavior with MMC tools and
similar for users who are not Domain Admins and Local Administrators at the
same time. If you are logged in as a Local Admin but not a Domain Admin you
have to revert to things like invoking RUNAS from the CMD prompt to properly
run your MMC tools.

There is very little info about users who have rights more than a standard
user but less than a Local Admin, like power user. The document does not note
the fact that any user who logged in with privileges higher than standard
user appears to receive two tokens too and UAC applies in that instance as
well.

Thanks for listening,

James
MCSE +Security Server 2003, XP
CompTIA Security+

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/communitie...b1&dg=microsoft.public.windows.vista.security
 
You're barking up the wrong tree. Try here:
https://feedback.windowsvista.micro...pport.microsoft.com/gp/cp_vista_master&scrx=1


stumppc said:
Hello -

Someone please forward the comments below to people working on Vista Service
Pack 2:

The "Run as Administrator" option that appears when you right-click on a
shortcut or program should be changed in Vista to say "Run Elevated as
Current User". The Run As Administrator doesn't prompt for credentials in
instances where a Local Admin is already logged in, breaking the
functionality of "Run As" as it was previously created and used in XP/2000.
If anything, Vista should have "Run Elevated as Current User", "Run Elevated
as Different User", and "Run Standard as Different User" options instead of
the current Run as Administrator. What if you are a power user - the "Run as
Administrator" option may need to be used by that user - that is very
confusing to the user since they are not an administrator.

Vista's UAC implementation does not take into account or allow
administrative scripts to operate as they have in the past. I do not like any
of the current options for getting around UAC controls/prompts that stop or
break administrative scripts based on batch/vbs/wsh/AutoIT/KiXtart/etc. There
needs to be a straightforward method for people to execute administrative
scripts without turning off UAC. These scripts need to be able to run
administrative functions with elevated privileges without UAC prompts. Most
SMB organizations will not buy add-on (think MS SMS) or third party tools to
repackage, rewrite, sign, or execute their current administrative automation
under Vista. Only allowing signed content to run/install is not a fix of any
sort - malware writers will just start digitally signing their stuff. Also,
for most organizations only allowing installs/scripts to happen from certain
locations is just not possible.

How about a new default user group in Windows like this: Local group with
automatic, silent UAC elevation? This way UAC is left intact and
administrators can choose which accounts can silently elevate their
privileges. This group should also have some security event log auditing
turned on by default.

We need two classes of accounts - those that silently elevate their
privileges and those that do not. Accounts with the silent elevation
privilege may not even be Local Admins or Domain Admins, but with special,
custom privileges instead. Just silently elevating all Local Admins is a bad
practice that diminishes the usefulness of UAC greatly. Unfortunately that is
the best option for most admins right now.

I notice several deficincies in Microsoft documentation about UAC posted
online:

There appears to be no differentiation between Local Administrator and
Domain Administrator. There is clearly different behavior with MMC tools and
similar for users who are not Domain Admins and Local Administrators at the
same time. If you are logged in as a Local Admin but not a Domain Admin you
have to revert to things like invoking RUNAS from the CMD prompt to properly
run your MMC tools.

There is very little info about users who have rights more than a standard
user but less than a Local Admin, like power user. The document does not note
the fact that any user who logged in with privileges higher than standard
user appears to receive two tokens too and UAC applies in that instance as
well.

Thanks for listening,

James
MCSE +Security Server 2003, XP
CompTIA Security+

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.
http://www.microsoft.com/communitie...733b1&dg=microsoft.public.windows.vista.secur
ity
 
Thanks - I looked all over for that link and could not find it for some
reason. Would you believe it only allows for a 1000 character submision?
Whoever made that feedback submission page makes MS look like they don't
really want to hear from users...
 
Thanks - I looked all over for that link and could not find it for some
reason. Would you believe it only allows for a 1000 character submision?
Whoever made that feedback submission page makes MS look like they don't
really want to hear from users...

Split your submission into smaller bits... like only one suggestion
per submission.

DUH!
 
Back
Top