A few UAC questions

I've got a few questions on effectively using UAC as I'd rather not disable it
(tempting as it is most days).

1) Is there a way to 'mark' a program as safe? I use a few older programs
all day long and each one is bringing up the UAC prompt - I assume because
they're keeping user files in Program Files. Is there a way to stop the UAC
prompt for just those programs?

2) Is there a way to easily elevate programs from the run window? As in put
/admin or something after the program name? I use the Windows key + R
shortcut for pretty much everything but it removes the efficiency if I can't
change a program to admin easily from there.

3) Non-UAC - I'm constantly having problems moving and copying files - It
crashes halfway and the cancel button won't work, it takes hours to move
files between locations on the same drive, etc... I've had to go back to
moving files from command prompt, and as much as I love reliving 1989, I'd
really like to fix this. Is this a known issue or am I all alone on this?

4) Assuming everything above is a no, I need to disable UAC as I'm pretty
much a keyboard only user and do not have the time for all the prompts I come
across in a day. So, is there a way to tell the security centre to ignore
UAC? Similar to the way you can tell OneCare to ignore its 'backup' section?
I like the security centre as it tends to give me useful reminders, but if
it's red all the time for UAC, then it is effectively useless.

5) Lastly, if the answer to any of the above questions is a no, are there
plans to add / fix these features anytime soon? I'm really enjoying Vista,
but as an admin I really need it to tone down its warnings, and it seems all
the options to do that existed in past versions are gone, so you either deal
or disable UAC, there is no in-between, and I would really like one.

Thanks for your help,

Ryan
 
rehoult said:
I've got a few questions on effectively using UAC as I'd rather not disable it
(tempting as it is most days).

1) Is there a way to 'mark' a program as safe? I use a few older programs
all day long and each one is bringing up the UAC prompt - I assume because
they're keeping user files in Program Files. Is there a way to stop the UAC
prompt for just those programs?

No. Doing so would incur an unacceptable loss in security.

2) Is there a way to easily elevate programs from the run window? As in put
/admin or something after the program name? I use the Windows key + R
shortcut for pretty much everything but it removes the efficiency if I can't
change a program to admin easily from there.

You can from the start search bar (instead of Windows + R, just hit
Windows and start typing). Press and hold Right-CTRL, Right-Shift, and
then enter to run the program elevated.

3) Non-UAC - I'm constantly having problems moving and copying files - It
crashes halfway and the cancel button won't work, it takes hours to move
files between locations on the same drive, etc... I've had to go back to
moving files from command prompt, and as much as I love reliving 1989, I'd
really like to fix this. Is this a known issue or am I all alone on this?

Slow file operations are a known issue and hopefully this will be
addressed in the upcoming SP1 release.

4) Assuming everything above is a no, I need to disable UAC as I'm pretty
much a keyboard only user and do not have the time for all the prompts I come
across in a day. So, is there a way to tell the security centre to ignore
UAC? Similar to the way you can tell OneCare to ignore its 'backup' section?
I like the security centre as it tends to give me useful reminders, but if
it's red all the time for UAC, then it is effectively useless.

It's all or none, AFAIK. You either get notifications or you don't.

5) Lastly, if the answer to any of the above questions is a no, are there
plans to add / fix these features anytime soon? I'm really enjoying Vista,
but as an admin I really need it to tone down its warnings, and it seems all
the options to do that existed in past versions are gone, so you either deal
or disable UAC, there is no in-between, and I would really like one.

There are in-betweens but they are all very insecure. The prompt is very
useful and you get a lot of benefits from it that aren't obvious.

You shouldn't be getting prompts unless you are doing admin stuff. If
you are using a legacy program that is requiring admin power that
shouldn't, that is unfortunate, but it's really up to the dev of the
program to fix.

Turning off or weakening security features to allow a misbehaving app to
be less annoying isn't worth the cost IMHO, but you may consider things
differently. In any case, I don't recommend changing the default UAC
settings, but the links another poster responded with will tell you how.

Thanks for your help,

Ryan

- JB
 
rehoult said:
4) Assuming everything above is a no, I need to disable UAC as I'm pretty
much a keyboard only user and do not have the time for all the prompts I come
across in a day.

When I'm doing a series of admin tasks, I tend to keep an elevated
PowerShell window open. To make it very obvious that the window has elevated
privileges my admin windows have a red background (instead of the normal
blue).

This post explains how to automatically set the background:
http://www.interact-sw.co.uk/iangblog/2007/02/09/pshdetectelevation
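
A PowerShell profile snippet for the red-background approach described above, as an added example that is not code from this thread or from the linked post. The function name `Test-IsElevated`, the colors and the title prefix are assumptions chosen for illustration.

```powershell
# Added example: place in the PowerShell profile ($PROFILE) so it runs in every new console.

function Test-IsElevated {
    # Under UAC, a non-elevated admin session holds a filtered token in which
    # the Administrators group is deny-only, so IsInRole returns $false there
    # and $true only in a window that was actually started elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (Test-IsElevated) {
    $raw = $Host.UI.RawUI
    $raw.BackgroundColor = 'DarkRed'   # assumed color; the post only says "red"
    $raw.ForegroundColor = 'White'
    # Mark the title bar too, so the window is identifiable from the taskbar.
    $raw.WindowTitle = "[ELEVATED] $($raw.WindowTitle)"
    Clear-Host                         # repaint the whole buffer with the new background
}
```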
 
Hi Jimmy,

First, sorry for asking my first question before, I was tired and clearly
didn't look hard enough for the other posts about it. I imagine the question
gets old after a while. Also, your answers to the other questions were right
on.

However, I did want to make a comment on your answer regarding the ability
to mark a program as safe:
"No. Doing so would incur an unacceptable loss in security."

While it might be a step down from full UAC, I think it's 100 steps up from
disabling UAC, which is what I and many other people have decided to do. The
examples such as allowing admin level cmd without authorization are very
valid and dangerous; however, could there not be an in-between where programs
that come with Windows (and hence, are written properly) can't have the flag
set? By this, I mean that programs which are asking for admin access because
they are designed to alter the system shouldn't be able to be overridden; but
older programs which are being forced to ask for access because they use the
program files folder in ways they shouldn't (or other similar crap coding
techniques) could be overridden. I'd also argue for not including the option
as part of Windows so that most users don't even know about it; make it a
downloadable change from Microsoft so that only those that need it take the
time to download it.

It would be less secure, but I would argue not much, as designing a virus
that can scan for any program which has access admin with a prompt, and able
to correctly interface with said unsecure program to execute system altering
code is not something for the meek.

My interest doesn't lie in making UAC useless, but in providing a better
experience for me and the customers I support who use proprietary software
which is no longer supported; which means that having the dev fix it is not
an option. Neither is upgrading, as (for example) there are not many options
when it comes to practice management software that is customized for
optometrists. Teaching them that they need to constantly click 'ok' to run
their programs removes the security UAC provides anyways as the box becomes
nothing more than a common activity; they will always click ok. While a CS
grad might notice when the box shouldn't be appearing and click no, the
front-line beginner users won't.

Again, I'd like to point out that I agree none of this is Microsoft's fault;
it is entirely caused by coders not paying attention for the last 5 years
while Microsoft has been telling them to change their habits. But, they are
in a position to make the transition easier for millions of users who are
currently at the mercy of companies that don't want to upgrade their old
software (Even major companies such as Intuit are refusing to fix software
released mere weeks before Vista RTM). Until they do, I'm stuck recommending
that my clients stay with XP until they can find replacement software, and I
don't see how that's better for Microsoft or security in general as it
doesn't have UAC or the loads of other security advantages of Vista.

Ryan
 
rehoult said:
Hi Jimmy,

First, sorry for asking my first question before, I was tired and clearly
didn't look hard enough for the other posts about it. I imagine the question
gets old after a while. Also, your answers to the other questions were right
on.

Hello,

Actually, I enjoy revisiting these questions every now and then. They
are fun to think about. :)

could there not be an in-between where [...]
programs which are asking for admin access because
they are designed to alter the system shouldn't be able to be overridden; but
older programs which are being forced to ask for access because they use the
program files folder in ways they shouldn't (or other similar crap coding
techniques) could be overridden. I'd also argue for not including the option
as part of Windows so that most users don't even know about it; make it a
downloadable change from Microsoft so that only those that need it take the
time to download it.

You bring up a great point. I'm not sure if there's really a
well-defendable right or wrong answer here, so I will just share my
thoughts and opinions.

So... how to deal with legacy programs? They don't fit inside of a
modern least-privileged environment. They do admin stuff when they don't
need to. Do we give them a break, and let them "just run" with admin
power as an advanced option, perhaps even a well-hidden option buried
where those who would not understand it would not find it? Or do we stay
hard and fast with the model?

Well, Microsoft has certainly decided to break their model as an option
in other scenarios. For example, one can always allow elevation inside
of an admin account instead of prompting -- for EVERY program -- this is
obviously more insecure than what you talk about, and yet it can be
done, albeit it is hidden very well, especially for home users.

I would point out that MS has done a lot to make legacy programs that
expect admin power work correctly WITHOUT it - thru virtualization. And
some legacy programs do legitimately need admin power, and would need
admin power even if they were Vista compliant.

But, virtualization doesn't work in all cases, so there will inevitably
be some programs that need admin power when they really shouldn't.

Your constraints are reasonable. Legacy programs only. Only if the user
turns on the feature. A security risk? Yes. But if you really take the
time to analyze what the program does when it starts up, what
files/registry keys it reads, etc, you can get a pretty good idea of
what the specific risks are, and create a plan that addresses, or at
least monitors, those risks.

So why wasn't it done like this? Even as just a little something special
to supplement virtualization for the people who need it when
virtualization doesn't work for them?

I have no idea what the actual reason was. If I had to guess, perhaps
they thought the number of people that would benefit from it when used
correctly would be too small to justify implementing it.

But here's the scenario that personally bothers me with such a feature:

It offers an easy, naughty way out to software developers who want to
push out their new software as Vista-compliant without actually making
it Vista-compliant. A "get out of UAC free" card.

All they would have to do is design their installer (which runs
elevated) to change the special setting or, if it is a downloadable
component, to download the setting change installer and run it in silent
mode. Then, they just make their application look like a legacy program
to the OS, and add it to the list of allowed programs.

This would go undetected by the user, as everything else would prompt as
normal, except for the "bad apps" that do this, which would appear to be
Vista-compliant non-admin apps, when in fact they are not - they are
silently running as admin.

This could potentially undermine UAC in a couple of ways.

Firstly, if popular enough programs did this and it caused one to be
exploitable because of this setting change, the security of UAC would be
diminished both in fact (for the afflicted users) and in the minds of
people in general, since Microsoft and UAC would be blamed.

And secondly, if enough programs did this, UAC itself would fail in a
much broader sense, as it only works if programs end up being programmed
against the new model.

It's kind of like how many devs "get around" the driver signing prompt
for unsigned drivers on XP by faking a mouse click on the 'continue'
button so users never see the prompt. Nobody benefits here (except
possibly the developers) - users get potentially unstable drivers, have
no way to tell when they are being cheated, and Microsoft looks bad.

There are many more software devs out there than driver devs. If driver
devs actually do this, I shudder at the thought of the volume of
software devs that would do something sneaky like this.

Since all the other "security tweaks" UAC offers essentially turn off
UAC in a very noticeable fashion (the UAC prompts completely disappear),
it is much less likely that devs will use those as a way out.

It would be less secure, but I would argue not much, as designing a virus
that can scan for any program which has access admin with a prompt, and able
to correctly interface with said unsecure program to execute system altering
code is not something for the meek.

They will adapt, of course; I would rather make them work for their
money by searching for those hard-to-find technical exploits, than
letting them get by with exploiting a flaw in the security model :).

Of course, if not a lot of people used the option you talk about, then
it's kind of a moot point, as it would be unlikely that a majority of
malware would take advantage of a flaw that only exists on a minority of
computers.

Teaching them that they need to constantly click 'ok' to run
their programs removes the security UAC provides anyways as the box becomes
nothing more than a common activity; they will always click ok. While a CS
grad might notice when the box shouldn't be appearing and click no, the
front-line beginner users won't.

Actually, I would argue that for UAC, this isn't the case.

Users should expect and get used to clicking on a prompt when they run
an admin program.

Just like on *nix how you would expect to get prompted for your password
when you run an admin program. Even though you are constantly being
asked to repeatedly perform this action (click a button or enter your
password), it is always at your request, so the thing the prompt is
guarding against (an unexpected, out-of-nowhere, or unusual/incorrect
prompt) is still obvious.

Users just need to recognize that the prompt hasn't changed for that
program since the last time they ran it. This is pretty easy to do since
the prompt is so small and easily scanned, and does not require any
technical knowledge.

The prompt is designed so that in almost all cases, if something tries
to impersonate a prompt or replace a program with a malicious one, the
prompt will look different, and in many cases, significantly different.

*nix doesn't have that benefit, and this is one reason why I think UAC
is more secure than the *nix sudo model, at least in this regard.

Until they do, I'm stuck recommending
that my clients stay with XP until they can find replacement software, and I
don't see how that's better for Microsoft or security in general as it
doesn't have UAC or the loads of other security advantages of Vista.

Ryan

Excellent point. This is a tough, nasty issue :).

- JB
 
An additional idea, I like to use SrvAny to run Task Manager as Local System.
Then I go to the Interactive Services Window, log off all users, choose New
Task, and run Explorer.exe. So far, it seems I'm able to do pretty much
whatever I need from there.
 