ANS: "What's the deal with UAC (Windows Needs Your Permission screens)" and "...But I thought I was

[Alan Simpson]

Sorry for playing loose and fast on the value judgments and product
comparisons. Let me rephrase:

"The idea is to bring security best practices to consumers who don't
understand the risks or how to protect themselves."

As a general addendum to all my posts, I'd add "If you have a product that
does what you need, and you like it better than Vista, use that product
instead of Vista".

 

[Don Short]

Q: I'm just a average user, how am I supposed to know what needs to run and
what doesn't?

 

[Chad Harris]

Read any of the the links I provided for you to spell it out and start with
the Technet and the UAC team screenshots and Jimmy Brush's excellent writeup
on his site.

CH

 

[Colin Barnhorst]

If you know you just did something (like click on an installer) then the
prompt is understandable. If a prompt just appears for no apparent reason
investigate what is trying to run. If the name of the program doesn't make
sense to you, Google it to see what it is or simply click Cancel.

 

[Jimmy Brush]

Pretty simple:

If you were doing something that involves changing files and settings on
your computer or having full access to your computer and you get a prompt,
click Allow. Examples: Changing system settings in the control panel and
changing what programs start when your computer starts.

If you are trying to run a program that isn't working quite right that needs
access to your computer, but it doesn't ask you for permission, and you
trust it to have full access to your computer, right-click it and click run
as administrator.

If you are NOT doing administrative tasks (for example, you are browsing the
internet, reading e-mail, or writing a document) and a screen pops up asking
you for permission, CLICK CANCEL. You KNOW you weren't doing anything
special - and that you weren't starting a program - so don't give anything
permission to run.

You just have to be aware of what's going on - if you know you are working
with your computer, you should expect the prompts. Most of them should say
"Microsoft Windows" as the publisher - this means that the application was
made by microsoft.

If you see a prompt with an orange or red bar at the top, and Windows tells
you that the application publisher can't be verified, CLICK CANCEL unless
you are *absolutely sure* you know what that program is.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

 

[Chad Harris]

On numerous occassions Mr. JB, I have been told (not by UAC perhaps but by
IE7) that the page is not a trusted site.

The following pages can regularly evoke this message:

The MSFT Technet Vista Team Blog

Connect
www.connect.com

I'm left with the fact that IE made by MSFT does not trust web pages made by
MSFT. Welcome to Vista.
It's a big company--no wonder there is fear of back stabbing that's worked
its ways into error messages. Adding them to trusted sites does not impact
this and trusted sites always curiously demand you to change the url to
https:// with an "s" added that is not in the url. What's up with that?

CH

 

[Jimmy Brush]

There was an issue with the connect.microsoft.com security certificate a
little while ago where MS forgot to renew their certificate (or some such).
It messed up a lot of things. Is that what you are talking about?

If not, post a screenshot of what you are talking about the next time it
happens and we will try to to figure out what its thinking.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

 

[Chad Harris]

It happens in Vista on several MSFT sites currently besides Connect, and
I'll be glad to post screenshots of the urls and the message when I run into
them soon.

There also was a ridiculous glitch that kept many people from accessing the
FTP server for a good while that required an IE tool tweak.

CH

 

[Kerry Brown]

UAC as it is currently deployed does have it's problems but hopefully most
of those will be solved before the RTM. I think the biggest obstacle is that
everyone has to get their head around the fact that there is no need to run
with administrator level access all the time. How many Linux users run as
root all the time? Only the idiots who manage to cause havoc with whatever
OS they run. Standard users in lInux can't move system files, create folders
in system folders etc. If you need to do that you use su (Run as
administrator) or logon as root (safe boot to administrator). Microsoft has
encouraged sloppy programming and sloppy security for so long that it will
be years before there is any consensus that we don't need to run as
administrator. There should be two administrator accounts with strong
passwords. One for using "Run as administrator" or booting to safe mode to
repair something. And one in case the first one gets corrupted. Every thing
else can be done as a standard user. If Microsoft set this as the default on
install it would cause much pain but it would also cause many people to
complain about programs that have no clue about security because they
wouldn't run. This would actually speed up the changeover to the better
security model.

 

[Jimmy Brush]

It happens in Vista on several MSFT sites currently besides Connect, and
I'll be glad to post screenshots of the urls and the message when I run
into them soon.
Ok.

There also was a ridiculous glitch that kept many people from accessing
the FTP server for a good while that required an IE tool tweak.

Yeah, that's still there, at least on my computer.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

 

[Jimmy Brush]

This particular error appears to be displayed by the website and not the
browser itself.

- JB

Vista Support FAQ
http://www.jimmah.com/vista/

 

[Don Short]

and just how many millions of average windows users do you think have the
time to do that?

 

[Don Short]

on many of the UAC prompts I've seen there is no reference to a program.
Furthermore, if I click on an installer I really do want it to install.. not
be questioned again whether I wanted to run it.

I know... it would be really safe if MS just asked more times... just to be
sure.. OR maybe just make it so that you can't run anything, would be real
safe then.

 

[Don Short]

yea yea, I know this! most of the people who read this newsgroup know
that... what about the other 99.9999% of people using windows?

My point which seems to have been lost is most users don't know and don't
care. MS seems to be saying "you aren't smart enough to protect your own
computer, so now we will do it for you by asking you to decide what runs on
your computer." It just makes no sense to me at all.

BTW Thank you for your clear and concise posts, they are very informative.

 

[Mark D. VandenBeg]

I have had the same issue, Len, with several different applications. The
most common one I can recall is Logitech's "Setpoint" application suite.
Unfortunately, it is up to the software developers to write their software
that does not need to run at such an elevated level. I mean, come on, this
is mouse and keyboard settings, no need for administrative level! MSFT has
been reminding the developers of this for years, now, and it seems some of
them haven't quite learned, yet.

Also, keep in the back of your mind that turning UAC off or on is system
wide and is not a user setting.

 

[Mark D. VandenBeg]

"MS seems to be saying 'you aren't smart enough to protect your own
computer, so now we will do it for you by asking you to decide what runs on
your computer.'"

Well, after reading through this and a few other newsgroups, along with
imagining the nightmares at MST and other manufacturer support centers, is
there even an argument to make against the statement?

 

[Chad Harris]

Don--

I have enough difficulty managing my time and using what time in between to
help with links and what I know to answer their questions.

I know a lot of average windows users waste a lot of their time doing stupid
things. I know most of my country can't read one news paper to be minimally
informed. If they did, they wouldn't be so damned oil dependent driving
trucks that kill a thousand people per year with a Congress that is so
bought it won't lower them until 4 years and 4000 more deaths.

I know for a fact that the vast majority of Windows users won't use the Help
in Vista or in XP to get a lot of answers they could, and never take the
time to use http://support.micrrosoft.com now with about 80 MSKBs for Vista
and thousands for XP.

I know a lot of them like to be spoonfed to an incredible degree.

CH

 

[Chad Harris]

Don --

In one of my posts, I offered ways to tweak UAC. YOu might give some of them
a try for example the settings in secpol.msc in your run box and see how
they work for you.

If you take a few minutes, on the UAC team blog, one of their technical
writers Jennifer Allen and others like Chris Corio a PM on the UAC team,
have taken time to screenshot and explain some of the basics and tips for
UAC. Some of this might save you some time.

I tried to put some useful links up.

CH

 

[Colin Barnhorst]

You will usually know from the context of what you are doing that what wants
to write to the system is expected. If you don't understand what is trying
to do the write, cancel it. In practice, that should be seldom. In those
few cases, if a filename is given note it and Google it. If there is no
filename (maybe its a process or something) and you can't think of anything
that should be doing a write, cancel and forget.

 

[Chad Harris]

From everything I've read Don, and from listening to an excellent killer
presentation from Steve Riley [MSFT] live on UAC, I think much of the
genisis of this has been that for years MSFT has taken a ton of pressure and
criticism from all fronts--users, governments, partners, ect. for tightening
security so they have decided to give you the tools and say "Here are some
powerful tools for protecting your box that used to be only routinely
available to Sys Admins and IT Managers for mid-sized to larger companies"
and we are happy to make these tools available but ball is in your court now
for using them.

The trick is to make them user friendly enough so that everyone can feel
comfortable deploying them without getting usability hurdles that make them
throw up their hands in exasperation. It can be done, and hopefully it will
be.

See:

Steve Riley [MSFT] on Security
http://blogs.technet.com/steriley/default.aspx

Steve Riley is one of the best speakers you could hear. His blog and any
presentations/articles are well worth using.

CH