different between uac admin and standard user

[Marc Winston]

Hi all,

earlier i workes with a standard user account and if i need
administrator privilegs i logged on as an administrator directly or use
runas to start the application as an administrator.
I think this is the same security option like UAC. An administrator work
under a standard user account and will be asked if he really want
to be work as an administrator.
I read some articles but i do not understand the big security story
behind of uac.
Many users have got problems with uac and search a way to disable it or
they klick ok on the security question without thinking. Is this the
right way?

 

[Matt I.]

UAC works like this. When a user logs on, they are just that, a user. As if
it were Windows XP and they were (rarely) not an admin account. The only
thing is that the user account has the ability to become an admin account
for a length of time. This is what UAC does. When a program is ran that
requires you to be an admin (changes some system settings or something) UAC
will usually detect it and prompt you to switch to being an admin just to
run that program. The problem, however, is that since almost all home users
of Windows XP were admins, program makers simply did not care about making
their programs runnable on a user privledged account. That is why certain
programs ask for admin. Some people don't see the security in this. Under
XP, anything that you downloaded, ran, etc. was running as an administrator.
Therefore, if you happened to get some spyware, adware, etc. it could access
all setting, system files, etc. Now, anything that isn't a program you
explicitly choose to run as an admin is not, therefore blocking those bad
things I mentioned before from changing system settings or accessing system
files. Like I said, many people don't understand the importance of it, how
it will prompt you less as you use things more, how it will prompt you less
as more Vista-Compatable programs come out, and how it secures their
computer in a method that was started in the *nix OSes (and later copied by
Mac.) All that those people see is the fact that they have to move their
mouse to the "continue" button after reading a scentence. They feel that
that is too much for them, so they break down and cannot handle how tough
the job is. . Any more questions?

 

[Puppy Breath]

Well done Marc. Also some things to consider:



1) Once you're done configuring the system, you'll rarely see UAC prompts. I
can go days without seeing them. I only see them when I install an app or
click a shielded item in Control Panel.



2) You can press Enter rather than click OK or Continue.



3) The whole point of being able to elevate from a Standard account is so
that you don't have to log out then into an admin account to do one small
thing. You can stay in your safer Standard account and just elevate on the
fly. This is a well-know security best-practice that professionals have
known about and followed for years.



4) If you don't password-protect the admin account, you won't need to enter
the password every time you elevate from a standard account. Just hit Enter
or click the button to proceed. You really only need to password-protect the
admin account if you're using parental controls or some other means of
preventing other users from having too much freedom on the system.



Current thinking is that all systems should ship with widely-known and
accepted security best practices already in place, whether users like it or
not. Partly because professionals now consider trying to train users about
security is a waste of time (this article "Security expert: User education
is pointless" started quite the debate):



http://news.zdnet.com/2100-1009_22-6125213.html



But more so, it just makes sense to make security best practices the default
setting. When Windows XP first shipped it had a built-in firewall. But it
was off by default. So nobody knew about or turned it on. When the blaster
and some of the other big worms hit, they took advantage of that ignorance
and infected millions of computers. (All hackers prey on human ignorance
more than anything else). Had the firewall just been turned on by default,
those worms wouldn't have caused nearly so much damage.



Microsoft knows good an well that the average end user if going to turn off
UAC the moment they see the option or get someone to tell them how to do it.
But, that's no reason to leave UAC out of an OS. Some people drive without
seatbelts too. But that's no reason for car manufacturers to stop putting
seatbelts in cars.