turn off user account control

[Jack the Ripper]

Another possibility is that the developers might not be using the least
privileges that their software needs and instead required Administrator
privileges.

Then it's not Vista compliant software. And mostly, what is requiring
admin rights to run is old legacy COM solutions.

http://www.developer.com/net/net/article.php/3695651

One of the requirements of Vista compliant software is that it only
needs Standard user rights to execute.

 

[Mark H]

Your assumption is that Vista is the dominant, or only OS out there. It is
not. There is no reason to be Vista compliant if the majority of users are
still on XP or 2K. As a result, a larger portion of the less branded
software, and company specific software, is still written to other
standards.

I don't really care if they are, or are not, Vista compliant. I test what
the consumer's experience will be when installing, using and removing a
product. What issues or distracters arise from the various platform
specifics. On that basis, UAC may work to prevent alteration of Vista, but
it is an unnecessary burden to the consumer based on the response of the
other operating systems ability to install, operate and remove the same
products.

The typical home consumer (Note: This is not an employee workstation
viewpoint.) either lives with the prompts by duly ignoring them to install
the garbage they are sure they want, or they restrict themselves to
Vista-compliant software, thereby promoting the idea of UAC as a viable
tool. There was life before UAC and it worked just fine for the home user.

You have a different perspective as a member of the IT community supporting
protected networks with standardized software installations. I appreciate
that, but it is not a home consumer's view. The typical consumer wants a
computer that operates without nagging them. They don't understand the
difference between "super-admin", "limited-admin" and standard user
accounts. And, they just click Continue when prompted three times to install
the garbage they are sure they want to install. They paid for it and expect
that it will work. All those prompts lead the consumer to believe their
product is riddled with problems and that is seldom the case. After only a
couple of these experiences, they come to believe it's a problem with Vista
they will just have to live with and learn to just click Continue.

But, don't worry about it. It will all be better when everyone shifts to
Windows 7. Why would MS be altering the user's ability to profoundly change
the UAC experience if the prompt's were not an issue and "everyone" was
going to Vista-compliant software? Yes, the consumer needs to be better
educated on the importance of UAC. But, that is not going to happen. As the
older OS's die out, UAC will finally go quiet and work as it should:
unnoticed, without modification.

 

[Jack the Ripper]

Your assumption is that Vista is the dominant, or only OS out there. It
is not. There is no reason to be Vista compliant if the majority of
users are still on XP or 2K. As a result, a larger portion of the less
branded software, and company specific software, is still written to
other standards.

Well, your assumption of my assumption is wrong. MS had given software
vendors plenty of notification that they were going have to come into
compliance on the MS O/S platform and their software with Vista. It was
not going to business as usual on Vista, like it was on the previous
versions of the open by default NT based O/S(s), which they didn't even
follow the MS standards for developing software for those O/S(s).

I don't really care if they are, or are not, Vista compliant. I test
what the consumer's experience will be when installing, using and
removing a product. What issues or distracters arise from the various
platform specifics. On that basis, UAC may work to prevent alteration of
Vista, but it is an unnecessary burden to the consumer based on the
response of the other operating systems ability to install, operate and
remove the same products.

That's the 3rd party software vendor's fault, and their in ability to
comply. Some 3rd party software vendors have complied and more are
complying as they have to develop solutions for the Vista and Win-7
O/S(s), as there is no turning back the clock.

The typical home consumer (Note: This is not an employee workstation
viewpoint.) either lives with the prompts by duly ignoring them to
install the garbage they are sure they want, or they restrict themselves
to Vista-compliant software, thereby promoting the idea of UAC as a
viable tool. There was life before UAC and it worked just fine for the
home user.

And before Vista and UAC, those users were getting hammered and are
being hammered by malware as they run with full-admin-rights 100% of the
time, and any malware running under the context of those rights have
full access to every aspect of the O/S and everything else running with
the O/S, because they are open by default O/S(s). That's not so with
Vista and UAC enabled, because UAC midigates/limits the damage, even if
they point, click and install it, which is due to admin-user on Vista
with UAC enabled is returned to using that Standard-user access token
once the privileged escalation has been completed.

And yet, when those same users are moving over to Linux, they are
forced to deal with the same type of setup and learn how to use the O/S,
one doesn't hear a peep out of them about the approval process to
escalate rights to root-admin.

You have a different perspective as a member of the IT community
supporting protected networks with standardized software installations.
I appreciate that, but it is not a home consumer's view. The typical
consumer wants a computer that operates without nagging them.

What the home consumer wants is a protected O/S that is not so easily
attackable. What MS wants is that not every home user computer being
used by the home user can be easily turned into a bot machine that leads
to that machine attacking other machines on the Internet and on the LAN.

They don't
understand the difference between "super-admin", "limited-admin" and
standard user accounts. And, they just click Continue when prompted
three times to install the garbage they are sure they want to install.

Well, they had better figure out whats going on, because ignorance is
not bliss.

They paid for it and expect that it will work. All those prompts lead
the consumer to believe their product is riddled with problems and that
is seldom the case. After only a couple of these experiences, they come
to believe it's a problem with Vista they will just have to live with
and learn to just click Continue.

Well, I guess you have heard about UAC on Win-7 where the verbosity of
UAC can be controlled by the user. It's not going to happen on Vista, so
if anyone goes to Vista, they either run with UAC or they run with it
off, opening the machine to be attacked more easily.

But, don't worry about it. It will all be better when everyone shifts to
Windows 7. Why would MS be altering the user's ability to profoundly
change the UAC experience if the prompt's were not an issue and
"everyone" was going to Vista-compliant software? Yes, the consumer
needs to be better educated on the importance of UAC. But, that is not
going to happen. As the older OS's die out, UAC will finally go quiet
and work as it should: unnoticed, without modification.

Tell me something that I don't know. And UAC on Win-7 on mya machine
will be on *high* verbosity. I'll still be using Vista even when I get a
machine running Win-7. What I won't be doing is ever going backwards to
any of the previous *wide-open-to-attack* versions on the NT based O/S
for the workstation platforms.

And that same compliance for software vendors to make the software Win-7
compliant is just a carry-over from Vista, nothing has changed in that
regard.

 

[FromTheRafters]

As far as your testing, you do know about the hidden-full-admin-rights
at all times admin account? You can use that account to test with,
leave UAC enabled, and you will not get any UAC prompts, because it's
already escalated to full-admin-rights. And yes, it's that same
account that's on the previous versions of the NT based O/S(s).

If you use that account, would a launch of IE make use of "protected
mode"?

Just wondering...

 

[Jack the Ripper]

If you use that account, would a launch of IE make use of "protected
mode"?

Just wondering...

Yes, I just tried it, and yes Protected mode is enabled. I also have
found out that with UAC enabled, you still get prompted. That's what was
said at a blog I read that UAC wouldn't prompt super-admin with UAC
enabled. It seems that is not the case.

However, in communications with another developer about making registry
changes during software installation on Vista, he told me that with
UAC enabled using the non-super-admin account for administration, the
install was successful with UAC escalated privileges.

However, with UAC disabled and using the same admin-account, the install
blew because the registry changes couldn't be made. So, I guess that is
where super-admin would be applied, with UAC disabled.

You know, MS is closing things down with IE7 protect mode, ASLR and
other type of solutions, but most people only look at UI eye-candy and
what's happening in their face.

<http://www.securitypronews.com/news/securitynews/spn-45-20060601ASLRJoinsVistasBagOfTricks.html>

I myself, I am pleased with the implementation of closing Vista down O/S
security wise, which will carry over to Win-7, just get rid of
virtulization as that seems to be too locked-down.

 

[FromTheRafters]

Yes, I just tried it, and yes Protected mode is enabled. I also have
found out that with UAC enabled, you still get prompted. That's what
was said at a blog I read that UAC wouldn't prompt super-admin with
UAC enabled. It seems that is not the case.

Funny, they say that running IE "elevated" defeats protected mode IE.
They also say that Administrator doesn't have a split token and so can't
invoke UAC. Sometimes I wonder if *they* even know how the final release
works. )

For people that want the closest equivalent to XP's admin, maybe using
"Administrator" *and* UAC off is the answer.

However, in communications with another developer about making
registry changes during software installation on Vista, he told me
that with UAC enabled using the non-super-admin account for
administration, the install was successful with UAC escalated
privileges.

However, with UAC disabled and using the same admin-account, the
install blew because the registry changes couldn't be made. So, I
guess that is where super-admin would be applied, with UAC disabled.

Probably, sort of the point I was trying to get to - UAC and MIC are
involved, and what you call 'super admin' may still be restricted by MIC
unless you turn UAC (or at least MIC) off.

You know, MS is closing things down with IE7 protect mode, ASLR and
other type of solutions, but most people only look at UI eye-candy and
what's happening in their face.

Yeah, it's like evolution driven by "fitness factor" natural selection
is being overridden by social (sexual) artificial selection. Sure it's
insecure, but I *really* like the new skins. Peacock feathers -
disadvantageous as far as predation goes, but the peahens like them
so....

<http://www.securitypronews.com/news/securitynews/spn-45-20060601ASLRJoinsVistasBagOfTricks.html>

I'll have a look - thanks.

I myself, I am pleased with the implementation of closing Vista down
O/S security wise, which will carry over to Win-7, just get rid of
virtulization as that seems to be too locked-down.

Indeed, another thing a read somewhere is that the next (Windows 7?) OS
will not 'virtualize' to support legacy programs. So it will be even
*less* forgiving about poorly written (or non Vista standards compliant)
programs.

....maybe that's wrong too.

 

[Sam Hobbs]

Then it's not Vista compliant software. And mostly, what is requiring
admin rights to run is old legacy COM solutions.

http://www.developer.com/net/net/article.php/3695651

One of the requirements of Vista compliant software is that it only needs
Standard user rights to execute.

Where does the article say that? What if a COM object truly does need
Administrator privileges, your statement is saying that it cannot be done in
a COM object. That article even says "There will still be circumstances when
an application needs administrative privileges to carry out certain
processes, especially if the application is written for administrator use.".

 

[Jack the Ripper]

Where does the article say that? What if a COM object truly does need
Administrator privileges, your statement is saying that it cannot be
done in a COM object. That article even says "There will still be
circumstances when an application needs administrative privileges to
carry out certain processes, especially if the application is written
for administrator use.".

I did not say that it cannot be done with a COM object. I am saying that
in order for the COM legacy solution application to execute, a COM
object execution is on a given process/thread and it may need privileged
escalation to execute.

Even a .NET solution may need its rights escalated if the solution is
doing administrative tasks, like making registry changes as an example.

But the bottom line is to make the application run with only requiring
Standard user rights or least privilege, which most software developers
bluntly disregard and everything runs with full-admin-rights when 9
times out of 10 it is not required.

But that was also due to Limited account rights on XP solutions not
being able to run properly, so it became full-rights execution for just
about everything written on the XP platform.

For Vista and Win-7, if it calls for the application to be leveraged to
use Standard user rights only on a rewrite of code, then so be it.

One thing that is happening is more and more code for the MS platform
are being written in .NET, which is managed code using the CLI/CLR. And
they are looking at code intent to prevent things if hostile or dubious
intent is determined with in the code, before it is executed and stop
the execution.

However, that can be circumvented by a COM object code being called in
the solution that is not manageable by the CLI/CLR. And therefore, the
push is being made to eliminate/eradicate COM off the MS O/S platform.
Of course, not everyone will be going to .NET, and if it's not broke
them don't fix it, legacy COM solutions.

<http://msdn.microsoft.com/en-us/library/bb530410.aspx>

<copied>

How Do I Determine If My Application Has Administrative Dependencies?

To assist developers, ISVs, and organizations in evaluating their
applications, Microsoft provides the Microsoft Standard User Analyzer.
The Standard User Analyzer can be used to help identity
non-UAC–compliant behavior of an application. Microsoft recommends that
developers run this tool to identify issues with running the application
under a standard user account. These tests should be performed, even if
the application already installs and runs properly under a standard user
account on Windows XP. The application may perform operations, such as
attempting to write to system registry locations, and make decisions
based on the system's behavior, such as looking for an error response.
Windows Vista may behave differently than earlier versions of the
Windows operating system due to the addition of new application
compatibility support. Therefore, it is recommended that all
applications be tested with the new version of the Standard User Analyzer.

The Standard User Analyzer will record all administrative operations
encountered by an application, including registry/file system access and
elevated API calls. This data is stored in a log file and is displayed
within the tool. The Standard User Analyzer identifies the following
common dependencies, in addition to many others:

<copied>

 

[Gordon]

Your assumption is that Vista is the dominant, or only OS out there. It is
not. There is no reason to be Vista compliant if the majority of users are
still on XP or 2K. As a result, a larger portion of the less branded
software, and company specific software, is still written to other
standards.

Yes - the "standard" which REQUIRES users to run as Admin - that's no
standard at all and is the result of lazy and incompetent programming by the
software developers.

 

[Mark H]

So we go from garbage, to stinking garbage:
http://nudel.kelbv.com/W7E_VID_INT/W7E_VID_INT.htm

Doesn't stop a thing. Programmers still ignore the standard. Consumers pay
the price.

 

[Mark H]

Nor for those always right when they only understand the view from their own
throne.

 

[Jack the Ripper]

Nor for those always right when they only understand the view from their
own throne.

You had better take a look at yourself on the pot.

 

[Paul Smith]

Instead of simply turning UAC off like so many have recommended, I'd suggest
leaving it on, but have it auto-elevate whenever you get a prompt you can do
this by going to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
and changing ConsentPromptBehaviorAdmin to 0 (the default is 2). You can
also perform this by using secpol.msc if you're using Business or Ultimate
(I don't believe its present in Home Basic or Premium).

More details:
http://www.dasmirnov.net/blog/2008/10/23/why-you-should-never-disable-uac