UAC and IE Protected Mode?

Doug Walch

I'm curious to know whether there is a difference in IE security vulnerability
between running Vista with UAC enabled (hence IE is in protected mode)
versus running Vista with UAC disabled, with the user NOT in the local
admins group.

Thanks
 
Jimmy Brush

Hello,

Yes, there is a difference. When UAC is enabled, IE runs in protected mode.
This mode is much, much more restrictive than the mode IE runs in when
running under a standard user account.

When IE is running in protected mode, it cannot save/modify any files on
your computer (other than temporary internet files), save/modify any
registry keys (except for certain ones it needs to work), and it cannot talk
to any other programs on your computer (except for one that is used to ask
you for permission).

In protected mode, when IE wants out of this "protection box", it has to go
through the broker program, which asks you for permission before it
proceeds. In effect, YOU have to know about and approve IE to allow it to
touch any file, registry key, program, etc. on your computer.

In this scenario, if your IE is taken control of by some rogue program, that
rogue program will be unable to damage anything except a few IE settings,
because it will be unable to modify your files/settings/programs (unless it
asks you for permission and you give it the permission).

When protected mode is disabled, IE gets the full power of your user account.
So in the same situation with protected mode off, a rogue IE will have as
much access to your computer as you do. If you are running as a standard
user, then it can access all of your documents and settings that affect your
user account. If you are an admin, then the rogue IE can do anything it
wants.
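
The dependency described in the answer above can be checked on a machine. This is an added example, not part of the original thread: the function name is hypothetical, and the registry locations (`EnableLUA` for UAC, URL action `2500` per IE zone, where 0 means enabled and 3 means disabled) are the standard ones rather than anything quoted in the posts. Group Policy overrides under the `Policies` keys are not checked.

```powershell
# Added example (not from the thread). Reports, per IE security zone, whether
# Protected Mode can actually be in effect given the machine's UAC state.
# Assumes: EnableLUA under Policies\System; URL action 2500 under each zone key.
function Get-IEProtectedModeStatus {
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua    = (Get-ItemProperty -Path $sysKey -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
    $uacOn  = ($lua -eq 1)

    # Index = zone id; zone 0 (local machine) is skipped below.
    $names = 'Local machine', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'

    foreach ($id in 1..4) {
        $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $raw = (Get-ItemProperty -Path $zoneKey -Name '2500' -ErrorAction SilentlyContinue).'2500'

        if     ($null -eq $raw) { $setting = 'Not set (zone default applies)' }
        elseif ($raw -eq 0)     { $setting = 'Enabled' }
        elseif ($raw -eq 3)     { $setting = 'Disabled' }
        else                    { $setting = "Unexpected value $raw" }

        # With UAC off, the per-zone setting is irrelevant: IE runs with the
        # user's full token, which is the coupling discussed in this thread.
        if     (-not $uacOn)              { $effective = 'Off (UAC disabled, zone setting has no effect)' }
        elseif ($setting -eq 'Enabled')   { $effective = 'On' }
        elseif ($setting -eq 'Disabled')  { $effective = 'Off' }
        else                              { $effective = 'Depends on zone default' }

        New-Object PSObject -Property @{
            Zone          = $names[$id]
            UacEnabled    = $uacOn
            ZoneSetting   = $setting
            ProtectedMode = $effective
        } | Select-Object Zone, UacEnabled, ZoneSetting, ProtectedMode
    }
}

Get-IEProtectedModeStatus | Format-Table -AutoSize
```

Any row showing the zone setting as enabled while `ProtectedMode` reads off identifies a machine where UAC was turned off and Protected Mode went with it.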
 
Milhouse Van Houten

Which all brings up an interesting point: is there any way to untie the two?
Now that the beta is over, I don't want to endure UAC any longer, but I was
shocked to find that IE's Protected Mode goes along with it, something I
never expected and which I think is very unfortunate, since many people are
going to disable UAC yet would never think of disabling Protected Mode.

Now, this is where someone comes along and says that it's simple to make
happen with a policy change or similar.
 
Ben Miller

Why on Earth would you disable UAC???? Especially for the typical end user.
This technology will be the "saving grace" of many enterprises, small
businesses, etc... I would debate your claim that "many people are going to
disable UAC." From my standpoint, UAC is the best benefit of Vista.

-Ben

______________
Ben Miller
CISSP
GSEC
Security+
 
David J. Craig

I can only think of two possible reasons for his post. 1) He is a bot
master and wants to keep people from implementing minimal security. 2)
Stupidity is the other.

Why can't people understand that UAC is just a technique that has been in
Unix for decades?
 
Milhouse Van Houten

Come on people, face it, very experienced users are not going to fly with
it. They just aren't. Further, since they are experienced, they have much
less of a need for it, since rogue programs aren't running around on their
systems in the first place.

(Note that I'm not talking about IE's Protected Mode here, which I have no
problem with, but system prompts unrelated to IE.)

I fully agree that everyone else should leave it on.

As I said in another thread, what I would have preferred is a way for it to
work where you only see a prompt for elevation when it's a result of
something that you *didn't* just ask to do yourself. All the annoyances
would fall away then, and you'd only be alerted when there's some other
action occurring on the system other than you, say, clicking to go change
your page file.
 
Ben Miller

Oh... so you mean only enact UAC when something bad might happen? OK...
that makes sense. So, then you would also agree that viri cannot be spread
via email, right? I opened the app to collect the mail right? So, if I
initiated the action, then it _has_ to be good.

Give me a break.

-Ben

______________
Ben Miller
CISSP
GSEC
Security+
 
Milhouse Van Houten

Experienced users don't run executable email attachments in the first place.
Of course. That's one of the fundamental ways they go for years (or forever)
without their systems ever being compromised. There's also a popular
application out these days called anti-virus, not to mention antispyware
(which even comes with Vista).

And of course I'm not talking about just running an email app. You know what
I'm talking about: Making a change to the system and being asked permission
for something you just told the system to do yourself. UAC is not designed
for people who know what they are doing, and I don't think MS ever claimed that
it was. Experts would leave it enabled, however, if it worked as I suggested
(though I've never tried it, I believe I've read that OS X tends to work
more that way--if not entirely that way--and you've never heard an uproar
over the feature there).

Next.
 
Mike Hall - MS MVP Windows Shell/User

Corporates will make sure that UAC is running, as should home users where
multiple family units are accessing the computer.. for the rest, it is a
personal choice.. I have UAC turned off..
 
Frank Saunders, MS-MVP OE/WM

I keep it on to see what the normal experience is like. I'm afraid a lot of
users will get too used to clicking Continue and get infected anyway. Just
like they managed to delete user created OE folders by automatically
clicking Okay or Yes.
 
Ben Miller

So you are suggesting that a "seasoned" administrator knows everything there
is to know about their system and never makes mistakes. This is just one
more block in the road for those click-happy admins. Also, keep in mind
that UAC utilizes 2 tokens, standard user and admin, only invoking the admin
token when an administrative task is required. So the malicious code that
an admin might not normally see is blocked as well. When you are logged
onto any system with admin privileges, you are opening that entire system
(and possibly domain) up to multiple vectors of attack. With UAC enabled,
those malicious packages that are designed to be hidden are no longer.

I presume that you are on board with McAfee and Symantec complaining about
Patchguard also? I am interested to hear your response to those morons.

-Ben

______________
Ben Miller
CISSP
GSEC
Security+
 
Ben Miller

Boy mik, those last two posts were very eloquent. Grow up kid.

-Ben
______________
Ben Miller
CISSP
GSEC
Security+
 
Mike Hall - MS MVP Windows Shell/User

Frank

Ultimate set me up as Admin.. corporates will set their users as 'standard',
and I assume that this will take away the ease of just clicking on
'continue' to make changes or accept anything.. of course, those seeking to
mislead, will always find a way to bamboozle whatever security is in place..

For me, it was annoying beyond words, and had to go.. I was intending to
live with it, but just couldn't.. other MVPs feel the same way about it
too..
 
Mike Hall - MS MVP Windows Shell/User

You are entitled to your opinion, and I have and reserve the right to ignore
it..
 
Kerry Brown

Not all MVPs feel the same about it. I feel very strongly that uac is a
very good thing. Then again I spend a lot of time removing malware from
customers' computers. It's time Windows users moved on from the attitude
"it's my computer and I'll damn well do what I want with it". Uac actually
allows you to do what you want in a much safer way. It will take a while,
maybe years, but eventually most programs will work with the security model
in Vista and all these arguments about uac will seem silly. Use Vista as you
would Linux or OS X or any other secure operating system. Use a standard
user for every day use. When you need to do administrative tasks use Run as
administrator. I've been doing this since the September 2005 Longhorn Beta 1
and it works great. Of course I'm used to OS' that use a good security model
:)

Vista sets up the first user created during the install as an admin user.
All subsequent users are standard users. It is always a good practice to
have two admin accounts and at least one other standard account for normal
use. It is a shame that during the install Vista doesn't set up two
accounts, one admin, one standard, then default to logging on as the
standard user.
 
Mike Hall - MS MVP Windows Shell/User

Ben

I looked back at what I said and can find no instance of me suggesting that
seasoned administrators know everything and never make mistakes.. what I did
say is that I don't personally like it on my home system, it being one of
five attached to the router, and I have turned UAC off..
 
Mark D. VandenBerg

Apparently grammar and punctuation are taught at the next grade level, as
well...
 