UAC and IE Protected Mode?

Mike Hall - MS MVP Windows Shell/User

Kerry

I didn't say 'all' MVPs, but I know of some who do not like it..

I also spend my time removing 'crap' from people's systems, but is UAC going
to stop others from getting it back? Will UAC stop kids loading Lop.com onto
their systems alongside Messenger Plus, or from internet Chat aficionados
getting all kinds of stuff from Smiley Central, Comet Cursors, and free
online gaming sites?

I fully agree that there should always have been ways to prevent users
changing system settings, and UAC steps in to fill the gap..
 
Ben Miller

Mike,

My comments were not directed to you. They were in response to Milhouse's
last post suggesting that "Experienced Users" don't accidentally or
maliciously do bad things.

-Ben
______________
Ben Miller
CISSP
GSEC
Security+
 
Ben Miller

Nod... apparently we are in the presence of the tip of the educational
sword :)


______________
Ben Miller
CISSP
GSEC
Security+
 
Kerry Brown

I know some MVPs don't like it. I sometimes find it exasperating until I
find out how to do what I want and keep it enabled. It's tough to learn new
things especially as I get older :) I think the protection UAC provides
makes it worth learning how to live with it. For the most part remembering to
use Run as administrator when you are doing administrator tasks makes UAC
easy to live with.

As for kids with Vista, Vista has many tools parents can use to stop their
children from abusing the computer. It has powerful parental controls. Once
a few parents buy new computers with Vista and start spreading the word to
other parents I see this becoming one of the main selling points for Vista
in the home. I can see many parents wanting to upgrade to Vista just for the
parental controls.
 
Milhouse Van Houten

You touch on one aspect that's unclear to me: the "admin" account that Vista
sets up as default. I believe I've read that it's not a "true" admin account
(the one that is, called "Administrator," is hidden and not accessible by
the average person), that it's some kind of hybrid. Is that your
understanding of it?
 
Kerry Brown

The account is a "true" administrator account. The confusion is partly
caused because Vista with UAC enabled treats administrator accounts
differently than previous versions of Windows. When you log on to Windows
you get a security token. Whenever a process tries to do something the OS
requests the token of the user that started the process and either allows or
disallows the operation depending on the token. It's like a security pass
that allows you access to some areas of a building but not others. In Vista
with UAC enabled an administrator gets two tokens, a standard user and an
administrator token. Under normal circumstances when the OS requests the
token the standard user token is presented. If this token doesn't have the
proper permissions to do the requested operation then you will get a UAC
prompt. If you OK the UAC prompt the administrator token is then presented.
This is a very simplified version of what happens. Jimmy Brush has a good
write-up on UAC here:

http://www.jimmah.com/vista/security/uac.aspx

Another thing that confuses many people is that there are additional
protections built into the file system and the registry that did not exist
in previous versions of Windows. This doesn't mean that an administrator
account isn't a "true" administrator. It means that Vista is different from
previous versions of Windows and administrators will have to learn the new
way of doing things. Administrator accounts should be used for just what
they say they are: administration. For everyday use you shouldn't need an
administrator account but should be using a standard user account. Because
of the previous culture of everyone using administrator accounts all the
time programmers have either gotten sloppy or never learned how to program
for security and eventually you needed to run Windows as an administrator
just to get anything done. UAC and some of the other security features in
Vista are an attempt to work around this and allow people to run as an
administrator but still have decent security.
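
The two-token behaviour described in this post can be observed from a running session. The following is an added example, not part of the original thread: it reports whether the current process holds the filtered standard-user token or the full administrator token. It assumes English-language Windows (for the `whoami` column names) and PowerShell 3.0 or later; the function name `Get-UacTokenState` is hypothetical.

```powershell
# Added example: which of the two UAC tokens does this process hold?
# Assumes English-language Windows (whoami column names) and PowerShell 3.0+.
$AdminSid = 'S-1-5-32-544'            # BUILTIN\Administrators, well-known SID
$IntegrityLevels = @{                 # well-known mandatory-label SIDs
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-UacTokenState {          # hypothetical helper name
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when Administrators is an enabled group in this token.
    $adminEnabled = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token, deny-only ones included.
    $groups = @(whoami /groups /fo csv | ConvertFrom-Csv)
    $adminListed = @($groups | Where-Object { $_.SID -eq $AdminSid }).Count -gt 0
    $label = $groups | Where-Object { $IntegrityLevels.ContainsKey($_.SID) } |
        Select-Object -First 1

    if ($adminEnabled) {
        $state = 'Full administrator token'
    } elseif ($adminListed) {
        # Listed in the token but not usable to gain access: the filtered token.
        $state = 'Filtered standard-user token of an administrator account'
    } else {
        $state = 'Standard user account'
    }

    $integrity = 'Unknown'
    if ($label) { $integrity = $IntegrityLevels[$label.SID] }

    [pscustomobject]@{
        User           = $identity.Name
        TokenState     = $state
        IntegrityLevel = $integrity
    }
}

Get-UacTokenState | Format-List
```

Run it once from a normal PowerShell window and once from one started with Run as administrator: with UAC enabled, the same administrator account reports the filtered token at Medium integrity in the first and the full token at High integrity in the second.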
 
Mike Hall - MS MVP Windows Shell/User

Apologies, Ben.. my bad.. personally, I am quite careful and don't need
constant reminding, but found myself doing a system restore to get back to
before I installed a bad driver.. it happens..
 
Mike Hall - MS MVP Windows Shell/User

Kerry

Is it not true that Vista Home versions other than Ultimate will set up with
a hidden Admin account in much the same way as XP Home did, and that the
'default user' will be a standard account?
 
Ben Miller

No problem Mike. I'm sure you are very careful and mindful of what it is
you are doing. But like you said, it happens. Fortunately, in your case it
was a driver issue.

-Ben
______________
Ben Miller
CISSP
GSEC
Security+
 
Kerry Brown

You may be right. I haven't played with any of the Home versions for months.
Now that the RTM is out I plan to do some testing of the Home versions as
I'm sure many of my customers will be using them. If it is true that the
default user is a standard user that would be a bonus as far as I'm
concerned. Not having an easily accessible administrator account may not be
the best thing to do at this point though. Because of all the existing
programs that will have difficulties with this (including many Microsoft
apps) many people will quickly get frustrated, bad mouth Vista, create an
administrator user and probably turn UAC off for spite. It would be better
to create two users, an admin and a standard and use help screens and demos
to educate the user as to their use. I hate to keep using 'nix based OS' as
an example but Linux and the Mac both do this. Strangely enough they don't
suffer from many of the same security problems Windows has even though they
seem to have almost as many exploitable bugs. You also don't hear their
users complaining about this. Always running as an administrator is a
Microsoft problem dating back to DOS. It's become part of the Windows
culture. When NT first came out no one ran as an administrator except when
needed. Once Microsoft quit making DOS based OS' and there was a mass exodus
of users to NT based OS' the culture carried over. If it hadn't I don't
believe malware would be the problem it is today. We also wouldn't need UAC,
virtual registry, and all the other crutches in Vista.

In one sense you are right that in XP Home there are additional security
features that are only accessible in safe mode. This doesn't mean that
administrators aren't true administrators. It means that safe mode works
differently from normal mode :)
 
M

Mike Hall - MS MVP Windows Shell/User

Bring back the days of the ROM based OS or 3 floppy DOS.. when the only way
to customize a PC was to scotch tape a Bazooka Joe comic to the outer casing
and 'GUI' meant thick and sticky.. :)
 
Jimmy Brush

Come on people, face it, very experienced users are not going to fly with
it. They just aren't. Further, since they are experienced, they have much
less of a need for it, since rogue programs aren't running around on their
systems in the first place.

I disagree. I consider myself an 'experienced user', and I am VERY concerned
about what programs on my system request admin privileges.

Personally, I do NOT want notepads running around on my home network or
domain with permission to format all the hard drives that I have access to.
I want to CONTROL the privileges that the applications I run have. I want to
KNOW when I run a program that requests admin permission, so I can DECIDE
whether it is worthy.

Disabling UAC takes this control away from me, which makes me angry.
 
Jimmy Brush

UAC is not designed for people who know what they are doing, and I don't think
MS ever claimed that it was. Experts would leave it enabled, however, if
it worked as I suggested (though I've never tried it, I believe I've read
that OS X tends to work more that way--if not entirely that way--and
you've never heard an uproar over the feature there).

UAC was designed to implement the security model Windows has wanted for
years, instead of the XP-era model where all programs have admin access.

This behavior can be taken advantage of by both admins and home users.

Do you want instances of <insert name of any program that should not need
admin power> running around on your desktop with permission to format every
hard drive on your domain? Wouldn't you like to know which programs request
admin permission and which don't? Personally, I do. If you don't, then I
agree with your decision to turn it off.

As for Mac OSX, it may have an easier-to-use implementation, but there is a
huge trade-off in security. Windows can't afford to break the security
model - applications would immediately take advantage of this incontinuity,
rendering any security afforded ineffective.
 
Kerry Brown

I don't know why we ever needed anything more than CP/M.

pip a.new=w.old,y.old,z.old

:)
 
Mike Hall - MS MVP Windows Shell/User

All so clear cut :)

CASE die% OF
WHEN 1,2,3 : bet$ = "lose"
WHEN 4,5,6 : bet$ = "win"
OTHERWISE bet$ = "cheat"
ENDCASE
 
Kurt Harriger

Administrators do make mistakes, but 99% of the time it's because they
thought it was the right thing to do at that moment and a continue button
isn't going to stop them.

- Kurt
 
Kurt Harriger

Nor I, that is why I wish I could control the permissions for every
application via SUID, then every program could have a protected mode, why
should notepad even have access to the registry?

- Kurt
 
Kerry Brown

I disagree. I manage a few servers remotely. When I'm finished I sometimes
click Start -> Shutdown by habit. This would be disastrous in most cases as
I would then have to either phone the site and tell them to turn the server
back on or go there myself and do it. The warning window that pops up stops
me from doing this and I log out instead. Warnings (UAC) have a purpose.
They make you think about what you are doing. Anyone that blindly clicks
continue wouldn't be working for me for long. Good administrators always
think when a warning pops up.
 
Kurt Harriger

I was referring more to intentional mistakes, such as deleting a specific
file and realizing later you deleted the wrong version of that file, oops,
hope backup is current. A continue button isn't going to stop someone from
doing something they are intent on doing, if doing it was a mistake then oh
well we all make mistakes. Confirmation prompts on potentially dangerous
tasks are always good and are not new to Vista, even DOS prompted before
deleting a file. But too much of a "good" thing could potentially
desensitize users, your potentially bad habit could have just as easily
included one more mouse click. If you weren't already desensitized to the
potential consequences of shutting down a computer because you do it so often
out of habit, you wouldn't have clicked shutdown in the first place.

- Kurt
 
Jimmy Brush

I agree that more discrimination of permissions should be assignable to
programs. But, a simple SUID solution is not perfect IMHO, as a program with
less rights could exploit a behavior of an application with more rights via
SUID in order to escalate its privileges.

Windows (or any other OS for that matter) can't tell the difference between
a user wanting to initiate a program / some action vs. a rogue program doing
the same thing.

If Windows would have allowed this feature, then it would have had serious
negative security consequences.
 
