UAC-why-what-how

[Ray]

I hear and read a lot of complaining done over the implementation of UAC, I
know it's a pain to be prompted several times a session but I've yet to see
someone offer an alternative that would please everyone.
I'm not an IT specialist, nor am I even a worker in the field, I'm simply a
"nerd" at home with several computers on a network. But with two daughters
using one of the computers I can see where some protection has to be in
place and UAC looks like a reasonable compromise to me.

With no formal training in the field I have very limited skills and
knowledge, and other than a brief foray into Ubuntu and now a wrestling
match in trying to setup a Debian server on the network, no experience with
any other operating system other than Microsoft.

I certainly would not want to go through the hassle of, what seems to be the
norm in Linux, of entering cryptic commands into a terminal window every
time I wanted to perform some administrative task or install a program. But
I do like to know what is going on with my computer and be informed/asked
when a change is about to be made.

So I ask you "professionals in the field" what and how would you like to
have seen it done, bearing in mind that, it has to be easy for the general
public to use and it has to be difficult if not impossible for any program
to "slip by" the defenses.
Coming from someone that is closer to the bottom rung of users than most
here, I think that most users will hardly notice it, most people use
computers for browsing the 'net and playing games. Not many of them will do
something that will trigger a UAC prompt, and if a prompt does arise then
the window is changed sufficiently to cause them to do a little more
thinking than before when that little popup came up.

As I said, I'm ok with how it is now, they could have made a prompt that
flashes a red screen, now that would be annoying but it would certainly get
someone's attention.

I know that this subject has been beaten into the ground but I have yet to
see a viable alternative proposed, and I'm wondering "is there one"? That's
why I'm asking this rather explosive question to this group because from
what I've read and learned here I value all of your advice and suggestions.

Ray

 

[Colin Barnhorst]

A year and a half of feedback from the TechBeta testers led to the present
system. Originally UAC was so intrusive that the OS was downright crazy to
use for day to day stuff. It is far better now. The consensus was that a
flashing taskbar button was preferable to a popup or screen. You have to
get used to looking for it when you can't seem to get something to happen
sometimes, but I do like it better.

The only thing I hate about UAC is the Halloweenish effect when the screen
goes dark and so on. This is the Security Desktop kicking in. It is
possible for malware to grab permissions if the UAC prompt was presented on
the user desktop. The Security Desktop prevents all processes from
accepting input except the UAC. I hate the SD even though I see its
necessity. It's jarring and unattractive.

 

[Ray]

Thanks Colin, that's interesting in that the system was implemented through
user input. So it is a well thought out system after all that has been said
about it.
I never knew that about the Security Desktop being a separate entity, kind
of like a bouncer

Ray

If you don't ask, you'll never know will you?

 

[Colin Barnhorst]

Yeah. Bounce bounce.

The security experts were able to hijack the user's input and piggyback on
the permissions when the user desktop was available so they went with the
SD. Think of the SD as a way to cancel your mother-in-law's next visit.

 

[Chad Harris]

I still find at times that I'm told even though I have admin. privileges
that I don't have permission to access so and so a folder. It takes me
about 3 seconds to go to the security tab and gain access by adding the
admin (redundantly I believe) to permissions for that particular folder and
I'm in. I could also simply type users in at the security tab add dialogue
boxes, and get them permission. There are and will be many many ways to
gain access to a Vista box, despite Steve Riley's [MSFT] excellent
presentations around the U.S. and the rest of the world on U.A.C. Should
you ever have the chance to see him speak, it is a treat.

I think once in the box, it would take me no time at all having learned the
ins and outs of UAC to get into anywhere on your box.

I enclose a bit of reference to UAC for your viewing pleasure. If you do a
search in this group, although I'm not sure how far back you are able to go
archive wise on the server--it that is controlled by the end user or how
much MSFT keeps server side (probably the latter) you can find excellent
posts on UAC by Jimmy Brush and many others here.

If you use Win Mail, or you could use the very clunky inefficient web
interface but I wouldn't, to subscribe to this group you can gain a lot of
info:

***microsoft.public.windows.vista.security***

Just go to the newsgroup button on your toolbar>click it>type in vista
security and you can subscribe. Search UAC or Jimmy Brush there as well.

UAC References:

http://blogs.msdn.com/uac/

Ed Bott Author of *Windows Vista Inside Out* on UAC
http://www.google.com/search?hl=en&lr=&rls=GGLJ,GGLJ:2006-47,GGLJ:en&q=ed+bott+uac

Windows Vista Inside Out
www.amazon.com/Windows-Vista-TM-Inside-Out/dp/0735622701

www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx

Vista's UAC: Is the Cure As Bad As the Disease?
www.gottabemobile.com/VistasUACIsTheCureAsBadAsTheDisease.aspx

Microsoft Admits Vista's Vulnerable to 1/3 of Malware
www.cio.com/blog_view.html?CID=27217

www.pcadvisor.co.uk/news/index.cfm?newsid=7785

Disable UAC How To
http://www.petri.co.il/disable_uac_in_windows_vista.htm

Disable Ramnifications Jesper Johannsen MSFT
https://blogs.technet.com/jesper_johansson/archive/2006/06/22/438316.aspx

UAC blog http://blogs.msdn.com/uac/
http://blogs.msdn.com/uac/archive/2006/01/22/516066.aspx

UAC Team Beta Vista Chats:

6/22/06
http://windowsconnected.com/forums/70/ShowForum.aspx

9/28/05
http://windowsconnected.com/forums/thread/2846.aspx

and also check out these discussions:

O'Reilly Dev Center: UAC Overview
http://www.windowsdevcenter.com/pub/a/windows/2006/04/04/uac-in-windows-vista.html

Technet UAC Overview
http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

UAC What's New in Beta 2?
http://blogs.msdn.com/uac/archive/2006/06/21/641713.aspx

UAC Articles Technet
http://www.microsoft.com/technet/windowsvista/security/uac.mspx

UAC Application Webcast
http://blogs.msdn.com/uac/archive/2006/06/26/647384.aspx

Q&A with UAC Vista PM Chris Corio
http://windowsconnected.com/blogs/joshs_blog/archive/2006/01/21/558.aspx

UAC Gone Wild (Not to be confused with Girls Gone Wild who can't decide how
to wear their T-Shirts)
http://techrepublic.com.com/5100-10877-6089415.html

Enjoy.

CH