UAC

[Susan Bradley]

In my use/testing of it, it has not turned on the red shield?

http://technet2.microsoft.com/Windo...422c-b70e-b18ff918c2811033.mspx#BKMK_AdminUAC


For the sake of having the facts straight, I just attempted both methods
of setting UAC to No Prompts:
Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

Change the value of ConsentPromptBehaviorAdmin from "2" to "0".
This immediately results in the red shield and a balloon stating UAC
has been turned off.
Check security center: UAC is turned off.
Attempt to install a cheap non-vista game: Program installs without
a prompt.
Allow computer to sleep: Nag upon return to life.
Reboot: Nag upon return to life.
Disabling nag prevents any security center issue from notifying you
it is in trouble.

Using secpol.msc to set UAC to No Prompts gave exact same results and
amazingly set the same registry value to "0."

Neither method produced a prompt when attempting to reset security
settings if set for No Prompt.
IE remained in Protected Mode for both cases.

(I did not pursue all installed programs to seek those that were now
confused and not functioning correctly as a result of switching UAC
modes, but if UAC is still running, there should be no problems. It is
actually disabling UAC that causes problems with these.)

The silently elevate in the security policy does not. UAC is still
on, it just silently elevates.

Again, it's not turning it off, it's auto elevating it.

 

[Kayman]

There isn't any single AS program that catches all spyware.

So you actually have more than one(1) real-time A-S running? ....the mind
boggles.

 

[Kayman]

Thank you, but I've done my reading.

Maybe, but you didn't understand the content.

 

[Bob]

So you actually have more than one(1) real-time A-S running? ....the mind
boggles.

No, I only run WD in real-time and periodically do a scan with others.

 

[Bob]

Maybe, but you didn't understand the content.

Thank you, my reading comprehension is more than adequate.

 

[Paul Smith]

Because it's MY box and I want to decide what has access to it. I don't
want or need "big brother's" help.
XP didn't need UAC and neither does Vista.

So what if for example, one of your games that you're running with full
rights has a security vulnerability? That gets exploited and as a result
the entire box is compromised.

Or the game runs as standard user, and the amount of damage the
vulnerability can cause is much reduced - and at this moment it time,
whatever code was being used to make the exploit simply breaks because it
was expecting admin rights.

Common sense really.

--
Paul Smith,
Yeovil, UK.
Microsoft MVP Windows Shell/User.
http://www.dasmirnov.net/blog/
http://www.windowsresource.net/

*Remove nospam. to reply by e-mail*

 

[Bob]

I don't have any games installed. In any event, I'm comfortable using AV, AS
and firewall.

It's your choice and mine whether or not we want to deal with UAC prompts.
My choice is to disable the prompts.

 

[Paul Smith]

I don't have any games installed. In any event, I'm comfortable using AV,
AS and firewall.

Fine, miss the point entirely.

Let me rephrase, your web browser has a vulnerability, your calculator has a
vulnerability, your e-mail client has a vulnerability or any other
application on the system *for example*. As you're running those as an
administrator, your AV your firewall you name it can be turned off, as the
malicious code is running as an administrator.

If those applications were running as standard user, they don't have the
authority to turn the services off, nor go and make any system-wide changes.

--
Paul Smith,
Yeovil, UK.
Microsoft MVP Windows Shell/User.
http://www.dasmirnov.net/blog/
http://www.windowsresource.net/

*Remove nospam. to reply by e-mail*

 

[Mark]

You're living in paranoia.
What if a meteor strikes? What if...

Yes, there is bad stuff out there. A little common sense goes a long way.
Make a backup.

 

[Bob]

"Microsoft and paranoid types will tell you that disabling UAC is a bad
idea, but I don't buy the argument. Serious security threats install
themselves under the radar and behind the scenes. It shouldn't take user
intervention to stop them, and in fact, I've never seen or heard of UAC
actually stopping spyware or a virus from being installed, and many sources
note that UAC can't stop everything. Turning off UAC will theoretically
reduce the security level of your computer, but if you're running antivirus
and anti-spyware software like a good PC citizen, the only thing you'll
notice is blissful freedom from those annoying messages."

Christopher Null

http://en.wikipedia.org/wiki/Christopher_Null

 

[Paul Smith]

You're living in paranoia.
What if a meteor strikes? What if...

You mean a meteorite, a meteor doesn't strike anything apart from an
atmosphere.

Yes, there is bad stuff out there. A little common sense goes a long way.

When you're dealing with a user base measured in the hundreds of millions
the "bad stuff" is happening to people all the time. Not caring, or
dismissing it as paranoia because statistically it is unlikely to happen to
any specific individual is nothing less than self-centered.

Make a backup.

What good does that do? Even if you notice the intrusion straight away it
can take a couple of hours to re-image a machine. The big money nowadays
comes from maintaining botnets, the way you maintain a botnet is by hiding
the fact the system is compromised for as long as possible, I know people
who have had their machines compromised for months without them knowing
about it - contributing to spam and exploiting more machines.

The biggest selling point of NT is the standard user, and its about time
that it is used properly.

--
Paul Smith,
Yeovil, UK.
Microsoft MVP Windows Shell/User.
http://www.dasmirnov.net/blog/
http://www.windowsresource.net/

*Remove nospam. to reply by e-mail*

 

[Mark]

Guess I should go buy a lottery ticket.

It's not protection if I must decide every time that the prompt is expected.
Would you buy an antivirus program that asked you every time it scanned a
file if it was a virus?

I understand the need in a work space where people expect the company to
protect them from being idiots.
And the use of credentials substantially improves the idea of UAC.
But, I know my home computer, what I use it for and find no need for this
garbage.

Self-centered would be those that force this method upon us and deem it good
for all.
Yes, it can be turned off, but only if you're willing to turn off the
security center prompts, IE protected mode and be willing to find that fewer
programs work because off isn't really off, but a compatibility mode.

Sorry, I just don't buy that it's protection when the number one response is
to simply learn to ignore it and hit Continue.

 

[Mark]

Amen, brother!
Preach it.

"Microsoft and paranoid types will tell you that disabling UAC is a bad
idea, but I don't buy the argument. Serious security threats install
themselves under the radar and behind the scenes. It shouldn't take user
intervention to stop them, and in fact, I've never seen or heard of UAC
actually stopping spyware or a virus from being installed, and many
sources note that UAC can't stop everything. Turning off UAC will
theoretically reduce the security level of your computer, but if you're
running antivirus and anti-spyware software like a good PC citizen, the
only thing you'll notice is blissful freedom from those annoying
messages."

Christopher Null

http://en.wikipedia.org/wiki/Christopher_Null

 

[Paul Smith]

"Microsoft and paranoid types will tell you that disabling UAC is a bad
idea, but I don't buy the argument. Serious security threats install
themselves under the radar and behind the scenes. It shouldn't take user
intervention to stop them, and in fact, I've never seen or heard of UAC
actually stopping spyware or a virus from being installed, and many
sources note that UAC can't stop everything. Turning off UAC will
theoretically reduce the security level of your computer, but if you're
running antivirus and anti-spyware software like a good PC citizen, the
only thing you'll notice is blissful freedom from those annoying
messages."

Christopher Null

http://en.wikipedia.org/wiki/Christopher_Null

Argument from authority (and not a very good one at that).

If an application only has standard user rights, it can't write to system
locations despite whatever Mr Null (who I've never heard of) says about it.

A vulnerability for example in Firefox (IE runs even lower than a standard
user), which is running as a standard user will do two things if a malicious
piece of code tries to alter system locations 1) fail or 2) ask for
elevation.

There's no secret stuff changing the system when UAC is on and in its
default configuration. UAC is more than just an annoying message. That's
what the malware writers don't want you to understand.

--
Paul Smith,
Yeovil, UK.
Microsoft MVP Windows Shell/User.
http://www.dasmirnov.net/blog/
http://www.windowsresource.net/

*Remove nospam. to reply by e-mail*

 

[Susan Bradley]

Because it's MY box and I want to decide what has access to it. I don't
want or need "big brother's" help.
XP didn't need UAC and neither does Vista.

You have access to the box. But software doesn't need to have full
access.

And let's see didn't we complain that XP got nailed with malware?

Apple and Ubuntu have a password prompt and a SUDO respectively. They
too have big brother looking out for their users. So what's the difference?

 

[Susan Bradley]

So my security advice should come from a guy who started the web site
Filmcritic.com?

 

[benedito78]

"Microsoft and paranoid types will tell you that disabling UAC is a bad

idea, but I don't buy the argument.

Linux and Apple fudbots, internet criminals, "security software" companies,
competitors, etc... will all tell you disabling UAC is a good thing, they
all have something to gain from it.

Serious security threats install themselves under the radar and behind the
scenes.

Not if they don't have the proper privilege, the last item that has ever
been installed "under the radar and behind the scenes" on any of my Windows
machines was a drive-by malware install in 2003 on a fully patched XP with a
fully up to date Norton Internet Security. This great piece of "security"
software did nothing to stop the malware install and was unable to remove it
afterwards. Incidentally, that was the last time I ever ran with
Administrator account in my normal activities and I've not had an incident
since. I frequently visit phishing pages, trojan downloader pages,
javascript exploit pages in the course of my job. IE protected mode, file
and registry virtualization and UAC have made life easier, no desire for a
3rd party sandbox for my browser now, since that is essentially what
protected mode does. No more having to type in my Administrator password
using runas (or sudo for you non Windows folks).

It shouldn't take user intervention to stop them

I like having control of my computer, I'll take the occasional pop up, I
don't view it as an annoyance but rather a very convenient way to elevate
privilege for a specific action or program.

I've never seen or heard of UAC actually stopping spyware or a virus from
being installed, and many sources note that UAC can't stop everything.

Who are these sources, are they credible? Where is the evidence, is there
any?

Turning off UAC will theoretically reduce the security level of your
computer

Flip flop flip flop... So if the writer never heard of UAC actually
stopping spyware or a virus from being installed and there are many sources
to back this up, how will turning off UAC theoretically reduce the security
level of your computer?

but if you're running antivirus and anti-spyware software like a good PC
citizen, the only thing you'll notice is blissful freedom from those
annoying messages.

While quality antivirus and antispyware are part of the security process, it
is just that, a process. Unless you are still running a pre release of
Vista, you are not seeing a large number of these UAC popups.

Christopher Null

Christopher Null is a columnist and blogger for Yahoo! Tech...
Ah, nothing like taking security advice sponsored by a major competitor of
Microsoft.