Vista file security mechanisms

G

Guest

1) I noticed that there is quite a bit of restrictions in the file system,
almost like a *nix file system since you cannot change/delete etc certain
files in certain directories (...permissions). This is awesome and only a
small example, I'm wondering though if the system asks for the admin password
to install a program ONLY if it is an install routine or ONLY if a program
tried to create directories/files in certain directories (like program
files), or both, basically how is Vista realizing that it's an install
routine and that admin is needed?

2) In Vista there is a difference between "Administrator" and an account
with administrator priveledges...or am I confused? From my experience I
needed to log into safe mode and change the Administrator password, couldn't
do it from the Admin account I created in XP before the Upgrade...NICE!!

3) Updating the Hosts file was a PITA!!! But IS possible!
 
J

Jimmy Brush

Hello,
1) I noticed that there is quite a bit of restrictions in the file system,
almost like a *nix file system since you cannot change/delete etc certain
files in certain directories (...permissions). This is awesome and only a
small example,
Click to expand...

Actually, these permissions have been in Windows NT-based operating systems
since conception... however, running as Administrator ("root") by default
negates all the nice security features of this, since administrators have
access to pretty much everything, so I'm sure a lot of people have never
noticed this :)

In Windows Vista, accounts with administrator privileges run like a user in
the 'wheel' group ... every program they open runs as a standard user. Then,
when they want to run a program with admin privileges, they have to 'sudo'
the program. The program can either request to be sudo'd (Windows needs your
permission to run this program), or you can explicitly run the program with
admin power by right-clicking it and clicking Run As Administrator.
I'm wondering though if the system asks for the admin password
to install a program ONLY if it is an install routine or ONLY if a program
tried to create directories/files in certain directories (like program
files), or both, basically how is Vista realizing that it's an install
routine and that admin is needed?
Click to expand...

Applications have to be explicitly configured to ask for admin permission by
the developer of the application.

Alternatively, Windows may "know" that a legacy application will need admin
powers via the application compatibility database, so Windows may prompt on
behalf of a legacy application if it knows it will need admin powers.

If a program is not configured to ask for admin permission, when in fact it
DOES, this program will fail to work correctly, even if you are logged in as
an administrator. To use these programs, right-click on it, and click Run As
Administrator. You can manually configure a program to always ask for
administrator permission from the compatability tab of its properties
screen.

Also, Windows Vista automatically recognizes the most common types of setup
programs and asks for admin permission for these programs when they run.

As for accessing restricted files and registry keys ... Windows Vista uses a
new concept called "virtualization" to allow old programs to run. Basically
how this works, is if a program that was not designed for Windows Vista
tries to write data to certain restricted folders or registry keys, Windows
makes the program THINK that it is writing to these places, but actually
puts the files/registry keys into a folder inside the user's folder.

In this way, these older programs can still work, but they cannot change
other user's data or affect the system state.
2) In Vista there is a difference between "Administrator" and an account
with administrator priveledges...or am I confused? From my experience I
needed to log into safe mode and change the Administrator password,
couldn't
do it from the Admin account I created in XP before the Upgrade...NICE!!
Click to expand...

Yes, there is a difference.

When logged in as an account with admin permissions, you run all programs as
a standard user, and only programs that you give permission to will run with
your administrator powers.

On the other hand, the Administrator account is like the 'root' account in
linux ... it ALWAYS runs everything with full privileges. By default in
Windows Vista, you can only access this account from safe mode.
3) Updating the Hosts file was a PITA!!! But IS possible!
Click to expand...

An easy way to do file management is to right-click the link to Windows
Explorer and click Run As Administrator. This will prompt for admin
permission FIRST, and then allow you to do any other admin-task without
needing to be prompted again (from within that window).

For more info, check out these Microsoft websites:

http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx
http://www.microsoft.com/technet/WindowsVista/library/f72d606c-ad66-403b-be70-3d59e4e5c10f.mspx
http://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx
http://www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx
http://blogs.msdn.com/uac/

- JB

Vista Support FAQ
http://www.jimmah.com/vista/
 
H

happymen

test
Jimmy Brush said:
Hello,


Actually, these permissions have been in Windows NT-based operating
systems since conception... however, running as Administrator ("root") by
default negates all the nice security features of this, since
administrators have access to pretty much everything, so I'm sure a lot of
people have never noticed this :)

In Windows Vista, accounts with administrator privileges run like a user
in the 'wheel' group ... every program they open runs as a standard user.
Then, when they want to run a program with admin privileges, they have to
'sudo' the program. The program can either request to be sudo'd (Windows
needs your permission to run this program), or you can explicitly run the
program with admin power by right-clicking it and clicking Run As
Administrator.


Applications have to be explicitly configured to ask for admin permission
by the developer of the application.

Alternatively, Windows may "know" that a legacy application will need
admin powers via the application compatibility database, so Windows may
prompt on behalf of a legacy application if it knows it will need admin
powers.

If a program is not configured to ask for admin permission, when in fact
it DOES, this program will fail to work correctly, even if you are logged
in as an administrator. To use these programs, right-click on it, and
click Run As Administrator. You can manually configure a program to always
ask for administrator permission from the compatability tab of its
properties screen.

Also, Windows Vista automatically recognizes the most common types of
setup programs and asks for admin permission for these programs when they
run.

As for accessing restricted files and registry keys ... Windows Vista uses
a new concept called "virtualization" to allow old programs to run.
Basically how this works, is if a program that was not designed for
Windows Vista tries to write data to certain restricted folders or
registry keys, Windows makes the program THINK that it is writing to these
places, but actually puts the files/registry keys into a folder inside the
user's folder.

In this way, these older programs can still work, but they cannot change
other user's data or affect the system state.


Yes, there is a difference.

When logged in as an account with admin permissions, you run all programs
as a standard user, and only programs that you give permission to will run
with your administrator powers.

On the other hand, the Administrator account is like the 'root' account in
linux ... it ALWAYS runs everything with full privileges. By default in
Windows Vista, you can only access this account from safe mode.


An easy way to do file management is to right-click the link to Windows
Explorer and click Run As Administrator. This will prompt for admin
permission FIRST, and then allow you to do any other admin-task without
needing to be prompted again (from within that window).

For more info, check out these Microsoft websites:

http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx
http://www.microsoft.com/technet/WindowsVista/library/f72d606c-ad66-403b-be70-3d59e4e5c10f.mspx
http://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx
http://www.microsoft.com/technet/windowsvista/library/0d75f774-8514-4c9e-ac08-4c21f5c6c2d9.mspx
http://blogs.msdn.com/uac/

- JB

Vista Support FAQ
http://www.jimmah.com/vista/
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Game won't load saves in Vista - file access issue? 2
Standard User Setup Catch 22 8
Can not disable the activated administrator account in Home Basic 1
'Public' folder security messed up 3
Need help understanding Vista Administrator accounts. 4
Admin Password different then login password? 2
Locked out of account - Please help :( 1
Vista - Admin Account is disabled 6

Top