Vista User Account Control

  • Thread starter Thread starter Roger Stenson
  • Start date Start date
Right, no one has addressed your exact question.

Just a guess, but, (my opinion) maybe some less experienced programmers just
*thought* that because XP (Experience) used Admin Accounts, similar to a
network with user/admin accounts, that they *should* write software that
wants to be run under Admin. Lame, I know, but third-party software for home
users isn't usually written by professional IT people.

Another idea, (again, my opinion) maybe some of those "programmers" are
self-taught out of books, without the benefit of experienced instructors,
and just honestly didn't know any better.

The thing is, those programs actually worked that way in XP, now they are
less than convenient on Vista.

KB

"Jay" wrote in message news:[email protected]...
 
In message <#[email protected]> "Richard Urban"
Yes, I know that. But the program must be written to take advantage of this
capability in NT based Windows. Many programmers take the easy way out and
run their program under administrator.

Not much needs to be done to take advantage of limited users, rather,
it's a matter of not doing things which require administrative
privileges.

Usually this is just the incorrect assumption that any application can
write anywhere on the system it wants.

The only substantial change in Vista is that non-administrators can no
longer write to the root of the drive (but "Program Files" was always
locked down)
 
way of <#[email protected]>, in
microsoft.public.windows.vista.general -->

[snip]
The prompt is not really annoying for most users when it protects a
program that actually *needs* admin power, because you generally don't
run these types of programs that often.

Grant you that.
What *is* annoying is having to run a general-use program with admin
power over and over again when it shouldn't need it.

More like _extremely_ annoying.

--

Life got you down? Want nothing than to curl up with your
[insert type of fav pet here], a glass of milk, and some
really great cookies?


http://preview.tinyurl.com/yrcz9v
http://preview.tinyurl.com/ynzgas
 
Probably the same type of programs that a "limited user" can't install or
run on XP, but an admin can.
In the corporate environment, that may be a good thing, for home users, it
can be a PITA.
UAC may be a good idea for some; but I hate it & think the coders were
incompetent that made it break other things when you turn it off!
 
There is a way to turn the UAC off, but if you do that, some programs that
you download from the internet won't install because they can't get acces to
the temp folder in your user folders.

To turn off UAC:

1. Open control panel
2. Open the Users panel
3. Click the user name
4. Click "Turn User acount control on or off" (UAC) to protect your computer.

Like I said, it will stop asking your permission for everything, but you
will have to re-enable it when you install some programs (the one that gave
me the error was adobe reader 8.1) that require access to the temp folder.
5. Un check "use user acount control
 
NotMe said:
Probably the same type of programs that a "limited user" can't install or
run on XP, but an admin can.
<snip>

Nothing worng with that IMO.
It is the running of the app with admin privs that I mean not the initial
install.
When a prog is installing and doing "stuff" behind the WI interface then I
want to know *exactly* what it is doing and I welcome the Vista pop ups.
That said, when I run this app and Vista tells me this app needs admin
rights to *run* then I will be asking Qs of the app not the OS.

Jay

PS I am not an MS apologist. UAC annoys me. Coders need to find a way (and
I'm one of them) to have an app run in the user context.
 
Richard Urban said:
There is no reason why a program can not be written to run as a user. You
do not need administrator privileges. The coders are lazy.

When they write properly you will not be seeing any pop ups at all.

Vista is warning you that you have old software that is not up to current
coding standards (for the past 5 years).


Agree 100%
Regular apps DO NOT need to run as admin.
MS is doing what they have been critisised for not doing in the past... not
allowing rogue code to run with elevated permissions and thus opening up
security holes.
Damned if they do, damned if they don't.
I now recognise UAC for what it is and I welcome it.

Jay
 
Manatee said:
in said:
news:[email protected]... [snip]
You are missing the point, what reason should a program need to impersonate
an admin account?
[snip]

Perhaps what is being missed (or, at least, diminished) here is that,
while many people might not object to a given app displaying a "notice
of impending" (my words) once, they darn sure _do_ object to being
dunned, over and over again, against being required to keep
pounding-away so as to re-authorizing, and re-re-authorizing, and
re-re-re-authorizing, and . . . . perhaps the point has been made
more-clear to you, just now?

Authorize once, and be _done_ with it (whatever "it" may be).

The good way to do it would be to implement "no write up, no read down
(without permission)" for executable code. That way, normal programs
could not send any information to programs running as admin, and so you
could then safely have a "never prompt again" option for UAC.

This security policy is very old and basic (the star property), and
anybody with any knowledge of computer security would implement it that
way (or better).

Microsoft is clearly capable of employing at least one security person,
which leads me to think that the UAC dialogs are a marketting tool. If
you don't notice the extra security when you're using the OS then I
don't see how it could be sold as a 'feature'.

Alas, that's how it's implemented. Maybe they'll do it properly in the
next version.
I expect the adverts for their next version to say "no annoying dialogs"!

Alun Harford
 
The good way to do it would be to implement "no write up, no read down
(without permission)" for executable code. That way, normal programs
could not send any information to programs running as admin, and so you
could then safely have a "never prompt again" option for UAC.

There is a no-write-up policy. However, read-down is not prohibited.

In any case, this still would not allow a "never prompt again" option.

The UAC prompt determines if the user is actually starting an app (as
opposed to another program starting the app).

If you take the prompt away, lesser-privileged apps could start
higher-privileged ones. Just by virtue of starting a higher-privileged
app, without interacting with it, they could break out of their cage
(imagine the many command-line tools available for system administration).

While I do think it's possible to get rid of the prompt, I think the
problem is much harder than it seems at first glance :)

Alas, that's how it's implemented. Maybe they'll do it properly in the
next version.
I expect the adverts for their next version to say "no annoying dialogs"!

Alun Harford

So do I.
 
Jimmy said:
There is a no-write-up policy. However, read-down is not prohibited.

In any case, this still would not allow a "never prompt again" option.

The UAC prompt determines if the user is actually starting an app (as
opposed to another program starting the app).

If you take the prompt away, lesser-privileged apps could start
higher-privileged ones. Just by virtue of starting a higher-privileged
app, without interacting with it, they could break out of their cage
(imagine the many command-line tools available for system administration).

Telling Windows to never prompt you to start those tools is clearly a
security risk, and that's the stupid user's own fault then. :-)

The reason you need no read down (without permission) (or the dumb
dialog) is to prevent a program with admin rights from executing code
from a dll that a 'low' application can write to (since the
low-privileged program can inject malicious code into that dll). Users
don't know about the internals of the programs they use in this level of
detail.

The UAC dialog counters this threat (sort of - not very good at it) by
making sure that the user actually launched the application. (Otherwise,
a malicious 'low' program can modify a dll used by a legacy 'high'
program which might be a computer game, for example - something that the
user isn't going to believe could be used to attack their security - and
then the malicious 'low' program launches the 'high' program and goodbye
security system).

Users can be expected not to give "always run as admin and don't prompt"
rights to programs that are clearly potentially damaging, but cannot be
expected to counter the second threat. This second threat (I assume) is
actually why the UAC dialog exists.

Alun Harford
 
Telling Windows to never prompt you to start those tools is clearly a
security risk, and that's the stupid user's own fault then. :-)

Baloney! The problem is Microsoft doesn't have smart enough
programmers to properly write UAC as it could be. As it stands now,
any professional programmer will tell you UAC is a pile of crap. It is
so poorly written it gets nothing but contempt in the larger
programming community.

As it stands now UAC is little more than a traffic cop blowing his
whistle aimlessly like that little boy constantly crying wolf. Soon
nobody pays attention and that defeats the purpose.

One of UAC's main faults is it is dumb. It doesn't learn or remember.
That's simply sloppy programming. Anybody that says anything else
doesn't understand basic programming. The point here is computers are
extremely good at math and also extremely good at remembering to do
redundant tasks IF they are programmed intelligently.

The point being it is acceptable to warn about event X once. Something
is happening that Vista thinks is a security risk. So far, so good.
Tell me about it. However to constantly warn about the same exact
activity you've previously told it isn't a security concern it quickly
becomes a nag.

A better approach is to use a bit of artificial intelligence. REMEMBER
what it learned. Example: Oh, my boss, you the user is constantly
saying telling me (Vista) that it is ok to delete a file in folder Y.
Therefore I won't nag about it anymore.

Such logic is common in programming. It even has a name. Actually it
goes by several. Basically it is building a rules list. When event X
happens, do A, B or C UNLESS something changed. This is how firewalls
work. When you first install them they may nag like crazy any time any
application tries to go online FOR THE FIRST TIME. However as you use
your applications it "learns" by what you tell it to do in each
situation. ONCE that happens any time you repeat the same activity or
as in the example application X wishes to access the Internet it looks
up what you told it to do in a rules table. That is what UAC should be
doing.

As far as Vista being tricked by some rogue application pretending to
be something it isn't that too is covered by a bit of clever
programming that once you set up a "rule" it also learns the
fingerprint of the application. Any change in that fingerprint gets
treated as a potential threat and again the warning comes up because
something has changed. I of course over simplified things, but
basically this is the approach UAC should have been patterned on.
 
in said:
Baloney! The problem is Microsoft doesn't have smart enough
programmers to properly write UAC as it could be. As it stands now,
any professional programmer will tell you UAC is a pile of crap. It is
so poorly written it gets nothing but contempt in the larger
programming community.

As it stands now UAC is little more than a traffic cop blowing his
whistle aimlessly like that little boy constantly crying wolf. Soon
nobody pays attention and that defeats the purpose.

One of UAC's main faults is it is dumb. It doesn't learn or remember.
That's simply sloppy programming. Anybody that says anything else
doesn't understand basic programming. The point here is computers are
extremely good at math and also extremely good at remembering to do
redundant tasks IF they are programmed intelligently.

The point being it is acceptable to warn about event X once. Something
is happening that Vista thinks is a security risk. So far, so good.
Tell me about it. However to constantly warn about the same exact
activity you've previously told it isn't a security concern it quickly
becomes a nag.

A better approach is to use a bit of artificial intelligence. REMEMBER
what it learned. Example: Oh, my boss, you the user is constantly
saying telling me (Vista) that it is ok to delete a file in folder Y.
Therefore I won't nag about it anymore.

Such logic is common in programming. It even has a name. Actually it
goes by several. Basically it is building a rules list. When event X
happens, do A, B or C UNLESS something changed. This is how firewalls
work. When you first install them they may nag like crazy any time any
application tries to go online FOR THE FIRST TIME. However as you use
your applications it "learns" by what you tell it to do in each
situation. ONCE that happens any time you repeat the same activity or
as in the example application X wishes to access the Internet it looks
up what you told it to do in a rules table. That is what UAC should be
doing.

As far as Vista being tricked by some rogue application pretending to
be something it isn't that too is covered by a bit of clever
programming that once you set up a "rule" it also learns the
fingerprint of the application. Any change in that fingerprint gets
treated as a potential threat and again the warning comes up because
something has changed. I of course over simplified things, but
basically this is the approach UAC should have been patterned on.

Well said.

--

Life got you down? Want nothing than to curl up with your
[insert type of fav pet here], a glass of milk, and some
really great cookies?


http://preview.tinyurl.com/yrcz9v
http://preview.tinyurl.com/ynzgas
 
There is a no-write-up policy. However, read-down is not prohibited.

In any case, this still would not allow a "never prompt again" option.

The UAC prompt determines if the user is actually starting an app (as
opposed to another program starting the app).

If you take the prompt away, lesser-privileged apps could start
higher-privileged ones. Just by virtue of starting a higher-privileged
app, without interacting with it, they could break out of their cage
(imagine the many command-line tools available for system administration).

While I do think it's possible to get rid of the prompt, I think the
problem is much harder than it seems at first glance :)



So do I.


What is to prevent a lower admin level program from hooking into the admin
program, and then execute when the OP intentionally runs that admin program
and elevates it to run?
 
Rock said:
What is to prevent a lower admin level program from hooking into the admin
program, and then execute when the OP intentionally runs that admin
program and elevates it to run?


Ack, that should have been, what is to prevent a malicious program from
hooking into a program that asks for admin privileges?
 
What is to prevent a lower admin level program from hooking into the
Ack, that should have been, what is to prevent a malicious program from
hooking into a program that asks for admin privileges?

UAC does a few things to help prevent this:

- NTFS Permissions and the design of the prompt

Programs that elevate should really be located in
read-only-to-standard-user locations. The built-in Windows programs and
programs that are put in program files are, but of course the user is
free to put programs that elevate wherever the want.

Unfortunately, this problem is compounded by shortcuts. Shortcuts may
point to a secure admin program but live in an unprotected area.

In the worst case where a program being elevated is NOT in a read-only
location, then UAC temporarily copies the program to a secure location
before the prompt is displayed.

This prevents the 'ol switcheroo, so the program described by the UAC
prompt can be trusted to be the actual program that will be started if
accepted.

So, that means the attack vector is where malicious programs seek out
(or create) admin programs and sortcuts that point to admin programs
that live in an unsecured location and then modify or overwrite those
programs/shortcuts.

This problem is mitigated by the information shown in the prompt (name,
publisher, icon) and by showing a different style of prompt with
different button locations for higher-risk unsigned programs.

The only cases where the attacker would actually be able to display a
prompt that was EXACTLY the same as the expected prompt would be 1) if
the attacked program was not digitally signed, or 2) where the attacker
has specifically planned out and targeted a certain program and has
somehow acquired a digital certificate in the same name of the author of
the target program (not likely, but possible, and even though possible,
limited in effectiveness due to it being targeted so precisely at a
single program).

In all other cases where a signed program is being attacked, the
malicious prompt will look different, and in most cases, it will look
significantly different (either an unsigned program prompt will be
displayed, or a signed program prompt will be displayed where both the
icon and publisher will be different than expected).

This is because in the case of attacking a signed program, attackers
would not be able to actually modify the real program and inject their
code into it using virus techniques because this would invalidate the
digital signature - they would need to cause their own program to be
launched.

In order to display a prompt that looks more like the attacked program,
the attacker must both spend more resources (on digital signatures) and
narrow the scope of the attack to specific programs (making the attack
less effective).

For example, an unsigned prompt is MUCH different than a signed prompt.
If the attacker can get a digital certificate, then the difference will
only be in the publisher name and icon.

However, in the case where the attacker uses a digital signature, they
would not be able to dynamically change the information that will be
displayed in their prompt to match the attacked program (publisher and
icon) because doing so would invalidate their own digital signature.

The best chance of success would be if the attacker had pre-targeted a
specific program and could gain a digital signature that was confusingly
similar to the publisher of the program being attacked and have the same
icon.

In any case, this is still a valid attack vector, but much has been done
to mitigate this, much more than any other OS has done that has a
similar elevate-on-demand model.

- UAC prompts on secure desktop

Prevents programs from hooking into the actual prompt.

- UIPI User Interface Process Isolation and Mandatory Integrity Control

Prevents lower-privileged processes from gaining write or modify access
to higher privileged processes, or executing attacker-controlled code in
the context of the higher-privileged process.
 
Jimmy Brush said:
UAC does a few things to help prevent this:

- NTFS Permissions and the design of the prompt

Programs that elevate should really be located in
read-only-to-standard-user locations. The built-in Windows programs and
programs that are put in program files are, but of course the user is free
to put programs that elevate wherever the want.

Unfortunately, this problem is compounded by shortcuts. Shortcuts may
point to a secure admin program but live in an unprotected area.

In the worst case where a program being elevated is NOT in a read-only
location, then UAC temporarily copies the program to a secure location
before the prompt is displayed.

This prevents the 'ol switcheroo, so the program described by the UAC
prompt can be trusted to be the actual program that will be started if
accepted.

So, that means the attack vector is where malicious programs seek out (or
create) admin programs and sortcuts that point to admin programs that live
in an unsecured location and then modify or overwrite those
programs/shortcuts.

This problem is mitigated by the information shown in the prompt (name,
publisher, icon) and by showing a different style of prompt with different
button locations for higher-risk unsigned programs.

The only cases where the attacker would actually be able to display a
prompt that was EXACTLY the same as the expected prompt would be 1) if the
attacked program was not digitally signed, or 2) where the attacker has
specifically planned out and targeted a certain program and has somehow
acquired a digital certificate in the same name of the author of the
target program (not likely, but possible, and even though possible,
limited in effectiveness due to it being targeted so precisely at a single
program).

In all other cases where a signed program is being attacked, the malicious
prompt will look different, and in most cases, it will look significantly
different (either an unsigned program prompt will be displayed, or a
signed program prompt will be displayed where both the icon and publisher
will be different than expected).

This is because in the case of attacking a signed program, attackers would
not be able to actually modify the real program and inject their code into
it using virus techniques because this would invalidate the digital
signature - they would need to cause their own program to be launched.

In order to display a prompt that looks more like the attacked program,
the attacker must both spend more resources (on digital signatures) and
narrow the scope of the attack to specific programs (making the attack
less effective).

For example, an unsigned prompt is MUCH different than a signed prompt. If
the attacker can get a digital certificate, then the difference will only
be in the publisher name and icon.

However, in the case where the attacker uses a digital signature, they
would not be able to dynamically change the information that will be
displayed in their prompt to match the attacked program (publisher and
icon) because doing so would invalidate their own digital signature.

The best chance of success would be if the attacker had pre-targeted a
specific program and could gain a digital signature that was confusingly
similar to the publisher of the program being attacked and have the same
icon.

In any case, this is still a valid attack vector, but much has been done
to mitigate this, much more than any other OS has done that has a similar
elevate-on-demand model.

- UAC prompts on secure desktop

Prevents programs from hooking into the actual prompt.

- UIPI User Interface Process Isolation and Mandatory Integrity Control

Prevents lower-privileged processes from gaining write or modify access to
higher privileged processes, or executing attacker-controlled code in the
context of the higher-privileged process.

Jimmy, thanks for the detailed reply. I appreciate it.
 
You could turn off UAC, and then you won't get this warning (or any other of
the UAC warnings...). See Control Panel / User Accounts.

Mark
 
Which is a very bad idea on a number of levels. Turning UAC off defeats one
of the major security features of Vista, making the system unsecure and
subject to silent invasion by malware.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
My thoughts http://rick-mvp.blogspot.com
 
You don't need to turn it off. When you point at an icon to open a program
just right click first and select Run As Administrator.
 
I wouldn't exactly say they are poorly written since Vista in general is
poorly written and has many programs running as admin. I would say that it is
Microsoft trying to bully developers into certification.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top