Permissios

Discussion in 'Windows Vista Security' started by cj, Jun 26, 2006.

  1. cj

    cj Guest

    Apparently a ton of s are having "issues" with permissions, and I too, have
    grown weary already of trying to get things to work properly. I cannot change
    my OWN permissions, and I on't have write access, and it denies me the right
    to change permissions. A lot of my online related programs won't work due to
    failure to open or write to the files. mIrc being a good example......
    Lets go ms, we have a issue here.....................
     
    cj, Jun 26, 2006
    #1
    1. Advertisements

  2. cj

    Tony Hoyle Guest

    UAC is a bit clunky (I believe there are plans to improve that though)
    but an IRC application that requires admin privileges is just plain
    broken. That is *not* a problem with vista.. in fact it's one of the
    things that is good about it, because it'll force people to think about
    security when they write code.

    Complain to mIrc authors not Microsoft.

    Tony
     
    Tony Hoyle, Jun 26, 2006
    #2
    1. Advertisements

  3. cj

    cj Guest

    Tony,
    Thanks for the response, however, that was mearly and example, with the
    real issue being, why can't I change my own permissions, and why don't I have
    full access to everything ?
     
    cj, Jun 26, 2006
    #3
  4. cj

    Jimmy Brush Guest

    Hello,

    It is helpful to remember that in Windows Vista, even though you are running
    as an administrator account, every program you run is running under a
    *standard user* account, and does not have administrator-level permission.
    The only way a program can get administrator-level permission is if the
    application automatically prompts you for permission, or if you explicitly
    give that application permission.

    So ... what are the actual ramifications of this when dealing with the
    filesystem? Let's take a look at the default access permissions for most
    folders in windows:

    - A user has read access to just about everything
    - A user generally cannot write to anything outside of his profile directory
    - Any user can create a folder almost anywhere in the filesystem
    - The owner of a folder has full control over it and its contents
    - Administrators have almost full control over just about everything

    So... this means, that even though you are an running in an admin account,
    all your explorer windows and programs you run (having normal user
    credentials) will be able to read almost any file, but will not be able to
    write anything unless it is in your profile directory, or a directory that
    you created or took ownership of.

    So, here's the major problem:

    - Folders and files from a different windows installation probably won't
    allow you to write to them, even if they're YOUR files you created from a
    different version of windows.

    - You will need to modify their permissions to give either Everyone full
    access or your user account in Vista full access. Taking ownership of them
    is NOT RECOMMENDED as you may have trouble accessing them from the other
    windows installation.

    - Managing your files and folders are going to be a real pain ... which
    brings me to

    HOW DO I MANAGE MY FILES AND FOLDERS if explorer run as a standard user ?!?!

    Here's how:

    - Click Start
    - Type: explorer.exe
    - When it shows up under Applications, right-click it and click Run As
    Administrator

    You now have an "administrator" explorer, kind of like a root shell in that
    other operating system, that will allow you to change permissions and access
    files as admin, just like in the good 'ol days.

    Hope this helps! :)

    - JB
     
    Jimmy Brush, Jun 26, 2006
    #4
  5. cj

    Peter M Guest

    Not that it's any help but I have zero problems with Mirc.
     
    Peter M, Jun 27, 2006
    #5
  6. cj

    Fuzzy John Guest

    Wouldn't turning off the UAC be easier to do? That will do away with just
    about all annoyances for now.
     
    Fuzzy John, Jun 27, 2006
    #6
  7. cj

    Jimmy Brush Guest

    You are correct, this would work.

    However, I think it's important that people understand why they are having
    problems before they go about disabling things ;)

    - JB
     
    Jimmy Brush, Jun 27, 2006
    #7
  8. cj

    Gordon Guest

    Yes but at the same time MS should understand that if I am a user with Admin
    rights then I should have 'admin rights' and not a restricted set of rights.
    If we want to restrict users we set them up as standard users..we set up
    admin users precisely because we want them to be able to do anything..so the
    next logical step for almost everyone in here is to turn off UAC - kinda
    defeats whatever anal purpose MS thoguht they were giving the world..You just
    didn't think about it enough and used Security brainstroming as it's
    rationale for this ..sometimes you need a bit of common sense....
     
    Gordon, Jun 27, 2006
    #8
  9. cj

    Larry Guest

    UAC must be meant for people unfamiliar with using a computer. For me it was
    a real pain untill I got to the section which told me what it did and how to
    disable it. It did take me two days. UAC makes using ones computer very
    frustrating.
    LA
     
    Larry, Jun 27, 2006
    #9
  10. cj

    Tony Hoyle Guest

    The problem is users *don't* have common sense and programmers are lazy.

    XP SP2 supports the model you suggest.. and we still have everyone
    running as admin all the time and lots of software not working as an
    ordninary user becauase it tries to do things like write temp files into
    random areas of the disk.

    Initially I hated UAC, but then I've come to realize that it's the only
    way - the only way to get people to work securely is going to be to
    force them.

    I'd go further TBH.. have the admin users have no interactive login
    rights by default so UAC is the only way to do an admin task.. and I'd
    remove 'run as administrator' too - apps that need admin rights should
    be marked as such and preferably signed.

    MS didn't decide to go that far but the halfway will make a huge
    difference over the next couple of years while software producers
    finally fix the security problems that they've ignored.

    One thing I *do* hate is the virtualisation hack... it makes things look
    like they work when they don't really, and just makes it harder to find
    issues.

    Tony
     
    Tony Hoyle, Jun 27, 2006
    #10
  11. cj

    Jimmy Brush Guest

    Yes but at the same time MS should understand that if I am a user with
    Absolutely. That is why you can turn this behavior off.
    UAC doesn't stop you from doing anything, as long as you know what you're
    doing. If it DOES stop you from doing something, then that is a bug and
    should be reported.
    Most users aren't the people in this forum, and MS is doing a huge favor to
    the world security-wise. I believe this is absolutely the best solution
    microsoft could come up with.

    Best security practice: standard user for everything, elevate when you need
    admin to accomplish system administration stuff, full "root"-type admin user
    should never be used.

    (Most common) Windows security practice: All users run as full, unrestricted
    admin

    What microsoft is doing is giving us an environment that is exactly the same
    as in other operating systems, following best security practice ... we
    elevate when we need to do something admin, the rest of the time we run as
    normal user.

    And ... if you want to run as full root, it's only one checkbox you have to
    uncheck! Best of both worlds...

    Sure, this isn't the normal windows way of doing things ... and because this
    is new to everyone that makes software, there will be ALOT of compatability
    issues.

    But now the most common windows user, the home user, is automatically, out
    of the box, using BEST SECURITY PRACTICE instead of WORST SECURITY PRACTICE.

    And most administrators I think will prefer using the elevation system once
    it gets tweaked and they get comfortable with it. Most non-windows admins do
    this type of administration already.

    The only major drawback, besides application compatability, is working with
    the filesystem.

    Most people aren't familiar with the security offered by NTFS (and how much
    more secure [read: complex] it is than just about any other file system),
    and this will make system administration difficult. I can only hope
    Microsoft changes the tools used to administer NTFS permissions to be easier
    to use, because I think that would make this transition 60% better.
    I have thought about this extensively.

    I am not rationalizing anything. Lots of people here do not understand how
    Windows Vista does security. I am explaining how this feature works and why
    things don't work the way they did in XP.

    - JB
     
    Jimmy Brush, Jun 27, 2006
    #11
  12. cj

    Fernando Guest

    I totally agree with you, but there are a few things which I want to
    talk about. I'm a Linux user from years and I love the security model. I
    can run applications as normal user and only do admin tasks as root when
    needed, so I love the new model Microsoft has implemented on Vista (read
    UAC or now LUA). But, normal Windows users never take care of security
    implications, mainly because the way Microsoft and software developers
    had implemented the easy way to do things, where the only way to run
    most software was as administrator. So in my opinion this new security
    model will be hard to understand by old windows users, but it's the only
    way to go. Also, I hope Microsoft doesn't allow to disable UAC, and
    force software developers to write proper code, Who need to run a game
    as administrator anyway? Why a user wants to get full access to system
    folders? A lot of viruses, trojans horses and malware were written to
    take full advantage of users running whith admin privileges, and this in
    part is because the default user account after setup was created with
    admin rights. So I think Microsoft is going the right way about
    security, and old windows users need to change their mind too.

    Fernando


    Jimmy Brush escribió:
     
    Fernando, Jun 27, 2006
    #12
  13. cj

    Gordon Guest

    Ha ha ok...maybe I am generalising but admin rights should ONLY be given to
    people who know what they are doing or at least understand the consequences
    and are pretty switched on about ( like I think I am). I think your vision is
    a bit more draconian than I could ever subscribe to but fair do's. I don't
    think it's lazy programmers either just bad programmers......

    Common sense is still a wonderful thing to have and work to...
     
    Gordon, Jun 27, 2006
    #13
  14. cj

    Larry Guest

     
    Larry, Jun 28, 2006
    #14
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads
There are no similar threads yet.
Loading...