Prompts, prompts, and more prompts...jeez

Discussion in 'Windows Vista Administration' started by alex, Feb 1, 2007.

  1. alex

    Kerry Brown Guest


    This is not my understanding of UAC. UAC is a security measure that allows
    users to either run as an administrator but have the the security of a
    standard user or run as a standard user but allow them to run programs that
    need administrator permissions without logging off and logging on as an
    administrator. While this is also very useful at fighting malware the fact
    that it stops a lot of malware is more of a side effect of good security
    rather than a design goal of UAC. Security protects against many things
    besides malware. Some things are user error, program bugs, malicious user,
    etc..
     
    Kerry Brown, Mar 20, 2007
    #81
    1. Advertisements

  2. alex

    Don Guest

    If you haven't seen this video by the guys who did UAC, you owe it
    to yourself to watch it. They are addressing the many people who
    feel the way you do:

    http://channel9.msdn.com/ShowPost.aspx?PostID=288259
     
    Don, Mar 20, 2007
    #82
    1. Advertisements

  3. alex

    Jimmy Brush Guest

    But that isn't why Microsoft added UAC at least not according to them.
    This is incorrect.

    They added it so that your system would be seperated into two modes, as I
    said. A "restricted" mode, suitable for most programs, that prevents them
    from harming the system. And an "unrestricted" mode, that allows complete
    access to the computer, at YOUR REQUEST.

    UAC isn't about fighting malware.

    UAC is about putting you IN CONTROL of your computer, by informing you when
    a program requests *full, complete control* of your computer (even if it is
    for something simple, such as deleting a folder, because as I said, once you
    give a program control, it can do whatever it wants to your computer), and
    allowing you to decide if you want that program to have complete control
    over your computer or not.
    UAC works by preventing programs from gaining complete control over your
    computer without YOUR permission.

    If UAC wasn't "all or nothing", how would it do this? If it only protected
    CERTAIN THINGS on your computer, but didn't protect others, then programs
    could simply use the unprotected things to gain control over your computer,
    completely rendering UAC worthless.
    This is so untrue as to be absurd. The system asks *YOU* when a program
    requests access to your computer. You are the only one in control here - the
    system does not make ANY decision itself.
    You can. As I stated before - UAC protects access to resources that are
    marked as "administrator access only" - if you want all programs to be able
    to access something, you just change the security to give access to your
    user account, and then all programs will be able to access it.

    <snip>
    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Mar 21, 2007
    #83
  4. Moderatly interesting video. A bit long winded. Doesn't do anything to
    change my mind and make me want to turn UAC back on. I doubt it will do that
    for most people who I think given time and getting tired of clicking dialog
    boxes over and over will also turn UAC off. There should be some user
    controll to the UAC.

    If people are so stupid as to run stuff from sources they don't know then
    they get what they deserve. Designing a security function for the brain dead
    users without any consideration for those that do know what they are doing
    is just stupid.

    =(8)
     
    Jack Splat =\(8\), Mar 23, 2007
    #84
  5. Well then Jimmy I guess the people at Microsoft don't know what they are
    talking about. I asked why they added UAC the way they did. And my post was
    the jist of why they added it they way the did.

    =(8)
     
    Jack Splat =\(8\), Mar 23, 2007
    #85
  6. Jack

    It's not a matter of being a "stupid user." If you've been around for
    awhile, you know how sophisticated the bad guys have become. UAC is an
    attempt to give control back to the user, as far as what can be run on their
    system or not. Most other operating systems have had this same control for a
    lot of years.

    Also, UAC is tightly integrated with Virtualization and Compatibility.
    Turning UAC off can cause problems with some software.
     
    Ronnie Vernon MVP, Mar 24, 2007
    #86
  7. On Fri, 23 Mar 2007 16:55:06 -0700, "Jack Splat =\(8\)"
    Whenever I read comments like this, I just shrug and think "there's
    someone else who just doesn't 'get' it".

    It's like "...bbbbut the attachment was from someone I know!"

    Surely there are enough dots out there to join them up?

    "Why do I keep open buckets of petrol next to all the
    ashtrays in the lounge, when I don't even have a car?"
     
    cquirke (MVP Windows shell/user), Mar 24, 2007
    #87
  8. On Fri, 23 Mar 2007 16:56:17 -0700, "Jack Splat =\(8\)"
    The reasons why MS add a feature are interesting, but may turn out to
    be of limited relevance.

    As an MS Office user at the turn of the century, 99% of "document"
    macros encountered would be malware. Does it matter that MS intended
    this to be a Useful Feature [TM]? Nope. Same thing goes with the
    "useful feature" of scripts automatically running in unsolicited email
    "message text", as was designed into OE4 and OE5, and was STILL left
    On by duhfault in post-Kak WinME.

    So yes, I'm interested in why MS does things, but I don't stop
    thinking after I've read their stuff.

    MS 2007 isn't MS 2000, in that they aren't as ignorant of adverse
    implications as they were in those Polyanna days. You may well find
    the reverse is true where UAC is concerned; maybe it was intended as a
    temporary compatibility smooth-over from XP to Vista application
    design, but the main value may be as a malware trip-wire.

    It's also not an entirely unexpected phenomenon.

    Firstly, elevation prompts are common enough in MacOS and Linux that
    even a toe-in-the-water dabbler such as myself hasn't had a day on
    these OSs without encountering them at least once.

    Secondly, there's a trend in safety add-ons to generalize the firewall
    egress monitoring "alert and learn" model to internal events. PrevX
    and All-Seeing-Eye are two examples of this that work much as UAC
    does; they don't attempt to understand why something is being
    attempted, they just step in and give you a chance to Just Say No.

    Finally, UAC has already demonstrated its value to me. Yes, I'm
    peeved about the 200+ times I've had to nod through "yes, I really
    want to rename this Start Menu item" alerts, but I was happy to see an
    unexpected UAC alert pop up when looking for drivers for an old
    scanner. As one of the "found" pages started to dribble down the
    screen, UAC popped up asking whether it was OK to... ("NO")


    Tip Of The Day:
    To disable the 'Tip of the Day' feature...
     
    cquirke (MVP Windows shell/user), Mar 24, 2007
    #88
  9. alex

    Jimmy Brush Guest

    UAC is as much for power users as it is for "everybody else" (I won't use
    the term of endearment that you use ;)

    Very simply, UAC draws a line between admin actions and non-admin actions,
    and ensures that any program wanting to cross that line gets your approval.

    I mean, as a power user, do you really want notepad to be able to format
    your hard drive?

    And if you download some utility from the internet and run it, don't you
    want to know FOR SURE (not just trust or guess, but know with certainty)
    that it WILL NOT be able to do admin things unless it asks you?

    And what about trusted system components? Do you want any program that
    happens to run on your computer (whether they prompt or not) to be able to
    run format.exe? Or any other system utility?

    Because if UAC didn't prompt every time you ran system utilities or trusted
    programs, this is what would happen. Any program you ran would be able to
    start a trusted program and use it to perform whatever action that program
    does.

    Now think about all the trusted system utilities on your computer, as well
    as any that you may have downloaded. These programs can be used to do a lot
    of nasty things.

    Preventing programs that don't prompt from directly doing admin things is
    worthless if they can just start some trusted system utility to perform
    admin things by proxy :).

    I don't want notepad to be able to start format.exe and format my hard
    drives.

    UAC doesn't prompt to make sure you "know what you are doing." UAC prompts
    to make sure that IT KNOWS that you INTEND for something to happen. Because
    this is the only way it knows, and the only way it can enforce the rule that
    "only programs that you intend to have admin power will be allowed to have
    it."

    And this is why it works with everyday users. Because the only thing the
    system is interested in is if the user intended to start a program that
    would have full control over their computer. The user doesn't need to know
    anything technical about whats going on.

    UAC is not a gimmick, and it is not a means of controling what you do. It is
    actually very simple. All it does is let you choose which programs have
    control over your computer, and prevents any program from gaining full
    control over your computer without in some way gaining your permission.


    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Mar 25, 2007
    #89
  10. Right. People who repair computers for a living just love it when consumers
    click on an attachment they get in the email and install malware onto their
    computer. 95% of computers users are NOT knowledgeable and need protection
    from others, and from themselves.

    It helps pay the rent.

    --


    Regards,

    Richard Urban MVP
    Microsoft Windows Shell/User
     
    Richard Urban, Mar 25, 2007
    #90
  11. PMJI -- I'm largely on your side on this discussion but I do feel that
    what you say above is also the weakness of the situation:

    (1) It is inevitable that human beings, whether the highly intelligent
    ones like me or the normal users, will autorespond "Of course I wanted
    that program to run; I would not have done what I did if I didn't"

    (2) When you start to run an "untrusted" application it just asks if
    you wanted this program, that you know where it came from, that you've run
    it before (approximation from memory).

    I don't see anything about full control over the computer or even why this
    might be dangerous. Perhaps it is in the tutorials or guided visits that
    everyone jumps over? <s>

    I'm in favor of the concept of UAC and I recognize the difficulty of
    making it a selective control that can be turned off by the "qualified"
    user but at present it just disappears into mist like most nag screens.

    I wish I could suggest a perfect solution .....
     
    Hugh Wyn Griffith, Mar 28, 2007
    #91
  12. alex

    Jimmy Brush Guest

    You're right, it doesn't say anything about full control... I think they
    should have thrown that in there somewhere. I assume the reasoning is that
    they wanted to make the message as short as possible, and so they went with
    "If you started this action, click continue".

    That really does get down to the point, and is really the only reason the
    prompt exists ... to make sure the user started the action, as opposed to
    software.

    That does make it seem like a nag screen, which is unfortunate (it is not
    really a nag screen as it is not warning the user about what they are doing,
    just making sure that they want it to happen).

    99% of the time, the user will have started the action, and will continue.
    And at first glance and by just by reading and thinking about that, it would
    seem to make the prompt useless, as wouldn't the user get used to clicking
    continue over and over.

    But, after having used the prompting system for a while, I can tell you that
    yes, i get used to clicking continue, but *only* when I expect to get a
    prompt ... I notice *very much* unexpected prompts, or prompts from programs
    that I don't recognize.

    Here's why I think this works:

    - The prompts hardly come up at all
    - When they DO come up, users inspect them and get used to clicking continue
    when they start that program
    - Even with being used to clicking continue for expected prompts, unexpected
    prompts still have that "stop!" effect

    So, when an UNEXPECTED prompt comes up, it is *very* noticable to me,
    because the only prompts that I click on are the ones that I expect.

    For example, Adobe updater likes to throw up a UAC prompt randomly, and it
    scares me every time it pops up... while I quickly dismiss all the prompts
    that I expect to happen.

    Of course, that might just be me, I don't know.

    --
    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    http://www.jimmah.com/vista/
     
    Jimmy Brush, Mar 28, 2007
    #92
  13. I think the screen dim, that I've seen people complain about, is a
    brilliant idea.

    Do you know if UAC does have a learning curve -- after NN accesses it
    will stop asking -- or will it go on flagging forever?

    I ask partly because before replying to your message I thought I'd
    better check the wording that comes up and it took me quite a few tries
    on desktop icons that I reckoned predated VISTA and should be flagged as
    non-conformist.
    That's what I see as the progression that is inevitable, and so
    defeating the UAC
     
    Hugh Wyn Griffith, Mar 28, 2007
    #93
  14. For those that don't know or maybe haven't experienced it yet, there
    are DIFFERENT nag screens with differnt color title bars and other
    changes based on the "threat level" of any preceived security breach
    to the system. Only one that really matters is red. This you can't
    dismiss, there being no continue button to click through.
    Like everytime time you turn the water on at your bathroom sink a neon
    sign would flash saying don't forget to use soap then another one that
    said dry hands afterwards and oh... don't forget to hang up the towel
    and another sign over the toilet reminding you to put seat down. ;-)

    The point there are WAY TOO MANY nag screens.
    That's the biggest design flaw. Prompts get ignored if they happen for
    operations you do constantly. Its like crying wolf, people just ignore
    it after awhile, so it's purpose is severely muted if not outright
    defeated.
    Vista should be smart enough to ONLY come up when something unexpected
    happens. Hint: According to the two main Microsoft engineers that
    wrote the code behind UAC, that is how it is suppose to work. Duh...
    remember we're talking about a computer. It should (can be) programmed
    to learn and come to logical decisons on its own based on past
    behavior.
     
    Adam Albright, Mar 29, 2007
    #94
  15. UAC is a user "aid" and will always depend upon the user applying some
    thought before responding to a prompt.

    It is no different that all the prompts that ZoneAlarm Internet Security
    Suite throws up when run under Windows XP. If a user clicked on something to
    initiate an action - accept. If a user "did NOT" initiate the action - they
    had better not accept and say no. Something else is trying to control your
    computer.

    Common sense rules. Unfortunately, all too many people show a complete lack
    of this god given talent when it comes to using a computer. I have a younger
    brother, 59 years old, who should use a shoe box and index cards. Even then
    he would screw up.

    --


    Regards,

    Richard Urban MVP
    Microsoft Windows Shell/User
     
    Richard Urban, Mar 29, 2007
    #95
  16. UAC is VERY different than ZoneAlarm which uses a rules list and
    remembers what you tell it. UAC keeps showing the same nag screen the
    first time you try to do something it don't like or the 1000th time.
    Excuse me, the most serious of these have a red title bar and no click
    through option. This is where UAC should have stopped instead of
    trying to be a Net Natty and throw a fit for moronic things like
    trying to delete a desktop shortcut.
    Indeed. There often called MVPs.
     
    Adam Albright, Mar 29, 2007
    #96
  17. True, but any psychologist, or parent, will tell you that repetitive
    warnings breed contempt!

    Sad but true. I can't think of a good solution.
     
    Hugh Wyn Griffith, Mar 29, 2007
    #97
  18. The reason egress-monitoring firewalls can do that, is they can bind a
    "allways allow this" to clearly-defined values of "this" - i,e, not
    just the name of the file and where it is, but an MD5 checksum that
    would change if the file were infected or replaced.

    I don't know whether UAC has that level of awareness. If it is fuzzy
    (i.e. spoofable) in terms of context (i.e. loose values for "this")
    then that would be one good reason not to allow UAC alerts of a
    particular type to set to "always allow".

    The other reason why one may not want to allow UAC exclusions, is that
    MS OSs enjoy far less "security by obscurity" than one particular
    3rd-party firewall, and as such settings are likely to be stored
    somewhere, malware can write itself a "blank cheque" once active.

    We've already seen this effect with XP firewall, which gets clobbered
    by several malware in ways that make it impossible to turn back on
    unless the relevant registry settings are re-asserted.

    It may be that the UAC team learned from this, and did not add a
    setting to "always allow..." for this reason.


    Just to be clear here: I'm not defending the design so much as
    speculating why it might have been designed this way.

    "Why do I keep open buckets of petrol next to all the
    ashtrays in the lounge, when I don't even have a car?"
     
    cquirke (MVP Windows shell/user), Mar 29, 2007
    #98
  19. See http://cquirke.mvps.org/exblog/natural.htm

    That's mainly about WiFi, but the point of "Use hard scopes as natural
    cover" is that modern OS design strives to dissolve such scopes - so
    that the context of "the user is doing this interactively" is lost.

    In the old days, features would be primarily accessible from user
    interaction, then possibly exposed to automation, then later there
    would be exposure to "remote administration" via network.

    Often the end-point functionality would be reproduced depending on
    method of access - interactive, code or network - making it quite easy
    to block any one of these.

    By the time you get to XP and Vista, the way of initiating an action
    may be completely unlinked from the actions themselves. If you
    capture an attempt to do something at the point that the action is
    called, it may be impossible to deduce whether this was initiated
    interactively, via code, or via network.

    And remember; to be malware-safe, the above deduction has to be
    unspoofably accurate.

    That's one of the reasons UAC "stops the clock" with a modal dialog
    box, greyed screen, and reset display state - to protect against faux
    mouse clicks or keystrokes that might automate the "user" response.


    The point of all the above is that the way UAC operates may make it
    impossible to deduce whether the alerted operation was initiated via
    user interaction, code automation, or network "administration".


    Tip Of The Day:
    To disable the 'Tip of the Day' feature...
     
    cquirke (MVP Windows shell/user), Mar 29, 2007
    #99
  20. Take it back to the logical conclusion. Microsoft has waved the white
    flag of surrender and now admits all prior versions of Windows were
    major security risks and much of that was due to how Windows was
    written including how many Microsoft developers, including those
    inside Microsoft wrote applications. They further admit by deploying
    UAC, they can't fix Windows to make it safer so they tossed the ball
    in the user's court by flashing a simplistic warning; the UAC nag
    screens.

    The real solution would be to rebuild Windows from the grown up, 100%
    redo and make it secure that way. That of course would cause a huge
    chunk of their customers to run away screaming since little if any
    current hardware or software would work in such a totally new from the
    ground up radically different Windows. So Microsoft was stuck between
    a rock and a hard place and picked UAC as a "solution". All UAC really
    does is create the illusion of security in most situtations because we
    all know 9 times out of 10 once a user, any user starts out to do
    something, some nag screen he can click through isn't going to stop
    him from doing what he planned to do in the first place.
     
    Adam Albright, Mar 30, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.