Run As Administrator - why hasn't it saved us?

Discussion in 'Windows Vista Security' started by riix, Aug 14, 2008.

  1. riix

    riix Guest

    Hi all, I'm totally confused and wondering if I got this wrong or, after
    2 decades of NT it's still Microsoft that's got this wrong.

    - I figure that better than UAC would be to run as Power User, and use
    the "Run As Administrator" when needed - which is often - Visual Studio,
    Event Viewer, IIS, SQL Server, etc.

    - so I enabled the Administrator id, turn off UAC (after all, won't
    need it anymore and might speed up this doggy), downgraded my id to 'PU'
    and try it out.

    - Boots and I log on (so far so good). Go to run VS - what? "Run As
    Administrator" is grayed out ??? so I google this and find out you
    gotta have UAC running to get this to work .. DUH Microsoft ??? what's
    the connection between these two concepts ??

    - But ok, log on as Administrator, turn UAC back on, reboot and log on
    again as a 'PU' . OK, let's try VS again - "Run As Administrator" works
    ! and voila a (big) box pops up (what ever happened to respect for
    screen real estate?) and I have to select an id - it lists my PU id even
    if it's not an administrator (so why??) but, anyhow, I select
    "Administrator", enter password and ..

    ... sure bloody enough it works - I'm now running VS as the
    "Administrator" id ..

    ... err ... you gotta be kidding right? Because I'm running as
    "Administrator" .. like I have the Administrator's (My) Document and
    preferences etc ..

    ... Unbelievable - what's wrong with this picture Microsoft?

    I didn't want to run as the Administrator ID - I just wanted to run
    with Administrator RIGHTS - i.e., to be ethereally in the Administrators
    Group for the life of this single process !!!!!

    Jumping heck, I can't believe we've been with this since NT3 and
    Microsoft still don't seem to get it.

    Wouldn't this solve so many darn problems? Even to the point of making
    UAC unnecessary????

    SO .. I'm bitterly disappointed in MS, in Vista. Back to being
    Administrator and the ever constant UAC nag.

    Or back to XP .. (anyone have XP64 experiences?)

    Or just give up, and jump over to Eclipse, Java and Linux ..
     
    riix, Aug 14, 2008
    #1

  2. UAC is a complete must for your average day to day user as Vista is very
    easily seriously corruptible. Particular programs can save to protected
    system directories which could lead to complete system malfunction. As
    far as XP is concerned I feel the benefits gained by using such a great
    system like Vista by far outweighs a downgrading to XP because of a UAC
    prompt?

    To learn a new operating system because of this would be absurd, I have
    been using Linux for 14 years and still feel that I am an average user
    due to the complexity of the Unix based operating systems.
     
    Ultimate User, Aug 14, 2008
    #2

  3. riix

    Mr. Arnold Guest

    Mr. Arnold, Aug 14, 2008
    #3
  4. Here's what to do: just make your normal user account an Administrator
    account, and re-enable UAC.

    You still run as a normal user, except that when elevation is required you
    just get a confirmation box, rather than the whole "Administrator's username
    and password" prompt.

    It takes one click of the mouse, or two key presses. And to be honest you
    give nothing away in terms of security, unless other people can get
    unauthorised access to your machine.

    Like you, I run a few programs that need elevation, and this is how I run my
    machine. It's great: whenever something that might affect the integrity or
    security of the OS is about to happen, UAC gives me a single "are you sure?"
    prompt. This should have been implemented years ago, to be honest. It's
    known as Administrator Approval mode, and is very low hassle.

    SteveT
     
    Steve Thackery, Aug 15, 2008
    #4
  5. riix

    riix Guest

    To all that replied - thanks for your comments and no disrespect
    intended please, but seems we missed the issues.

    1) when attempting to run as a Power User, the "RunAs Administrator"
    seems to be completely wrong in concept, yet has been around since ..
    NT3? Can this really be? Or am I totally not understanding how it's
    supposed to work?

    2) Why does disabling UAC also disable "RunAs.." - again: these are
    totally different concepts, why are they coupled?

    3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
    members of a development shop. It's not just a click. It's the constant
    jarring effect of the screen going dim (or even black) for a second or
    two, the box, the click, the blink back to reality, then a few seconds
    later .. Event Viewer, IIS Admin, SQL studio, etc.

    Doing this, maybe 30-40 times a day? When XP just worked?

    And all this because the Vista product, and Microsoft narrow-mindedness,
    won't allow me to work in a more intelligent fashion - which is: as a
    Power User and *not* as an Administrator.

    4) and maybe that's a bottom line - why does Vista install and create
    its users as Administrators? A while ago my son bought a new Acer
    computer with Vista Home Exceptional (or whatever it's called). First
    thing I did was create an Administrator id, write the password on his
    monitor, then downgraded his ID to Normal User. He's now been using it
    for over a month and HAS NOT EVEN NOTICED he's not an Administrator -
    that is, it hasn't affected him at all.

    Why doesn't Vista do this by default?

    5) I've just found references to "UAC Manifest" files - does anyone
    have real, honest, practical experience with this as a way of calming
    UAC?

    Cheers
     
    riix, Aug 15, 2008
    #5
  6. riix

    Kayman Guest

    TweakUAC for Windows Vista.
    http://www.tweak-uac.com/home/
    Windows Vista Secret #4: Disabling UAC
    "...you probably consider yourself a power user. You pride yourself in the
    responsibility of having full and absolute control over your machine
    environment..."
    http://blogs.msdn.com/tims/archive/2006/09/20/763275.aspx
    Speed Vista: Turn off UAC, or at least make it less annoying
    http://www.pctipsbox.com/speed-vista-turn-off-uac-or-at-least-make-it-less-annoying/
    Understanding and Configuring User Account Control in Windows Vista.
    http://technet.microsoft.com/en-us/library/cc709628.aspx

    User Account Control Step-by-Step Guide.
    http://technet.microsoft.com/en-us/library/cc709691.aspx

    How to disable UAC
    http://www.vista4beginners.com/How-to-disable-UAC
     
    Kayman, Aug 15, 2008
    #6
  7. riix

    Beoweolf Guest

    Your question, seems more an indictment than a genuine question. My comment,
    much as yours, is offered as an opinion or view, except from an
    administration point of view, no disrespect intended or hidden agenda. The
    fact that development is hindered by having to respect secure calls should
    be a warning to development that your intended audience will similarly be
    affected. Business as usual, shortcuts and all is not acceptable in Vista.
    Just as users are having to deal with a more secure environment, it seems
    development is going to have to learn a new way of building code.

    As I'm sure you already know, Vista Home(?) is built with the intent of
    servicing less knowledgeable consumers/users. Further it is intended to run,
    seamlessly without use of administrator, due to its limited target user.

    Back on topic, I continue to find it strange when the biggest historical
    complaint against Microsoft client OS's has been lack of security, yet when
    it finally assumes a much more secure posture, the reward is more complaints
    about it being "too" secure.

    I would expect that if developers complain enough, Microsoft may take a
    step toward making a developer's version of Vista with all the offending
    safeguards removed. However, I would expect it would lengthen the test
    cycle, since at some point the code must run in the real world of the
    ultimate consumer.

    Bottom line - You can turn UAC off. If you are the administrator, why would
    you need "run as"? It does not seem logical to want the rights and not want
    to accept the responsibility.

    Power user had been inactivated/removed, since W2K/XP/XP-Pro, when client is
    installed on a domain...hasn't it?
     
    Beoweolf, Aug 15, 2008
    #7
  8. riix

    riix Guest

    Others can say it more succinctly than me:
    'Am I at risk if I disable UAC?'
    (http://www.tweak-uac.com/am-i-at-risk-if-i-disable-uac/)

    I'm not sure what you're referring to; certainly I don't anticipate our
    product buyers ("intended audience") to have to use Event Viewer, IIS
    Admin, or SQL Server Studio (at least not to use our product).

    Yes a tedious, non-productive and irritating way ..

    I don't disagree. This is why I wonder that Vista Home doesn't
    'promote' creation of basic accounts but instead creates Administrator
    accounts.

    Are you referring to my post or to comments 'out there' in general? My
    issue is not about it being "too" secure (refer again to above link for
    a better stating of facts than I could ever do), my issue instead is how
    intrusive and irritating this supposed 'safeguard' is.

    You missed the point. I do not want to run as administrator. I don't
    think I should need such lofty privileges just to write programs. And if
    I turn off UAC then RunAs doesn't work.

    However .. to end this thread - thank yous Kayman for pointing out
    Tweak-UAC; I think it's an acceptable compromise.
     
    riix, Aug 15, 2008
    #8
  9. riix

    oscar Guest

    In the spirit of friendly and informative dialogue I submit this:

    First thing one needs to do when migrating from XP to Vista is to forget
    about XP. Vista is not an upgraded version of XP. Vista is a new and
    different OS with more powerful features than XP.

    I've had Vista for a year now. No blue screen. No need to reinstall OS
    because of a corrupt file. I think that the UAC has contributed to protecting
    the integrity of the OS.

    I've run Vista with various kinds of UAC configurations.
    Right now I find the best set up for me is using a standard account
    everyday with the administrator account sitting on the sideline in case I
    ever need to access it (which I rarely do.)

    Yes, the UAC will ask me for the administrator password once in a while but
    only for global operations that will affect other users. I do not find the
    occasional UAC prompt a nuisance anymore than I find my home security
    lighting system.

    If I had the money I’d replace all of my XP machines with Vista.
     
    oscar, Aug 15, 2008
    #9
  10. riix

    Mr. Arnold Guest


    There is no more Power User on Vista, as stated in the article.

    UAC and Run As Administrator are tied together on Vista and are the new
    security profile for the Admin and Standard user accounts. Even Admin on
    Vista is locked down to Standard User and must have its rights escalated, as
    stated in the link.

    1) You disable UAC.
    2) You use something like TweakUac.
    3) You set your account to be Super Admin so that you still have UAC enabled
    because some applications will not work correctly with UAC off, those
    applications using the Vista UAC manifest as an example, and by being Super
    Admin, UAC will not prompt you as Super Admin, as stated in the link.

    That's because Standard user on Vista has more rights than Limited user on
    XP as an example, which was preventing a Limited user on XP from doing
    things. This has been corrected on Vista. However, if the user your son was
    running a solution as Standard user or as Admin, because Admin on Vista is
    locked down to a Standard user, and UAC is enabled, the user is going to be
    prompted for credentials for privilege escalation.
    Ask MS.
    For programs running on Vista with UAC enabled, the developer can present the
    UAC credentials to Vista for privilege escalation by using the manifest.
    That UAC challenge box is still going to pop in the user's face, to allow or
    disallow as Admin or if Standard user give user-id and psw for an Admin
    account.

    <http://community.bartdesmet.net/blo...cation-by-adding-a-manifest-using-mt.exe.aspx>
     
    Mr. Arnold, Aug 15, 2008
    #10
  11. riix

    Kerry Brown Guest


    The whole point of UAC is to allow you to run with an administrator account
    when needed (as in a development environment) but still maintain better
    security than previous versions of Windows. With UAC enabled when you logon
    with an administrator account you get two tokens, a standard user token, and
    an administrator token. The administrator token is never used unless UAC
    steps in and allows it. In effect you are running as a standard user until
    you see a UAC prompt. When you see a UAC prompt if you respond in the
    affirmative the admin token is unhidden and the process will run with the
    admin token. The key point is only that process has the admin token.
    Everything else is still running as a standard user.

    For development either turn UAC off or leave it on and run with an
    administrator account. With UAC off you will need a different computer
    (possibly virtual) for testing.
     
    Kerry Brown, Aug 16, 2008
    #11
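
What the two tokens described in the post above look like from inside a process, as an added example that is not part of any post in this thread. It classifies the CSV that `whoami /groups /fo csv` prints; the function name and both sample inputs are constructed here, and the attribute strings assume an English-language Windows.

```powershell
# Added example, not from the thread. Classifies a logon token from the CSV that
# `whoami /groups /fo csv` prints. Both samples are constructed, and the
# attribute strings assume an English-language Windows.
$FilteredSample = @'
"Group Name","Type","SID","Attributes"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'@
$ElevatedSample = @'
"Group Name","Type","SID","Attributes"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\High Mandatory Level","Label","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'@

function Get-TokenSummary {
    param([Parameter(Mandatory)][string]$WhoamiCsv)

    $rows  = $WhoamiCsv -split '\r?\n' | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $admin = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label = $rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    # Well-known integrity-level SIDs.
    $levels = @{ 'S-1-16-4096'  = 'Low';  'S-1-16-8192'  = 'Medium'
                 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }
    $integrity = 'unknown'
    if ($label) { $integrity = $levels[$label.SID] }

    if (-not $admin) {
        $state = 'absent';    $meaning = 'standard user account'
    } elseif ($admin.Attributes -match 'deny only') {
        # The group is in the token but can only be used to deny access.
        $state = 'deny-only'; $meaning = 'administrator account on the filtered (standard user) token'
    } else {
        $state = 'enabled';   $meaning = 'full administrator token (elevated, or UAC is off)'
    }

    [pscustomobject]@{
        AdministratorsGroup = $state
        Integrity           = $integrity
        Meaning             = $meaning
    }
}

Get-TokenSummary $FilteredSample
Get-TokenSummary $ElevatedSample
```

On a live system, pass `(whoami /groups /fo csv | Out-String)` from a normal prompt and again from an elevated one and compare the two results.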
  12. riix

    DevilsPGD Guest

    In message <> riix
    This is *exactly* what UAC does. Users are using a basic "user" level
    token at all times, until a program requests administrator privileges.
     
    DevilsPGD, Aug 17, 2008
    #12
  13. riix

    DevilsPGD Guest

    In message <> riix
    First, there is no such thing as a power user in Vista. If the group
    exists from an AD context, it has no particular rights on the desktop.

    Second, if you're running as a standard user, "Run As Administrator"
    hasn't changed, it still allows the user to run a program under a
    different security context.

    If you're running as an administrator already, then the UAC popup by
    default doesn't require credentials (it already knows who you are, and
    that you are authorized), so this is technically a regression as you
    used to be able to run programs as any user. Luckily you can use group
    policies to change this, if you need to be able to launch programs in a
    different user context.
    UAC controls the elevation process, and is largely what allows processes
    from two different security contexts to interact on the same console.
    If XP "just worked" then you were running with administrative access
    already, or you're using a program that requests administrative access
    but doesn't need it.
    A Power User is just an administrator who hasn't promoted themselves
    yet.
    Because the majority of users actually use their computers. They
    install software (Flash come to mind anyone?), upgrade software, stuff
    like that.

    iTunes, Adobe Reader, Adobe Flash have all had security updates
    recently, so either your son is horribly insecure, or uses the
    administrator password. If he uses the administrator password when
    doing these activities then he's doing what UAC would have done for him.

    UAC doesn't pop up randomly, it only happens when Vista detects an
    activity happening that requires administrative privileges, or an
    application or user specifically requests administrative privileges.
     
    DevilsPGD, Aug 17, 2008
    #13
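
The behaviours argued over in this thread (UAC off, a consent click versus a credentials prompt for administrators, the dimmed desktop) are registry-backed policy values. The following is an added example, not part of any post, that reports which behaviour a machine is configured for; the function names and sample hashtables are constructed here, and the value meanings given are the Windows Vista ones.

```powershell
# Added example, not from the thread. The value names are the documented UAC
# policy values under the key below; meanings given are the Windows Vista ones.
# The sample hashtables at the bottom are constructed.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Live read (Windows only); values that are not set come back as $null.
    $p = Get-ItemProperty -Path $UacKey
    $h = @{}
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin',
                   'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop') { $h[$n] = $p.$n }
    $h
}

function Test-UacPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)

    if ($Policy['EnableLUA'] -eq 0) {
        # Nothing else applies: no split token and no elevation prompt at all.
        return 'EnableLUA=0: UAC is off; administrators log on with the full token'
    }
    $notes = @('EnableLUA=1: UAC is on; administrators log on with a filtered token')

    $admin = $Policy['ConsentPromptBehaviorAdmin']
    if     ($admin -eq 0) { $notes += 'Admin=0: administrators are elevated with no prompt' }
    elseif ($admin -eq 1) { $notes += 'Admin=1: administrators must enter credentials to elevate' }
    elseif ($admin -eq 2) { $notes += 'Admin=2: administrators click through a consent prompt' }

    $user = $Policy['ConsentPromptBehaviorUser']
    if     ($user -eq 0) { $notes += 'User=0: elevation requests from standard users are denied' }
    elseif ($user -eq 1) { $notes += 'User=1: standard users are asked for administrator credentials' }

    if ($Policy['PromptOnSecureDesktop'] -eq 0) {
        $notes += 'PromptOnSecureDesktop=0: prompts appear on the normal desktop, without dimming'
    }
    $notes
}

$ConsentPrompt   = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2
                      ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 1 }
$SilentElevation = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0
                      ConsentPromptBehaviorUser = 1; PromptOnSecureDesktop = 1 }
$UacOff          = @{ EnableLUA = 0 }

foreach ($sample in $ConsentPrompt, $SilentElevation, $UacOff) {
    Test-UacPolicy $sample
    ''
}
```

On a Windows machine, `Test-UacPolicy (Get-UacPolicy)` reports the live configuration instead of the samples.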
  14. riix

    riix Guest

    thank you. please no more responses. i'm buying a mac for me and my son
     
    riix, Aug 18, 2008
    #14