turn off user account control

Discussion in 'Windows Vista Security' started by John A Grandy, Feb 16, 2009.

  1. Then it's not Vista compliant software. And mostly, what is requiring
    admin rights to run is old legacy COM solutions.

    http://www.developer.com/net/net/article.php/3695651

    One of the requirements of Vista compliant software is that it only
    needs Standard user rights to execute.
     
    Jack the Ripper, Feb 21, 2009
    #21
    1. Advertisements

  2. John A Grandy

    Mark H Guest

    Your assumption is that Vista is the dominant, or only OS out there. It is
    not. There is no reason to be Vista compliant if the majority of users are
    still on XP or 2K. As a result, a larger portion of the less branded
    software, and company specific software, is still written to other
    standards.

    I don't really care if they are, or are not, Vista compliant. I test what
    the consumer's experience will be when installing, using and removing a
    product. What issues or distracters arise from the various platform
    specifics. On that basis, UAC may work to prevent alteration of Vista, but
    it is an unnecessary burden to the consumer based on the response of the
    other operating systems ability to install, operate and remove the same
    products.

    The typical home consumer (Note: This is not an employee workstation
    viewpoint.) either lives with the prompts by duly ignoring them to install
    the garbage they are sure they want, or they restrict themselves to
    Vista-compliant software, thereby promoting the idea of UAC as a viable
    tool. There was life before UAC and it worked just fine for the home user.

    You have a different perspective as a member of the IT community supporting
    protected networks with standardized software installations. I appreciate
    that, but it is not a home consumer's view. The typical consumer wants a
    computer that operates without nagging them. They don't understand the
    difference between "super-admin", "limited-admin" and standard user
    accounts. And, they just click Continue when prompted three times to install
    the garbage they are sure they want to install. They paid for it and expect
    that it will work. All those prompts lead the consumer to believe their
    product is riddled with problems and that is seldom the case. After only a
    couple of these experiences, they come to believe it's a problem with Vista
    they will just have to live with and learn to just click Continue.

    But, don't worry about it. It will all be better when everyone shifts to
    Windows 7. Why would MS be altering the user's ability to profoundly change
    the UAC experience if the prompt's were not an issue and "everyone" was
    going to Vista-compliant software? Yes, the consumer needs to be better
    educated on the importance of UAC. But, that is not going to happen. As the
    older OS's die out, UAC will finally go quiet and work as it should:
    unnoticed, without modification.
     
    Mark H, Feb 21, 2009
    #22
    1. Advertisements

  3. Well, your assumption of my assumption is wrong. MS had given software
    vendors plenty of notification that they were going have to come into
    compliance on the MS O/S platform and their software with Vista. It was
    not going to business as usual on Vista, like it was on the previous
    versions of the open by default NT based O/S(s), which they didn't even
    follow the MS standards for developing software for those O/S(s).
    That's the 3rd party software vendor's fault, and their in ability to
    comply. Some 3rd party software vendors have complied and more are
    complying as they have to develop solutions for the Vista and Win-7
    O/S(s), as there is no turning back the clock.
    And before Vista and UAC, those users were getting hammered and are
    being hammered by malware as they run with full-admin-rights 100% of the
    time, and any malware running under the context of those rights have
    full access to every aspect of the O/S and everything else running with
    the O/S, because they are open by default O/S(s). That's not so with
    Vista and UAC enabled, because UAC midigates/limits the damage, even if
    they point, click and install it, which is due to admin-user on Vista
    with UAC enabled is returned to using that Standard-user access token
    once the privileged escalation has been completed.

    And yet, when those same users are moving over to Linux, they are
    forced to deal with the same type of setup and learn how to use the O/S,
    one doesn't hear a peep out of them about the approval process to
    escalate rights to root-admin.
    What the home consumer wants is a protected O/S that is not so easily
    attackable. What MS wants is that not every home user computer being
    used by the home user can be easily turned into a bot machine that leads
    to that machine attacking other machines on the Internet and on the LAN.
    Well, they had better figure out whats going on, because ignorance is
    not bliss.
    Well, I guess you have heard about UAC on Win-7 where the verbosity of
    UAC can be controlled by the user. It's not going to happen on Vista, so
    if anyone goes to Vista, they either run with UAC or they run with it
    off, opening the machine to be attacked more easily.
    Tell me something that I don't know. And UAC on Win-7 on mya machine
    will be on *high* verbosity. I'll still be using Vista even when I get a
    machine running Win-7. What I won't be doing is ever going backwards to
    any of the previous *wide-open-to-attack* versions on the NT based O/S
    for the workstation platforms.

    And that same compliance for software vendors to make the software Win-7
    compliant is just a carry-over from Vista, nothing has changed in that
    regard.
     
    Jack the Ripper, Feb 21, 2009
    #23
  4. If you use that account, would a launch of IE make use of "protected
    mode"?

    Just wondering...
     
    FromTheRafters, Feb 21, 2009
    #24
  5. Yes, I just tried it, and yes Protected mode is enabled. I also have
    found out that with UAC enabled, you still get prompted. That's what was
    said at a blog I read that UAC wouldn't prompt super-admin with UAC
    enabled. It seems that is not the case.

    However, in communications with another developer about making registry
    changes during software installation on Vista, he told me that with
    UAC enabled using the non-super-admin account for administration, the
    install was successful with UAC escalated privileges.

    However, with UAC disabled and using the same admin-account, the install
    blew because the registry changes couldn't be made. So, I guess that is
    where super-admin would be applied, with UAC disabled.

    You know, MS is closing things down with IE7 protect mode, ASLR and
    other type of solutions, but most people only look at UI eye-candy and
    what's happening in their face.

    <http://www.securitypronews.com/news/securitynews/spn-45-20060601ASLRJoinsVistasBagOfTricks.html>

    I myself, I am pleased with the implementation of closing Vista down O/S
    security wise, which will carry over to Win-7, just get rid of
    virtulization as that seems to be too locked-down.
     
    Jack the Ripper, Feb 22, 2009
    #25
  6. Funny, they say that running IE "elevated" defeats protected mode IE.
    They also say that Administrator doesn't have a split token and so can't
    invoke UAC. Sometimes I wonder if *they* even know how the final release
    works. :eek:)

    For people that want the closest equivalent to XP's admin, maybe using
    "Administrator" *and* UAC off is the answer.
    Probably, sort of the point I was trying to get to - UAC and MIC are
    involved, and what you call 'super admin' may still be restricted by MIC
    unless you turn UAC (or at least MIC) off.
    Yeah, it's like evolution driven by "fitness factor" natural selection
    is being overridden by social (sexual) artificial selection. Sure it's
    insecure, but I *really* like the new skins. Peacock feathers -
    disadvantageous as far as predation goes, but the peahens like them
    so....
    I'll have a look - thanks.
    Indeed, another thing a read somewhere is that the next (Windows 7?) OS
    will not 'virtualize' to support legacy programs. So it will be even
    *less* forgiving about poorly written (or non Vista standards compliant)
    programs.

    ....maybe that's wrong too.
     
    FromTheRafters, Feb 22, 2009
    #26
  7. John A Grandy

    Sam Hobbs Guest

    Where does the article say that? What if a COM object truly does need
    Administrator privileges, your statement is saying that it cannot be done in
    a COM object. That article even says "There will still be circumstances when
    an application needs administrative privileges to carry out certain
    processes, especially if the application is written for administrator use.".
     
    Sam Hobbs, Feb 22, 2009
    #27
  8. I did not say that it cannot be done with a COM object. I am saying that
    in order for the COM legacy solution application to execute, a COM
    object execution is on a given process/thread and it may need privileged
    escalation to execute.

    Even a .NET solution may need its rights escalated if the solution is
    doing administrative tasks, like making registry changes as an example.

    But the bottom line is to make the application run with only requiring
    Standard user rights or least privilege, which most software developers
    bluntly disregard and everything runs with full-admin-rights when 9
    times out of 10 it is not required.

    But that was also due to Limited account rights on XP solutions not
    being able to run properly, so it became full-rights execution for just
    about everything written on the XP platform.

    For Vista and Win-7, if it calls for the application to be leveraged to
    use Standard user rights only on a rewrite of code, then so be it.

    One thing that is happening is more and more code for the MS platform
    are being written in .NET, which is managed code using the CLI/CLR. And
    they are looking at code intent to prevent things if hostile or dubious
    intent is determined with in the code, before it is executed and stop
    the execution.

    However, that can be circumvented by a COM object code being called in
    the solution that is not manageable by the CLI/CLR. And therefore, the
    push is being made to eliminate/eradicate COM off the MS O/S platform.
    Of course, not everyone will be going to .NET, and if it's not broke
    them don't fix it, legacy COM solutions.

    <http://msdn.microsoft.com/en-us/library/bb530410.aspx>

    <copied>

    How Do I Determine If My Application Has Administrative Dependencies?

    To assist developers, ISVs, and organizations in evaluating their
    applications, Microsoft provides the Microsoft Standard User Analyzer.
    The Standard User Analyzer can be used to help identity
    non-UAC–compliant behavior of an application. Microsoft recommends that
    developers run this tool to identify issues with running the application
    under a standard user account. These tests should be performed, even if
    the application already installs and runs properly under a standard user
    account on Windows XP. The application may perform operations, such as
    attempting to write to system registry locations, and make decisions
    based on the system's behavior, such as looking for an error response.
    Windows Vista may behave differently than earlier versions of the
    Windows operating system due to the addition of new application
    compatibility support. Therefore, it is recommended that all
    applications be tested with the new version of the Standard User Analyzer.

    The Standard User Analyzer will record all administrative operations
    encountered by an application, including registry/file system access and
    elevated API calls. This data is stored in a log file and is displayed
    within the tool. The Standard User Analyzer identifies the following
    common dependencies, in addition to many others:

    <copied>
     
    Jack the Ripper, Feb 22, 2009
    #28
  9. John A Grandy

    Gordon Guest

    Yes - the "standard" which REQUIRES users to run as Admin - that's no
    standard at all and is the result of lazy and incompetent programming by the
    software developers.
     
    Gordon, Feb 22, 2009
    #29
  10. John A Grandy

    Mark H Guest

    Mark H, Feb 23, 2009
    #30
  11. John A Grandy

    Mark H Guest

    Nor for those always right when they only understand the view from their own
    throne.
     
    Mark H, Feb 23, 2009
    #31
  12. You had better take a look at yourself on the pot.
     
    Jack the Ripper, Feb 24, 2009
    #32
  13. John A Grandy

    Paul Smith Guest

    Instead of simply turning UAC off like so many have recommended, I'd suggest
    leaving it on, but have it auto-elevate whenever you get a prompt you can do
    this by going to

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    and changing ConsentPromptBehaviorAdmin to 0 (the default is 2). You can
    also perform this by using secpol.msc if you're using Business or Ultimate
    (I don't believe its present in Home Basic or Premium).

    More details:
    http://www.dasmirnov.net/blog/2008/10/23/why-you-should-never-disable-uac
     
    Paul Smith, Feb 27, 2009
    #33
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.