Windows 7 UAC

[Faustus]

Just go into msconfig & turn UAC right off. Thats what i've done!

Yes that's what I do when I go out - I don't arm my home security and I leave large notices everywhere so burglars know I'm not at home - OH DEAR!

 

[Barno]

I'd be happy to leave UAC on if it didn't interfere so much. I just installed MyDefrag and like the games it didn't cause a UAC pop up in the old RTM version of windows 7 but now it does. Something tells me its not functioning as it should, it feels like I'm getting way too many UAC pop ups.

 

[no_1_dave]

Yes that's what I do when I go out - I don't arm my home security and I leave large notices everywhere so burglars know I'm not at home - OH DEAR!

Very constructive
If everyone was as constructive as you the internet would be a better place.

 

[v0n]

Turning UAC off isn't the sign of an experienced or power user, it's the sign of an ignorant user because they clearly don't understand the importance of a layered security model.

Trouble with UAC and people disabling it was always drawn from the fact MS does not understand how layered security model should work. They understand it was important, they saw it working - sudo in Unix/Linux, simple elevation in OSX, but when it came to implementing it, they never understood what it should do and still don't.

User accessing application is not security risk, if program is run with user permission and doesn't enter system libraries or kernel space. Accessing program files/application directory to view files is not system wide security risk. Application writing to users home directory should not be system wide security risk. Accessing graphics, desktop acceleration libraries or changing resolution should not be system wide security risk. Even completely killing user console or desktop and restarting it should never be system wide security risk. And once we agree on that, suddenly comes realisation that there is no game, under the sun, that should ever, in any way, shape, form, ever need to be run as administrator or trigger sudo or equivalent UAC. No program working purely in user space should ever need to be root or Admin - the "master of all" except maybe during installation process if installation is for all users?

The fact there is a shield on game icon on any Windows computer out there , if there is even one single computer out there that requires administrative level and elevated permissions to run what should be self contained, user sandboxed program, then it only proves how insanely far MS is from understanding what layered security model should look like.

Switching off UAC is not as much sign of user ignorance as it is a sign of programmers incompetence. It's ultimately like saying - we couldn't clean up how the system works, and any app can still screw around with kernel and system libraries and kill it, it's just now you have to agree to it before it does. It's a bit like saying "we didn't remove red button that allows anyone to blow up your car, instead we put a plastic cover on it that says "are you sure you want to press it?""

 

[Dolph]

Trouble with UAC and people disabling it was always drawn from the fact MS does not understand how layered security model should work. They understand it was important, they saw it working - sudo in Unix/Linux, simple elevation in OSX, but when it came to implementing it, they never understood what it should do and still don't.

User accessing application is not security risk, if program is run with user permission and doesn't enter system libraries or kernel space. Accessing program files/application directory to view files is not system wide security risk. Application writing to users home directory should not be system wide security risk. Accessing graphics, desktop acceleration libraries or changing resolution should not be system wide security risk. Even completely killing user console or desktop and restarting it should never be system wide security risk. And once we agree on that, suddenly comes realisation that there is no game, under the sun, that should ever, in any way, shape, form, ever need to be run as administrator or trigger sudo or equivalent UAC. No program working purely in user space should ever need to be root or Admin - the "master of all" except maybe during installation process if installation is for all users?

How many microsoft programs do require this?

The fact there is a shield on game icon on any Windows computer out there , if there is even one single computer out there that requires administrative level and elevated permissions to run what should be self contained, user sandboxed program, then it only proves how insanely far MS is from understanding what layered security model should look like.

MS program creation guidelines have said what should be done since NT, the fact is that most programmers didn't do it, especially during the XP era. This is not microsoft's fault. This is the fault of third party developers.

Switching off UAC is not as much sign of user ignorance as it is a sign of programmers incompetence. It's ultimately like saying - we couldn't clean up how the system works, and any app can still screw around with kernel and system libraries and kill it, it's just now you have to agree to it before it does. It's a bit like saying "we didn't remove red button that allows anyone to blow up your car, instead we put a plastic cover on it that says "are you sure you want to press it?""

The failure of the average user to implement good security practice (ie using standard user accounts) is not the fault of Microsoft, UAC is a response to the failure of users, not a failure of MS. Those turning it off are only perpetuating the mistakes of users past.

The NT kernel has always had and supported good user level access control systems, the problem is everyone and their idiot half-brother installed XP and created an admin account, because the others were too much hassle to run their crappy windows 98 software. Idiot programmers then decided that as people would be running in admin mode, they didn't need to follow the programming guidelines.

How this is MS' fault, I'm really not sure, and why everyone gets on their case now they are trying to fix the fact that they forgot the average user is a moron is beyond me.

 

[Fire Wizard]

have your antivirus and a firewall and becareful what you install and you be ok

Along with running as a standard user. If you are not willing to run as a standard user, then you should be at least running in Administrator Approval Mode i.e. using the Protected Administrator account which is slightly better than running as an administrator with User Account Control disabled. You are kind of defeating your own security configuration of your system by running an anti-virus program and a firewall but are also running as a full blown administrator.

The fact that by simply running with standard user rights, you instantly break a ton of malware that assumes administrator privileges. All of that malware that was written for pre Windows Vista based systems is simply rendered useless in Windows Vista and Windows 7 default configuration.

How about vulnerabilities in well known and widely used pieces of software, like for example Mozilla Firefox, Adobe Flash Player, Microsoft Office etc. If an attacker exploits a vulnerability in your web browser, like Mozilla Firefox for example, the damage the attacker will be able to cause will be far less if Mozilla Firefox is running with a minimum amount of privileges for it to run correctly than if it was running with much higher privileges.

Software will also be able to cause a lot less damage if they are simply buggy. They won't be able to interact with core parts of the operating system which if tampered with, could potentially crash your system.

There is also the Virtualization aspect of UAC. As well re-directing writes to per user locations to help users migrate over to a standard user environment, it also helps the stability and the security of the operating system which you can read more about in the following articles:

Protecting System Files with UAC Virtualization (Part 1)

Protecting System Files with UAC Virtualization (Part 2)

You then also have the ability to further restrict processes that are maybe highly vulnerable to attacks. An obvious one is your web browser. If you only run your web browser with the least possible privileges to be able to operate, privileges even lower than that of a standard user, the amount of damage attackers will be able to cause to your system will be greatly reduced, depending on the type of attack obviously. Internet Explorer takes advantage of this by default by running in Protected Mode which means it runs as a low integrity process. There is a good article about Internet Explorer Protected Mode here.

The following few articles are about why you should be running as a standard user as opposed to an administrator:

Aaron Margosis: Not running as admin...

Aaron Margosis: Why you shouldn't run as admin...

Aaron Margosis: "Zero-day" attacks and using limited privilege

eWeek: Least Privilege Can Be the Best

eWeek: User Privileges, Malware and the Sony Rootkit Debacle

eWeek:Is System Lockdown the Secret Weapon?

Zdnet: Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts

 

[Fire Wizard]

if it's any consolation Dolph, i've turned UAC off because it asks me every time i try and do anything work related with my laptop.

User Account Control isn't about trying to second guess everything the user does. You are obviously doing a lot of tasks that require administrator privileges and / or the applications that you're using are requesting administrator rights which is why UAC is bringing up an elevation dialogue.

as far as UAC is concerned, the software i use every day is a security risk, which is definitely is, but i need to use it, and the pop-ups cause considerable problems with my other programs, so UAC had to go.

UAC isn't showing you an elevation dialogue because it thinks a particular program is a security risk. If that was actually the case then it would be rather self defeating because if a certain program was potentially dangerous then giving it administrator privileges certainly isn't going to help the situation.

As said above, the reason why you're receiving a UAC elevation dialogue is because that particular application is requesting administrator privileges. If an application doesn't need administrator privileges and can run absolutely fine with standard user privileges and yet it's requesting administrator rights, get rid of the application and then write a letter to the developer to get them to start writing their programs correctly.

Also, which programs are you having problems with out of interest?

 

[Faustus]

Very constructive
If everyone was as constructive as you the internet would be a better place.

Well you have to ask why people are responding in this way! A well tried security system is put in place to assist the user and the user's response - to hell with that lets turn it off. Like most security systems they are there for a reason and to circumvent them is only for the advanced user or those that like to live dangerously.

 

[Aod]

User Account Control isn't about trying to second guess everything the user does. You are obviously doing a lot of tasks that require administrator privileges and / or the applications that you're using are requesting administrator rights which is why UAC is bringing up an elevation dialogue.



UAC isn't showing you an elevation dialogue because it thinks a particular program is a security risk. If that was actually the case then it would be rather self defeating because if a certain program was potentially dangerous then giving it administrator privileges certainly isn't going to help the situation.

As said above, the reason why you're receiving a UAC elevation dialogue is because that particular application is requesting administrator privileges. If an application doesn't need administrator privileges and can run absolutely fine with standard user privileges and yet it's requesting administrator rights, get rid of the application and then write a letter to the developer to get them to start writing their programs correctly.

Also, which programs are you having problems with out of interest?

i know that UAC isn't about saying that program "x" is a security risk - i was extrapolating from program "X" requests Admin rights, which could then allow program "X" to damage the system - thus, Program "X" could possibly be a security risk

almost all the programs i use require direct access to the system drive and other associated Disk I/O hardware, and UAC has decided (rightly so) that such access requires Admin priviledges.

software wise, i can't tell most of the bespoke software i use (NDA) but i can tell you that i use VMware Workstation with direct local-network access and translation, and direct disk access on startup. i also use a number of other forensic programs which require a similar level of direct disk access.

some of the software i use probably doesn't need the Elevation it requests, but i can't Ask the devs for new versions that don't ask, mostly because those Dev's aren't allowed to use computers anymore...

 

[Jakus]

Good points for and against here, but the bottom line is there should be an option to turn that and locked files off with one setting !
It, like any extra layer of security really is not going to ever totally save the incompetents it's Just a pain for the power user

 

[Broken Hope]

almost all the programs i use require direct access to the system drive and other associated Disk I/O hardware, and UAC has decided (rightly so) that such access requires Admin priviledges.

software wise, i can't tell most of the bespoke software i use (NDA) but i can tell you that i use VMware Workstation with direct local-network access and translation, and direct disk access on startup. i also use a number of other forensic programs which require a similar level of direct disk access.

Why is that software trying to write to the system folders instead of your user folder though? Properly written software should only be using those folders for installation, so you should only get UAC prompts when installing software, then afterwards you shouldn't be since that software shouldn't be trying to write user data to those folders.

 

[Aod]

Why is that software trying to write to the system folders instead of your user folder though? Properly written software should only be using those folders for installation, so you should only get UAC prompts when installing software, then afterwards you shouldn't be since that software shouldn't be trying to write user data to those folders.

the software isn't trying to write to the system folders - it's requesting R/W/M Access to the entire drive

 

[stifler]

UAC was the first thing i turned off in vista and win 7

this, i think its very annoying.

 

[mmj_uk]

this, i think its very annoying.

Same here and it's never had any detrimental effect, there's a fine line between being secure and paranoia.

 

[Fire Wizard]

*Snip*

I haven't really got much to add that Dolph hasn't already said in his post. Other than to reiterate the point that the fact that when you run certain programs, if the user is shown a User Account Control elevation dialogue and thus that particular program is requesting administrator privileges it is not because of Microsoft's lack of understanding of things or the way UAC works, but purely because of the way some developers had written their programs.

Which moves us onto another misunderstood part of UAC, the elevation dialogues. When you log into the default account in Windows Vista and Windows 7, you are running with standard user rights. However, users will obviously want to do things that require administrator privileges from time to time, so the user would need to be able to access administrator rights. One possible way for users to do tasks that require administrator privileges would be to switch to a dedicated administrator account and then switch back. However, the majority of users wouldn't be prepared to do that and once they have switched a couple of times, in the end, they would just stay in the administrator account and no progress would be made.

Which is why we have the elevation dialogues. Instead of the user having to switch accounts when ever they need to do anything that requires administrator privileges, the user can conveniently elevate the privileges for that particular operation by simply accepting the elevation dialogue whilst still remaining in the same account. If you have logged into the default account in Windows Vista and Windows 7, you will be running in Administrator Approval Mode and will simply need to accept the consent elevation dialogue. If you are running as a standard user, you are presented with the Over The Shoulder elevation dialogue which would require you to enter the credentials of the administrator account before continuing. Though, there are potential avenues of attacks with the elevations and malware could compromise an elevated process to gain administrator privileges:

Elevations and Security Boundaries:

It’s important to be aware that UAC elevations are conveniences and not security boundaries. A security boundary requires that security policy dictates what can pass through the boundary. User accounts are an example of a security boundary in Windows because one user can’t access the data belonging to another user without having that user’s permission.

Because elevations aren’t security boundaries, there’s no guarantee that malware running on a system with standard user rights can’t compromise an elevated process to gain administrative rights. For example, elevation dialogs only identify the executable that will be elevated; they say nothing about what it will do when it executes. The executable will process command-line arguments, load DLLs, open data files, and communicate with other processes. Any of those operations could conceivably allow malware to compromise the elevated process and thus gain administrative rights.

Elevated AAM processes are especially susceptible to compromise because they run in the same user account as the AAM user’s standard-rights processes and share the user’s profile. Many applications read settings and load extensions registered in a user’s profile, offering opportunities for malware to elevate. For example, the common control dialogs load Shell extensions configured in a user’s registry key (under HKEY_CURRENT_USER), so malware can add itself as an extension to load into any elevated process that uses those dialogs.

Even processes elevated from standard user accounts can conceivably be compromised because of shared state. All the processes running in a logon session share the internal namespace where Windows stores objects such as events, mutexes, semaphores, and shared memory. If malware knows that an elevated process will try to open and read a specific shared memory object when the process starts, it could create the object with contents that trigger a buffer overflow to inject code into the elevated process. That type of attack is relatively sophisticated, but its possibility prevents OTS elevations from being a security boundary.

The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer.

Inside Windows Vista User Account Control

Because elevations and ILs don’t define a security boundary, potential avenues of attack , regardless of ease or scope, are not security bugs. So if you aren’t guaranteed that your elevated processes aren’t susceptible to compromise by those running at a lower IL, why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

Without the convenience of elevations most of us would continue to run the way we have on previous versions of Windows: with administrative rights all the time. Protected Mode IE and PsExec’s -l option simply take advantage of ILs to create a sandbox around malware that gets past other security defenses. The elevation and Protected Mode IE sandboxes might have potential avenues of attack , but they’re better than no sandbox at all. If you value security over any convenience you can, of course, leverage the security boundary of separate user accounts by running as standard user all the time and switching to dedicated accounts for unsafe browsing and administrative activities.

PsExec, User Account Control and Security Boundaries

So, to summarise, the elevation dialogues are a convenience and not a security boundary.

The following is also a good article regarding UAC and the trade of between security and convenience:

Security Features vs. Convenience

Same here and it's never had any detrimental effect, there's a fine line between being secure and paranoia.

When did running as a standard user become about being paranoid? Do you class all of the Linux users who don't run as root paranoid as well? The principle of least privilege is a very important security concept and not just exalting paranoia.

If you were the person in charge of setting up computer systems for a company, would you give all of your users the maximum amount of privileges possible or the minimum amount they need to be able to do their job correctly? You would obviously do the latter. The same also applies to software, you should only give software the minimum amount of privileges they need to be able to perform the task they were designed for. Processes running at a lower privilege level will be able to cause a lot less damage if either a vulnerability is discovered and then exploited or are simply buggy compared to if they were running at a higher privileged level. By given software more privileges than they need, you are opening up a completely unnecessary security hole.

 

[meths]

Personally now that I'm up and running on Windows 7 I'm going to reinstall the OS and set it up properly with a Standard User account as my main day to day account.

I liked UAC in Vista though and found it reassuring to have and generally unobtrusive.

I only use one program that requires elevated admin rights to function properly and personally don't mind typing in a password to get it to run.

 

[Tripnologist]

UAC was the first thing i turned off in vista and win 7
i did ok with out it since 1995, so its just a pain

I did okay without AV from 1995 until I first installed it in 2001. Doesn't mean it would be smart not to have it now.

 

[_Jimlad_]

i don't get why people turn off UAC, it was a pain in Vista, but you live with it and in Win7 its tweaked down anyway.

Also doing my MS training they recommend that you use your pc as a standard user as default, which i don't do but i do keep UAC on

 

[Burnsy2023]

i don't get why people turn off UAC, it was a pain in Vista, but you live with it and in Win7 its tweaked down anyway.

Also doing my MS training they recommend that you use your pc as a standard user as default, which i don't do but i do keep UAC on

Just to further this. In Vista, I used TweakUAC to put it to silent. I kinda forgot to do that in 7, in fact I haven't touched it from the default settings and the only thing that I use regularly that requires elevation is Everest Ultimate which only requires elevation on startup. That's not an issue either as my machine is rarely restarted.

 

[cokecan]

would just like to ecco the above from Burnsy, since setting up my PC, the only times I've ever seen the UAC is when installing things....but how often do we usually need to install stuff once you've set your pc up?

I'm finding the UAC much less intrusive than it was in Vista, it generally does feel a bit more toned down