Sigh.
It appears I will need to re-write most of this post again. As I was adding some additional information, I lost my Internet connection and as I reconnected and refreshed the page, the vast majority of my post had disappeared. I'm not quite sure why that has happened. I must have accidentally removed some of the information I had written along with saving my post.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I ran Vista for about a year as an administrator for the simple reason that I only created one user when I installed it and didn't know any better. After installing Windows 7 I started reading a bunch of threads on the forums, particularly ones by firewizard. He seems adamant that you should always run as a standard user with UAC enabled for security reasons.
The only way to be truly secure is to run as a standard user but then switch to a dedicated administrator account for any administrative operations. However, the vast majority of users would consider this a major inconvenience. The first time they switch to an administrator account because they need to do something which requires administrator rights, they simply wouldn't want to switch back and they would just end up staying in the administrator account. The elevation dialogue feature of User Account Control is there to counter this problem.
When the user is running in a standard user account, whenever they need to do an administrative operation, they will receive an Over The Shoulder (OTS) elevation dialogue which will ask them to enter the credentials of the administrator account to continue with that given administrative task. Apart from being able to conveniently access administrator rights from a standard user account due to the User Account Control elevation dialogues, standard users are roughly the same in Windows Vista and Windows 7 compared to previous versions of Windows.
What has changed though is the administrator account. The default administrator account, and any administrator accounts created thereafter from the User Accounts section in the Control Panel, are Protected Administrator (PA) accounts. When the user logs into a Protected Administrator account, they are given two identities, one with standard user rights and the other with administrator rights. The standard user identity is used by default. When the user needs to do something which requires administrator rights, they will receive the consent elevation dialogue which they would simply need to accept to carry out the administrative operation.
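To see the two identities of a Protected Administrator account for yourself, here is an added example (my own, not part of the original post or anything Microsoft ships) that inspects the token of the current PowerShell session. It assumes Windows Vista or later with the built-in whoami.exe available; the function name Get-UacTokenState and the "SessionKind" labels are my own naming.

```powershell
# Added example: classify the current session by reading its access token.
# Assumes whoami.exe (built into Windows) and .NET access from PowerShell.
function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole only considers groups that are *enabled* in the token, so in an
    # unelevated Protected Administrator session this returns $false even
    # though the user is a member of the Administrators group.
    $isElevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups shows each group's attributes. The filtered token of a PA
    # account still lists Administrators (S-1-5-32-544) but marks it
    # "Group used for deny only": it can deny access, never grant it.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $integrity  = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

    $adminDenyOnly = $false
    if ($adminGroup) {
        $adminDenyOnly = [bool]($adminGroup.Attributes -match 'deny only')
    }

    # Derive which of the identities described above is in use.
    $kind = if ($isElevated) {
                'Administrator identity (elevated)'
            } elseif ($adminDenyOnly) {
                'Protected Administrator, standard-user identity (not elevated)'
            } else {
                'Standard user'
            }

    [PSCustomObject]@{
        User                  = $identity.Name
        IsElevated            = $isElevated
        AdministratorsDenyOnly = $adminDenyOnly
        IntegrityLevel        = $integrity
        SessionKind           = $kind
    }
}

Get-UacTokenState | Format-List
```

Run it once in a normal PowerShell window and once in one started with "Run as administrator" from the same PA account: the first reports IsElevated False, AdministratorsDenyOnly True and a Medium integrity level, the second IsElevated True and High. In a genuine standard user account the Administrators group does not appear in the token at all, so both flags are False.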
Since the default account in Windows Vista and Windows 7 is a Protected Administrator, Independent Software Vendors (ISVs) must now assume that everyone will be running with standard user rights. This then forces them to start writing their applications so they work correctly in a standard user environment:
Mark Russinovich said:
The PA account was designed to encourage developers to write their applications to require only standard user rights while enabling as many applications that share state between administrative components and standard user components to continue working. By default, the first account on a Windows Vista or Windows 7 system, which was a full administrator account on previous versions of Windows, is a PA account. Any programs a PA user executes are run with standard-user rights unless the user explicitly elevates the application, which grants the application administrative rights. Elevation prompts are triggered by user activities such as installing applications and changing system settings. These elevation prompts are the most visible UAC technology, manifesting as a switch to a screen with an allow/cancel dialog and grayed snapshot of the desktop as the background.
*Snip*
When UAC is enabled, all user accounts—including administrative accounts—run with standard user rights. This means that application developers must consider the fact that their software won't have administrative rights by default. This should remind them to design their application to work with standard user rights. If the application or parts of its functionality require administrative rights, it can leverage the elevation mechanism to enable the user to unlock that functionality. Generally, application developers need to make only minor changes to their applications to work well with standard user rights. As the E7 blog post on UAC shows, UAC is successfully changing the way developers write software.
Inside Windows 7 User Account Control
Whilst running in a Protected Administrator account is more secure than running as a full-blown administrator, the security benefits are simply a side effect of its primary purpose, which has been stated above, and it is still recommended to run in a standard user account.
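Since the advice above depends on UAC actually being switched on, here is an added example (my own, not from the original post) that reports the machine's UAC policy: whether it is enabled, which prompt Protected Administrators get, which prompt standard users get for OTS elevation, and whether prompts use the secure desktop. It reads only the documented policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the function name Get-UacPolicy and the wording of the findings are my own.

```powershell
# Added example: audit the local UAC policy values.
# Assumes Windows Vista or later; run from an elevated or non-elevated session,
# reading HKLM requires no special rights.
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # ConsentPromptBehaviorAdmin: prompt shown to Protected Administrator accounts.
    # (Windows 7 defaults to 5, Windows Vista to 2.)
    $adminBehaviour = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    # ConsentPromptBehaviorUser: the Over The Shoulder prompt for standard users.
    $userBehaviour = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    # Treat a missing value as "not set" rather than silently reading it as 0.
    $adminValue = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { $null }
    $userValue  = if ($null -ne $p.ConsentPromptBehaviorUser)  { [int]$p.ConsentPromptBehaviorUser }  else { $null }

    $enabled       = ($p.EnableLUA -eq 1)
    $secureDesktop = ($p.PromptOnSecureDesktop -eq 1)

    # Plain-language findings a reader of this thread would care about.
    $findings = @()
    if (-not $enabled) {
        $findings += 'UAC is disabled: administrator accounts run fully elevated with no consent dialogue.'
    }
    if ($enabled -and $adminValue -eq 0) {
        $findings += 'Protected Administrators elevate silently, so the consent dialogue never appears.'
    }
    if ($enabled -and -not $secureDesktop) {
        $findings += 'Elevation prompts are shown on the normal desktop instead of the secure desktop.'
    }
    if ($enabled -and $userValue -eq 0) {
        $findings += 'Standard users cannot elevate at all; OTS elevation requests are denied automatically.'
    }

    [PSCustomObject]@{
        UacEnabled         = $enabled
        AdminPrompt        = if ($null -ne $adminValue) { $adminBehaviour[$adminValue] } else { 'Not set' }
        StandardUserPrompt = if ($null -ne $userValue)  { $userBehaviour[$userValue] }  else { 'Not set' }
        SecureDesktop      = $secureDesktop
        Findings           = $findings
    }
}

Get-UacPolicy | Format-List
```

A machine following the advice in this thread shows UacEnabled True, SecureDesktop True, an AdminPrompt that actually prompts, and an empty Findings list; anything listed under Findings is a setting that weakens or removes the elevation dialogue described above.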
When you elevate, either from a Protected Administrator or from a standard user account, you are opening up a security hole. Malware which has infected your account could then potentially gain administrator rights due to the opportunities which are presented:
Mark Russinovich said:
Elevations and Security Boundaries:
It’s important to be aware that UAC elevations are conveniences and not security boundaries. A security boundary requires that security policy dictates what can pass through the boundary. User accounts are an example of a security boundary in Windows because one user can’t access the data belonging to another user without having that user’s permission.
Because elevations aren’t security boundaries, there’s no guarantee that malware running on a system with standard user rights can’t compromise an elevated process to gain administrative rights. For example, elevation dialogs only identify the executable that will be elevated; they say nothing about what it will do when it executes. The executable will process command-line arguments, load DLLs, open data files, and communicate with other processes. Any of those operations could conceivably allow malware to compromise the elevated process and thus gain administrative rights.
Inside Windows Vista User Account Control
This is why the elevations are not for security, but convenience. Without being able to conveniently access administrator rights, no one would run as a standard user or the best part of one and Independent Software Developers would continue to write their applications assuming everyone has administrator rights: