Windows 7 fake security

[anything I don't mind]

Moan about UAC and other windows 7 "security" features. At home i have it all disabled so i completely forget about it. But I have had to set up new laptops at work with windows 7 on and just brought back my old annoyance with windows 7.

-What is the point of uac? if i do something then it asks me if i want to do it, when would i ever not want to install an application if i have just clicked on it?
-What is the point of prompting the user when copying files to program files directories, it comes up with a continue prompt. It says i need administrator rights to copy there and then all i do is click continue, how is that security?
-The administrator account is marked as disabled and even if you have domain admins account you still need to right click on some install applications and other things and click run as administrator for it too work, where it does not even prompt for a password.

I know that i can disable uac, i know that i can disable program files security prompts. I am just asking if you think these "security" measures will prevent anything malicious or just give the illusion of security to the end user and create unnecessary clicks and annoyances.

 

[Philtor]

Half the problem with Windows XP was that the user was running with full Admin rights by default and thus the system was wide open to all sorts of Malware and viruses. The idea behind UAC is limit application software to standard user privileges until an administrator authorises an increase/elevation. So only applications trusted by the user are installed and so malware etc is kept out. Of course if you have a user who just clicks 'yes' or 'allow' to every prompt then UAC is as much use as a chocolate fireguard.

 

[edscdk]

"-when would i ever not want to install an application if i have just clicked on it?"

the computer does not know for sure you actually wanted to install the application, or that it was even you and initiated the install.. you are running as a user not an admin unless you say ok to the security prompt...

"-What is the point of prompting the user when copying files to program files directories, "

the computer cannot read your mind it does not know for sure it was actually you that initiated the copy, maybe it was a script? maybe a program tricked you into initiating the copy... also you are running as a user not an admin unless you say ok to the security prompt... (the user does not have access to copy files to some folders)

"-...click run as administrator for it too work, where it does not even prompt for a password. "

when logged in as an admin you run with user privilages not admin....

the hole setup is to provent programs alters critical system / startup stuff without you being aware...

yes these security measure will help stop IT PEOPLE from getting a virus, however most home users will simply click OK to the security prompts and get infected anyway....!

 

[edscdk]

though UAC drives me mad at times and I find myself verbally abusing it, its a step in the right direction....

I thought this was very basic IT stuff..... I consider myself about as confident computer user as is possible, however I do NOT turn UAC off (despite me swearing at it a lot)

 

[Ev0]

With your first 2 points, the idea of UAC is to catch and alert you to any malware that is trying to do those things in the background without your knowledge.

 

[anything I don't mind]

OK. i see.

What i do now is removed the domain admins then run cmd as a domain admin by right clicking with shift, then using that cmd to install software.

edit: Adobe flash won't install as regular user and does not prompt for high privileged user account to enable the installation. Adobe dose not offer standalone installer anymore only their pointless download manager. You can not run explorer as another user and gain access to the system folders. Say i want to copy something to program files, i have to log in with a local admin or domain admin.

 

[SiriusB]

That's precisely what you should do.

In day to day use, you have no reason to copy files to system files. You have no reason to install software or make changes to the system.

When you need to do those things, you log onto an account with administrator privileges. In many cases, with UAC, you can get an opportunity to enter Admin credentials without needing to switch accounts.

You can run any .exe/shortcut as an Administrator if you right-click on it and click Run as Administrator.

If day to day you make frequent changes to system settings and folders, and install lots of software etc, then a standard User account is not for you. This would presumably mean you are an administrator and should have some modicum of sense. That is where the protected Administrator accounts come in. You still get the UAC prompts, but no password required. It is assumed you know what you are doing when you click OK.

For the home user, this is just an extra click in their goal to **** up their PC, but no amount of security can prevent that. The power of the average PC user's will to download crap, install crap and generally spread crap surpasses all!

 

[anything I don't mind]

From a network admin perspective, they have not improved the non admin user privilege escalation with windows 7. So UAC sounds good etc. But in real terms, what usually happens is that because windows does not offer any way to do certain things without an administrator account, they end up enabling local admin on the pcs because it is nightmare to administrator. What would be ideal is if they offered a specific account level that was allowed to install applications and you could give users that account or something similar. So when they want to install they can double click and then enter the install login and password.

It would be better if when running an application as non user it would prompt for a login and password. Instead it just comes up with errors. You would probably find that malware or virii would circumvent UAC anyway. So it just ends up getting disabled because it is annoying.

 

[Ev0]

Adobe dose not offer standalone installer anymore only their pointless download manager.

Yes they do, I regularly roll out flash updates.

https://www.adobe.com/cfusion/mmform/index.cfm?name=distribution_form&pv=fp

Fill in form, you get sent the link to the page with the links to the standalone installers in either exe or msi format.

Or a couple of second google will probably throw up the links as you don't have to login or anything

Same is available for other Adobe products such as Reader and Shockwave.

 

[paradigm]

From a network admin perspective, they have not improved the non admin user privilege escalation with windows 7. So UAC sounds good etc. But in real terms, what usually happens is that because windows does not offer any way to do certain things without an administrator account, they end up enabling local admin on the pcs because it is nightmare to administrator. What would be ideal is if they offered a specific account level that was allowed to install applications and you could give users that account or something similar. So when they want to install they can double click and then enter the install login and password.

It would be better if when running an application as non user it would prompt for a login and password. Instead it just comes up with errors. You would probably find that malware or virii would circumvent UAC anyway. So it just ends up getting disabled because it is annoying.

I have zero problems administering the PC's on the network here. For example, I just had to install iTunes on a user's laptop, she wasn't anything locally bar a "standard user", I launched iTunes setup and the UAC prompt appears WITH a login box.

Really don't see your argument, perhaps your environment is configured incorrectly?

Malware and Virii cannot circumvent UAC as essentially (with UAC enabled) you are sandboxed until elevated (and the default sandboxed desktop has no way of addressing the UAC dialogue).

 

[SiriusB]

Viruses! Gah. Virii? *shakes head in despair*

I also have no issues with the Windows 7 machines I administer. One particular user needs local admin rights since a piece of software for making payments refuses to work in a standard user account. That is the fault of the software, not Windows 7.

 

[Dirk]

Always just disabled it. Bloody annoying carp that has no right to be on my PC tbh.

UAC is more of a bother than the malware it's trying to protect you from.

 

[reflux]

Always just disabled it. Bloody annoying carp that has no right to be on my PC tbh.

UAC is more of a bother than the malware it's trying to protect you from.

+1. cba with it, always turn it off.

 

[SiriusB]

First of all UAC is not a security boundary. It is not there to protect you from malware, was never intended for this and probably never will be. The whole point of UAC is to grant admin access to processes/software on a case by case basis. It allows you to say install a program or make a change to the OS without logging out of your Standard User account and logging into an Admin account. Stopping something untoward is just a happy side-effect.

Microsoft wants developers to write software that does not need any kind of administrative access to run. There is absolutely no need for many pieces of software to need admin access other than to install it. It takes time for developers to change their practices - hence UAC. It is a stepping stone between the bad and the good. As more developers write software with security and Standard Users in mind, you would see the UAC prompt far less often on a day to day basis.

It may well turn out that you wont be able to disable UAC in Windows 8 or whatever equivalent system Windows 8 will use. This would bring Windows more into line with Unix systems, they nearly always require you to enter your full root/admin credentials when something needs to be elevated, even if you are an administrator.

My clients who use Windows 7 are all Standard Users, save one. They rarely ever see UAC prompts as the majority of the software they use day to day will run correctly in User mode.

 

[NathanE]

First of all UAC is not a security boundary. It is not there to protect you from malware,

That's being unnecessarily pedantic. It is a kick ass security boundary. Far better than any AV product. And it will protect you from malware providing you don't blindly click Continue all the time. I've used UAC to lock down friends/family PC's with great success. Many years can go by without a single malware infection.

 

[J.B]

I cant believe people think its just there to cause them grief??

It's a really simple and effective feature which allows the user more control over what's going on!

 

[tntcoder]

I cant believe people think its just there to cause them grief??

Users will always be users

 

[GoogalyMoogaly]

It just annoys me that I have to allow every program I want to run every time it runs, even if it's a program that starts with windows. Would be nice if there was a way you could get it to remember some choices so it didn't prompt me every time I tried to open notepad or HWMonitor or my AV program or my Firewall program. Every time I want to play a game or use a video player.

Has anyone ever been prompted by UAC for something they didn't ask for (i.e. malware)? I don't think I have.
How do you actually get malware, etc.?

 

[mrk]

I never get malware on my machines at home, both with and without UAC. I only have UAC off on my main machine because of a major annoyance with MediaPlayer Classic and yes I know it's up to the dev to sort out compatibility but MPC is too good and used too often that I'm perfectly capable of using common sense and my resident AV (MSE) to catch stuff out when the need comes about - Couple with a rigorous weekly maintenance routine to keep an eye on things means I'm always safe on my own machine. It's a routine out of habit of being a neat freak, not literally because stuff goes to **** every week!

The MPC issue is that bookmarked sections of films and videos are not stored in the bookmarks file MPC writes to in the installation folder when UAC is enabled.

For most users UAC should be used, for some users it's just an annoyance.

 

[Fire Wizard]

-What is the point of uac? if i do something then it asks me if i want to do it, when would i ever not want to install an application if i have just clicked on it?

User Account Control isn't about trying to second guess everything you're trying to do on your system. Ever since Windows Vista, the initial account which is created during setup, now known as a Protected Administrator, runs with standard user rights by default, due to UAC. Therefore, any operations which request administrator rights will need to be confirmed by you, as the user.

The reason for this is to encourage software developers to develop their applications so they work correctly with standard user rights. If everyone was still running as an unrestricted administrator, software developers would continue to develop their applications under the assumption they have administrator rights. This is also the reason why there is no white-listing capability so you can choose which applications automatically gain administrator rights.

-What is the point of prompting the user when copying files to program files directories, it comes up with a continue prompt. It says i need administrator rights to copy there and then all i do is click continue, how is that security?

The elevation dialog aspect of UAC aren't for security purposes, they're merely there as a convenience. If there was no other way for users to gain administrator rights other than switching accounts, the majority of users would switch to the administrator account once and not switch back. Software developers would then see everyone is still running as an administrator and would develop for that administrative model.

-The administrator account is marked as disabled and even if you have domain admins account you still need to right click on some install applications and other things and click run as administrator for it too work, where it does not even prompt for a password.

The reason why you may need to manually direct an operation to request administrator rights has already explained above. As far as requiring a password for anything which requests administrator rights, you have already authorised yourself as the administrator by logging into an administrator account. So, there is no reason for it to request administrator credentials from that account. If you want any administrative operations to request for the administrator credentials, run as a true standard user instead.

I know that i can disable uac, i know that i can disable program files security prompts. I am just asking if you think these "security" measures will prevent anything malicious or just give the illusion of security to the end user and create unnecessary clicks and annoyances.

UAC, with possibly the exception of Internet Explorer Protected Mode, has never been about malware protection. It's about changing the way software developers write their applications and also enabling users to run as standard users, which in-itself is beneficial from a security perspective.

From a malware point of view, running as a protected administrator, while it will likely prevent malware which assumes administrator rights from functioning correctly, this is merely something of a side effect. If malware manages to infect the administrator account and has been written to work correctly with standard user rights, there are a number of opportunities for it to gain administrator rights.

Even if you're running as a true standard user, if you're elevating from the account which has also been infected with malware, there are also ways for malware to gain administrator rights as well. Though, this is a lot harder to do than from an administrator account. This is simply a standard case of affairs though because elevation always introduces an insecurity to the system. Security and convenience are very closely related; increase one, and you will all most certainly have a negative impact on the other.

It's also important to highlight that malware doesn't even need to be running with administrator rights to be able to do meaningful things. Malware running with standard user rights will still have access to the one thing which is most important to the user, their data.

Whether you will find UAC anoying or not is going to be dependent on how you would like to use your system. If you have no inclination of running as a standard user and like to act as "God" p), there is no reason why you're going to find UAC anything but annoying. However, if you're interested in running as a standard user, or at least working towards it, UAC is a tool which helps you to do so.

A couple of articles which you may be interested in:

Inside Windows Vista User Account Control

Inside Windows 7 User Account Control

PsExec, User Account Control and Security Boundaries