Windows 7 UAC

Same here, UAC is good but not for everyone (as has been discussed, under normal usage conditions day to day it should not prove to be a problem but for people who go beyond this it is an annoying problem) the small group of people who like to do everything manually and don't need hand holding beyond their active resident AV packages and malware/spyware weekly runs.

Never had a virus before because my existing security and routines work effectively and it's a damn sight less tedious being pinged an accept dialogue every time you make a change.
 
Also, making users local admins? WTF?

I didn't say we make all users local admin. "I have local admin rights on my machine"

I understand about nothing be altered but whilst I have been here no virus or spyware has got into the system. Sophos blocks the slightest trace of spyware. That's if anyone gets through the Net filter which locks down many sites.

The worst I have seen was when someone went onto a food and dining site that had been hacked. I jumped straight onto their machine and nothing became of it.

edit - if we had it on 100 machines, they all start up in the morning and run through the usual login process. When it gets to the items that need to be copied to the system, wouldn't it chuck up a UAC notice?
 
What are the benefits of UAC? I had a quick read about software being developed for standard user access but couldn't see how that would make anything more secure.

From a network perspective if you have a piece of software that won't run in a standard user account, then you have to give that user a local administrator account. This gives them the freedom to pretty much install/uninstall what they want, override your policies, open dodgy email attachments and basically make more work for you.

reflux said:
I always turn it off....but the other week I had a massive malware infestation that appeared from nowhere, so I'm wondering if having UAC on would have prevented it.

It's hard to say, but probably not. If it installed with something else then you would have ok'd the UAC prompt anyway. Although theoretically with UAC off IE Protected Mode is disabled if that's your browser and as such a possible vector.
 
From a network perspective if you have a piece of software that won't run in a standard user account, then you have to give that user a local administrator account. This gives them the freedom to pretty much install/uninstall what they want, override your policies, open dodgy email attachments and basically make more work for you.

And what if they don't have local admin access? None of our users have local admin rights on their machines. Domain Users has been added to Power Users, that's all. When I remote onto their machine and need to install something I will select Run as > local administrator.
 
It's hard to say, but probably not. If it installed with something else then you would have ok'd the UAC prompt anyway. Although theoretically with UAC off IE Protected Mode is disabled if that's your browser and as such a possible vector.

Nah, was using Chrome and it just literally appeared, changed my wallpaper, edited the hosts file to redirect Google searches and disabled security centre, throwing up a fake one instead. Think it was called AntiVirus Plus or something.
 
And what if they don't have local admin access? None of our users have local admin rights on their machines. Domain Users has been added to Power Users, that's all. When I remote onto their machine and need to install something I will select Run as > local administrator.

That's fine and the way it is supposed to be, but you'd have to break that policy if you had some software that didn't play nice. With Vista/W7 being the way they are the chances of that happening are now much reduced. I'd be careful with those Power User accounts though as they are a bit too powerful and have been deprecated in Vista onwards.
 
Nah, was using Chrome and it just literally appeared, changed my wallpaper, edited the hosts file to redirect Google searches and disabled security centre, throwing up a fake one instead. Think it was called AntiVirus Plus or something.

Like I said it's hard to say, if I had to guess I think it may have been installed previously and it was a coincidence you were browsing the web at the time. I'm getting into the realms of speculation now. :)

Whether UAC would have saved you or not would depend on how it got on there in the first place. If it was packaged with another .exe you were installing then no, as you would have unwittingly ok'd it (this is why getting software from trusted sources is important), but if you were just browsing and a UAC prompt appeared out of the blue then clicking no perhaps would have.
 
Bandying around advice on public forums to "turn off UAC" is incredibly bad practice and is to be frowned upon.

Running without UAC is a risk you take upon yourself, if you decide to do it. Trying to then start a "herding effect" (which is easily started on OcUK) by recommending others to do it is not a good idea.

There are countless security vulnerabilities which are mitigated (some 100%) by UAC. For instance the recent "Chinese IE exploit" completely had its testicles chopped off by UAC. Likewise a flaw in Adobe Acrobat last month was entirely mitigated by UAC.

Publishing advice on a public forum to disable UAC is a bit like publishing advice on how to disable a certain brand/model of security alarm for a car or house.

System administrators (or anyone in the I.T. profession) that take it upon themselves to disable UAC for anything but their own machine should be sacked. Immediately.
 
It may be bad practice in the eyes of some but it's a problem solver for the rest of us and until every piece of software keeps UAC in mind when being developed or updated then it will remain so.

The risks (even though small in actual occurrence) have been completely made aware to the Op and he obviously understands them anyway going by his 2nd post.

Plus I've yet to read a user on any technical forum I frequent complain about being victim to the above mentioned exploits, it's commonly drone/ machines or machines that have rarely been updated and ones that unaware users click "yes yes yes" to everything without paying attention to.

AV packages now also have behaviour engines that look for changes being made by unknown software in the background so at least there's some level of security there.

UAC won't stop lack of common sense!

You also have to remember there was a time when UAC wasn't as effective (Pre Vista SP1) or didn't exist at all - there were plenty of exploits and viruses about then too yet we all went on unaffected by them.
 
@mrk

Every once in a while you will encounter a day which cannot be filed under your "day to day" folder.

Sooner or later. You will get infected by something. Maybe then your perceptions of UAC will change. Mark these words and mark them well :)

PS: For the few pieces of remaining software which still aren't UAC friendly. Just right-click->Run As Administrator. Problem solved.

PPS: I had a website just the other day try to execute Adobe Acrobat in a bizarre fashion. A UAC prompt appeared asking me to elevate for Acrobat even though I had not visited any web page containing a PDF file. I respectfully declined. And no it wasn't even a "black background" website. I was a millimeter away from being infected. Scary. I've since updated my Acrobat to latest release. So I'm protected on two layers now.
 
It's entirely possible I agree even if the chances of my machine getting infected are pretty minuscule at best :)

Also, even when run as Administrator Speedfan won't deliver SMART hdd temp readings on my system, only with UAC off will the readings be visible. This is on the latest 4.4 and with the latest Intel Matrix storage manager (AHCI enabled).
 
Fine here:

[Image: U71HE.png]

Required me to elevate using Run As Administrator. Then it showed up my non-RAID hard disks. I'm yet to find any utility that can get the temperatures and other SMART statistics from RAID'ed disks though.
 
That's the SMART readout itself, on the "Readings" tab does it show the HDD temps like this:

[Image: hddtemps.jpg]
 
Hmm interesting, I'll give it a retry but I don't hold much hope as I did look into it pretty thoroughly when I installed Win7 back in Nov!

Also, might want to untick the sensor reading -2 :p
 
It takes a bit to figure out but is well worth it (more so if you have dual screens as the gadgets on sidebar interface with it too) but anyway, quick question, are you using AHCI for your drives?
 
Nope my ICH8R is running in RAID/IDE mode. Unfortunately there isn't an option for AHCI/RAID otherwise I would have chosen that.
 
Ok, I'll be giving it a go right after this L4D game finishes as a reboot will be required :p

If this works and none of my other utilities break under UAC then I will just leave UAC on but on the low option.
 
System administrators (or anyone in the I.T. profession) that take it upon themselves to disable UAC for anything but their own machine should be sacked. Immediately.

100% agreed. But then giving "normal" domain users "power user" status on local machines is just as bad.

If I caught any of my staff performing such tasks on my AD, I'd give them a stern talking to.

You listening to me silworth :p
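
The two conditions argued over in this thread (UAC switched off, and accounts placed in Power Users) can be checked on a machine with a short read-only script. This is an added example, not code from any poster; the function names are made up for illustration, and it assumes the standard UAC policy values under the `Policies\System` key and the well-known Power Users SID.

```powershell
# Added example (not from the thread): report local UAC policy and Power Users members.
# Read-only; no elevation is needed to read these values.
$PolicyKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PowerUsersSid = 'S-1-5-32-547'   # well-known SID, independent of OS language

# Hypothetical helper: returns one string per weakened UAC setting.
function Get-UacFindings {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is off, admin logons get a full token'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: admins elevate with no prompt'
    }
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: prompts appear on the user desktop'
    }
    $findings
}

# Hypothetical helper: lists members of the local Power Users group.
# Uses the ADSI WinNT provider so it also runs on PowerShell 2.0 (Windows 7).
function Get-PowerUsersMembers {
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($PowerUsersSid)
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

$uac     = @(Get-UacFindings)
$members = @(Get-PowerUsersMembers)

if ($uac.Count -eq 0) { 'UAC policy: enabled with prompting' }
else { $uac | ForEach-Object { "UAC policy: $_" } }

if ($members.Count -eq 0) { 'Power Users: no members' }
else { $members | ForEach-Object { "Power Users member: $_" } }
```

A `WinNT://<domain>/Domain Users` entry in the output corresponds to the setup described earlier in the thread, where the whole domain user population was added to Power Users.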
 