Vista, Admin rights, UAC, and You

[tja1618]

Users still need to be educated.
The something bigger I described in another thread- but MS needs to get rid of the registry.
All programs needs to utilize something similar to U3. Obviously the same technology wouldn't work in an OS environment- but this is what it needs. Run it, and when you close it- no dependancies upon anything.
This eliminates programs writing to or using ANY OS files/functions. It basically turns programs into data... You would be able to copy/paste the program's directory and move it to another computer. No more registry.
Obviously piracy would need to be re-thought as well, which I see going into Internet-based authentications...

Im sorry, but I don't see many programs being written that don't use OS system calls (functions). Besides Java programs I suppose.

Point is, most modern, complex applications require knowledge of an underlying API for the most part. Does this mean the registry is required? No, but I am just pointing out that programs with no knowledge of the underlying OS applications are more akin to Java programs than most applications used on your PC now. Java programs run without any knowledge of the underlying operating system. Yet, I imagine their are Java-based programs that modify the Windows registry, which would seem counter-intuitive, but I am sure there is some example of such an app.

As far as having programs you can bounce around the hard drive? For many programs I can easily do this in Linux. A lot of open *nix software simply installs to a defined directory, and then places symbolic links to the programs executables inside the users PATH.

So this means moving a programs directory usually involves simply updating the associated links. Things aren't always like this and get more complex, but I thought I would relate my experience.

 

[zacdl]

While your points are for the most part valid, you must at least acknowledge the fact that UAC may not be the answer.
Is it more secure than older Windows? Of course. Is it the best solution? Probably not.

Bottom line? Until we get more educated users, I think it is pretty close to being the best we can do.
Either that, or Microsoft needs to dictate exactly what software companies are doing, and how they are working with Vista. MS could say "Do it this way- or we aren't going to let it run on Vista". Obviously UAC would be eliminated if everything were tested by MS.
We are already there SOMEWHAT. MS has at least forced companies to apply more time and testing on their products, but it is still largely free.
Of course then you will have people complaining about that, so you never make anybody happy.

I'd argue this, actually. In theory, sure it's more secure. In practice, we're teaching users just to click "OK" at every window that comes up. Which makes it worse that previous versions.

You can yell all day long about user education, but the fact is users don't want the education. The OS can and should do more than windows does. UAC is a determent not a feature.

And I partially agree. This is why people need an Administrator that knows what they are doing- so they can't just simply hit OK.

The ONLY other option is to educate users. You and I both know, if we click certain things- we expect UAC prompts and just hit Allow without thinking about it.
However if we are doing our own thing, and a prompt comes up- we take time to look at it.

Users HAVE to be taught this. The only other way is to guarantee the software won't harm anything... and we are back to above: Microsoft approving all software to run on Vista.

As far as having programs you can bounce around the hard drive? For many programs I can easily do this in Linux. A lot of open *nix software simply installs to a defined directory, and then places symbolic links to the programs executables inside the users PATH.

Linux does not use a Registry such as Windows does.
Linux is also a pain- hence why it will never become a mass-used product like Windows. The only way it would be is if so many hours were put in- it wouldn't be free anymore. Then people would expect you to develop drivers for everything- if they are paying for an OS. (and then we are back to what Windows is). My point- is Linux isn't a terribly great example to contrast the two. Don't get me wrong- I like some Linux features. I would actually consider running Ubuntu if I had an extra box. I would probably even run Linux as a webserver if I had to. But for the masses- it just isn't the way to go.

I realize Linux handles stuff differently- and that is the way Windows would need to, for programs. Copy/Paste.
Again, we end up back at my piracy point though. Linux software is mostly free, so piracy isn't an issue.
With Windows- what would stop a person from downloading the file, and copying it to 100 computers? This is something that would need to be thought out.
The closest thing I could think of is online activation- Matching every key against their databases. If it has been used- no go. If a reinstall, maybe you enter your info to prove you are who you say you are. I really don't know- its something that would have to be thought out.

My whole point- is UAC is the best way we can do it right now.
The only way we could improve on the way we do things is with the compliance of software vendors. It isn't all Microsoft. Microsoft has made a tiny move in the direction we need to go- and already we are seeing how bad software vendors truely are.

 

[Monkey34]

Good write. Sub'd.

 

[Frosteh]

There is no more Administrator account as it has always existed in Windows versions prior to Vista. Now all users have standard user accounts, or tokens which denote the level of access they have when logged in. The standard user account is what forms the basis of the new security model in Vista. To gain access to Administrative options, the user must provide the necessary credentials (by bringing that particular token into play)

This cannot be the case? How can you elevate an account to admin privilages if all accounts don't have admin privilages?

One account must remain the admin account and forcefully have it's permissions lowered when UAC is turned on, in which case this is still the admin account just with it's abilities removed until otherwise turned back on.

I think the problem with my understanding is that I have UAC turned off, If I dont want something installed on my PC then I wont run the exe in the first place, I don't need a prompt there to tell me that. Although I do aknowledge that a lot of "joe average" users will do.

I also think that it's a well intended feature, but due to frustration of repeatedly having to use it for everything including scratching your own arse, it's probably going to become a reflex action to simply accept the prompt and move on, no matter what you're doing.

 

[Frosteh]

Also another question, I understand the part about junction points, I have delt with these (somewhat carefully) in the past in XP for various reasons. It sounds like a good idea re-mapping the program files and program files (x86) [under x64] to user account spaces.

My question is how is it decided when to write to the actual program files directory and when to write to the spoofed copy in the user space? (you mention legacy apps, how is it decided what is legacy and what isn't?)

Or is the "c:/program files/" and "c:/program files (x86)/" folders ALWAYS mapped to user account space no matter what?

For example if I wanted to manually edit an ini file of an application to change a setting, if I browse to c:/program files/ is this taking me to my account space, or the real c:/program files/ folder? Im assuming here the junction points are used in explorer to redirect users (invisibly) to their own personal copy of this folder?

 

[zacdl]

This cannot be the case? How can you elevate an account to admin privilages if all accounts don't have admin privilages?

The first thing you need to do is forget everything you know about permissions, like XP has.
You have two accounts, "Standard" and "Administrator". When you are running like normal, these accounts are no different from one another. The only difference, is the prompts from within the Administrator account won't ask you for a password.
When you run something that needs permission, it asks you for the Administrator account password (which is why you don't have to enter a password in the Administrator account. But, it still prompts you just exactly as much).

Really, the only accounts Vista has are Standard. You get prompted just as often in both.
If you logon as Administrator within XP or Server 2003, you don't get prompted for squat.
Not true anymore. You will get prompted all the time.

The problem this solves is stupid home users running under the Administrator account all the time when they don't have a clue what they are doing.

I think the problem with my understanding is that I have UAC turned off, If I dont want something installed on my PC then I wont run the exe in the first place, I don't need a prompt there to tell me that. Although I do aknowledge that a lot of "joe average" users will do.

I also think that it's a well intended feature, but due to frustration of repeatedly having to use it for everything including scratching your own arse, it's probably going to become a reflex action to simply accept the prompt and move on, no matter what you're doing.

I really don't think you know anything about UAC. If you knew anything about UAC and why it is there, you wouldn't have disabled it.

Also, if you would have been using Vista more than two weeks, you would have already found out once you get your initial configuration done, you rarely see UAC prompts.
Some days I don't see a single one. I might get 1-2 a day if I install a new program. That's it.

The problem is people like you that judge Vista based upon the intial installation and configuration. OBVIOUSLY it is going to take time/work. Just like in every OS that ever was- it takes work to configure it how you want it.

For example if I wanted to manually edit an ini file of an application to change a setting, if I browse to c:/program files/ is this taking me to my account space, or the real c:/program files/ folder? Im assuming here the junction points are used in explorer to redirect users (invisibly) to their own personal copy of this folder?

Program Files is still Program Files. It's just restricted now.

Which is a problem software makers needs to overcome. 90% of applications have no need to be writing to system folders. They can install in the User's local account, and require no UAC or permissions to get their jobs done.
Sure, it takes more work, which is why few have done it. They just execute their whole program with Administrator rights, and they don't need to worry about what to write to and where. This is also the same way Malware is written- and that's where the problem coms in.
Having all programs run at user-level would mean no prompts. It wouldn't be able to change anything the system needs without getting a prompt.
Which means any malware would trigger a prompt right away.

 

[Frosteh]

OK well I think i follow.

I've disabled UAC because I don't need to be informed when things needed elevated permissions, I'm perfectly happy running in admin mode 100% of the time and never needing to "run as" or click "accept".

While I aprecaite how helpful UAC is to other users, I'm the only person who has access to my PC, and it's the only account on there, I've been running Vista ever since early november when the RTM version was finalised and a number of months before that with RC and Beta copies, I've never once had a problem with UAC disabled.

Nor have I had any viruses or malware/spyware/trojans in about the last 5 years

UAC is staying firmly off for me, it's just this guide is a little hard to understand from the perspective of someone who doesn't use UAC, it explains the situation as if everyone is running it, which of course isn't true.

 

[LhasaCM]

That is true - the post explicitly says that if you're running the default options, how UAC behaves, and why it is a good thing for users. For those not running UAC (I believe disabling UAC was called "the Devil's work"), the post illustrates what you're missing out on.

 

[zacdl]

I've disabled UAC because I don't need to be informed when things needed elevated permissions, I'm perfectly happy running in admin mode 100% of the time and never needing to "run as" or click "accept".

Good for you, I guess.
Whenever you have some sort of virus that wipes out all your files, that ran with Administrative rights, I don't want to hear "woe is you".

While I aprecaite how helpful UAC is to other users, I'm the only person who has access to my PC, and it's the only account on there, I've been running Vista ever since early november when the RTM version was finalised and a number of months before that with RC and Beta copies, I've never once had a problem with UAC disabled.

Just because you have used Vista for a few months doesn't mean you are immune from what roams the internet.
It doesn't matter if you have been doing it since you were 5 years old, security measures still apply.

Nor have I had any viruses or malware/spyware/trojans in about the last 5 years

Again, that doesn't certify you to blow off security.


Like I said- don't complain when something screws your system over.
UAC is in place for a reason.
UAC is not a pain.
Everyone needs UAC.

And the crazy thing about it is... I bet you were one of the many who wanted better security over XP, but don't actually use it when you have it?
Then when a virus wipes you out, you'll say "Now, why didn't Vista do something about that?"

I swear... you can never make anyone happy...

 

[djnes]

Nor have I had any viruses or malware/spyware/trojans in about the last 5 years

It absolutely blows my mind how ridiculous this logic is, and yet so many people still argue on this platform. This is supposed to be an advanced computing forum, and this type of thinking is just scary. I'd expect this level of noobishness on an AOL support forum, but certainly not here.

 

[jimmyb]

Like I said- don't complain when something screws your system over.
UAC is in place for a reason.
UAC is not a pain.
Everyone needs UAC.
[...]

I swear... you can never make anyone happy...

Except that people have clearly stated that it is a pain. Telling them otherwise will not magically make it not a pain.

I'm of the opinion that it's an excellent addition, but I'm not so presumptuous to assume everyone will feel the same way. If you never get viruses or malware (something I find a little difficult to believe), then quite clearly, there isn't a point for it. Some people are making this claim.

The poster also quite clearly states he is 100% happy running in admin mode, so I don't know what your final comment is about. The people who want UAC are happy, those who don't seem to be as well.

 

[zacdl]

I'd expect this level of noobishness on an AOL support forum, but certainly not here.

lol, it always makes me laugh when someone takes a shot at AOL. I intially think "poor AOL", but always remember that they have done it to themselves.

If you never get viruses or malware then quite clearly, there isn't a point for it

You are following the same logic as Frosteh.

 

[Frosteh]

And the crazy thing about it is... I bet you were one of the many who wanted better security over XP, but don't actually use it when you have it?
Then when a virus wipes you out, you'll say "Now, why didn't Vista do something about that?"

I swear... you can never make anyone happy...

Actually, no, I disabled all of the security features of Windows XP as well, firewall was off, as was security centre, and there was no firewall software or antivirus software installed.

It absolutely blows my mind how ridiculous this logic is, and yet so many people still argue on this platform. This is supposed to be an advanced computing forum, and this type of thinking is just scary. I'd expect this level of noobishness on an AOL support forum, but certainly not here.

The best form of security is edcuation, learn whats going on with your PC and how stuff works and protect yourself, get a router with a decent firewall on it, block all your ports off and dont be a moron and run dodgy software or exe files sent to you.

It's not difficult to keep your PC safe theres probably only a handful of rules you need to abide by to keep it free of all that crap.

1) Get a good hardware firewall
2) Keep all your software and OS patched
3) Don't download anything from the web/emails/IM that is not a trusted source

In fact down download anything executeable from emails/IM EVER, theres plenty of trusted websites for media.

UAC is for Joe Average, you know the guy who has 500 toolbars installed for Internet explorer and opens all those Oh so funny joke.exe's he gets in his email, granted this makes up about 90% of the population.

Disabling UAC isn't the end of the world, we didnt have UAC in any of the OS's before this and I never had any problems then either, in either case Im smart enough to have backups of everything important and decent disaster recovery plans.

UAC is irritating as hell and no doubt uses system resources to sit their monitoring your PC, same for software firewalls and anti virus, plenty of reason not to use them, extra 5 FPS for me in Crysis when it hits

 

[jimmyb]

It's sound logic though. If you truly never get viruses or malware, then there isn't a point.

I'd by very interested in hearing why some believe this not to be the case.

 

[zacdl]

I guess since I've never had a broken bone, that means I can survive a 30 foot drop intact?

I'd by very interested in hearing why some believe this not to be the case.

I guess the fact there are 10-15 new viruses discovered per day, that even virus scanners don't know about, doesn't mean anything either?

 

[jimmyb]

Ok so you question the validity of the claim, "I never get viruses"? I do as well, but you must admit, if they don't (for whatever reason), then there isn't a point to UAC.

 

[LhasaCM]

Ok so you question the validity of the claim, "I never get viruses"? I do as well, but you must admit, if they don't (for whatever reason), then there isn't a point to UAC.

Nobody can predict the future. Saying you've been good (and lucky) enough to not have gotten them in the past doesn't mean you won't have one tomorrow. You can discuss likelihood, but not absolutes. The point of UAC is to help protect the user from himself/herself. It does not mean it is the only thing you should do as protection, but it is a good measure to take. Like a railing on a balcony.

 

[djnes]

I couldn't agree more about the education part, but that also shoots a hole in the logic. The more you learn about security and attack vectors, the more you realize why you need those shields up. To continue the logic, does this mean someone who's a good driver doesn't need seatbelts, airbags, or reinforced frames anymore??? The people who travel the most and spend the most time behind the wheel of a car know you'd be foolish to do without extra protection. Same goes for computing. Talk to some real security professionals and network admins. See how many of them would be foolish enough to do without security.

The thing I don't get is why. AVG is free and uses very few resources...to the point where it's not even noticeable. Why or how could anyone justify that this is too much work or an unneccesary step? Sounds like a lot of laziness if you ask me. Cost isn't an issue. Resources aren't an issue. Any reason NOT to run security software is easily shot down. Scientifically speaking, that kills any chance of turning that hypothesis into a fact.

Another reason why I think it is laziness is this UAC debate. I've been using Vista for over 6 months now. I use it at home, and on my work computer, used to manage a domain. UAC doesn't prompt me more than a few times a day. Someone please tell me how this is annoying or irritation?

Not that I want to over-emphasis my title, but I think it's time people take their heads out of their asses and use some common sense.

 

[Frosteh]

It's sound logic though. If you truly never get viruses or malware, then there isn't a point.

I'd by very interested in hearing why some believe this not to be the case.

I stopped using a virus scanned after I went about 3-4 years without so much as a hint of a virus, running something like norton or macafee has a massive memory footprint and gobbles up CPU speed, not to mention causes all sorts of other problems with installing software etc.

I guess since I've never had a broken bone, that means I can survive a 30 foot drop intact?

I guess the fact there are 10-15 new viruses discovered per day, that even virus scanners don't know about, doesn't mean anything either?

Thats a bad anaolgy. I'm not saying I've never got a virus so I can discard all measures of Virus protection, it's not a reckless thing, it's done with a sound understanding of how viruses and other undesireables spread and how to avoid them. As you mention theres new viruses every day which kinda proves the point that things like anti Virus and possibly even UAC aren't 100% safe solutions anyhow, so this is just a sliding scale, some people chose more protection than others, and some people most certainly do need the additional protection while they learn how to use a PC safely.

It doesnt really matter if theres 10-15 new viruses per day or 10,000 - 15,000 the same rules apply I posted above, it's really not that hard to avoid viruses at all, but that comes with experience and not everyone has that, for the majortey of people I still highly recommend using Anti Virus, firewall software and UAC.

 

[jimmyb]

I agree, but if someone tells me they never get viruses, rather than accuse them of lying to me, I'll point out that I find it very unlikely, but if that is indeed the case then there is no harm in turning off UAC.

Perhaps their computer is disconnected from the internet and they only install trusted software on it. Who knows...

 

[Frosteh]

Nobody can predict the future. Saying you've been good (and lucky) enough to not have gotten them in the past doesn't mean you won't have one tomorrow. You can discuss likelihood, but not absolutes. The point of UAC is to help protect the user from himself/herself. It does not mean it is the only thing you should do as protection, but it is a good measure to take. Like a railing on a balcony.

It's a scale of protection, UAC doesn't gurantee anything either since it's possible to be cracked also. The argument then falls back onto how much is enough, you might argue you need as much as possible but you probably woulnd't agree with disconnecting yourself from the internet as a form of security because it has negative side effects, as does applying UAC.

It's down to the user to decide if the benefit is worth the payoff, In my case it's not, I don't download viruses, no one has access to this PC other than me, I can say with a reasonable amount of certainty that this PC will remain Virus free as long as I stay the sole owner and user. Even if a virus gets onto the machine there is backups in place to sort that out anyhow.

 

[djnes]

I stopped using a virus scanned after I went about 3-4 years without so much as a hint of a virus, running something like norton or macafee has a massive memory footprint and gobbles up CPU speed, not to mention causes all sorts of other problems with installing software etc.

I think it's time to get rid of your Pentium III and upgrade then. AV software, aside from Norton's home line and Mcafee, have no noticeable effect on a computer. Also, please give me some examples of software that conflicts with AV software? In the last 9 years, I've never encountered any. Given your logic and way of thinking...that means, based on past experience, this simply doesn't happen.

Thats a bad anaolgy. I'm not saying I've never got a virus so I can discard all measures of Virus protection,

If you don't like his analogy, check mine. Just like being on the road...much of your own safety is dependant on those around you.

 

[jimmyb]

I really don't think it's necessary to speak in analogies. Everyone here is perfectly capable of understanding the concepts without resorting to metaphors.

It's conceivable to me, that there are situations where UAC does not benefit the user in any perceivable way. Running an isolated system is one. Running a system that "never gets viruses anyways" is another.

 

[Frosteh]

I couldn't agree more about the education part, but that also shoots a hole in the logic. The more you learn about security and attack vectors, the more you realize why you need those shields up. To continue the logic, does this mean someone who's a good driver doesn't need seatbelts, airbags, or reinforced frames anymore??? The people who travel the most and spend the most time behind the wheel of a car know you'd be foolish to do without extra protection. Same goes for computing. Talk to some real security professionals and network admins. See how many of them would be foolish enough to do without security.

The thing I don't get is why. AVG is free and uses very few resources...to the point where it's not even noticeable. Why or how could anyone justify that this is too much work or an unneccesary step? Sounds like a lot of laziness if you ask me. Cost isn't an issue. Resources aren't an issue. Any reason NOT to run security software is easily shot down. Scientifically speaking, that kills any chance of turning that hypothesis into a fact.

Another reason why I think it is laziness is this UAC debate. I've been using Vista for over 6 months now. I use it at home, and on my work computer, used to manage a domain. UAC doesn't prompt me more than a few times a day. Someone please tell me how this is annoying or irritation?

Not that I want to over-emphasis my title, but I think it's time people take their heads out of their asses and use some common sense.

I'm no security professional but I've been a systems admin for a while now and do have several responsabilities when it comes to security on our business network. This network is full of many uneducated users and might under circumstances attract a targeted attack specific to the company, security is important and yes I agree no security professional would use any of these practices themselves in a coporate network which they're paid to defend.

However the environment I'm in, which is a closed network of which I control all access, I am confident that it's safe from the outside world. There router doesn't respond to any outside requests unless initiated from inside the network, basically it's invisible unless I make it visible. All applications that do run on the net are fully patched at all times. All email attachments are stripped and killed outside the network, only trusted software and media is installed onto the machine.

It's not 100% safe but I consider it MORE safe than the average joes machine even if they have anti virus installed, UAC installed etc.

 

[zacdl]

I really don't think it's necessary to speak in analogies. Everyone here is perfectly capable of understanding the concepts without resorting to metaphors.

*sigh*. Why do you think we've had to resort to metaphors? Could it possibly be because you DON'T understand this concept?

It's not 100% safe but I consider it MORE safe than the average joes machine even if they have anti virus installed, UAC installed etc.

Really? I don't. I would trust the anti-virus software with my machine before I would trust you with it.

 

[jimmyb]

I do understand the concept. There is a big difference between comprehending something, and agreeing with it. You're saying that it is impossible to safeguard against viruses and a claim that one never gets them is untrue. I fully understand that and agree for the most part.

I am saying, suppose a user does indeed "never get viruses" (as some are claiming), then there is not a point to using UAC. This is my only claim.

 

[Frosteh]

I think it's time to get rid of your Pentium III and upgrade then. AV software, aside from Norton's home line and Mcafee, have no noticeable effect on a computer. Also, please give me some examples of software that conflicts with AV software? In the last 9 years, I've never encountered any. Given your logic and way of thinking...that means, based on past experience, this simply doesn't happen.


If you don't like his analogy, check mine. Just like being on the road...much of your own safety is dependant on those around you.

Pentium 3 LOL

I have a E6600 @ 3.0Ghz with 4Gb of RAM

Just because I have a fast system is not a good reason to start using software I don't need, If I was to installing everything that only gave me a tiny benefit no matter how small i'd have a system running 2000 processes and a trillion tool bars in my browser :>

Ithink the road analogy is only appropriate on a shared system/network

This is a few lone PC's behind a firewall, no one has access to it but me, others use does not effect the security of the network since all other users are external to it.

 

[bbz_Ghost]

As the creator of this thread, all I can ask all of you to do is please keep it civil. I know a lot of people would love to see this thread stickied (as well as the companion thread with the best advice, etc...) but if people go off their rockers and this thread gets locked, that means it dies, it falls down and can't be bumped back up if someone cares to do so.

Please, I like spirited discussion as much as the next person, but do try to keep it civil and don't go over those lines the Mods feel is unacceptable and end up getting threads locked down.

If this one or the other one or even both get locked down, a lot of people are going to miss out on the info and the discussions. Comprende?

Thanks... and thank you for the "votes" for stickiness, also.

 

[Frosteh]

*sigh*. Why do you think we've had to resort to metaphors? Could it possibly be because you DON'T understand this concept?


Really? I don't. I would trust the anti-virus software with my machine before I would trust you with it.

You dont know me at all, that's hardly supprising, I dont even let other people make my coffee much less protect my PC, so hardly a unique situation here, but dont worry I dont feel bad about it.

I do understand the concept. There is a big difference between comprehending something, and agreeing with it. You're saying that it is impossible to safeguard against viruses and a claim that one never gets them is untrue. I fully understand that and agree for the most part.

I am saying, suppose a user does indeed "never get viruses" (as some are claiming), then there is not a point to using UAC. This is my only claim.

Actually that not strictly true, It's entirely possible for someome to go through their entire life and never get a virus, with any level of protection, although that maybe unlikely. By the same standards it's entirely possible for someone who has all the security measures under the sun to also get a virus at some stage, again unlikely.

As the creator of this thread, all I can ask all of you to do is please keep it civil.

Sorry my intentions are not to overstep any lines here, I apologise this has probably taken the thread a little off course, my intention was to learn about UAC when posting here, just digressed a little. It is good information and people should take notice, my own personal usage doesn't apply to most people who are probably in a more vulnerable position, and most users should ignore my comments on disabling UAC.

From a coporation standpoint UAC is a godsend, the biggest problem corporations face is DDOS attacks where thousands of PC's are turned into remotely controlable drones and can be instructed to "attack" all at the same time, the only realy decent solution to this problem is to keep all user PC's as safe as possible, UAC will do a good job of helping this.

 

[mucker]

Very nice work bbz!

 

[Sovereign]

Personally I got sick of UAC and turned it off. My laptop also runs sans AV or Firewall, but then again it's hardly ever connected to the 'Net because I use it for notes. If it is connected, it runs through my desktop (which has AVG on it, plus the University's firewall). And when it is online, the only person using it is me, and I consider myself computer smart enough to keep it clean.

Now for people who aren't so great with computers, UAC, AV and firewalls make sense. Just because you don't use a firewall doesn't mean everyone else shouldn't, and the opposite is true. What kind of security software one should have depends on one's situation, which takes into account what kind of user (and what kind of user activities) take place on the computer. Heck, my desktop never had a firewall and never will. At home I have a NAT-ing router. Not unhackable, but the range is so short that you'd have to camp my house to use it. Or bust through the NAT-ing, which I'm told is hard at best.

 

[XOR != OR]

UAC is in place for a reason.
UAC is not a pain.
Everyone needs UAC.

No, they don't. As mentioned, it bugs people to no end: Hence it's a pain. MS made a security feature a pain. In my world, security features stop being secure once they become painful for the average user. Hell, they're painful to me, and I work in the field.

And the crazy thing about it is... I bet you were one of the many who wanted better security over XP, but don't actually use it when you have it?

This isn't better security. It's a halfassed attempt. The right way to do it, and this isn't anything new or mystic:

1) Administrator account: Used only to install programs and otherwise administrate the box
2) Limited user. Everyone is a limited user. Admin account is only used to do system level functions

This is the user security model, you will note, from a linux box. In fact, Centos has a root prompt when doing something system level. Very convenient. But more importantly, easy to explain to the average user and easy for them to use.

UAC is just another example of why MS just doesn't "get" security.

 

[LhasaCM]

The right way to do it, and this isn't anything new or mystic:
1) Administrator account: Used only to install programs and otherwise administrate the box
2) Limited user. Everyone is a limited user. Admin account is only used to do system level functions

Umm...this is the basic MS model with UAC and Vista. The only difference is that when performing certain sensitive actions, by default UAC prompts the user to be certain. Much like the root prompt you mentioned. Most users should be set up with limited accounts, which means that when prompted they would also have to provide administrative credentials.

MS believes, rightly so I think, that without the obvious attempt to elevate, we'd end up like XP where everyone lives with an administrative account for day to day usage. Obviously, people can agree to disagree, but I think that, while not perfect, it is a happy compromise for today's Windows environment and most users.

 

[XOR != OR]

Umm...this is the basic MS model with UAC and Vista. The only difference is that when performing certain sensitive actions, by default UAC prompts the user to be certain. Much like the root prompt you mentioned. Most users should be set up with limited accounts, which means that when prompted they would also have to provide administrative credentials.

And here's where things get different:
1) Most programs want to touch and feel their folders under program files. This is a no-no, rightly so, under a restricted model. Which means, you guessed it, you either have to run as admin or you may get prompted. What MS should have been focusing on these past several years was to push out vendor guidelines, and come up with someway to enforce them. Instead, we get UACs.

2) I get prompted at least 4 times every night by UAC ( and granted, I haven't put a whole lot of time into researching why. But neither would your average end user ). Were I on a linux box, it'd be 0 most nights. Piddly little actions seem to trigger the prompt, which goes to the heart of my argument.

MS believes, rightly so I think, that without the obvious attempt to elevate, we'd end up like XP where everyone lives with an administrative account for day to day usage. Obviously, people can agree to disagree, but I think that, while not perfect, it is a happy compromise for today's Windows environment and most users.

Then you've never supported a large number of people outside of a work environment. The truth of the matter is the more prompts, the more confusion, the less secure. It really is that simple.

 

[LhasaCM]

The truth of the matter is the more prompts, the more confusion, the less secure. It really is that simple.

Agreed. I've said that it is an imperfect solution. I feel that it is progress over XP - ignoring all of the prompts or disabling UAC is just as secure as XP, and properly used it is an improvement.

Yes, it would be ideal if MS could just start from scratch, get rid of the registry, not have installations touch restricted areas, etc., but can you imagine the uproar when every program needs to be reworked before it could work on the OS? Backwards compatability has a high price, and maintaining it has some unfortunate consequences.

As far as non-work IT support - I did campus support in the dorms for two years in college way back at the turn of the century, plus countless years for my family/friends/neighbors/etc. And yes, nothing in the world would prevent some of these people (especially in college) from breaking their computers. But for those with a bit of common sense, I feel it's a nice added layer.

 

[PtownPhil]

Hi, you mention you've installed a lot of software. Do you have any experience with Quicken 2007. I've installed it several times and have one machine I'm about to begin loading apps with a fresh Vista 32 install completed. All of my previous attempts have a problem with Quicken running in the User Account. Either the sound doesn't work, or despite having set a daily update to occur at 5pm the update doesn't run (even though the prompt at Windows startup ask for the Quicken password for the update).

Will loading the app in the Admin account with the right click run as admin on the installer, and then open the program for the first time in the User account using right click run as administrater resolve this issue? Later if it still takes a right click run as administrater to open Quicken might that prevent the automatic updates from running daily?

 

[zacdl]

Bump this up to the top again... needs to be stickied.

 

[digital_exhaust]

It is. In the FAQ page.

 

[zacdl]

It's a start at least.

Although I think the FAQ needs to be renamed to something like "Windows Problems and Solutions" or something. I thought it was a general forum FAQ....

 

[calebb]

Great post I just found it (again) while doing a google search on UAC