Putting limits on users' privileges... Windows UAC

Page 1 of 5 123 ... LastLast

    Putting limits on users' privileges... Windows UAC


    Posted: 13 Jul 2010

    "Least privilege" is the No. 1 IT security mantra. It means, "Don't grant users permissions or privileges beyond the bare minimum they need to perform their assigned duties." Unfortunately, adhering to this mantra always has been easier said than done. Both Microsoft and third-party software vendors have attempted to ease the task, with some (but not complete) success.

    For two decades in the Windows world, application developers were accustomed to users always being logged on as full-time administrators. Removing regular users from the built-in Administrators group proves among the most difficult tasks a security administrator can perform. Well, it's easy to do -- just remove the user from the Administrators group -- but the fallout from the operational aftermath has often forced well-meaning administrators to reverse course or to delay least-privilege implementations.

    Microsoft upped the ante starting with Vista by implementing a least-privilege default process called User Account Control (UAC). When UAC is enabled and a user from one of 17 pre-defined elevated groups (such as Administrators, Domain Admins, Enterprise Admins), or one who has been assigned an elevated privilege (act as the operating system) logs on, Windows splits his or her single logon access token into two tokens: one standard and one elevated. By the default, the elevated user runs with the standard token most of the time, such as answering email and surfing the Web, and must be prompted to approve actions requiring the use of the elevated token. Although Microsoft (my full-time employer) would prefer that standard users never log on as elevated users while performing non-elevated tasks, UAC is seen as necessary evil.

    More...
    Putting limits on users' privileges | Security Central - InfoWorld
    Posted By: JMH
    13 Jul 2010



  1. OEM
    Posts : 617
    OS3.5
       #1

    Good Read,

    The UAC is a necessary "evil" thats not so evil if one, Your running Se7en as it has many less UAC requests than its predecessor, Vista. Two, there's a neat little trick you can use on Programs and System Tasks that when normally asked for your approval from the UAC, is not needed. Found it on the web some time ago and use it for programs I trust that normally require UAC approval, and now don't. You set it up in all places, the "Task Scheduler".

    See this tutorial made by Brink.

    All-in-all, you have to agree that MS trying to better secure your PC cannot be looked at as a bad thing. In most cases the average user doesn't need to have an administrator account. Having said that, I do remember and know that while using Vista, as MS first introduced the UAC, it was a pain in the neck. Running safe games in a limited account was impossible b/c the game needed access to certain drivers that Vista categorized as needed to be ran under an admin account which was ridiculous.

    But much of that has been worked out, and I think the UAC set at its default, is no bother at all. Rarely do I even see it anymore since Se7en does a better job and the trick using the Task Scheduler. Better Safe than Sorry is a good way of thinking about your PC, as for those who don't run regular back-ups, don't concern themselves with anti-virus, will be in for a treat when they have to do a full system recovery b/c they just couldn't be bothered by just that "one more click" from the UAC. I mean really, countless clicks are made all day long, but when a click is required that you didn't ask for is needed, you blow your top and say this is UAC is ridiculous and I don't want it.
    My Goodness, just a few more clicks a day and you'd think it would give you carpel tunnel by the end of the day.

    -OEM
      My Computer


  2. Posts : 154
    Windows XP-Pro-SP3, Windows 7
       #2

    For the home computer user who started out with their first computer ten to fifteen years ago (Windows 95 or 98) the UAC is a waking nightmare.

    I remember the very first Vista PC that I was called out to install. I'd never seen UAC yet at that time. The new PC owner was watching me (trying) to set up their new computer. Every time I'd try to do anything, UAC would pop up on the screen.
    The old gentleman finally said to me "am I going to have to put up with that CRAP all the time?"

    That's the attitude I see for all new Vista or Win-7 users. They bought the #%$@ computer....they are the owners and only users and yet they don't have permission to access files and folders, delete files, etc. It's an understatement to say that they are VERY angry about that. I know I am too.

    I know I'll get flamed for this, but when I set up any new PC for one of my home computer customers (I don't do commercial systems) I first shut off UAC with a little script I carry on my Utilities disk. Then I run the "Take Ownership" script and take ownership of all pertinent folders.
    Then I shut down a gaggle of services, with another script.
    And then tweak and tune Windows for more efficient use of RAM and HD.

    The biggest problem I have is setting up eMail for people used to running Outlook Express. (but that's another whole topic)

    When Windows 7 is first being installed on a PC, there should be a box that could be checked for "Home Use ONLY". That could give the owner/user full permission to do what they want with 'Their' computer.

    A home PC user doesn't want to be told that they have to contact their IT specialist in order to do something. That's BS!

    Cheers mates!
      My Computer


  3. Posts : 7,538
    Windows 10 64bit/Windows 10 64bit/Windows 10 64bit
       #3

    I don't see any problem with UAC, in fact I think it was a good move by Microsoft, as OEM stated it's only another click, how hard can that be.:)

    OK yes it's my computer and it's just me using it but that doesn't mean to say that I wont try to do something stupid and try to download something that could harm my machine or not concentrate when doing something and not having UAC turned on could prove to be damaging to my machine and my pocket.

    I'm pleased that Microsoft came up with this feature and are trying to protect users from their mishaps.
      My Computer


  4. Posts : 154
    Windows XP-Pro-SP3, Windows 7
       #4

    OK, try this scenario on for size:
    (forget for a minute that you're already a computer Guru )

    You're 65 and getting cranky. Your ten year old PC just shot craps and you went out and spent nearly a thousand dollars on a whole new system. The high pressure salesman at Best Buy convinced you that you needed a new monitor and printer too.

    So you get the new PC out of the box and all connected up and start through the half hour long installation procedure. After registering and making your own backup disks, (that's usually another hour or so) you finally get to settle down to actually running your new PC.

    To see just what you've got, you open up Windows Explorer and click on "Documents and Settings" and you get a message telling you that you don't have permission to look at that. If you, the owner of the PC, doesn't have permission to look at it, who in heck does?
    Arggggggggggggggg!

    So this doesn't become a rant.....I rest my case!

    If you like UAC and all those permissions, then by all means KEEP THEM!
    For me and mine.....they're HISTORY!:)

      My Computer


  5. Posts : 91
    Windows 7 Professional x64
       #5

    If people hate UAC because they have to click on a button, then they're gonna hate Macs and Linux when they ask you to type in your root password.
      My Computer


  6. Posts : 2,072
    Windows 7 x64 Professional SP1
       #6

    @DrWho

    I concur with your piece/rant sir, 100%

    Sometimes Windows needs to be reminded of who's the boss. Turn off that persistent mothering/nanny tool and be the boss of your own PC today! First thing i did when i install a brand new Win7 system too. All is well after that :)

    And don't tell me I don't know what I am doing, because I do. All arguments for UAC in a standalone, non networked PC running only trusted apps are null and void.
      My Computer


  7. Posts : 1,403
    Win 7 Ultimate 32bit
       #7

    Yeah, gotta love how not secure Win XP was and all the complaints about that.
    Yeah, screw security, it's such a pain in the arse. Why would anyone want to have a more secure system?
    I mean, come on, it's my system, it's not like I am going to get hit by some drive-by download, and hey I am running Norton or McAfee, it's not like viruses target those apps anymore to shut them down and take em out.

    Yeah, that nasty UAC and admin rights on all those pesky files and folders that I should be able to do what I want with.

    I can't be bothered saving my info to the Documents folder or and external drive,, I have to save them to C: drive and my profile folder, cause dammit, it's my PC.

    I digress,,, sarcasm is a wonderful thing ya know!
      My Computer


  8. Posts : 2,963
    Windows 7 Professional SP1 64-bit
       #8

    I will never turn off the UAC after a certain event that happened back in November. I was visiting a site that had quite a few ads for the first time. Suddenly the UAC thing popped up asking if I wanted a program to be able to make changes to my computer. I can't remember the name of the program, but I had never seen it before. I clicked no, closed Chrome, updated then ran MSE and it found a virus and promptly removed it. I'm not sure if MSE would have nipped it in the butt before it did what ever it was designed to do if it wasn't for the UAC stopping it. It slows me down, but it has it's place. I can't blame MS for trying and at least I don't have to put in my password constantly like in Ubuntu and Knoppix.

    Not saying UAC will help even half the time, but it helping once is good enough reason for me to waste two seconds every once in a while. It's better than wasting two hours removing a virus or reinstalling Windows.
      My Computer


  9. Posts : 173
    Windows 7 Ultimate x64
       #9

    Well I'm found of my system these days.
    It's ultimately tweaked from annoying shit like UAC and all the other stuff you don't need.
    It was such a relief for me upgrading to 7, Vista killed me with bad performance and all these security settings popping up all the time. Maybe this occurs on 7 too, but at least not on mine :)
      My Computer


 
Page 1 of 5 123 ... LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 13:59.
Find Us