Rethinking usefulness of UAC

I've been running Win 7 since RC1 and I've always run with UAC enabled but I've been rethinking that lately.

About a week ago I was trying to run a little utility from the Startup folder but it wouldn't run because of UAC. I set it to "Run As Administrator" but that didn't make any difference. I looked for an option that would let me tell UAC that I want to permanently allow that program to run but couldn't find such an option. (If that option exists, please tell me where it's at.) I ended up disabling UAC to get it to work.

I was concerned about that at first but then I got to thinking and realized that in the almost 2 years I've been running Win 7 on multiple machines, not once have I ever answered "No" when prompted by UAC as to whether to allow some program to do something that it was trying to do. Not once.

Has anyone else ever had UAC catch some errant program from doing something you didn't want it to do? I still haven't totally decided against UAC, the rest of my machines still have it enabled but I'm not concerned about having it disabled on the one machine.

Hello Bruce .



Have a look at this, you may find it useful, I use it for several things to include opening an elevated command window when needed.

Elevated Program Shortcut without UAC Prompt - Create

UAC provides a lot of benefits, but it's not something that I would give a blanket "everyone should use this" statement to either. However, if you disable UAC, you lose the ability for file and registry virtualization, regular users lose the ability to run utilities and programs that need elevations without using something 3rd party, you lose mandatory integrity control (low, medium, high IL processes), and admins run with full tokens (and as such become much more dangerous, from a security perspective, to do). If you are personally comfortable running without UAC, then it's worth looking into. However, given that quite a bit of OS security is "hidden" behind having UAC running, it is usually more useful to figure out why what you're doing requires UAC, if there's a way to find another way to do whatever it is you're doing (without needing UAC - that might include using a different program or method to accomplish a task), etc.

For an example of something related I came across today, read this.

I'm with Bruce on this too. If UAC had a setting "don't bother me when I open a program I've opened before" it would be great. even at the lowest setting it will give me a squawk.
Yes, CCleaner and Norton will make changes to my computer, but it is OK.

OK, but where do you store this information, and protect it from malicious software (which would rename itself to something you've allowed - now, you might as well have disabled it)? It'll be somewhere on the filesystem or registry, which means you'll have to store it with some sort of encryption, making something that could be time-sensitive now have to do hashing and checks on a binary, which also means totally checking it, which will depend on binary size and whether or not it has an ADS. That's not a good user experience, which makes it more likely people will disable UAC, which is exactly what you *don't* want the average user doing. You could reduce some of those checks or make them less strict (or fairly insecure) to increase performance, but that makes it easier to attack (and if UAC keeps a list somewhere, it ***will*** be a massive attack vector - imagine hundreds of millions of machines with security you can bypass if you can simply crack some very inefficient or insecure hash algorithm!!!

It's not just that straightforward - yes, a very good idea on paper, but a pretty poor one to implement.

The issue with remembering a program, is that UAC is designed to alert you when a program elevates. So, if at one point your browser wants to elevate to patch it, you might want it to proceed. But in the middle of a week, without an update, I'd be very concerned if I opened up Firefox and it wanted to escalate. With a blanket allow statement, how would i know if anything fishy came up.

How is it different than using Brink's tutorial that BFK linked to above? The info to run the program thru the task scheduler "with highest privileges" must be stored somewhere as well, no?

I also would like to reiterate that I personally have never had a situation where UAC protected me from an errant program but had plenty of instances where the UAC was an annoyance.

It's stored as a manifest in the program itself, making it 1. attackable only on a per-binary basis and 2. much quicker and easier to trust, because only trusted binaries with a valid signature matching back to a Microsoft-signed and trusted CRL (this is one of the reasons getting CRL CAPI errors in the event log could be bad... ) are allowed to do this by default. So no, it's not the same.

Right cluberti, but I'm no software engineer so I have no idea how most things really operate. What are CRL CAPI errors? I'm not up to speed with all anagrams.

Hi,

Something that hasn't yet been mentioned, but could be critical for browser security is that if you turn UAC OFF, then you also turn OFF IE Protected Mode.

For me, UAC provides an additional layer of security in my IE browser through the Protected Mode. From that point of view, I think UAC is really useful.

Referer to the warning in Brink's tutorial here:

Internet Explorer Protected Mode - Turn On or Off

Regards,
Golden