| Windows 7: is it bad to turn off user account control? |
21 Jun 2010
|
#61 | | |

Quote: Originally Posted by malexous 
Quote: Originally Posted by zzz2496 ... 
Quote: Originally Posted by malexous 
Quote: Originally Posted by Chris K Create Your own account as 'user' only - you can play anywhere you like with full knowledge that your PC is pretty bulletproof - nothing can be installed on your PC in the background - to install anything you will have to switch accounts
LUA doesn't stop malware from running and stealing your data. It just prevents them from embedding into your system. LUA doesn't stop all malware from doing harm. That's my point.
The topic is "is it bad to turn off user account control?", my answer is NO - it's not bad, BUT there's a catch - you need to use LUA... I, now, will not argue if LUA stops ALL malware or not, I've stated several times, even if you got a nasty keylogger, the keylogger will be locked at your current LUA, it won't go system wide (which is VERY GOOD).
As pparks1 said, if you want to be completely safe, turn off your computer, go play something else...
zzz2496
21 Jun 2010
|
#62 | | Windows 7 Home Premium x64 Liberty University |
Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.
21 Jun 2010
|
#63 | | Windows 7 Ultimate X64 SP1 Cromer Norfolk UK |

Quote: Originally Posted by BCXtreme Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.
+1 to that
21 Jun 2010
|
#64 | | |

Quote: Originally Posted by BCXtreme Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.
Agreed, plus the power switch...
zzz2496
21 Jun 2010
|
#65 | | Windows 7 Ult, Windows 8 Pro, San Diego |

Quote: Originally Posted by zzz2496 IMHO, it's better to have UAC at off... It's not a security feature (it's written several times in MSDN). It's a way to force developers to develop proper applications that respect user class differentiation. Having UAC on doesn't protect you from virus/malware, it just made it a tiny bit of a hassle for the virus/malware to get installed. I got mine at off, and so are my colleagues and close friends... We know what we're doing, so UAC is off for us, I don't really know about you, but that's where I'm at...
zzz2496
Agree with this 100 percent, if you think UAC is going to save you then you are sadly mistaken. It's more about using compatible and safe programs rather than saving your system. Not even A/V's will save you from some of the exploits that are floating around. UAC is mostly there to save people who know nothing about the programs they are installing, even then it's just too easy to click yes all the time which defeats the purpose of using it. If you want to be completely safe turn off your computer LOL, so true.
Obviously we could go back and forth on this subject all day but I think my original answer was worth defending.
21 Jun 2010
|
#66 | | Windows 7 Ultimate 32 bit Orlando, Florida |

Quote: Originally Posted by BCXtreme Let's face it ... there is NOTHING that will completely stop all malware. You can have LUA, UAC, and a high-end AV software; you still need user discretion.
+2 Very well stated.
21 Jun 2010
|
#67 | | |

Quote: Originally Posted by chev65 if you think UAC is going to save you then you are sadly mistaken.
While it may not save you, it may alert you to a strange situation when a known piece of software is attempting to auto elevate itself. This is where I come to rely upon knowing that UAC is in place. Even as a systems admin and a self-proclaimed computer nerd...I honestly don't know exactly what every single piece of software is doing on my machine.
Quote: Originally Posted by chev65 UAC is mostly there to save people who know nothing about the programs they are installing, even then it's just too easy to click yes all the time which defeats the purpose of using it.
This really isn't the intention of UAC. While it might be the result, the intent is to run a Windows computer without being an admin 100% of the time. Previous history in Windows shows that everybody=admin=all the time...doesn't work out so well and you end up with egg on your face at a corporate level with people belittling your software/OS.
21 Jun 2010
|
#68 | | Arch Linux 64-bit Ireland |

Quote: Originally Posted by zzz2496 The topic is "is it bad to turn off user account control?", my answer is NO - it's not bad, BUT there's a catch - you need to use LUA... I, now, will not argue if LUA stops ALL malware or not, I've stated several times, even if you got a nasty keylogger, the keylogger will be locked at your current LUA, it won't go system wide (which is VERY GOOD).
As pparks1 said, if you want to be completely safe, turn off your computer, go play something else...
zzz2496
I know/I agree.
I'm questioning whether you should "play anywhere you like" when using LUA.
21 Jun 2010
|
#69 | | |
Disabling UAC basically results in a return to the Windows XP security model. Here are some consequences of disabling UAC:
a) When using standard account:
- loss of protective benefits of mandatory integrity control using integrity levels, including User Interface Privilege Isolation and Protected Mode of Internet Explorer
- worse application compatibility due to disabling of file and registry virtualization
- loss of UAC prompt when a program isn't working due to lack of admin rights, which lets the user know why the program failed; some programs will give an informative error message at such a failure, but some won't
- loss of ability to elevate programs through UAC
- switching to admin account to do admin activities is more dangerous (see below)
b) When using admin account:
- programs run with full admin token by default, including Internet Explorer
- worse application compatibility due to disabling of file and registry virtualization
- system compromise by malware can be done without any UAC prompt
From New UAC Technologies for Windows Vista:
Quote: UIPI [User Interface Privilege Isolation] comes into effect for a user who is a member of the administrators group and may be running applications as a standard user (sometimes referred to as a process with a filtered access token) and also processes running with a full administrator access token on the same desktop. UIPI prevents lower privilege processes from accessing higher privilege processes by blocking the behavior listed below.
A lower privilege process cannot:
- Perform a window handle validation of higher process privilege.
- SendMessage or PostMessage to higher privilege application windows. These application programming interfaces (APIs) return success but silently drop the window message.
- Use thread hooks to attach to a higher privilege process.
- Use Journal hooks to monitor a higher privilege process.
- Perform dynamic link-library (DLL) injection to a higher privilege process.
With UIPI enabled, the following shared USER resources are still shared between processes at different privilege levels:
- Desktop window, which actually owns the screen surface
- Desktop heap read-only shared memory
- Global atom table
- Clipboard
I use a standard account for everyday tasks, and normally switch to an admin account to do admin-only tasks. I use UAC on its highest setting. For situations in which there is too much inconvenience to switch to an admin account, I launch programs elevated from a standard account without any UAC prompt by using an elevated program launcher - see http://www.sevenforums.com/system-se...-launcher.html for more details.
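Added example, not part of the original post and not Microsoft's code: a small Python audit that parses `reg query` output for the UAC policy key (`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`) and reports which of the consequences listed in the post above apply to a standard or an admin account. The value names are the Windows UAC policy values; the sample outputs and the wording of the findings are constructed for illustration, and a missing value is assumed to hold the Windows default.

```python
import re

# Line format printed by `reg query` for DWORD values (name, type, hex data).
REG_DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value name: int} for each REG_DWORD line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = REG_DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def uac_findings(values, is_admin_account):
    """Map the UAC policy values to the consequences listed in the post."""
    findings = []
    # Assumption: a missing value is treated as the Windows default.
    if values.get("EnableLUA", 1) == 0:
        findings.append("integrity levels, UIPI and IE Protected Mode not in effect")
        findings.append("file and registry virtualization disabled")
        if is_admin_account:
            findings.append("programs run with the full admin token by default")
            findings.append("no UAC prompt stands between malware and the system")
        else:
            findings.append("no UAC prompt on failure and no elevation through UAC")
        return findings
    # UAC is on: flag the settings that weaken the prompt itself.
    if is_admin_account and values.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("administrators elevate silently, without a prompt")
    if values.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("prompt is shown on the user desktop, not the secure desktop")
    return findings


# Constructed samples (not captured from a real machine).
UAC_OFF = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x0
"""
UAC_HIGHEST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x2
    EnableLUA    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for name, sample in (("UAC off", UAC_OFF), ("UAC highest", UAC_HIGHEST)):
        for admin in (False, True):
            account = "admin" if admin else "standard"
            print(name, account, uac_findings(parse_reg_query(sample), admin))
```

An empty list means none of the listed consequences apply; it does not mean the machine is otherwise hardened.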
21 Jun 2010
|
#70 | | |

Quote: Originally Posted by MrBrian Disabling UAC basically results in a return to the Windows XP security model. Here are some consequences of disabling UAC: ...
MrBrian, very nice post... I understand the implications of disabling UAC, I understand many technologies that make up UAC and I'm one of those who won't use UAC. If you read this thread from the start, I posted a link to another thread where I discussed UAC quite lengthy with other members (one of them is pparks1). Yes I know about MIC, UIPI, Registry virtualization, and other virtualization techniques implemented by UAC. Here are my why(s):
- Running everything in standard user with UAC off is faster because all of those so called "security" layers aren't operational, and is not needed because the token which is currently used is a standard user. Why waste processor cycles for useless processes? There are lots and lots of malware that uses social engineering that can "bypass" UAC just like that, why waste processing time if with or without UAC you can catch bad things? MIC, UIPI and so on is there so that if a so called malware wants to install itself silently UAC will catch it, but come on, this is 3+ years since UAC is first introduced, are those malware/virus developers really that stupid?
- IE, don't use it, it's bad for anything - unless your company is depending its life on it (which is VERY BAD), still don't use it (argue your boss to move to another safer browser)... No matter what version, as long it's IE, stay away from it (unless MS can prove otherwise in a wide open public test with several hundred thousand testers and tested for at least a year straight). With LUA or not, stay away from IE period.
- Application compatibility has nothing to do with UAC, if a program can't access HKEY_LOCAL_MACHINE, with UAC it won't be able to access it, without UAC it still won't be able to access (with LUA), in both cases - the app will crash. Better for it to crash than to run intermittently. Maybe UAC will tell you something, but how many users will read the darn message? The fact is the app crashed... Should the registry virtualization let you run an app, most of the time that app will crash anyway, unless you run it in XP mode (saves time, blood, tears, and frustration).
- Privilege elevation is still somewhat doable through "Run as..." context menu, too bad this method doesn't behave as transparent as sudo in *nix.
- Once you understand the difference between Admin and Standard user, when you need to do system administration, you login to admin account, do whatever you need (update apps, install new apps [installers have been scanned with AV], update drivers, etc), then log off and use standard user for everything else. You don't use admin to browse the net, especially use IE while in admin account, that's suicidal.
- You can get malware/virus. With UAC enabled or not, you can still get it, with admin + UAC, your virus/malware will infect your whole system in an instant (there are many thread posts that prove just that). With LUA, the one that's infected is the limited user's files/account, it won't spread to Windows's core. Login to another user (preferably admin) and clean it up.
The basic idea of UAC is to let regular Windows users (those who use admin account all the time) to be able to practice safe computing without learning anything, that's all there is to it. UAC strips you of your admin privileges and saving you in the process. But for those who understand the basics of how multi user environment works, using UAC + LUA is moot, it checks and does everything to strip you of something you don't have... It's pointless...
zzz2496