Windows 7: Windows UAC question

11 May 2010   #11
Corrine

Windows 7 & Windows Vista Ultimate
 
 

zzz2496,

Although written based on Windows Vista, I refer you to UAC: Desert Topping, or Floor Wax? an article by Crispin Cowan, Program Manager on Microsoft's Security Team. The conclusion:
Quote:
UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.
Also see the more recent User Account Control: Inside Windows 7 User Account Control by Microsoft Technical Fellow Mark Russinovich, where he provides excellent information on UAC.

In particular note that although it is true that the primary purpose of elevation is not security, unlike Windows XP where it was necessary for a standard user to log on to an Admin account or use Fast User Switching, with UAC enabled, all user accounts—including administrative accounts—run with standard user rights.

This does indeed provide a significant layer of security!


11 May 2010   #12
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

no way, it's absolutely NOT safe to turn off UAC.

install Winpatrol too, and let both UAC & Winpatrol keep an eye on your system.
11 May 2010   #13
exia

Windows 7 x64
 
 

Seems like a lot of work to change the UAC for one program. I will let things be. I rarely run Ace Utilities anyways, thought I would save an extra click by turning off UAC for that program.

I won't be installing WinPatrol, too many programs, I will let the OS take care of itself.
11 May 2010   #14
Bare Foot Kid
Microsoft MVP

W 7 64-bit Ultimate
 
 

Quote: Originally Posted by exia
Seems like a lot of work to change the UAC for one program. I will let things be. I rarely run Ace Utilities anyways, thought I would save an extra click by turning off UAC for that program.

I won't be installing WinPatrol, too many programs, I will let the OS take care of itself.


That's a very good decision.
11 May 2010   #15
severedsolo

Windows 7 Ultimate X64 SP1
 
 

Quote: Originally Posted by Bare Foot Kid
Quote: Originally Posted by exia
Seems like a lot of work to change the UAC for one program. I will let things be. I rarely run Ace Utilities anyways, thought I would save an extra click by turning off UAC for that program.

I won't be installing WinPatrol, too many programs, I will let the OS take care of itself.


That's a very good decision.
+1 totally agree
11 May 2010   #16
zzz2496

Windows7 Ultimate 64bit
 
 

Corrine,

I have personal reasons to disable UAC, and yes I know how UAC works. As for UAC as a security feature, honestly... I find that statement ridiculous. See, to limit an Administrator so that it looks like a standard user is silly, putting locks and limiters and blockers and sandboxes EVERYWHERE literally, IMHO is beyond ignorant imbecile levels... The proper way to practice security is -> just lock the user, plain and simple. Security is "paid" not "given". You'd lose some flexibility when implementing proper security practice, it's a price you have to pay, and in time - you must educate your users to practice proper "secure conducts". I'd prefer to use (or be forced to use) a standard user, and have my resources be used by my applications, rather than have them used to BLOCK/CHECK/LOCK/ASK/HINDER everything I do to the system. The UAC sandbox, as efficient as MS told customers it is, is still a sandbox - meaning it does more and more checking and blocking on top of NTFS ACL/Object ACL, user token security checks, it's redundant and wasting processing power, it's horrible, just horrible...

Force Windows user to use standard user type, and only make ONE Administrator that is password protected BY DEFAULT at system install (you can optionally add another Administrator class user later, after many system checks), that is the correct way. Everything that needs a system administrator privilege will invoke a dialog box containing username/password textboxes (similar to what Linux/MacOS does). The problem here is, Windows is still using the old design, to be used as a single user, administrator friendly, -kernel/driver hooks access directly from user space applications- operating system. The usage model is still focused as old Windows is, single user...

Standard user security level is what UAC wants, so why not just use a standard user instead? The problem is, in Linux/UNIX, there is SUDO (and its variants), that will run a process as a different user, practically easy. In Windows on the other hand, "run as different user" doesn't act like SUDO, it's still limited in some ways, and isn't as predictable -limited by how Windows is designed-, again back to the "design" problem.

But then again, there are a few hundred million Windows users that will get cranky when their beloved OS is changed drastically by Microsoft, yes I understand this factor. But let's look at another OS vendor, let's say Apple. They drastically changed the way their OS works when they announced that Mac OS X was coming. They again changed drastically by killing PowerPC support in 10.6, they killed Classic (OS 9 virtualization layer) in OSX (I forgot the exact version). For the sake of progress, some legacy MUST GO, it has to. Microsoft in this sense is the slowest of them all, Linux is even crazier than Apple, the software stack is changing on a daily basis, the kernel gets upgraded by the hour, and yet - the most complaint prone market in the world, the corporate users, are sitting happily with their Linux servers...

So, IMHO, UAC is useless, a technological mess orchestrated beautifully by Microsoft engineers, disable it if you know what you're doing, by that I mean that you'll use the standard user account instead for day to day use plus a dose of common sense, and an updated AV/malware scanner, and fast user switch to admin account to do admin works...

zzz2496
11 May 2010   #17
Creer

Windows 7 Home Premium x32 SP1
 
 

Hi zzz2496,

Please note that on Windows OS you have something like the SUDO for unix that you mentioned - it's called SuRun.
There are also other built-in mechanisms in Windows like DEP, SRP, LUA, UAC and 3rd party software called PGS - Pretty Good Security for managing SRP policy.

Also please remember that from a security point of view, there is no one GOLD rule which will allow you to create a so-called 'perfect and 100% bullet proof setup' - it's impossible.
A security setup should be optimal for e.g. a torrent user and an Internet web-browsing-only person, they need different levels of protection for what they do. There will be no one 'gold' setup for everyone, it also depends on their level of knowledge about PCs, networking, etc... What will work for you or me won't work for others.
The point is... you will not find the one true perfect security setup for everyone. Absolute security doesn't exist, however rational risk management does. Although there are no guarantees of absolute protection against future threats.
11 May 2010   #18
zzz2496

Windows7 Ultimate 64bit
 
 

Quote: Originally Posted by Creer
Hi zzz2496,

Please note that on Windows OS you have something like the SUDO for unix that you mentioned - it's called SuRun.
There are also other built-in mechanisms in Windows like DEP, SRP, LUA, UAC and 3rd party software called PGS - Pretty Good Security for managing SRP policy.

Also please remember that from a security point of view, there is no one GOLD rule which will allow you to create a so-called 'perfect and 100% bullet proof setup' - it's impossible.
A security setup should be optimal for e.g. a torrent user and an Internet web-browsing-only person, they need different levels of protection for what they do. There will be no one 'gold' setup for everyone, it also depends on their level of knowledge about PCs, networking, etc... What will work for you or me won't work for others.
The point is... you will not find the one true perfect security setup for everyone. Absolute security doesn't exist, however rational risk management does. Although there are no guarantees of absolute protection against future threats.
Hi Creer,

IIRC, SuRun is the console version of "Run as different user" context menu, but I can be wrong on this one... As I said earlier "Run as different user" doesn't behave consistently (I've bumped to several issues with it in the past).

Yes I know there are other security protections in place other than UAC, and yes, there is no 100% secure in computer security. What I mean is, UAC is a mess, the concept of "underpowering a super user" is flawed from the very fundamentals of the concept. If we want security, we need to use something that's limited by default, then fine tune the "limiter" - it can't go "over limit" when the "limiter" fails. Starting with "no limit" and then putting in "limiters" can result in a failure of the "limiter", which then results in a "no limit" situation, which is bad...

I'm not after the "gold" standard, it'd be too constricting for a regular user to use, but you get what I mean, UAC is a mess, its fundamentally flawed concept is NOT a security feature, though in some cases it can save our arse. Still, it's "in some cases it can save us" - which can mean "in some other cases it can't"...

zzz2496

Ps. In a standard user situation, my last statement will be like this: "in any case, it WILL save us", which is FAR better than "sometimes it will, sometimes it won't"...
11 May 2010   #19
Corrine

Windows 7 & Windows Vista Ultimate
 
 

UAC is only one factor. DEP is another, as are the firewall, antivirus and anti-malware software programs. I have yet (*knock on wood*) to be hit by a drive-by attempt. Should that happen, I certainly hope to be alerted by one if not all of the above to prevent, or at least limit, the damage.

So, for myself, I'll keep UAC active on my computer.
11 May 2010   #20
hackerman1

W7-Enterprise + WS-2008 (Converted to Workstation)
 
 

zzz2496: "Standard user security level is what UAC wants, so why not just use a standard user instead? "

good security starts with ALWAYS running on a "normal" USER-account !
then when you need elevated privilege, UAC lets you have it.
you should only run on an ADMIN-account when it's absolutely necessary,
e.g. when you are doing system maintenance and don't want to enter your password several times.

exia: get Winpatrol, it's a good addition to your safety, it uses very little memory and adds security to your system.
it has saved my A-S-S several times.
Winpatrol is FREE, so you have nothing to lose on getting it....
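
Added example, not part of the thread or any poster's code: the state Corrine and hackerman1 describe, an administrator account that runs with standard user rights until it elevates, can be checked on a machine with the PowerShell below. The function name Get-UacPosture is hypothetical; the registry values it reads are the standard UAC policy values.

```powershell
# Added example, not from the thread. Get-UacPosture is a hypothetical name.
function Get-UacPosture {
    # Machine-wide UAC policy values.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key

    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # True only when the Administrators group is enabled in this process token.
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists deny-only groups, so the Administrators SID
    # (S-1-5-32-544) appears even in the filtered token that an
    # administrator gets at logon while UAC is on.
    $adminSid = [bool](whoami /groups /fo csv |
        Select-String -SimpleMatch 'S-1-5-32-544')

    if ($elevated)     { $token = 'Administrator, full token' }
    elseif ($adminSid) { $token = 'Administrator, filtered token (standard user rights)' }
    else               { $token = 'Standard user' }

    New-Object PSObject -Property @{
        User                       = $id.Name
        TokenState                 = $token
        # 0 = UAC (Admin Approval Mode) disabled, 1 = enabled
        EnableLUA                  = $policy.EnableLUA
        # 0 = elevate without prompting ... 5 = consent prompt for
        # non-Windows binaries (the Windows 7 default)
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
        # 0 = automatically deny elevation requests, 1 or 3 = prompt for credentials
        ConsentPromptBehaviorUser  = $policy.ConsentPromptBehaviorUser
        # 1 = elevation prompts are shown on the secure desktop
        PromptOnSecureDesktop      = $policy.PromptOnSecureDesktop
    }
}

Get-UacPosture | Format-List
```

Run from a normal (non-elevated) prompt, an administrator account with UAC on reports the filtered token; the same account with EnableLUA set to 0 reports a full token for every process it starts.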