Getting back my security by "fixing" User-Account

[wabbo]

Hey there,

when I first installed I set up my own account to be part of the administrator-group and deactivated UAC, because I came from XP and was annoyed about all the popups and prompts during the installation of all my apps. I made a backup of this set-up, and now, a year later, restored it, because my old win7 was broken in some points. Now I'm wondering how to restore the complete security for me?

Is it enough to remove the "administrator"-group for my user (so that only the group "HomeUsers" remains) and activate UAC? Is this the default setting, or is there anything left?

Thanks so far!

Edit: Damn, I made myself to "HomeUser" and activated UAC (admin acc is inactive, though). But now I can't do anything!? I thought this was the right way to do it, but now I can't even click "yes" when promped by UAC...
Edit2: Okay made it back by googling: using safemode of Win7, logging into Adminacc and than I could restore my user-acc to be part of administrators...

 

[jav]

no, don't make your only account into standard user. Because you will need atleast one active administrator account.

You can do two things:
1) Restore back to the state where you haven't made your account standard user yet.
Create new account (standard user account)
And use this standard user account for your everyday tasks.
For administrative tasks either login to your last admin account or "run as administrator" and put password for your admin account.

2) If you don't want to configure your settings and preferences to new account:
Restore back.
Create new Administrator account.
Login in with it.
Make your previous account standard user.
Proceed just like at (1). use standard account for everyday tasks and for administrative tasks either switch user or "run as admin".

First option is more preferable, as in some cases if you convert admin into LUA (limited user account) it may still inherit some privileges from admin.

 

[wabbo]

Thanks so far, do you think UAC is worth all the stuff?
I played a bit with it now, and found it very very uncomfortable. I mean, every default program asks for admin rights or, if not, I need to rightclick->start as admin, because it's installed in c:\programs and needs write access:

-miranda
-rainlendar
-keepass
-flashfxp

It's just very very annoying and isn't there a way to always execute them as admin without having to click yes everytime? I mean, e.g. miranda doesn't even run without admin privileges, since history etc is written to my database...

I enjoy the UAC when installing new programs etc, so there's no security lack for viruses, keyloggers etc etc, because I have to click "yes" before they can install, but I don't want to always have to click yes when just starting my programs Im working with everyday...

 

[jav]

Thanks so far, do you think UAC is worth all the stuff?
I played a bit with it now, and found it very very uncomfortable. I mean, every default program asks for admin rights or, if not, I need to rightclick->start as admin, because it's installed in c:\programs and needs write access:

-miranda
-rainlendar
-keepass
-flashfxp

It's just very very annoying and isn't there a way to always execute them as admin without having to click yes everytime? I mean, e.g. miranda doesn't even run without admin privileges, since history etc is written to my database...

I enjoy the UAC when installing new programs etc, so there's no security lack for viruses, keyloggers etc etc, because I have to click "yes" before they can install, but I don't want to always have to click yes when just starting my programs Im working with everyday...

Lets say, UAC actually is not security product but more of a compatibility provider.
But, yes in a way it will give you a security.

I am not really familiar with programs you listed (except keepass), but I will try to help you.

I cant understand why IM (miranda) can't run without admin privileges.
It is the problem of the developers. In Vista and Windows 7, Microsoft has moved into different strategy of working of software.
Basically in this OSes, most of the programs shouldn't need admin privileges and should not write to "program files" folder.
All their configurations and stuff, they should write into AppData and ProgramData folders.
So, it is actually laziness by developers of Miranda to adopt, new model which is causing problems.
Microsoft did know that developers will be slow to adopt to this model, and that it will break some of the current software, therefore it created UAC.
So, it will enable those programs work under the new model.
But it never meant to be final solution, but temporary one.
It was created to give time to developers to adopt to new working model.
But as you can see some developers are still too slow to move to the new model.
Therefore in a way it was meant to be annoying, to force developers to adopt faster (because otherwise they will start loosing annoyed customers)
Unfortunately, as you can see some developers don't care about it.
And I am 100% sure, it IS possible to move IM into full LUA environment.

So, in a nutshell, this annoyance isn't fault of UAC, but fault of lazy third party developers.
Secondly, contrary to popular belief, UAC is not meant to be security mechanism. It was made to assist developers and users to move into standard user environment.
And in many technical papers it was stated that it was only temporary, until all developers adopt to LUA.

ok, anyway. I am going to much into details

It's just very very annoying and isn't there a way to always execute them as admin without having to click yes everytime?

Have a look at this tutorial: http://www.sevenforums.com/tutorials/11949-elevated-program-shortcut-without-uac-prompt-create.html

 

[wabbo]

Okay thanks so far. I now see what you mean. But no, the miranda IM messenger isn't laziness-product it's me, who likes the "portable" software, where the profiles, data etc is written to the folder itself. I don't like it, when the data is scattered around the hdd... So I often download portable software which doesn't really run because it needs to write data to the programs folder... Thanks for the link though, I'm gonna try it out.

But what do you mean by saying, that UAC isn't a security mechanism? I mean, it's obvious that this helps to be more secure, doesn't it? This makes me safe against any virus installation etc, because I will SEE it and can click "no"...

 

[jav]

But what do you mean by saying, that UAC isn't a security mechanism? I mean, it's obvious that this helps to be more secure, doesn't it? This makes me safe against any virus installation etc, because I will SEE it and can click "no"...

Yes, it will help you. I am not saying it is useless from security point of view.
It is just it wasn't meant to be security product.

The point is some people put to much hope in UAC as their security and when it fails they blame Microsoft for creating incomplete security product. But in reality they didn't create it as security mechanism.

This makes me safe against any virus installation etc, because I will SEE it and can click "no"...

Not always.
1) It has been already illustrated that malware can possibly bypass UAC.
2) There are already wild malware that don't need administrative privileges to run. (UAC will prompt you, only if something needs admin privileges.)

So, that's why I recommend average users to move into full LUA (limited user/standard user) rather than admin account with UAC.

Anyway, to your question, in most cases UAC can become security product, even though it wasn't directly meant to be.

EDIT: I see irony http://www.sevenforums.com/system-s...n-bootkit-trojan-crossing-64-bit-barrier.html

 

[Corrine]

Thanks so far, do you think UAC is worth all the stuff?

Hi, wabbo.

Yes, UAC Is worth it, particularly since you have a 64-bit system. The quote below is from this topic: http://www.sevenforums.com/system-s...n-bootkit-trojan-crossing-64-bit-barrier.html

However, it's important to note, the infection can only compromise a 64 bit Windows 7 or Vista system, if User Account Control (UAC) is turned OFF or if the user casually approves the malicious action.

 

[wabbo]

Thanks so far. If I understand it right, I can say generally, that infecting a 64bit system is harder than doing it on a 32bit system. At least, that is what I read from this part of the text:

More recently, in early August 2010, a new Alureon TDL variant that displayed the ability to infect Vista and Windows 7 64 bit based computers emerged.
This was a very unsettling but significant development, because very strict security measures that were integrated into 64 bit versions of Vista and Windows 7 (Patchguard and very stringent driver signing requirements) had to be bypassed to allow this to happen!

Am I assuming right? Is it really harder for malware and viruses to get into a 64bit system? Or do they only mean such rootkits, which need to install into MBR etc...?

 

[Corrine]

You are correct, wabbo. At this point, it really is more difficult for malware and viruses to get into 64-bit systems that are kept up to date with Microsoft and third-party security updates, UAC on, antivirus and firewall installed and, most importantly, the user doesn't allow install an infected program. There is no protection from the careless user.

 

[wabbo]

Thanks. Assuming that UAC is turned off, is there still a difference between 64bit and 32bit (User is the same (he is not careless), Firewall and Avast Antivir turned on)? From what I read off the article, there is one because 64bit viruses need some signed drivers, but I'm not sure about it.

 

[mborner]

Thanks. Assuming that UAC is turned off, is there still a difference between 64bit and 32bit (User is the same (he is not careless), Firewall and Avast Antivir turned on)? From what I read off the article, there is one because 64bit viruses need some signed drivers, but I'm not sure about it.

Will you be running as an administrator or a standard user? IMO, and many here, it is not recommended to turn UAC off. UAC, in itself, is not a security driven feature. It is first, and foremost, a convenience feature. The security that comes from UAC is that UAC allows a user to use his/her PC as a standard user, (more secure) yet still be able to have full administrative privileges without having to log off the standard account and then log onto an administrator account to perform administrative tasks. I mean, what would you rather do to perform administrative tasks, enter a password and hit enter, or, switch users and log onto an administrator account and start over again?
I don't believe security risks are any different for 32 or 64bit users.

 

[Corrine]

Yes, 64-bit includes mandatory driver signing. In addition, 64-bit includes Kernel Patch Protection (see Kernel Patch Protection: Frequently Asked Questions for more info on Kernel Patch Protection) and support for hardware-backed Data Execution Protection (DEP) (rather than a software-based version of DEP).