Solved UAC and System Protection

dw85745

Is UAC only valid for system login or does it work for other things?

For example if a user logs in as a "standard user" (no admin rights) and then uses IE, Firefox or Thunderbird for example, what happens in the following cases (Windows 7 Pro):

1) User wants to download a webpage and save to the system
2) User wants to view his/her email and then save an attachment to the system
3) User clicks on an embedded link within the email and the email contains malware
4) User clicks on a web page link and is taken to a malware page
5) User wants to run a program that requires streaming data for a server and that data must be saved to a database on the system

Thanks
 

The user can do all they need to do; all it stops is system things which may affect the O/S, like format drive, change critical services files, etc.
 

UAC is simply a dual token system that simplifies the correct way of working that has been in use for many years in major computer systems.

Before UAC, an administrator would perform their normal day-to-day tasks as a standard user (with possibly a slightly raised set of access permissions). When the administrator wished to perform an administrative task, they would either use a password-protected RunAs process or, in more complex cases, they would log out and log back in with an administrative account (with password), perform the tasks, and then log out and back in as a standard user again.

As you can see, this was a long-winded process, and thus the use of UAC gives the same protection levels with a lot less effort, so is more likely to be used; also, as the elevation of rights is on a case-by-case basis, there is no need to reduce the rights level.

With your examples above, as long as you assume that the local save location is one which the standard user has Read/Execute/Write access to, then there will be no issue with running or saving data.

The case of the malware is a little more complex. If there is no anti-malware protection running (normally these run with system rights, so protect all users and files), then the malware will infect the files and possibly some programs that the user has rights to access, but will not be able to infect any critical systems, so the clean-up will just need the removal of the infected account and its replacement.
 

samuria: Thanks for responding.

Based on your response the UAC affects what the user can do to the system and does NOT have anything to do to keep malware off the system. I was under the impression -- rightly/wrongly -- that when a "standard" user account was created that those "gifted" rights belonged to the user. Hence, if the user can Not create a file, then the malware "MIGHT" be also prohibited from creating a file, unless the malware is somehow going around the user account such as directly manipulating memory which impacts the system when something is done where that memory is now saved to file.

Barman58: we crossed posts. Thanks for responding. It appears you answered my above followup, except for trying to understand how malware (email click for example) can gain access to the system if User is denied "write" access -- or -- better yet:

Say user has "write" access. How can malware go outside the directory where write access exists?
For example, if the User is allowed to run Thunderbird (email) they need write access. Since Thunderbird upon install makes a number of directories, how is one (admin) to know which directories have write access when one allows a User write access to Thunderbird since Thunderbird does NOT id those directories during install?
 

The standard user cannot access any system files or memory locations directly, so neither can the malware that is running as that user. The only damage that malware can produce when running as a standard user is to that particular user alone, so running as a standard user prevents malware damage and, BTW, also malicious actions by a disgruntled user.
 

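The question raised in the thread, which directories a standard user (and so anything running as that user) can actually write to, can be answered by reading the ACLs. The script below is an added example and not part of the original thread; the function names and default roots are hypothetical. It is a simplification: it evaluates only NTFS ACEs for the SIDs in the current token and ignores ACE ordering, integrity levels and share permissions.

```powershell
# Added example: run as the standard user whose exposure you want to map.
# It only reads ACLs; nothing is written to disk.
function Test-DirectoryWritable {
    param($Directory, [string[]]$Sid)

    # WriteData (create files), AppendData (create subfolders), GENERIC_ALL, GENERIC_WRITE
    $writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000
    $acl = $Directory | Get-Acl -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }            # ACL not readable by this user

    $allow = 0; $deny = 0
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($Sid -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to this directory itself
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $bits = [int]$rule.FileSystemRights -band $writeMask
        if ($rule.AccessControlType -eq 'Deny') { $deny = $deny -bor $bits } else { $allow = $allow -bor $bits }
    }
    return (($allow -band (-bnot $deny)) -ne 0)
}

function Get-WritableDirectory {
    param([string[]]$Root = @($env:ProgramFiles, $env:SystemRoot))   # assumed roots

    # SIDs carried by the token of the current process (user plus enabled groups)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    foreach ($r in $Root) {
        $dirs = @(Get-Item $r -Force) + @(Get-ChildItem $r -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer })
        foreach ($d in $dirs) {
            if (Test-DirectoryWritable -Directory $d -Sid $sids) { $d.FullName }
        }
    }
}

# False under the filtered (standard) token, True only in an elevated process
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($me)
"Elevated: " + $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Get-WritableDirectory
```

Passing an application's install folder and the user's profile folder as `-Root` lists the locations that application, and anything else running as that user, can modify.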
Barman58:

Thanks a bunch. That clears up a few things for me.
 
