Windows 7 Permissions - How do they work?

[CriticalError]

I have Windows 7 Ultimate and I an quite confused on how the permissions work.

Basically there is an XML file (Windows Image Backups). And only Administrators and Backup operators have full access I am in the Administrators group why do I still have to specify my self individually?

 

[Alejandro85]

As far as I understand, the permissions work as expected, and it's due to UAC that you're seeing tht behavior.

When UAC is enabled and you login with an administrator user, Windows silently deprives you of the administrator group membership, efectively leaving yourself as a standard user, that's why giving permissions to the administrators alone will NOT give permissions to use the file.
Whe you use "Run as administrator" option, after accepting the UAC prompt, the program you start gets the full administrator membership as you expect, but ONLY for that program, so the solution in your case would be to run the program that uses the files as administrator.

As a sidenote, that's why normally you can read from program files but not write without elevation. In that case, administrator group has full control, but regular user groups only has read-only access.

 

[andrew129260]

As far as I understand, the permissions work as expected, and it's due to UAC that you're seeing tht behavior.

When UAC is enabled and you login with an administrator user, Windows silently deprives you of the administrator group membership, efectively leaving yourself as a standard user, that's why giving permissions to the administrators alone will NOT give permissions to use the file.
Whe you use "Run as administrator" option, after accepting the UAC prompt, the program you start gets the full administrator membership as you expect, but ONLY for that program, so the solution in your case would be to run the program that uses the files as administrator.

As a sidenote, that's why normally you can read from program files but not write without elevation. In that case, administrator group has full control, but regular user groups only has read-only access.

That is well explained and correct

 

[CriticalError]

Can I just turn UAC off? Any harm in doing so...?

 

[Alejandro85]

Sure you can, but it's highly NOT recommended, because you get every program you use to have full access to the system and that has security implications you may not prefer to face.
It's much better to just run the program in question as administrator and give it only full access when it really needs it. Or as you did, give your user (or the users group) permission to access the needed files, without the need to trash UAC as a whole.

 

[andrew129260]

Can I just turn UAC off? Any harm in doing so...?

Sure, would you also like to go back to windows xp?

Because that is basically what you are doing when turning uac off.

UAC is one of the main features of security in ,vista, windows 7, 8. It protects all kinds of things in the OS.

 

[LMiller7]

The purpose of UAC is to improve security.

By default the software you run inherits the rights and privileges of the account you are using. If that account gives you full and unrestricted access to everything, the software you run will also have those rights. If you are using a limited account that software will also be limited. In particular it will be unable to modify or delete system files or change system settings. Someone using such an account can't do much harm to the system.

In XP and older logging in with an admin account gave you almost full and unrestricted access to whatever you wanted with no questions asked. That was very convenient. But that convenience came with a price. If you were to accidentally run malicious software, such as that downloaded and run without your knowledge by a web browser, that software also has full and unrestricted access to the system with no questions asked. That is very good for the malware authors, but bad for you.

The default behavior of Vista and later changed all that. When you log in with an admin account you initially only have the rights of a standard user. That is quite confusing to inexperienced users but greatly enhances security. That malicious software that was unknowingly downloaded now only has the rights of a limited user. All the doors to the sensitive areas of the operating system are now locked and it it does not have the key. That malicious software is pretty much helpless.

Sophisticated malware can evade UAC but it is hard. UAC doesn't provide absolute protection but it is another layer of protection. In the current and future state of malware you can use all the protection that is available.

 

[Alejandro85]

Sophisticated malware can evade UAC but it is hard.

Actually, Microsoft made it easy to bypass UAC by introducing a critical bug in Windows 7:
Windows 7 UAC whitelist: Code-injection Issue (and more)

In the default configuration, UAC can be bypassed at will by any program that knows the trick (published in 2009). It's not trivial, but not rocket science certainly

Other than that, I second your words!