Vista "complaints"

Greets all: It's Friday, and I haven't had a good rant in a while, so...

Recent misconceptions about Vista and UAC posted to the Focus-Apple group,
as well as the following article by John Leyden at The Register have
prompted me to submit what I consider to be clarifications and corrections
on the issue:

I thought about emailing John and Ms. Rutkowska directly, but figured this
forum was a far better place to discuss this. Vista's UAC is a huge leap
forward in allowing people to move away from interactively logging in as
administrator, and combined with the many configuration options Vista
supports, is a "Good Thing." When I read stuff like this article, I can't
help but think that people are just going WAY out of their way to make
mountains out of molehills. Simply put, I think the security model of Vista
is the best yet. But if one rushes to judgment regarding a particular
aspect of a process or procedure in Vista without performing one's due
diligence in research, it is easy to arrive at misconceptions.

Let's start with this snip from John's article:

White hat hacker Joanna Rutkowska discovered that users attempting to
run an installation file need to do so in admin mode. That means users
are confronted with the all-or-nothing choice of granting an installed
program complete system privileges or abandoning an installation

"That means that if you downloaded some freeware Tetris game, you will
have to run its installer as administrator, giving it not only full
access to all your file system and registry," Rutkowska writes, adding
that Win XP gave her the ability to add permissions to her normal
(restricted) user account that isn't possible with Vista.

There are several points in those two paragraphs that are simply wrong.

First off, the account you create that has administrator privileges does NOT
have "complete system privileges." One great distinction is that Vista's
WRP protects SystemRoot from write access to all but the SYSTEM service.
And even if one chooses to run interactively as the admin account (which you
simply do not have to do), the "default" security context is tokenized as a
"standard user." Operations requiring escalated privileges require specific
allowance to do so. Note that on my system, I have changed the default UAC
prompt for administrators from "prompt for consent" to "prompt for
credentials" so you can't be lazy and hit "allow." Even if you do allow
escalation for a process, spawned processes requiring escalation will also
require explicit permissions. For example, if you go to change the
permissions on a folder, even if in as admin, you'll have to explicitly pass
the admin credentials on to change them. If you then go to change the
owner, though you're already in "Advanced Settings," you'll have to approve

The example of "installing some freeware Tetris game" is a perfect testament
to the exact reason for UAC. Don't let stupid people run as administrator,
and you won't have to worry about stupid people installing untrusted,
freeware Tetris games. If you have an administrator that will download and
install executables from untrusted sites that are unsigned and unverified,
then THAT is your problem, not the UAC. But, even if you are smoking crack
and give your users the admin password, and after sharing the pipe with them
they go to install the freeware Tetris game, you can still prevent it by
simply enabling "Only elevate executables that are signed and validated" and
be done with it. Or use Software Restriction Policies and be done with it.

Further, the bit about "the ability to add permissions to her normal
(restricted) user account [that] isn't possible with Vista" is wrong as
well. This from the blog site:

I see the above limitation as a very severe hole in the design of UAC. After
all, I would like to be offered a choice whether to fully trust given
installer executable (and run it as full administrator) or just allow it to
add a folder in C:\Program Files and some keys under HKLM\Software and do
nothing more. I could do that under XP, but apparently I can¹t under Vista,
which is a bit disturbing (unless I¹m missing some secret option to change
that behavior).

It's no "secret option." Simply change the permissions of Program Files and
the software hive in the registry... When you log in as administrator, and
go to Program Files permissions and tell it to change them, after you enter
your credentials (or just hit allow if still on the default prompt) some
will obviously be thrown off by the fact that they can't immediately edit
them. That's because the admin user (or "true" administrator account)
doesn't own the object: the "TrustedInstaller" does. But it's simple
permissions management... Just take ownership of the directory, and feel
free to muck up the permissions all you want. Done. Then muck up the
registry permissions and get 'er done again. Done, done.

Of course, you can re-enable PowerUsers if you really want to by extending
the security templates to the UI and go nuts applying whatever security
template you want to to further muddy the configuration waters.

But calling it a "severe hole" is FUD. So is writing an article about it.
People on the Apple list criticize the "allow" behavior because they say
stupid people running as administrator will just hit "allow" and malware
will run rampant and we'll all end up standing in the Microsoft Cheese Line..
Then change the default prompt to "prompt for credentials" as I mentioned
earlier. Others say the fact that you can't do anything else when the UAC
comes up will further train people to just hit "allow." Then turn off
"secure desktop UAC." That's not a smart thing to do, but you can do it.

My main point is that we're obviously going to be hit by numerous "Vista
sucks" reports by talking heads all over the place, and we should be
prepared to provide some thought leadership for those who are prone to
swallowing it. Just like the speech recognition "vulnerability" where you
turn on speech recognition, leave your microphone on, go to a malicious web
site, and play an MPG where they tell your computer to Shut Down. Oh, the
horror. It's ludicrous. Stupid, really. Why not just call your users and
ask to be put on speaker phone? That way it could be a "remote" attack.
Besides, that stuff won't work on my system anyway because instead of saying
"Shut Down, please" when training it, I say "Ecky- ecky- ecky- ecky- pikang-
zoop- boing- goodem- zoo- owli- zhiv" for a little security in depth. Of
course, when I watch Monty Python, my system shuts down, but it's worth it.

Anyway, it looks like it's time to set up a rebuttal blog on the ole Hammer
of God website. I could use some new content anyway. If you guys come
across "real" reports that need stomping on, please forward the to me.

And that's the skinny on that.