Re: turn off user account control



Mark H wrote:
How did we ever live without UAC?

If you didn't have problems with malware before UAC, you probably don't need
UAC now.
With any other detection scheme, all those prompts would be called "false
positives" and leads to ignoring the prompt.
In that sense only, UAC is garbage.

Is it protecting me? Not unless you actually pay attention to all those
prompts and recognize who started the process.

Nothing beats safe hex.


You are wrong, and with UAC on one is practicing safehex.

Jack the Ripper wrote:
> Saucy wrote:
>> "Not Even Me" <cargod01@xxxxxxxxxxx> wrote in message
>> news:uNylAgOkJHA.5732@xxxxxxxxxxxxxxxxxxxxxxx
>>> "Jack the Ripper" <Jack@xxxxxxxxxxx> wrote in message
>>> news:eUh6F1LkJHA.4760@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Justin wrote:
>>>>> Jack the Ripper wrote:
>>>>>> Justin wrote:
>>>>>>> Jack the Ripper wrote:
>>>>>>>> +Bob+ wrote:
>>>>>>>>> On Sun, 15 Feb 2009 15:43:31 -0500, Jack the Ripper
>>>>>>>>> <Jack@xxxxxxxxxxx>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Nothing is bulletproof, but one doesn't see a lot of posts by
>>>>>>>>>> Vista users about virus or malware issues, not like you see on
>>>>>>>>>> XP.
>>>>>>>>>
>>>>>>>>> No, but you do see a lot of posts about how UAC sucks. Good
>>>>>>>>> idea, bad
>>>>>>>>> implementation.
>>>>>>>>>
>>>>>>>>
>>>>>>>> It's the posts of the ignorant. I would rather have it enabled
>>>>>>>> so that I am not on the Internet with full admin rights, like
>>>>>>>> the previous versions of the NT based O/S(s,) which are open by
>>>>>>>> default O/S(s) and wide-open to attack/compromise by default.
>>>>>>>>
>>>>>>>> Is that so hard for you or anyone else to understand?
>>>>>>>
>>>>>>>
>>>>>>> As long as you're not logged on as admin you should be fine. At
>>>>>>> most I keep users at Power User rights.
>>>>>>> While I understand running as admin is unsafe, simply having the
>>>>>>> account enabled is not a security risk.
>>>>>>
>>>>>> I am going to try to explain this again. The out of the box admin
>>>>>> account on Vista that is given to a user or any subsequent admin
>>>>>> account that is created on Vista with UAC enabled is NOT a
>>>>>> full-rights-admin account. It's only a Standard user account,
>>>>>> which must be escalated to a use the full-adminrights token to do
>>>>>> anything requiring admin-full-rights as an administrator.
>>>>>
>>>>>
>>>>> I get it.
>>>>> I don't need any escalation to admin. The problem is, what if
>>>>> there's some malware. Some malware named "winenhancer." The user
>>>>> sees the UAC prompt "Winenhancer must access the internet!" and the
>>>>> user clicks on yes.
>>>>> So UAC only works when the user knows everything about the PC,
>>>>> which is unrealistic for a standard dumb user whose job is to type
>>>>> out proposals and reports.
>>>>
>>>> Oh, I get it. It's not the responsibility of the dumb user to know
>>>> what he or she is dumbly clicking on as they point and click. It's
>>>> their responsibly to know the situation, but they don't and most
>>>> never will.
>>>>
>>>> However, network admins take that responsibly for this type of
>>>> worker by using a network proxy that only allows the users to go to
>>>> approved sites closing the attack vector and mitigating such damage,
>>>> as its their responsibility to protect company's interest and not
>>>> some office clerk, lock them down.
>>>>
>>>> Just like with Linux which has the same kind of an approval process
>>>> within its O/S, they point, click, approve and it's all bets are
>>>> off. But with UAC enabled when one does this, the damages are
>>>> mitigated to a certain degree as UAC protects critical areas and
>>>> also not allowing the malware to continuously run under the context
>>>> of the user-admin full-rights access token, to spread damage.
>>>>
>>>> But rather with UAC enabled, the compromise runs under the context
>>>> of the admin's Standard user token, because admin user on Vista is
>>>> returned to using that token upon privileged escalation completion,
>>>> and it's a limit rights token, which mitigates/limits damage.
>>>>
>>>> Like I said, nothing is bulletproof not even god's O/S Linux, but
>>>> UAC on the MS platform is better than have nothing at all, which is
>>>> the case in fact with the previous versions of the NT based O/S
>>>> platform, open by default O/S(s), to help protect the O/S.
>>>
>>> Real time scanning by (even free) third party programs provides (in
>>> many cases) superior protection with less annoyance.
>>> So why put something in the OS that just pisses many people off and
>>> is (by MS admission) made irritating on purpose?
>>>
>>
>>
>> Didn't he just explain it to you? Re-read his post:
>>
>> "But rather with UAC enabled, the compromise runs under the context
>> of the admin's Standard user token, because admin user on Vista is
>> returned to using that token upon privileged escalation completion,
>> and it's a limit rights token, which mitigates/limits damage."
>>
>> Combining secutity features such as UAC and real time scanning makes
>> systems more difficult to compromise both directly and indirectly
>> [say, by social engineering].
>>
>
> EXCELLENT!

.



Relevant Pages

  • Re: turn off user account control
    ... If you didn't have problems with malware before UAC, ... all those prompts would be called "false ... >>> Real time scanning by third party programs provides (in ... >> "But rather with UAC enabled, the compromise runs under the context ...
    (microsoft.public.windows.vista.security)
  • Re: OT: computer problem update
    ... If that many elevation prompts are occurring, it could be a case of too many programs needing full administrator access to run properly--that's a program vendor issue for sure, and it can also occur when running legacy programs in Vista or Windows 7. ... Also, don't confuse Windows Firewall prompts with UAC prompts, because Windows Firewall will also prompt when a program wants to access the Internet and if they answer to the prompt is No then it will be blocked until otherwise unblocked in the Windows Firewall settings. ...
    (rec.food.cooking)
  • Re: capin crunches parental acknowledgment...LOL!
    ... User Account Control, or UAC is perhaps the most significant and ... UAC is a security technology that makes it ... Internet does not trigger UAC prompts. ... and only the authorization window is active and highlighted. ...
    (microsoft.public.windows.vista.general)
  • Re: Windows7 *not* a major overhaul
    ... Well the UAC story is that developers are expected to create or enhance applications for least user privilege to the point where UAC prompts are rare. ... Windows 2008 "out of the box" is really quite nice; I've been using it as a desktop for the last month or so. ... If and when they componentized windows more, hopefully that will become more of an opt in thing like Windows 2008 has. ...
    (microsoft.public.vb.general.discussion)
  • Re: capin crunches parental acknowledgment...LOL!
    ... in cases where the user is already an administrator, ... Internet does not trigger UAC prompts. ... and only the authorization window is active and highlighted. ...
    (microsoft.public.windows.vista.general)