wonderfield
Supreme [H]ardness
- Joined
- Dec 11, 2011
- Messages
- 7,396
That's basically exactly what's happening.
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
UAC, a waste?
- Thread starter RogueTrip
- Start date
rudy
[H]F Junkie
- Joined
- Apr 4, 2004
- Messages
- 8,704
UAC should be on. It is a sensible way to tell people when to know if something is installing something. My biggest problem with UAC is that it does not require a password. You should be forced to enter the admin password every time. Because of this I set up every computer, and family computer with a separate admin account and make them log into a standard account.
The reality is most people just click OK to make UAC go away, and it is only through the process of typing a password that they stop to think. In fact if they have to type a password some will be lazy and just x out. This is all safer than the current system which just lets you press OK>
The reality is most people just click OK to make UAC go away, and it is only through the process of typing a password that they stop to think. In fact if they have to type a password some will be lazy and just x out. This is all safer than the current system which just lets you press OK>
Thing is, an OK/Cancel prompt is convenient, and having to type a password? Most people wouldn't be lazy and X out they would just disable it and run as root, heck I probably would too. I don't get UAC prompts often, but sometimes I'll be installing a few things and modifying a few settings and get a dozen or so of them, so I'm grateful it's an OK/Cancel prompt.
rudy
[H]F Junkie
- Joined
- Apr 4, 2004
- Messages
- 8,704
Ya it is convienient thats the problem, lol. I am not really speaking about seasoned tech savy people, but the thing is those people really dont need security much anyway, they know better than to even open forwards, they dont visit suspect websites and so on. The whole purpose of UAC is to protect everyone that does not reside in the 0.01% of the population that visits places like this.
I mean heck even if there is a total exploit and [H] gets hacked and installs a virus the tech savy can have windows reinstalled in 30 minutes with an SSD and a completely clean system. But thats not what UAC is about.
I find UAC to be a bad compromise like many MS choices. It does not go far enough to really curb malware because the typical people like (some members of my family) dont read the prompts they just say go, even if they do read they really dont understand when programs might be bad and when they might be good, tool bars pile up on their computer and the only way I ever fixed that behavior was to force them to type a password. On the other hand it is obviously not easy enough to please people like the ones in this thread.
I think UAC should force a password period, and then there should be some place burried in the settings where you have the option to disable that so the impatient can do as they please. Also one reason I dont care is because I discovered the wonders of a finger print reader, set my ring finger to admin pw, set my index finger to standard user.
I mean heck even if there is a total exploit and [H] gets hacked and installs a virus the tech savy can have windows reinstalled in 30 minutes with an SSD and a completely clean system. But thats not what UAC is about.
I find UAC to be a bad compromise like many MS choices. It does not go far enough to really curb malware because the typical people like (some members of my family) dont read the prompts they just say go, even if they do read they really dont understand when programs might be bad and when they might be good, tool bars pile up on their computer and the only way I ever fixed that behavior was to force them to type a password. On the other hand it is obviously not easy enough to please people like the ones in this thread.
I think UAC should force a password period, and then there should be some place burried in the settings where you have the option to disable that so the impatient can do as they please. Also one reason I dont care is because I discovered the wonders of a finger print reader, set my ring finger to admin pw, set my index finger to standard user.
wonderfield
Supreme [H]ardness
- Joined
- Dec 11, 2011
- Messages
- 7,396
I don't disagree. I don't particularly understand the current system the way it's implemented. There are four options to tune UAC to a user's liking, but no option to require a password. What's the deal there?
I don't think most people ignore and don't read prompts. Maybe the small statistical sample of people you know, but look at https://www.blurity.com/blog/2012/0...lorer-put-me-out-of-touch-and-cost-me-dearly/ for instance, it's not about UAC, but about the 'this program is not commonly downloaded' prompt that IE throws for unsigned or rarely downloaded software. Here this web developer says that 80% of non-IE users ran his program after downloading it, but only 20% of IE users ran the program after downloading it when IE gave this warning, after he signed his program so IE did not give a warning, 85% of IE users installed his program after downloading. Again, not UAC, but it shows that the "most people don't read warning prompts" thinking is wrong. Most such arguments are never based on proof anyway, they are just the gut feeling of mostly non-Windows users making desperate arguments because they feel and/or want others to feel that nothing can be better than the Mac or Linux way even in theory.
UAC can prompt for a password, I believe it can be done in gpedit or if you have home editions, you can find the registry keys to do this by searching the web. Also, you may as well just make a standard user account since it's slightly (in theory) more secure.
Last edited:
http://www.sevenforums.com/tutorials/7357-local-security-policy-editor-open.html
As I said, you'll need to find the registry keys on home versions, or maybe there's some 3rd party program out there that you could use to set it with a gui app.
Tawnos
2[H]4U
- Joined
- Sep 9, 2001
- Messages
- 3,808
Or you just set the user to be a user and not an admin...
I did say that too, in post #166. The post you quoted was me correcting someone who said you could use local security policy to do this with UAC and 'never have to touch the registry.'
I didn't "never", I simply said there's no need. Besides, I highly doubt anyone in this thread is using Home edition anyway.
"Never have to touch the registry", and "no need to touch the registry" are pretty much equivalent in the context of this discussion, and it doesn't appreciably change the meaning. And you'd be surprised what people run here, hardforum.com is not exclusive in any way, anyone can sign up here..
Deadjasper
2[H]4U
- Joined
- Oct 28, 2001
- Messages
- 2,584
It's useless, it's stupid and it will always remain off on my computers. I can't believe there are actually people who believe it performs a useful function. 
wonderfield
Supreme [H]ardness
- Joined
- Dec 11, 2011
- Messages
- 7,396
Troll-necro. Can't get any classier than that.
Gorankar
[H]F Junkie
- Joined
- Jul 19, 2000
- Messages
- 11,107
So true.
Never understood the hate for something that does actually function as intended, as part of an all around security strategy, that is easily turned off with little more than a few mouse clicks, and maybe a quick google to find out where to click if you don't know or can't figure it out on your own.
It's not like they turned it up to maximum annoyance, tore of the knob, and then removed the code that let you go back to doing it the Xp way.
Semantics
2[H]4U
- Joined
- May 18, 2010
- Messages
- 2,811
Doesn't prevent a PBKAC
Gorankar
[H]F Junkie
- Joined
- Jul 19, 2000
- Messages
- 11,107
Nothing prevents pebkac except not having a human touch the input devices to a computer. At best, the risks can only be mitigated.
It's useless, it's stupid and it will always remain off on my computers. I can't believe there are actually people who believe it performs a useful function.
That is a very ironic sentiment, because I can't believe people think separating Admin and User programs is a useless function. Do you tell Linux users to run as root all the time because user accounts are useless as well, or do you only serve up that nugget of insight to Windows users?
sadly it does seem alot of users still need educating. All unix based OS's have for decades worked on the principle you dont do your normal day to day tasks as root, root is only used for system administration and thats it. Processes are rarely run under root and if they are they normally setui'd to a non root user after launch. Its basic security 101.
Microsoft realised this when they launched vista and introduced UAC, in my view UAC is supposed to eba s top gap and eventually the idea is people will run using restricted user accounts by default, but it seems this migration process is been quite slow. Its not a good thing to run day to day stuff as admin, people who think they been a power user by turning off UAC fail to grasp a basic understanding of security.
Now in my view UAC has been poorly implemented, there really should have been a whitelist function, eg. in linux sudo has a whitelist function where certian commands can be approved for root escalation without password prompt.
If people however want no UAC and want to be secure then do this.
Add a limited user account for day to day use.
Configure SRP so that programs can only execute from folders where the user has NO write permissions.
This is extremely effective.
http://www.wilderssecurity.com/showthread.php?t=262686
That does sound useful. Unfortunately I have a couple of dozen portable apps that do things like write their config to their program directory, while I could manually make each .exe and .dll (and other executable files) non-writeable, it would be a pain. Any suggestions?
UAC is very important. If you turn it off, every single process running under your account has an administrative token (unless you're not running as an administrator, but then...you don't have much to worry about, at that point). If you leave it on, only apps which you explicitly allow to elevate will have administrative tokens.
And, of course, if you're not one of those stubborn folks who thinks they're too good to not have administrative privileges on every single thing they ever do, UAC is convenient for elevating things when you're not logged in as an administrator. I never log into my administrator account directly, since there's literally no reason I would ever need to. If I need to do something administrative, I can just let the UAC prompt come up and enter my credentials for my administrative account.
Additionally, UAC has added features such as data redirection and registry virtualization that you lose when UAC is disabled.
I like to equate logging into an administrative account with UAC turned off to logging into 'root' on a UNIX system for everything you do. The latter would be considered by the vast majority of knowledgeable people to be an extremely insecure thing to do, but for some reason doing the equivalent thing on Windows bears the consensus that it is a perfectly secure thing to do. It must be that Windows users have far fewer viruses and exploits to worry about since Windows represents a small percentage of the OS market share....or do I have that backwards?
And, of course, if you're not one of those stubborn folks who thinks they're too good to not have administrative privileges on every single thing they ever do, UAC is convenient for elevating things when you're not logged in as an administrator. I never log into my administrator account directly, since there's literally no reason I would ever need to. If I need to do something administrative, I can just let the UAC prompt come up and enter my credentials for my administrative account.
Additionally, UAC has added features such as data redirection and registry virtualization that you lose when UAC is disabled.
I like to equate logging into an administrative account with UAC turned off to logging into 'root' on a UNIX system for everything you do. The latter would be considered by the vast majority of knowledgeable people to be an extremely insecure thing to do, but for some reason doing the equivalent thing on Windows bears the consensus that it is a perfectly secure thing to do. It must be that Windows users have far fewer viruses and exploits to worry about since Windows represents a small percentage of the OS market share....or do I have that backwards?
B00nie
[H]F Junkie
- Joined
- Nov 1, 2012
- Messages
- 9,327
UAC is very important. If you turn it off, every single process running under your account has an administrative token (unless you're not running as an administrator, but then...you don't have much to worry about, at that point). If you leave it on, only apps which you explicitly allow to elevate will have administrative tokens.
And, of course, if you're not one of those stubborn folks who thinks they're too good to not have administrative privileges on every single thing they ever do, UAC is convenient for elevating things when you're not logged in as an administrator. I never log into my administrator account directly, since there's literally no reason I would ever need to. If I need to do something administrative, I can just let the UAC prompt come up and enter my credentials for my administrative account.
Additionally, UAC has added features such as data redirection and registry virtualization that you lose when UAC is disabled.
I like to equate logging into an administrative account with UAC turned off to logging into 'root' on a UNIX system for everything you do. The latter would be considered by the vast majority of knowledgeable people to be an extremely insecure thing to do, but for some reason doing the equivalent thing on Windows bears the consensus that it is a perfectly secure thing to do. It must be that Windows users have far fewer viruses and exploits to worry about since Windows represents a small percentage of the OS market share....or do I have that backwards?
The registry and data virtualization is actually one of the nastyest side-effects of UAC as it breaks some legacy apps - not to mention the PITA it causes to any technical support. The data is not where it's supposed to be - it's in blabla/blabala/balbalabl/user/blabal/hidden folder/app.
The 'security' of *nix and OSX is more related to obscurity than anything else. They're suspectible to all of the social engineering attacks (and nobody can change the fact). Here, install a barking puppy dog to your desktop. But I need a quick courtesy of root password to make it run automatically
It's also very easy to create an extremely destructive code that runs with users credentials. For a desktop user it doesn't matter if the code can't reach system files if it can delete all the data the user has using his own privileges. The end result is pretty much the same. Of course on multiuser machines the damage is more localized than with windows.
The registry and data virtualization is actually one of the nastyest side-effects of UAC as it breaks some legacy apps - not to mention the PITA it causes to any technical support. The data is not where it's supposed to be - it's in blabla/blabala/balbalabl/user/blabal/hidden folder/app.
The 'security' of *nix and OSX is more related to obscurity than anything else. They're suspectible to all of the social engineering attacks (and nobody can change the fact). Here, install a barking puppy dog to your desktop. But I need a quick courtesy of root password to make it run automatically
It's also very easy to create an extremely destructive code that runs with users credentials. For a desktop user it doesn't matter if the code can't reach system files if it can delete all the data the user has using his own privileges. The end result is pretty much the same. Of course on multiuser machines the damage is more localized than with windows.
The file and folder virtualization actually helps old programs run without breaking when they can't write to protected folders, can you give an example of some programs that break with this that otherwise wouldn't, because that makes no sense. If there are some, they are coded so poorly that it's not file and folder virtualization that broke them, they broke themselves I would say.
I agree that Unix/Linux are mostly security through obscurity, in the sense that they are secure by modern OS standards, but not any more so than most others including Windows, definitely not like a lot of their advocates insinuate.
A user mode payload can be damaging, but usually in security circles it's considered more damaging when the malware has Root/Admin access, because they can hide the infection and steal business's, customers' and governments' data for years without detection in those situation, even hiding from the installed and updated AV. They can also do things like destroy firmware, possibly rendering certain types of hardware useless, and so on. Most don't do these things, but it's better not to give them a chance obviously.
The registry and data virtualization is actually one of the nastyest side-effects of UAC as it breaks some legacy apps - not to mention the PITA it causes to any technical support. The data is not where it's supposed to be - it's in blabla/blabala/balbalabl/user/blabal/hidden folder/app.
The 'security' of *nix and OSX is more related to obscurity than anything else. They're suspectible to all of the social engineering attacks (and nobody can change the fact). Here, install a barking puppy dog to your desktop. But I need a quick courtesy of root password to make it run automatically
It's also very easy to create an extremely destructive code that runs with users credentials. For a desktop user it doesn't matter if the code can't reach system files if it can delete all the data the user has using his own privileges. The end result is pretty much the same. Of course on multiuser machines the damage is more localized than with windows.
any examples? I am able to run apps/games more than 10 years old without issues.
Dark Shade
[H]ard|Gawd
- Joined
- May 2, 2006
- Messages
- 1,872
Like others before me, UAC is the first thing I turn off. I've never had a problem since Windows 7 debuted (never used Vista) on several machines as long as you're smart about what you download and open. If you're willy nilly clicking on everything .exe file you download from anonymous sources, I would suggest leaving UAC on, otherwise it's time well wasted clicking and getting annoyed.
I've had to deal with these issues, yes, but usually if you put any amount of effort into it, they can be circumvented.
The 'security' of *nix and OSX is more related to obscurity than anything else. They're suspectible to all of the social engineering attacks (and nobody can change the fact). Here, install a barking puppy dog to your desktop. But I need a quick courtesy of root password to make it run automatically
I don't see why you're pointing this out here. It's not relevant to the purpose or meaning of my post.
You can create destructive code, but with proper permissions and barring things like rare exploits that allow elevated permission, said destructive code is generally only destructive to the user it runs as. If you've been running some form of backups regularly, it's usually as simple as wiping that account and making a new one, then restoring all of your backed up stuff for a fix, which is much better than wiping an entire machine.
schmuckley
[H]ard|Gawd
- Joined
- Oct 21, 2011
- Messages
- 1,236
UAC is nothing but a PITA..I set my Windows up to have it turned off from the jump.
I can think of worse PITAs than one that keeps the system secure.
B00nie
[H]F Junkie
- Joined
- Nov 1, 2012
- Messages
- 9,327
Sure but a desktop machine usually has just one user. If your own data goes what more do you really want at that stage? If you have no backups what's gone is gone.
Personally it makes no difference to me if I have to restore the whole machine from an image if I'm facing restoring all data from zero. Deleted apps also need reinstalling unless imaged.
...So take backups. Aside from that, there's the benefit of not having to spend the time reinstalling Windows and all of your applications. The benefits might not be tremendous, but considering there's effectively no downside at all, I don't see what the fuss is.
Having firmware corrupted possibly rendering the hardware useless, and rootkits that make the infection undetectable is also a consideration. More than worth the few extra mouse clicks I spend on UAC. (wouldn't repeat myself if people didn't ignore me. )
)
B00nie
[H]F Junkie
- Joined
- Nov 1, 2012
- Messages
- 9,327
That would be all good unless UAC had also been circumvented already.Having firmware corrupted possibly rendering the hardware useless, and rootkits that make the infection undetectable is also a consideration. More than worth the few extra mouse clicks I spend on UAC. (wouldn't repeat myself if people didn't ignore me.
https://www.google.fi/search?q=expl...&rls=org.mozilla:en:official&client=firefox-a
Why do people keep acting like security is useless unless it can never be broken? ANY security can be broken, but with patches, these issues are usually much less severe than if any malware could get guaranteed Admin/Root on your system at any time with no effort. Do you leave your door unlocked because someone can blow it off it's hinges with dynamite?