Vista, Admin rights, UAC, and You

bbz_Ghost

2[H]4U
Joined
Aug 4, 2006
Messages
3,548
Vista, being the new kid on the OS block, is kicking ass and taking names like the bloated bully it is - with respect to hard drive space requirements, that is. One of the most fertile battlegrounds at this point is the security - or the lack of it depending on your point of view - of how the new OS "protects" itself from not only the common malware that has plagued previous versions of Windows but also the biggest reason for most problems by and large:

You.

Let's face it, the type of person I end up defending or just being the Devil's advocate for most often - Joe Average, consumer that happens to own a computer - tends to be the biggest single factor in the spread of malware, spyware, adware, viruses, trojans, worms, etc. outside of the computer itself. It's your fault, so deal with it. :)

Take that statement and this entire document with a grain of salt. I like to make stuff a bit humorous or at least make the effort so it tends to stick with you after you've read it. I'm not going to bring up other OSes for comparison except to very briefly point out some aspects of where Vista's security models and practices are finally catching up to - and in some respects surpassing - the "competition."

So let's get right to it.

The biggest complaint about Windows of late is security. "It's wide open," or "It's so insecure you could drive a truck through it," or "It's got so many holes even Swiss cheese is jealous" are the kinds of comments you'll find with respect to Windows and security. Hell, just saying "Secure Windows" is an oxymoron to many people.

Having said that, it's pretty obvious that Microsoft, when developing Vista's security model, needed to take a very large step back and quite literally start from scratch. It simply wasn't going to be enough to continue using the standard Windows security model with user accounts, Admin accounts, levels of priviledge (Power User, Standard User, etc etc).

This time out, they had no other choice but to start clean with a fresh slate and, in the process, they spent a great deal of time looking at other OS models like UNIX, and yes Linux, as well as OSX and its BSD heart beating inside. And by doing research into those other OSes, Microsoft came up with probably the only thing they were capable of: a new security model that closely resembles a lot of the features and practices of those other OSes, but still retains a lot of "innovation" dare I say it with respect to Microsoft and what it needed to accomplish.

In a nutshell, it works like this:

Everyone on a Vista machine - including those individuals that would normally have what we all consider "Administrator" level access under Windows XP - will be using Vista with accounts that do not (by default, and this is the critical point) have the ability to install software into the Program Files directory. With 64 bit editions of Vista, this same rule applies to the Program Files and Program Files (x86) directory.

Now, to a lot of people this might seem a bit odd considering it means every time you go to install a piece of software it's going to cause a problem - and you'd be correct because it does cause a problem, but the problem isn't a problem, it's just how things are done now. The only people that see it as a problem are those that simply don't like their OS dictating how it will respond to whatever the user wants done. It's a pissing match, of sorts, but in the long run this new method and the new practices put in place with Vista will ensure your machine stays safer, runs better, and even you the user needs to jump through a hoop or two to get something done that might have dire consequences for the system itself.

To put it bluntly the new security model in Vista is there for one primary reason: to keep the damned machine operational, even in spite of the user's best efforts to bring it down like a house of cards.

There is no more Administrator account as it has always existed in Windows versions prior to Vista. Now all users have standard user accounts, or tokens which denote the level of access they have when logged in. The standard user account is what forms the basis of the new security model in Vista. To gain access to Administrative options, the user must provide the necessary credentials (by bringing that particular token into play) on a per-case-basis as required called Admin Approval Mode. Even if you log in as an Administrator under Vista, to do anything that requires actual Admin priviledges will still prompt the Administator account user for consent or credentials to perform the task at hand.

It's common knowledge and a long standing practice in the UNIX world that you never use the computer on a regular basis as root - anyone worth his weight or the cost of his education and experience will agree with that practice. If not, go back to playing your consoles games, computers are simply outta your league. :)

So, knowing that using the computer in regular daily sessions logged in as an Administrator (we're talking about Windows Vista here, or Windows machines in general, so that's the proper terminology, and not 'root' which is the UNIX/Linux terminology) is a very bad thing, Microsoft had to find some way to address the need for Administrative priviledges on an as-needed per-instance usage. And they came up with a great solution:

User Account Control.

This particular feature of Vista allows for many things, and I'll quote a few lines from this TechNet page about UAC to explain:

"The main goal of User Account Control is to reduce the exposure and attack surface of the operating system by requiring that all users run in standard user mode. This limitation minimizes the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected their computer.

With User Account Control, IT administrators can run most applications, components and processes with a limited privilege, but have "elevation potential" for specific administrative tasks and application functions.

Conversely, when users encounter a system task that requires administrator privileges, such as attempting to install an application, Windows Vista will notify the user and require administrator authorization. This type of prompting helps ensure that users do not accidentally make modifications to their desktops. It also helps eliminate the ability for malware to invoke administrator privileges without a user's knowledge.

As a defense-in-depth measure, User Account Control also provides additional protection for administrators through its Administrator Approval Mode. With Administrator Approval Mode, Windows Vista will run most applications with standard user permissions even if the user is an administrator.

If a user wishes to run a program that requires administrator permissions, they must give consent through a User Account Control prompt. This helps limit malware's ability to make system-wide changes without the administrator's knowledge. However, Administrator Approval Mode does not provide the same level of security or control as a true standard user account."


That should make it considerably easier to understand but, for the rest of this posting I'm going to spend time explaining why UAC works the way it does and how it keeps the machine safe from most if not all the "bad stuff" that's been making people so pissed about Windows in the past and unfortunately is pissing them off again with Vista.

"It's the permissions... it's always the permissions..." to paraphrase a common statement about driver problems.

In Vista, you're limited to executing applications from directories or folders where you have the permission to do so - this is where the research into UNIX/Linux comes in. But obviously the concept, the very idea itself of permissions has been around for decades, so what's the deal now with Vista and doing things a different way? Glad you asked.

Since the Program Files directory tends to be the center of attention for applications and software packages, Vista prevents anything from writing to that directory without some form of notification to the user happening, and that's where UAC comes in again. If you've used Vista yet, you've most certainly seen that "all too famous" popup now asking for permission to continue.

Everything stops at that point, at least from the user input perspective. The screen dims a bit, the popup appears, and you're basically left with only two options: Click Continue to give permission the application trying to do whatever action it's trying to do, or click Cancel to stop that application in its tracks. Unfortunately for Apple, while their current "Allow or Cancel" commercial is funny - for all of 3 seconds - it gets old pretty fast hearing "Allow or Cancel" knowing that it's asking for you to "Continue or Cancel." I'm a nitpicker, sue me.

So, it comes down to the nuts and bolts:

Under Vista, if you haven't disabled UAC (the Devil's work, I tell you) or done some Registry or Group Policy edit (Security Policy, to be more precise) that allows your priviledges to automagically be escalated whenever necessary (the Devil's work with every other bad guy in history helping out on the task), then you can't install or place much of anything in the Program Files directory at all without some notification or request for permission and a total stopping of all user input systemwide on that machine until you click Continue or Cancel.

The upside to that process is that, as long as you're running the default options in Vista (UAC is on, Admin elevation is normal and will be prompted as necessary), nothing will have access to the Program Files directory or any other directory where such permissions are explicitly required.

As Martha Stewart is fond of saying: "It's a good thing..."

Now, some people will complain: "I've got this old stuff laying around, and since I'm not paying for new versions - hell, some of it ain't even available anymore - how is this going to affect my ability to use that software under this here newfangled Vista stuff?" Again, glad you asked.

Microsoft knew this would be a major MAJOR sticking point for a huge number of users who have legacy applications and simply won't move on without 'em. Personally, for that sort of stuff I say go get VirtualPC 2007 and run 'em all inside virtual machines with zero ill effects except for perhaps 3D capability if required. That gets rid of any possible compatibility issues, and adds yet another layer of protection for Vista itself because all those old apps would be running inside a virtual machine, cut off from Vista itself directly - a common practice nowadays called a 'sandbox'.

But, since not everyone wants to use a virtual machine application like VirtualPC or VMWare, Microsoft was forced to hit that drawing board once again and come up with a solution - and they did, and I find it a very elegant one to this problem.

Old software will still see Program Files, and the software can be installed there as noted above by clicking Continue on the UAC prompt that appears when the application installer tries to write to the Program Files directory. But after that, any subsequent write operations to that folder in Program Files will actually be redirected to a subdirectory inside the user's own user profile directory under the Users directory in the root of the system partition.

Vista creates junction points and symbolic links to the actual desinations now, aka shortcuts.

The legacy software "sees" the directory as in Program Files, but whenever data is sent there, it obviously redirects to the proper location which falls under the Users\AppData\Roaming subdirectory.

Pretty damned spiffy, I'd say. And in the process, while the application works normally, your basic underlying Vista installation is safe and sound and the security model is still 100% intact: no data is being sent directly to the Program Files directory - and if such a thing did happen to occur, the UAC popup would once again appear, stopping the user input in its tracks, and forcing the user to provide input while at the same time acting as a notification that "Hey man, something is going on, and you need to be aware of it, so here I am pointing it out to you."

Works for me, and I bet it works for most of you too.

In the long run all of this results in a vastly more solid operating system platform to work with. Vista keeps an eye on itself not only to stop the external attempts coming in from the Internet (and you are online, I hope, elsewise, how the hell did you access this webpage to begin with?) by all those wily little bastards with a lot of talent and not enough brains to use it for making money, but it also keeps you - the user - from screwing things up so bad the whole machine craps out and then you try to blame it on the OS. Sorry, I ain't believing it. :p

Most everything of any consequence is going to happen under the user's profile in Vista, so that itself keeps things nice and tidy. Errant applications, malware, spyware, viruses, trojans, worms, whatever... it all falls under that particular section of Vista and because of that, even if something does go wrong, the worst you'd have to do is some data recovery, some backup, then wipe out the profile(s) and create new ones. Vista itself will still be running strong since it's closed itself off from your lackluster attempts to rain on its parade, so to speak.

I hope this has helped in some way to explain how Vista's new security model is implemented, and maybe from extrapolation you can now understand why the UAC prompt appears and when it does, you'll also hopefully develop a bit of appreciation for how things work in Vista compared to older versions of Windows.

Yes, sometimes getting that UAC prompt so many times can get irritating - mainly when you're setting up a brand new machine with a fresh installation of the OS and your applications, but in the long run it's for the best. I'd rather have to click a button (which takes what, 1 second, less?) than spend hours doing a recovery operation to try and recover important data because of a mistake I made when I chose to run as a "proper" Admin or because I disabled UAC and right at the most inopportune moment something got in and trashed my system.

In the long run, it's your choice to do what you want with Vista. My suggestion: Leave it alone. It's not like any other OS ever made, and it can take care of itself, very well I might add.

Thanks for reading, and have fun, always...

---------------------------------------------------------------------------------

To put all this together, I've installed Vista more times than anyone should ever do in 20 lifetimes, I've read websites, read magazine articles, participated in forum postings (some still exist, some are dead threads, some turned into battlegrounds, some...well, bleh). I've condensed a lot of the info to what is posted above, and I might add more to this as time goes on, or if I made booboos and people spot them or care to correct me (I'll expect to verify it, obviously) so, comments are most welcome.

I won't say this is "sticky worthy" but, it sure wouldn't hurt to have a point of reference for the [H]ardForum at least in the Operating System subforum so that the constant Vista questions at least have someplace to be referred to. Do with it as you wish, I guess.

References of note:

"Finding the User Settings in Vista" by John Mueller, August 2006 (primary source of information about junction points and symbolic links)

User Account Control Overview by Microsoft on TechNet (basic overview material I condensed into simpler terms as well as providing a direct quote of several paragraphs as noted)

Understanding and Configuring User Account Control in Windows Vista by Microsoft on TechNet (provided a lot of information with respect to the elevation levels, account priviledge tokens, detailed explanations of the different between a user and Administrator account in Vista, as well as a wealth of other information also)

MaximumPC, June 2006 (had a nice article providing a lot of rather easy to understand explanations for how some aspects of Vista work in common everyday usage)

And of course, I have to toot my own horn here, and I should have mentioned this earlier in this posting but now that you've read all of it, reading this next posting I'm about to provide a link for should make installing and using applications under Vista that much easier for you:

The best Vista tip I can offer and one that is sorely needed

The hundreds if not thousands of forums postings I've read over the past year or so as I got "serious" about Vista as an operating system.


"For all those about to install... I salute you..." ;)
 
Excellent, accurate, informative and very well-written post, which not only deserves stickification but warrants stickification also.

Sadly, I suspect that it'll instead simply meander on into a lengthy progression of ill-informed debate and MS-bashing, before either ending up trashed by the haters and then locked by the supervisors, or ending up drifting down the page and away from notice, rarely again to be ever mentioned.

Should that happen, as it quite likely will, I'd be overjoyed to publish it for you elsewhere, to enable it to be 'Dugg' or otherwise promoted in its own right. ;)
 
Excellent read. Cleared up a few things for me. I cursed UAC and now have a much better appeiciation for it.

Copied
Pasted
Saved.

Great reference material.
 
Cool. I've seen a few of your posts on Vista which helped to clarify alot of questions I had about it.

You describe HOW it works rather than "It just does".
 
Your posts NEED to be acknowledged as educational,informative
and worthy of THE sticky.

Admins please listen up here and take notice. PLEASE

bbz_Ghost is speaking to us the masses of enthusists on this forum
in the language we all understand.

As a IT professioanl myself I find it refreshing that someone like this would take HIS time to be so helpfull.

kudos...for those interested search for his posts under his name, you just might learn something
 
Excellent, but I think you knew I would say that:)
Thank you, sincerely, for taking the time and putting forth the effort to put together such well thought out and informative posts..

And copied and saved here as well.

Thanks again
 
Holy long post, Batman! I demand compensation for replacing my mouse wheel!! ;)

Excellent post. One problem with stickying bbz_Ghost's threads. If we stickified each one that deserved it, we'd have to go to page 3 just to view new threads.

I definitely agree on the nomination for stickiness. The more good information out there, the more we can slim down on FUD, and stick (pun intended) to factual information.
 
This will shut up anyone with half a brain who might complain about UAC...it annoyed the heck out of me for a while but I know how to deal with it (and programs that need to be "run as an administrator").
 
It simply wasn't going to be enough to continue using the standard Windows security model with user accounts, Admin accounts, levels of priviledge (Power User, Standard User, etc etc).
One could argue that defaulting to non-privileged user accounts would have been a way to use the ``old'' system without any problems. I am under the impression that it works fine in that way in many large companies around the world.

edit: I found this amusing:
http://technet2.microsoft.com/WindowsVista/en/library/00d04415-2b2f-422c-b70e-b18ff918c2811033.mspx?mfr=true said:
Until the development of Windows Vista, there was no built-in method within the Windows operating system for a user to “elevate” in flow from a standard user account to an administrator account without logging off, switching users, or using Run as.
So they are saying that there were the following ways to elevate to admin:
  • log off
  • use run as
  • switch users

Old software will still see Program Files, and the software can be installed there as noted above by clicking Continue on the UAC prompt that appears when the application installer tries to write to the Program Files directory. But after that, any subsequent write operations to that folder in Program Files will actually be redirected to a subdirectory inside the user's own user profile directory under the Users directory in the root of the system partition.

Vista creates junction points and symbolic links to the actual desinations now, aka shortcuts.

The legacy software "sees" the directory as in Program Files, but whenever data is sent there, it obviously redirects to the proper location which falls under the Users\AppData\Roaming subdirectory.
that is pretty neat. Do these directories get merged upon login? Is there a way to relocate that folder from AppData to LocalSettings? Does this behavior require UAC to be active or can I use it in a domain with regular user accounts as well?

How does UAC work in a AD environment, where users are supposed to be users and admins are supposed to be admins?
 
For the really really good stuff, I'd refer you (meaning drizzt81) or anyone else to the specific linkage provided at the end of the posting. They go into far more detail than I ever could and remarkably it's fairly easy to understand. If Microsoft does one thing fairly well it's document the hell out of stuff. Also, there's so many dev writers out there finding good information isn't hard to do.

I just figured I'd condense it down to as small a post as I could to make it a bit easier for the majority of peeps around here to just have one point of reference to look at or one place to direct other people with similar questions.

Thanks for the kind words, also...
 
bbz_Ghost needs a new titles, like Vista[H]Gawd; or some such. Once again, excellent descriptive and informative post that cuts through all the misinformation and needs a sticky! If something is done about the two recent threads of yours..well..then.. I may have to just start a poll. :p
 
I've installed Unreal Tournament in C:\Program Files (x86)\UnrealTournament. I went into the UT system file USER.INI and change some settings and keybinding but for some reason when I open UT, the setting wouldn't update. First of all my Vista wouldn't let me save the USER.INI, try overwriting the file and still wouldn't let me. So I deleted it and replace USER.INI with the setting that I wanted. Still the configuration in UT wouldn't update.

So am I missing here?

SInce I'm running Vista 64 bit. Another thing is that there are 2 programs folders: the C:\Program Files and C:\Program Files (x86). How important is it to install whatever under which. I believed that C:\Program Files(64bit) programs. Does it really matter where I installed my programs? Because let say that you want to installed your applications/softwares in the D:\Program Files and installed 64 or 32 bit programs into there.
 
I've installed Unreal Tournament in C:\Program Files (x86)\UnrealTournament. I went into the UT system file USER.INI and change some settings and keybinding but for some reason when I open UT, the setting wouldn't update. First of all my Vista wouldn't let me save the USER.INI, try overwriting the file and still wouldn't let me. So I deleted it and replace USER.INI with the setting that I wanted. Still the configuration in UT wouldn't update.

So am I missing here?

SInce I'm running Vista 64 bit. Another thing is that there are 2 programs folders: the C:\Program Files and C:\Program Files (x86). How important is it to install whatever under which. I believed that C:\Program Files(64bit) programs. Does it really matter where I installed my programs? Because let say that you want to installed your applications/softwares in the D:\Program Files and installed 64 or 32 bit programs into there.

did you try taking ownership of the UT folder? Go into Program Files, find the root folder, right click and click Properties. Go to the Security tab and click on Advanced near the bottom. Go to the Owner tab, click Edit, then select your username and also check the box near the bottom and click ok. Then click ok on everything to get out of the properties dialog box. Then right click the folder again and go to Properties again. Go to Security and click Edit, and then give all the users in the box full access. Click Apply and then your username should show up. Click your username and give yourself full access. Click ok on everything and then try and do your USER.INI file editing. Then run the game as an Admin and hopefully the settings will stick.

As far as giving every user full access you prolly don't need to. I believe only Users needs full access for your name to show up when you click Apply. But I give everyone full access just to be on the safe side. Well not safe but you know what i mean lol.
 
did you try taking ownership of the UT folder? Go into Program Files, find the root folder, right click and click Properties. Go to the Security tab and click on Advanced near the bottom. Go to the Owner tab, click Edit, then select your username and also check the box near the bottom and click ok. Then click ok on everything to get out of the properties dialog box. Then right click the folder again and go to Properties again. Go to Security and click Edit, and then give all the users in the box full access. Click Apply and then your username should show up. Click your username and give yourself full access. Click ok on everything and then try and do your USER.INI file editing. Then run the game as an Admin and hopefully the settings will stick.

As far as giving every user full access you prolly don't need to. I believe only Users needs full access for your name to show up when you click Apply. But I give everyone full access just to be on the safe side. Well not safe but you know what i mean lol.

Ok the problem is fixed. I have to rightclick UnrealTournament.exe and Run as administrator. Now its updating my USER.INI.
 
I agree UAC can be annoying, but it definitely is worth keeping enabled. I have it enabled on my pc at work, and being an admin I think it a good idea.

I hope all who are known as the "computer guy/girl" that everyone comes to for computer help will be proponents of UAC and make sure it is enabled as well as not disabling it on computers that they work on. It will benefit all of us.
 
*Song to the tune of Over the Rainbow*
Ooooo...mmmmmm..oooooo...ooo...oo.ooooooo

Somewhere, over the [H]OCP, this thread..
stickied up high..
and the support that's given, won't die..
FUD will fly-i-y-i-y

Somewhere over the [H]OCP, real supprot will be given...
UAC and User accounts won't confuse..
Users can stop the abuse..
from illegitimate software rouse...

Oh why.. oh why..
Can't it be stuck up hi-i-i-gh
Someday my dreams will come true.....



What, I know it's a double post. I ain't gonna lie, everyone has their own agenda. For now, here, mine is to promote this and the other thread to be sticked or compiled into a sticky..

Oh, and bbz_ghost still needs a new title, like [H]VistaGawd..Or whatever he likes.
 
Bump this up to the top for n00bs again.
Get this stickied!!!
 
dot_Zen's post makes me glad this is a non-audio enabled forum! ;)
 
my own notes:
1)turn off UAC because its fricking annoying
2)don't be an idiot (shouldn't be hard. I personally was not an idiot under XP)
3)reap the rewards of not being annoyed and not being an idiot.
 
my own notes:
1)turn off UAC because its fricking annoying
2)don't be an idiot (shouldn't be hard. I personally was not an idiot under XP)
3)reap the rewards of not being annoyed and not being an idiot.

I see we have another fan-boy with us... again. ;)
 
bbz_Ghost, this was a great read! I'm going to point it to people who piss and moan about the UAC being annoying. Personally, I see it as a great improvement to the complete lack of privilege segregation that XP utilized by default (and unlike Tutelary, I like to be notified when system changes are occuring).

That thing about legacy programs being symlinked from Program Files to the Users directory is pretty damn cool too. Did not know that.

There is just one nontrivial criticism I can levy against your article (although it's kind of a big one). You failed to touch upon what is, in my opinion, a glaring problem with UAC: the fact that it is ultimately under user control. As you pointed out, the UAC system is in place to protect the OS from the end-user. This is good in theory, but when any Joe Shmoe user can escalate their privileges to administrator with just one ill-informed click, the UAC system fails to be more than an annoyance.

Example:
  • mom has some old 70s song stuck in her head
  • mom goes to a site advertising "Free MP3s"
  • site forces you to use their special "MP3 Download Manager" program
  • mom tries to install "MP3 Download Manager" program
  • UAC pops up. "Continue / Cancel"
  • mom clicks continue (of course she wants to continue! she double clicked the icon after all)
  • computer is riddled with spyware / trojans and god knows what else.
Like I said, this is the only issue I can see in your article. To people who don't know what the hell they're doing anyway, all UAC does is require them one extra click to mess up their PCs. On a large scale, this may become a huge Achille's Heel to the supposedly better security of Windows Vista as the install base moves from the enthusiast to the casual PC user end of the spectrum.

Unfortunately, I don't know if there is truly any elegant solution to the problem of protecting an OS from its user. If Vista required a secondary logon to modify system files then people would either:
  1. bitch that the whole OS is broken (not knowing how to do a secondary login) *or*
  2. run in Administrator mode all the time and be no better off
Ultimately what the problem boils down to is that (going from my prior experience in tech support) your average PC user does not know squat about PCs, is incredibly naïve about potential threats on the Internet, and is very apt to blame Microsoft or anyone else for their inability to maintain a stable operating platform. UAC may be nice for people who know a little bit about what they're doing, but for everyone less-informed it is just a useless annoyance.
 
i believe that if uac was smart, it would know what programs are safe and what programs are not. but that may be asking too much. for now i'll just do the extra click.
 
i believe that if uac was smart, it would know what programs are safe and what programs are not. but that may be asking too much. for now i'll just do the extra click.

Take the time to read the thread and the information that's been printed about UAC.

The biggest reason something like the above is not common place falls to the developers of software (even some of Microsoft's own software development departments), who write software which will try to install and write to folders that they shouldn't. If they were written correctly, they would only need UAC at install and never again; some may never need to have elevated privileges at all.. Well, common every day programs that the avg. user will utilize.

'Elevated privileges' is not a new concept, but one that will (now) start making a major impact.

The Vista development team took a chance, it may not be implemented 100% the way it was envisioned but it makes a giant leap in Windows security. In the future, it can only get better.
 
my own notes:
1)turn off UAC because its fricking annoying
2)don't be an idiot (shouldn't be hard. I personally was not an idiot under XP)
3)reap the rewards of not being annoyed and not being an idiot.

As much as I may hate to say it, Tutelary has a point. UAC bugs the ever living shit outta me, I can well imagine what's going on as a regular user. They aren't taking the prompts to heart, weighting their decision to accept or decline. They are merely clicking the button to get the damn prompt out of their face faster.

UAC is a horrible design decision from the end user's perspective. What I don't get is why MS can't simply get the idea of a truly limited user through their head. I've set up many many people as a limited user under XP ( grandmas and grandpas alike ). I explained to them why and what they'd have to do if they wanted to install something. They may not get why I'm doing it, but it's usable for them so they do it.

That makes far more sense and is easier to work with than UAC.
 
What I don't get is why MS can't simply get the idea of a truly limited user through their head.
Why are people blaming Microsoft for this? Why not blame the application programmers who insist on admin rights for installations? Why does a game like the Sims need admin rights to install? This is your classic case where MS tries to do something positive, but because some 3rd party doesn't follow along with progress, everyone dumps on MS.
 
As much as I may hate to say it, Tutelary has a point. UAC bugs the ever living shit outta me, I can well imagine what's going on as a regular user. They aren't taking the prompts to heart, weighting their decision to accept or decline. They are merely clicking the button to get the damn prompt out of their face faster.

UAC is a horrible design decision from the end user's perspective. What I don't get is why MS can't simply get the idea of a truly limited user through their head. I've set up many many people as a limited user under XP ( grandmas and grandpas alike ). I explained to them why and what they'd have to do if they wanted to install something. They may not get why I'm doing it, but it's usable for them so they do it.

That makes far more sense and is easier to work with than UAC.

exactly. People are clicking continue with UAC just like they have with every damn popup on the internet. Theres no safety here for the general populace, its a joke.
 
Why are people blaming Microsoft for this? Why not blame the application programmers who insist on admin rights for installations? Why does a game like the Sims need admin rights to install? This is your classic case where MS tries to do something positive, but because some 3rd party doesn't follow along with progress, everyone dumps on MS.

I wouldn't call UAC something positive. It's an attempt, but if I were to make half assed attempts at work, I'd still get in trouble.

It's something like the chicken and the egg: MS needs to block regular users from modifying data in program files and 3rd party vendors need to stop coding their apps in such boneheaded ways. They've had, what, 6 years+ of dealing with XP to get their head around this concept? Who goes first? Who gets the blame? In my mind, they both do. If I had to pick one, it's MS simply because of the numbers. 1 vs many. MS should be the more responsible party.

However, I hold both sides in contempt on this particular issue.
 
Actually that little "pop-up" has saved me probably near a 100 hours of tech support with my family so far. My policy with them is that if that box pops up, they must call me BEFORE they click. If they don't, my only form of support will be putting back the image I made a while back and they will lose all data. This is much easier to enforce than say "don't do anything" since some programs nicely trick you into installing themselves.

Overall, I believe UAC will improve security for my family and reduce my headaches...but still, there is still an endless supply of iditos who can break anything given enough time.
 
Users still need to be educated.
The OS can't do EVERYTHING for them.

You fail to realize though, if you don't want someone screwing with something, set them on a limited account.

I know this has saved me a ton of work with relatives so far. They don't know the Administrator password- they can't install crap to screw it up. They have to go through me.
If it's Adobe or something (which I forget to install sometimes), I gladly enter my PW for them.
Obviously if it's sweetvideo.bat trying to run, I'm not going to let that through at all.

I do think Vista is a stepping stone to something bigger. Companies need to not have Administrative access all the time. Simply running their installs and writing with Administrator rights is the easy way around- which is why it is done that way.
Vista is encouraging software developers to write good programs- stuff that can run under the User account- effectively limiting the install prompts just as a confirmation you want to install the program- not escalate.

The something bigger I described in another thread- but MS needs to get rid of the registry.
All programs needs to utilize something similar to U3. Obviously the same technology wouldn't work in an OS environment- but this is what it needs. Run it, and when you close it- no dependancies upon anything.
This eliminates programs writing to or using ANY OS files/functions. It basically turns programs into data... You would be able to copy/paste the program's directory and move it to another computer. No more registry.
Obviously piracy would need to be re-thought as well, which I see going into Internet-based authentications...
 
While your points are for the most part valid, you must at least acknowledge the fact that UAC may not be the answer.

Is it more secure than older Windows? Of course. Is it the best solution? Probably not.

I know what you're saying "It's annoying, but deal with it for security." The thing is, we shouldn't have to. What upsets me more is that some applications shit the bed with UAC enabled. The file virtualiztion seems to get confused, and files aren't where they should be.

While I commend MS for the effort (to an extent) I hope they don't see this as the end-all of Vista security. I hear in future updates that UAC will become less of a hassle...time will tell.
 
Is it more secure than older Windows? Of course.
I'd argue this, actually. In theory, sure it's more secure. In practice, we're teaching users just to click "OK" at every window that comes up. Which makes it worse that previous versions.

You can yell all day long about user education, but the fact is users don't want the education. The OS can and should do more than windows does. UAC is a determent not a feature.
 
Back
Top