W7 - UAC and Folder Permissions

[thecrafter]

I just noticed that if UAC is enabled, you don't get write permissions on any folder outside your user directory. Why? I guess I've always ran with UAC off and never noticed this but now that I did a fresh install I'm dumbfounded. It forced me to reinstall Windows 2x because I thought CCleaner or something else must have messed up my registry because I wasn't able to create anything other than a new folder within directories (what I mean is, right click-> new-> only shows folder; no text file, nothing else). I also am unable to edit files for programs I installed. i.e if I install a video game, I can't edit a .ini or anything within the directory, as permission is denied.

Disabling UAC and I am then have the full right click->New menu selection and am able to edit files just fine.

The hell is the reasoning for this? I can understand for the Windows folder somewhat, but not being able to even easily place a .txt file under C:\... or edit files of programs you've installed? WTF

 

[Arainach]

You can comprimise a system easily by overwriting files in the root directory or app directories...if I simply rewrote the .exe for a program you were going to run, I'm in effect getting you to run that code. Particularly if that's a program you usually run as administrator. Same for the root of the drive.

This is all common sense security measures. Use any directory other than the root of the drive and you're fine. That's what your Documents folder, etc. are for.

 

[bigdogchris]

UAC basically is just confirming you want an action to take place. So as an Administrator, if you try to write to a folder which you are not the owner of, you can, you just need to confirm it.

UAC doesn't do a whole lot if you are the only user on the computer, but it's really nice for the Admin/Standard user paradigm. I can hop onto a computer that a Standard User is logged in, right click and run-as admin, to type in my credentials, or while installing. Makes things very easy in that scenario.

 

[B00nie]

UAC basically is just confirming you want an action to take place. So as an Administrator, if you try to write to a folder which you are not the owner of, you can, you just need to confirm it.

UAC doesn't do a whole lot if you are the only user on the computer, but it's really nice for the Admin/Standard user paradigm. I can hop onto a computer that a Standard User is logged in, right click and run-as admin, to type in my credentials, or while installing. Makes things very easy in that scenario.

The failure of UAC (and windows security with it in general) is that almost all programs are made unlocalized which in turn means an automatic UAC prompt during install. Once the user becomes accustomed to UAC popping up on every program install, it no longer serves as the warning sign it's supposed to be. Instead of a security tool it becomes just another pop-up window to accept.

This is in stark contrast to OSX and linux which will ask for privilege escalation only when the system needs to be accessed in a deeper level. On those systems the authorization popup is always a warning sign as it should be.